In the opening session I had a question in regards to item level permissions and anonymous access, for instance if you break inheritance at a folder level to assign unique permissions you will not be able to allow anonymous access from that point on. Tom Rizzo and I had agreed to discuss this offline and we did. A big thanks to Tom for working with me on getting some feedback so quickly! Several of you have asked me about the final outcome so I decided the best way to share out the answer was through my blog. The response from Microsoft of this was:
“I can explain why anonymous access at folders with unique permission was not enabled in O12. Basically, the difficult is in managing the anonymous settings, not in browse time permission check.One goal of managing anonymous access is to make sure that if you block anonymous access at a higher level, all contents from that level below should also be protected. And if you enable anonymous access at a lower level, it should not automatically open up contents on higher level.For example, at web level, the anonymous state has three values: disabled, enabled, open. If it’s disabled, then all lists within the web are off limit to anonymous users, no matter whether the list has unique permissions or not. If it’s enabled, then the web itself (and all lists inheriting permission from the web) is not accessible by anonymous user, but lists with unique permissions MAY be opened to anonymous user.Now, suppose that we want to allow user to manage anonymous permission at folder/item level. Then the parent scope (could be parent folder, parent list, or parent web) should at least “enable” anonymous access. This means we have to implement “enable” semantic at list/folder level. Also, when you disable anonymous access at web/list/folder level, we must also update security setting on all subfolder/items to remove anonymous access. This will scan the docs table.This is the reason that in O12, if you set a folder/item to have unique perm, it automatically sets anonymous permmask to 0.”
August 3, 2008 at 3:40 am |
Thanks !
August 15, 2008 at 9:05 pm |
So if I have a single page that I don’t want my approvers and members/contributors to be able to edit, but they do have the ability to edit all other pages in that web, what do I do? I have an authoring site and an extended public (anonymous) site and if I break the inheritance the anonymous users can no longer see the page.
August 29, 2008 at 1:37 pm |
[...] I thought this was a bug for which MS would be giving a fix, and kind of expected it to be fixed in the MOSS Infrastructure update, however found this pretty old link stating that this was due to difficulties in managing anonymous settings. http://yvonneharryman.wordpress.com/2007/11/23/follow-up-on-anonymous-access-and-item-level-permissi…. [...]
December 12, 2008 at 1:20 pm |
The greatest web site on the net
February 20, 2009 at 11:06 pm |
Thanks for posting this information.