Permissions modified on sub-sites, items when changing inheritance of parent sites, items


This post describes a by-design behavior. The following site gives you deeper information regarding this behavior: https://blog.krichie.com/2007/04/05/beware-of-cascading-deletes-in-wssmoss/

Detailed Description of the Issue

This behavior appears when the permission inheritance of a site in the hierarchy of a site collection has been changed. People are suddenly able to access private documents of other people.

When permission inheritance on a site is set back to its original value, the permissions on all children (and grandchildren, great-grandchildren, and so on) are set to the original value as well, i.e. "Use same permissions as parent site".

Deeper Information - Imagine the Following Scenario

Sites Hierarchy

[Image: diagram of the site hierarchy (root site > SubsiteA > SubsiteA1, with the Shared Documents libraries, folders and documents used in the repro steps below); not reproduced]

Step by Step to Repro the Scenario

  1. Create the following users: "user1", "user2", "user3", "user4", "user5", "limiteduser"
  2. Hover over DocumentA1, choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the item
  3. Add user1 to the item with contribute permission
  4. Navigate to the Shared Documents library in SubsiteA1
  5. Hover over FolderA1 and choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the folder
  6. Add user2 to the folder with contribute permission
  7. Navigate to SubsiteA
  8. Hover over DocumentA, choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the item
  9. Add user3 to the item with contribute permission
  10. Hover over FolderA and choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the folder
  11. Add user4 to the folder with contribute permission
  12. Navigate back to SubsiteA
  13. Select "site actions" - "site settings" - "Advanced permissions" - "actions" - "edit permission" to break permission inheritance for SubsiteA
  14. Add user5 to the site with read permission
  15. Navigate to the root site of the collection
  16. Add user "limiteduser" to the rootsite with read permission
  17. Navigate to SubsiteA
  18. Select "site actions" - "site settings" - "Advanced permissions" - "actions" - "inherit permission" to enable permission inheritance for SubsiteA
  19. Verify the permissions for the following items, folders and lists:

/SubsiteA/Shared Documents/FolderA
/SubsiteA/Shared Documents/FolderA/DocumentA
/SubsiteA/SubsiteA1/Shared Documents/FolderA1
/SubsiteA/SubsiteA1/Shared Documents/FolderA1/DocumentA1
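Before step 18 (and again for the verification in step 19) it helps to have an inventory of every site, list, folder and item below SubsiteA that carries its own permissions, together with who holds which role on it. The script below is an added example and is not part of the original post or a Microsoft tool. It uses the SharePoint server object model, so it assumes it is run on a server in the farm; $SiteUrl and $OutCsv are placeholders you set. Run it once before re-enabling inheritance and once after: the second run should return no rows below the site, which is exactly the cascade the post describes, and the first run's CSV is the record you would need to reapply the lost assignments.

```powershell
# Added example (not from the original post): export the role assignments of
# every securable object below a site that has unique (non-inherited)
# permissions, so the fine-grained permissions can be compared before and
# after inheritance is changed on the parent site.
# Assumptions: run on a SharePoint farm server with the server object model
# installed; $SiteUrl and $OutCsv are placeholders.
param(
    [string]$SiteUrl = "http://sharepoint/sites/collection/SubsiteA",  # placeholder
    [string]$OutCsv  = "C:\temp\unique-permissions.csv"                 # placeholder
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Flatten the role assignments of one securable object (web, list, folder, item)
# into one row per principal.
function Get-RoleRows($securable, $type, $url) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        New-Object PSObject -Property @{
            Type      = $type
            Url       = $url
            Principal = $ra.Member.Name
            Roles     = $roles
        }
    }
}

# Walk a web, its lists, the folders and items in those lists, and then recurse
# into sub-webs. HasUniqueRoleAssignments is the flag that re-enabling
# inheritance on the parent site resets on every object below it.
function Export-UniquePermissions($web) {
    if ($web.HasUniqueRoleAssignments) {
        Get-RoleRows $web "Web" $web.ServerRelativeUrl
    }
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            Get-RoleRows $list "List" $list.RootFolder.ServerRelativeUrl
        }
        # SPList.Items excludes folders; SPList.Folders returns them as items.
        foreach ($folder in $list.Folders) {
            if ($folder.HasUniqueRoleAssignments) {
                Get-RoleRows $folder "Folder" $folder.Url
            }
        }
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) {
                Get-RoleRows $item "Item" $item.Url
            }
        }
    }
    foreach ($sub in $web.Webs) {
        try { Export-UniquePermissions $sub } finally { $sub.Dispose() }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.OpenWeb()
    try {
        $rows = @(Export-UniquePermissions $web)
        $rows | Export-Csv -Path $OutCsv -NoTypeInformation
        "$($rows.Count) role assignments on objects with unique permissions written to $OutCsv"
    } finally { $web.Dispose() }
} finally { $site.Dispose() }
```

Enumerating $list.Items loads every item of every list, which is slow on large libraries; for a large site collection, restrict the walk to the lists you care about or page through the items with a query. The CSV records only what is unique at each level, so a row that disappears between the two runs is an assignment that was wiped by the inheritance reset.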

Result / Notes 

  • Permission inheritance for all child sites, lists, folders and items has been enabled again.
  • As a result, users who had been given access to these sub-sites, lists, folders or items are no longer able to access them.
  • It also means that users who should not have access to these sub-sites, lists, folders or items can now access them, if they had permissions on the site above the one where permission inheritance was enabled again.

How to Reapply the Permissions?

The only way, out of the box, to get them back is a database restore.

Third Party Solution

You can find tools on the Internet to restore/import permissions from a database restored in parallel.

For example, searching Bing for the keywords "security permission sharepoint clone" will give you relevant results.

By Yamine Taïeb - SharePoint escalation engineer