Sunday, May 22, 2011

SharePoint 2010 - Access denied for users that have full control on the site

Scenario:
  • Users get "Access Denied" over the whole site, despite having Full Control permission
  • Site Collection Administrators have no problem logging in
Explanation:

A SharePoint 2010 site that uses claims-based authentication has been extended to Intranet zone that uses AD as well as FBA. The site has number of users in the default owners and members groups.

All the site users always get access denied over the whole site even though they clearly have access to the site through the site groups.

Site Collection Administrators are allowed to access the site and have no problems logging in.

Resolution:


Make sure that all the Master page, CSS files, any other files that are required are published.
If there are files that are required in the master pages and are not published, users will get access denied even if they have full control on the site.

If you are ok with giving all authenticated users atleast road-only access to all files inorder to prevent the access denied problem, then you can try the below.

Add a new "User Policy" for the web application that allows "All Authenticated Users" the permissions "Full Read" on the desired zone.

To add a new User Policy:


Go to Central Administration
Click on Application Management
Click on Manage Web Applications

Choose the desired web application:


Click on "User Policy"


Click on "Add Users" to add a new User Policy:



Select the zone that you want to apply the new policy to. If you are not sure what to choose, leave the defaut value selected (All Zones) and cick next


Choose the permissions that you would like to give to the user(s) in this new user policy. If you do not want to give the user(s) full permission, choose "Full Read". This permission ensures that all the users in this policy can atleast access the site. Then click on "Browse" icon in the "Choose Users" area.


If you would ike to give All Authenticated Users / AD users / FBA users "Full Read" access, then choose the appropriate group(s).
In the next screens, click OK to get out of the wizard.
Your new user policy should be ready now.

No comments:

Post a Comment