Forum Discussion

Erik63
Copper Contributor
Aug 04, 2023

Default type=user permission issue

Hello,

I am having a security issue with SharePoint permissions; it seems the access requests come in 3 forms depending on the URL used to make the request. One puts the person in the correct group, the other two place them in the type=user, which has a default that allows the requestor access to other sites in the SharePoint that have different permissions (not shared). In this case, a file was edited that was in a read-only site for visitors and members. I am unable to determine how to change the default user permission to stop this security issue. Any idea as to how to fix this? Any help would be greatly appreciated.

-Erik

  • Lalit Mohan
    Iron Contributor

    Hi Erik63,

    It appears that you are facing a security issue related to SharePoint permissions, specifically with default type=user permissions. This issue is causing access requests to be granted improperly, allowing users access to sites with different permissions, which is leading to unauthorized file edits.

    To resolve this security concern, you can follow these steps:

    1. Review Existing Permissions: Start by reviewing the current permission settings in SharePoint. Ensure that all the sites and document libraries have the correct permissions assigned, and there are no unexpected inheritance settings.

    2. Check Permission Levels: SharePoint offers different permission levels such as Read, Contribute, Edit, Full Control, etc. Make sure you are using the appropriate permission levels for different user groups. Avoid using the "Full Control" level unless absolutely necessary.

    3. Manage SharePoint Groups: Create SharePoint groups with specific permission levels and add users to these groups accordingly. Avoid directly assigning permissions to individual users whenever possible.

    4. Disable Access Requests: To prevent the issue where type=user grants access to other sites, you can disable the access request feature or limit its usage. You can do this by accessing the SharePoint site settings, going to "Site permissions," and then "Access Request Settings."

    5. Manage User Permissions: If you find users who were granted access inappropriately, immediately remove them from unauthorized groups or sites.

    6. Break Inheritance: For sensitive sites or document libraries, consider breaking inheritance from parent sites and manually managing permissions. This way, changes in parent sites won't automatically affect the child sites' permissions.

    7. Regular Audits: Perform regular security audits to identify any potential security loopholes and unauthorized access. It will help you stay on top of potential issues and mitigate risks.

    8. Educate Users: Ensure that all users are aware of SharePoint's permission structure and the importance of handling sensitive information responsibly. Offer training if needed to help users understand how to request access properly.

    9. Involve IT/Administration Team: If you are still unable to determine the cause of the issue or find a suitable solution, involve your IT or SharePoint administration team. They might have deeper insights into the configuration and can provide more targeted assistance.

    By following these steps and making necessary adjustments to your SharePoint permissions, you should be able to mitigate the default type=user permission issue and enhance the overall security of your SharePoint environment. Always remember to monitor the system regularly and be proactive in addressing any potential security concerns to maintain a secure collaboration platform for your organization.

  • SvenSieverding
    Bronze Contributor

    Hi Erik63,

    Could you elaborate a little bit more on your site structure and what three access request links you created?

    I assume that you have a main site and some subsites below that. And that you give some user access to elements somewhere below in the page structure.

    "Limited Access" means that something somewhere below that level has been shared with that user, and that user gets the minimum permissions on the upper levels he needs to get to that element.
    If, for example, you shared a document library with a user who has no access to the site, then the user will automatically be added with "Limited Access" permission on the site above in order for the user's browser to render the document library (the browser needs access to some js, css and something-something files in the site to render the document library). It does not give the user access to the parent site itself.


    My suggestions to minimize this effect and to keep your permission setup clean in general are:
    1) Don't use subsites at all; just use sites and link them together.
    2) Don't share folders; always try to share at least document libraries, or, even better, only whole sites that contain just one document library.
    3) Share top-down: add all users to a site and just take their permissions away on specific document libraries. Do not give people who do not have access to the parent site access to document libraries in it. If you need to give a person who does not have access to the site access to a document library, then move that document library into a new site.

    Best Regards,
    Sven
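An added example, not from either reply: a PnP PowerShell audit that lists, for one site and for every library that broke inheritance, the principals granted directly as users (the entries that show up under type=user) and the "Limited Access" entries Sven describes. It assumes the PnP.PowerShell module is installed and that $siteUrl is a placeholder for the site under review.

```powershell
# Added example (not the thread's own code): report direct user grants and
# "Limited Access" entries on a site and on its uniquely-permissioned lists.
# Assumes: Install-Module PnP.PowerShell; $siteUrl is a placeholder you replace.
$siteUrl = "https://contoso.sharepoint.com/sites/ReadOnlySite"   # placeholder

Connect-PnPOnline -Url $siteUrl -Interactive

function Get-SuspectGrants {
    param($Target, [string]$Scope)
    # Load the role assignments of the web or list we were handed.
    $assignments = Get-PnPProperty -ClientObject $Target -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Member (who) and RoleDefinitionBindings (which permission levels) are lazy-loaded.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "

        # A grant made straight to a person instead of to a SharePoint group
        # is what the permissions page shows as type=user.
        if ($ra.Member.PrincipalType -eq "User") {
            [pscustomobject]@{ Kind = "Direct user"; Scope = $Scope
                               Principal = $ra.Member.LoginName; Levels = $levels }
        }
        # "Limited Access" here means something below this level was shared with them.
        if ($levels -match "Limited Access") {
            [pscustomobject]@{ Kind = "Limited Access"; Scope = $Scope
                               Principal = $ra.Member.LoginName; Levels = $levels }
        }
    }
}

$web    = Get-PnPWeb
$report = @()
$report += Get-SuspectGrants -Target $web -Scope "Site: $($web.Url)"

# Libraries that broke inheritance are where "read-only site, but the file
# was edited" surprises come from; inherited lists share the site's entries.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden
foreach ($list in $lists | Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }) {
    $report += Get-SuspectGrants -Target $list -Scope "List: $($list.Title)"
}

$report | Sort-Object Kind, Scope, Principal | Format-Table -AutoSize
```

Any "Direct user" row with Contribute or Edit on a library inside a read-only site is the grant to remove or move into a group, as both replies recommend.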
