Inheritance--problems caused by bidirectionality

Is there any way to inherit permissions downward to child subsites without also generating permissions upward to the parent site when a group must be given access to a subsite?

There are multiple scenarios when (a) it is administratively necessary to have uniform permissions cascade from one site to all subsites, while also (b) having some unique permissions on a child site. For example, I might need to add a new security group, or to remove a security group, from one level below the root site down through all subsites below that level; I might also need to provide a specific security group with access only to a few subsites or lists. With bidirectional inheritance as it appears to exist now, if I am going to give a specific security group access to only a few subsites or only a few lists, then the only way to do that is to break inheritance on those subsites or lists. Once I do that, I can no longer add/remove a group to the entire tree. Is there any solution to this?

2 Replies
The only suggestion I have for this scenario is to use AD groups inside of your SharePoint groups. Create your basic SharePoint groups if they don't exist already, then add the AD groups to the SharePoint groups if they need to be propagated, since all your sites have the original SharePoint security groups. Then if you need to have an exception, add the AD group to the subsite directly.

Thanks. That is what I do currently, but the problem arises like this: I want an AD group to have access to one subsite but not the entire tree. To effectuate that, I have to break inheritance for that subsite. Then, if I want to add or delete an AD group to the entire set of sites and subsites, I have to manage the broken-inheritance sites separately. That's actually less of a problem than figuring out which sites--or document libraries--have broken inheritance; there doesn't seem to be a way to report that.
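
An added example, not part of the original thread: one way to inventory where inheritance has been broken is to walk the site collection and check `HasUniqueRoleAssignments` on each subsite and list. It assumes SharePoint Server (on-premises) with the server-side management snap-in available; the site URL, output path and the helper name `Get-AssignmentSummary` are placeholders chosen for illustration.

```powershell
# Assumption: run in the SharePoint Management Shell on a farm server by an
# account with access to the site collection. URL and CSV path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sharepoint.example.com/sites/root"   # placeholder
$outFile = "C:\Temp\broken-inheritance.csv"              # placeholder
$site    = Get-SPSite $siteUrl

# Hypothetical helper: flatten an object's own role assignments into
# "principal [permission levels]" strings so exceptions can be reviewed.
function Get-AssignmentSummary($securable) {
    $securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0} [{1}]" -f $_.Member.Name, $levels
    }
}

$report = foreach ($web in $site.AllWebs) {
    try {
        # The root web always reports unique permissions; a subsite does so
        # only after its inheritance has been broken.
        if ($web.HasUniqueRoleAssignments) {
            [pscustomobject]@{
                Type        = "Web"
                Title       = $web.Title
                Url         = $web.Url
                Assignments = (Get-AssignmentSummary $web) -join "; "
            }
        }
        foreach ($list in $web.Lists) {
            # Skip hidden system lists; report lists and document libraries
            # whose permissions no longer follow the parent subsite.
            if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                [pscustomobject]@{
                    Type        = "List"
                    Title       = $list.Title
                    Url         = "$($web.Url)/$($list.RootFolder.Url)"
                    Assignments = (Get-AssignmentSummary $list) -join "; "
                }
            }
        }
    }
    finally { $web.Dispose() }   # release each SPWeb opened by AllWebs
}
$site.Dispose()

$report | Sort-Object Url | Export-Csv -Path $outFile -NoTypeInformation
```

The report stops at list level; folders and items with their own unique permissions are not enumerated.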