2013 – SharePoint permissions for the intranet site

I was wondering if anyone could help me choose the best way to implement SharePoint permissions for the site I'm working on. I use SharePoint Classic on Office 365. This is an intranet site with various departments, which means that we will have unique permissions at almost every site level or subsite. Here is an example of the site structure with the required permissions:

0-Home: Admins (AD group); All employees (AD group)

1-Employees: Admins (AD group); All employees (AD group)

2-HR: Admins (AD group); HR Managers (AD group); HR employees (AD group); username1 (user); adhocemployee1 (user)

3-Managers: Admins (AD group); HR Managers (AD group)

3-Staff: Admins (AD group); HR employees (AD group); All employees (AD group)

2-IT: Admins (AD group); IT employees (AD group)

1-Non-Employees: Admins (AD group); All employees (AD group); All non-employees (AD group)

where 0, 1, 2 and 3 are the different site levels, 0 being the top-level site and 3 a level-3 subsite. Since the main permission levels we will use are Read, Contribute, and Full Control, I plan to have 3 SharePoint groups for each subsite. So 3 for Employees, 3 for HR, etc. I'm not sure that's the right approach. Would it be better to assign permissions directly to the AD users / groups instead of organizing them into SharePoint groups? We will also have library-level permissions assigned to AD users / groups because of the way people in our organization have access to them, which complicates management and makes it difficult to handle ad hoc requests for user access to certain subsites / libraries.

My approach:

Permissions for the HR subsite
HR Administrators (group) -> Full Control -> users: Admins (AD group)

HR Readers (group) -> Read -> users: HR Managers (AD group); HR employees (AD group)

HR Contributors (group) -> Contribute -> users: HR Managers (AD group); username1 (user)

The other approach, which I'm not inclined to take, is:

HR Managers (AD Group) -> Contribute

username1 (user) -> read

HR Employees (AD Group) -> Read

Admins (AD Group) -> Full Control

adhocemployee1 (User) -> Read

Hopefully someone can tell me which approach is best for my scenario.

Thank you!

In user management in Google Analytics, what does "no (the user has permissions at a lower level)" mean?

I am currently going through our Analytics account and deleting old accounts. I have about 20 where permissions say "None (the user has permissions on a lower level)".

However, when I try to find more information about what "lower level permissions" actually means, the help link does not explain anything, and nothing clarifies what this permission actually consists of.

I have gone through all the documentation and I have not found anything that explains the "None".

Does anyone have any idea what this really means, and whether I can delete these accounts?

Edit: Just expanding the question to say that these users do not have any permissions on the account's properties.

Is tagging an acceptable way to indirectly add or remove user permissions in a role-based system?

  • Our users can have only one role per account (internally an IAM domain), but may have roles on multiple accounts.
  • Each role is defined as a list of authorized actions.
  • In some cases, such as failed payments or suspicious activity, we want to limit some of their actions.
  • We can also imagine cases in which we could give trusted or vetted users additional permissions, such as higher budget limits.

My thoughts

  • Although these circumstances revolve around permissions, I do not think they make sense as "roles" per se, and I also think that "roles" can become complicated if a user can have multiple roles in an account (but maybe that's okay too, I'm not sure).
  • And because such circumstances are not mutually exclusive, I thought tagging might be the best way to represent these subtractions and additions of permissions.

I wonder though whether I am just adding unnecessary complexity. Do these really amount to extra "roles", and should I allow users to have multiple roles per account? Or, on the other hand, has my system completely outgrown "roles" and should it migrate entirely to tags? If both options are used in practice, what are the deciding factors, in your opinion?

The rest is optional. It simply describes the current architecture preemptively.

OPTIONAL: Current Architecture

We rely on an external system to store and serve user permissions. (We can influence it, but it's not easy to change it because the system serves a much larger ecosystem than our product.) We can ask this system,

Hey, can the user Alice do some action GetUsersInDomain in the IAM domain org/6c1b5c24/75247aeb?

and it will answer yes or no. But it cannot answer questions such as,

Hey, who are all the users who can do GetUsersInDomain in the IAM domain org/6c1b5c24/75247aeb?

This is suitable for most applications, but not for creating an administrative user interface that should display, for example, all "administrators" of a certain account.

Now, in the external system, there is a concept of templates (sorry if it's obvious and fundamental): just a list of actions, which basically amounts to what our product calls a role (for example "admin"). Suppose there are some roles:

In order to query users by role, we have created a service that mirrors and extends the external permission system, with a schema such as:

| user | iam_domain            | role   | template |
|------|-----------------------|--------|----------|
| 1    | org/6c1b5c24/75247aeb | admin  | b7a3fe18 |
| 2    | org/6c1b5c24/75247aeb | viewer | 29416fe6 |
| 3    | org/5e02bab7/dd389a37 | admin  | b7a3fe18 |

Here, user, iam_domain, and template are already concepts stored in the external system. Technically we do not really need role, since we already know, for example, that the "admin" template is "b7a3fe18". But after mirroring the permissions this way, we can now query by role as we like.

The new challenge, however, is: how do we implement multiple independent roles per user and IAM domain?

There, my proposal is:

| user | iam_domain            | role   | template | tags                |
|------|-----------------------|--------|----------|---------------------|
| 1    | org/6c1b5c24/75247aeb | admin  | b7a3fe18 |                     |
| 2    | org/6c1b5c24/75247aeb | viewer | ???*     | failed_payment      |
| 3    | org/5e02bab7/dd389a37 | admin  | ???*     | suspicious_activity |

as this would allow independent subtractions and additions of permissions (as long as we have an appropriate precedence hierarchy and correctly code the logic and the resulting templates).

* To do this, we need to generate combinatorial templates in the external system, because it has no concept of exclusions or inclusions yet. But as the set of actions to exclude or include will not change frequently, that is fine for now.
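An added example, not code from the original post, that models the proposal above: role templates plus add/subtract tags with subtractions taking precedence, a content-derived id for the combinatorial templates mentioned in the footnote, and the users-by-role query that the mirrored table exists to answer. The template contents, tag effects and hashing scheme are all assumptions.

```python
"""Resolving effective permissions from a role template plus tags.

Added example, not code from the original post. It assumes a small in-memory
copy of the external permission system: each template is a set of actions
stored under a content-derived id, and each tag either adds or subtracts
actions, with subtractions always taking precedence over additions.
"""
import hashlib

# Constructed sample templates (what the external system calls "admin"/"viewer").
TEMPLATES = {
    "admin": {"GetUsersInDomain", "AddUser", "RemoveUser", "SetBudget", "ViewBilling"},
    "viewer": {"GetUsersInDomain", "ViewBilling"},
}

# Constructed tag effects: ("add" | "subtract", actions affected).
TAG_EFFECTS = {
    "failed_payment": ("subtract", {"AddUser", "SetBudget"}),
    "suspicious_activity": ("subtract", {"AddUser", "RemoveUser", "SetBudget", "ViewBilling"}),
    "trusted": ("add", {"SetHigherBudgetLimit"}),
}


def template_id(actions):
    """Id for a combinatorial template: a short hash of the sorted action list,
    so the same resulting action set always maps to the same stored template."""
    return hashlib.sha256("\n".join(sorted(actions)).encode()).hexdigest()[:8]


def effective_actions(role, tags):
    """Apply tags to the role template: additions first, then subtractions win."""
    added, removed = set(), set()
    for tag in tags:
        kind, acts = TAG_EFFECTS[tag]
        (added if kind == "add" else removed).update(acts)
    return (set(TEMPLATES[role]) | added) - removed


def resolve_row(user, iam_domain, role, tags=()):
    """Build one row of the mirrored schema, filling in the '???' template column."""
    acts = effective_actions(role, tags)
    return {"user": user, "iam_domain": iam_domain, "role": role,
            "template": template_id(acts), "tags": list(tags), "actions": sorted(acts)}


def users_with_action(rows, iam_domain, action):
    """The reverse query the external system cannot answer: who can do `action`?"""
    return sorted(r["user"] for r in rows
                  if r["iam_domain"] == iam_domain and action in r["actions"])
```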

Permissions – Delete all roles assigned to a user

I use Sentinel from cartalyst.com, but in a stand-alone environment outside of Laravel, although the conditions are more or less the same as within Laravel. I have to provide the option to change a user's role, but under certain circumstances the user has more than one role, and what I want is to delete all the roles the user was assigned to at once, without having to query them one by one and delete the user wherever it appears.

The suggestion to do it one by one would be:

$user = Sentinel::findById($userId);
$role = Sentinel::findRoleByName('Subscribers');
// Remove the user from this one role; repeating this for every role is the one-by-one approach.
$role->users()->detach($user);

What I have specifically tried is:

$user = Sentinel::findById($userId);    // stray closing parenthesis removed
$roles = Sentinel::getRoleRepository(); // returns the role repository, not the user's roles

and it does not return anything.

… Any ideas?

permissions – If the library is not visible to you, why do you see the automatic link in the current navigation?

I remembered that if you stop inheriting permissions from the parent and show the automatic link for a library in the current navigation, users who were removed should NOT see the library link at all. Now they can see the library link, but when they click on it, they see an empty library. I was expecting the Access Denied page, not a library without content (they can see all the metadata columns).

Do I remember wrongly, or has something changed? Is the only way to "hide" the URL to use audience targeting in Settings – Navigation?

I'm using a classic site.

Setting group permissions

I have a lot of users and two groups. Some of them are members of group1 and others are members of group2. I want to allow group1 to access all directories and group2 to access only specific directories. I did some research but I could not get it working. How can I do that?

Thank you.

csom – Access denied to the list after granting permissions to a group in a list

After granting View / Add / Edit / Open / Delete ListItems to a group on a list, users in the group still get Access Denied when attempting to access the list.
Here is the code I used to grant permissions:

var group = clientContext.Web.SiteGroups.GetById(id);

// Permission mask; the View/Add/Edit/Open/Delete ListItems rights described above.
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
permissions.Set(PermissionKind.OpenItems);

// Custom role definition carrying that mask.
RoleDefinitionCreationInformation rdcInfo = new RoleDefinitionCreationInformation();
rdcInfo.Name = "roleDefName";
rdcInfo.Description = "Description";
rdcInfo.BasePermissions = permissions;
RoleDefinition roleDefinition = clientContext.Web.RoleDefinitions.Add(rdcInfo);

// Binding collection holding the new role definition (the Add call was truncated in the original).
RoleDefinitionBindingCollection RoleDefinitionBindingColl = new RoleDefinitionBindingCollection(clientContext);
RoleDefinitionBindingColl.Add(roleDefinition);

// Break inheritance on the list and assign the group there.
List targetList = clientContext.Web.Lists.GetByTitle(listTitle);
targetList.BreakRoleInheritance(true, false);
RoleAssignmentCollection collRoleAssign = targetList.RoleAssignments;
RoleAssignment rollAssign = collRoleAssign.Add(group, RoleDefinitionBindingColl);

// The original also assigns the group at web level.
clientContext.Web.RoleAssignments.Add(group, RoleDefinitionBindingColl);
clientContext.ExecuteQuery();

sharepoint online – error "The object is used in a context different from that associated with the object." when assigning permissions to an element of the subsite

I am currently working on assigning permission groups to a list item that is at the subsite level.

The same code works correctly for the top-level site, but errors occur at the subsite level.

function SetPermissionsToDocSet {
    param ($context, $docSetObject, $groupName, $role)

    try {
        # Lookups below are reconstructed; the original lines were lost in extraction.
        $group = $context.Web.SiteGroups.GetByName($groupName)
        $roleDef = $context.Web.RoleDefinitions.GetByName($role)

        $roleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($context)
        $roleDefBinding.Add($roleDef)

        #Assign permissions
        $docSetObject.RoleAssignments.Add($group, $roleDefBinding) | Out-Null
        $context.ExecuteQuery()
    }
    catch {
        Write-Host $_.Exception.Message
    }
}

The above code works fine if $context is the root site context. I get the error above if $context is a subsite context, and I am unable to add a group to the list item at the subsite level.
Please provide a solution as soon as possible.

security – How to dynamically create and assign user permissions for a group-based service

tldr: How to create a platform allowing users to create private groups and invite other people to these private groups? How to secure these groups?

I'm building a platform around private groups and communities. I'm not sure about the most appropriate model / mechanism for securing groups so that only invited people can read / write.

The technology is Okta and Spring Security.

Should I create groups and use the role claim in an OAuth token? Then when I create a new group, I have to create this group on the authentication server and add it to each invited user. I think it would work, but with Spring Security users would have to log out and log back in to access the new group.

Are scopes another alternative? Or should I use claims, where each newly created group would require the user to "authenticate" with the group?

Should I just limit / control access based on the groups the user profile has assigned to it? It sounds simple but does not seem the safest either.

I'm sure there is a fairly standard way to handle this, but I do not know what approach to take.

Problems with Firefox permissions on Ubuntu 18.04

I'm trying to make Firefox launch Transmission when I click on a magnet link. I followed the instructions from https://support.mozilla.org/en-US/questions/1012864 and I managed to get the "Launch Application" window when I click on a magnet link. However, when I try to navigate to the Transmission binary to select it (which in my case is /usr/bin/transmission-gtk), Firefox shows an error as soon as it tries to access /usr. The error reads "Could not read the contents of usr. Error opening directory /usr: permission denied". Here's a screenshot showing the error:

[Screenshot: Permissions Error]

I am not a permissions expert, but apparently /usr/ is owned by root and everyone has read permission; this is what ls -l / shows:

drwxr-xr-x  12 root root       4096 ago 15 23:23 usr

Firefox processes belong to me too (hulahop is my username), according to ps aux:

hulahop  23113  8.1  4.1 3456980 684420 tty2   Sl+  ago15   2:18 /snap/firefox/243/firefox

There are other child processes, but their owner is the same user. How could I get Firefox to send magnet links to Transmission? I'm using Firefox 68.0.1 (64 bit) on Ubuntu 18.04 LTS. Firefox was installed directly from the Software Center and its permissions are set as follows:

[Screenshot: Software Center permissions for Firefox]

Another problem I encounter with Firefox, which I suppose could be related to the previous one, is that WebGL pages do not work anymore. I have WebGL force-enabled in the about:config page (as shown in https://www.sitepoint.com/firefox-enable-webgl-blacklisted-graphics-card/), but still nothing. I'm sure this is not a problem with my graphics card or its drivers, because WebGL pages work perfectly well on Chromium, which is also installed on this computer.

The funny thing is that Firefox worked well until (I think) the certificate expiration incident that killed all the add-ons a few months ago. Before that, I could use the 3D satellite view of Google Maps without any problem (which requires WebGL) and open magnet links with Transmission. But when that certificate expired, I had to replace Firefox with the Nightly version for a few days, then go back to the stable version. A few weeks later, I started to notice all these problems …

Does anyone have an idea? Any help will be appreciated.

Thanks and best wishes,

PS: Another funny thing: I just discovered that I cannot really change the permissions set for Firefox in the Software Center. Whenever I press one of the switches, I am prompted for the root password, and then I can change all the options as I like. But when I close the window and reopen it, I do not see any of the changes I've made … My Ubuntu is terribly broken, isn't it?