Security Issue With Denying Access To Content Subfolders
By: Brien M. Posey
Reprinted with permission from

The whole point of SharePoint Portal Server is to make
documents from a variety of sources available to your users. It goes without
saying, though, that you probably don’t want all of your users to have access to
every single document. This is probably especially true in the Announcements,
News, or Quick Links folders, and the subfolders beneath them. The problem is
that even if you deny a particular user access to a subfolder beneath the
Announcements, News, or Quick Links folder, there’s a good
chance that the user will still be able to access the document, or at least see
a link to the document.
The problem is related to the way that SharePoint caches
the News, Announcements, and Quick Links Web parts. By default, SharePoint uses
a program level cache for these Web parts, which means that the same cache is
used for every user.
Because the cache is the cause of the problem, the obvious
solution would seem to be to flush the cache after denying access to someone.
However, this only causes more problems. The reason is that after flushing the
cache, the next user who accesses the folder determines the access level for all
subsequent users. For example, if the user that you’ve denied is the next person
to access the Web part after the cache has been flushed, then they won’t have
access to the restricted folders. The problem is that neither will anyone else.
If, on the other hand, the first person to access a Web part after the cache has
been flushed has access to the restricted folder, then everyone will have access
either to the folder itself or to the link (depending on how security has been
implemented elsewhere). The solution to this problem is to configure the Web
part to use user level caching rather than program level caching.
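
The first-visitor effect described above can be reproduced with a small model of the two cache scopes. This is an added example, not SharePoint code and not part of the original article; the users, folders, ACLs and the WebPartCache class are hypothetical, and the 900 second lifetime is the default the article mentions.

```python
import time

# Constructed data: who may read each folder, and the links each folder holds.
ACL = {"Announcements": {"alice", "bob"}, "Announcements/HR": {"alice"}}
LINKS = {"Announcements": ["Office closed Friday"],
         "Announcements/HR": ["Salary review schedule"]}

def render(user):
    """Security-trimmed render: only links from folders the user may read."""
    return [link for folder, links in LINKS.items()
            if user in ACL[folder] for link in links]

class WebPartCache:
    """Toy output cache. per_user=False models one entry shared by all users."""
    def __init__(self, per_user, ttl=900):
        self.per_user, self.ttl, self.store = per_user, ttl, {}

    def get(self, user, now=None):
        now = time.time() if now is None else now
        key = user if self.per_user else "*"   # "*" = program-level scope
        entry = self.store.get(key)
        if entry is None or now - entry[0] >= self.ttl:
            # Cache miss: the output is rendered with the requester's rights.
            entry = (now, render(user))
            self.store[key] = entry
        return entry[1]

    def flush(self):
        self.store.clear()

def first_then_second(per_user, first, second):
    """Flush, let `first` load the part, then return what `second` is served."""
    cache = WebPartCache(per_user)
    cache.flush()
    cache.get(first, now=0)
    return cache.get(second, now=10)

if __name__ == "__main__":
    for scope in (False, True):
        print("per_user =", scope)
        print("  bob after alice:", first_then_second(scope, "alice", "bob"))
        print("  alice after bob:", first_then_second(scope, "bob", "alice"))
```

With the shared scope, bob is served the HR link when alice loads the part first, and alice loses it when bob loads first; with the per-user scope each user only ever receives their own trimmed output.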
To correct this problem, you’ll have to configure
SharePoint to cache the content on a per user basis rather than on a program
level basis. Only a coordinator is capable of performing this action, so the
first step is to log on as a coordinator.
After logging on, open the server’s dashboard site and
click on the Content link in the upper right hand corner of the dashboard. When
you do, you’ll see the Content in “Home” page. This page lists the various Web
parts that make up the dashboard site, as shown in Figure A. Now, select the Web
part that you need to modify. Typically, this will be Announcements, News, or
Quick Links.
Figure A

When you select the Web part that you need to secure,
you’ll see a settings page. For example, if you chose Announcements, you’d see
the Settings For Announcements page. At the bottom of this page is a link for
Show Advanced Settings. Click this link to reveal the Advanced Settings portion
of the page. The Advanced Settings will be appended to the bottom of the
Settings For page.
Toward the bottom of the Advanced Settings section is an
option called Should The Content of This Web Part be Cached? By default, this
option is set to Yes All Users 900 Seconds. The caching is what’s causing the
security problem. Disabling the caching completely tends to degrade performance.
Therefore, rather than disabling the caching, set the caching to Per User, as
shown in Figure B. Click Save twice to return to the main dashboard. You should
now be able to deny access to documents in the subfolder for specific users.
Figure B
