Sharepoint SIG

Thoughts and ideas from your SharePoint support team

Permissions When Giving People Access to One List/Library


Situations arise where it may make sense to allow a group of people access to a single list or library within a site collection without giving them access to other resources on the site collection, including the site’s home page.  It is easy to break inheritance to the library, create a security group for the library and add the people to the group.  However, this has side effects that may not be intended.

When a person who is not included in a security group for the site collection is added to a list or library within the site, SharePoint automatically gives that person a special permission level called “Limited Access”.  This permission is applied at the level above the library, which means that they have Limited Access to the site and therefore Limited Access to all lists and libraries that inherit permissions from the site.  If the current site is a subsite under a site collection, the person is given Limited Access to the site collection as well. SharePoint does this so they have the proper permissions to navigate to the library.  It is not possible to prevent this from happening.  If the Limited Access permission level is removed at the site or site collection level, the person’s access is also removed from the list/library.

Limited Access allows the person to see the site’s Quick Launch (if it has not been hidden by the site administrator) and links to lists and libraries that are included on the Quick Launch and inherit their permissions from the site. They cannot see the contents of the lists and libraries.  They cannot navigate to the site’s home page.  They cannot navigate to “All Site Content” even though the link is available in the Quick Launch and the Site Actions menu.

If the person is given read access to the home page, they can get to the top level of the site if:

They get an “Access Denied” error if:

Note that if, when you add the person’s NSID to the list/library security group, you leave the “Send welcome e-mail to the new users” prompt checked, the default e-mail that gets sent includes the URL to the top level site, not to the list/library.  When they click on the URL in the message expecting to be able to access the list/library upon login, they will receive the “Access Denied” message.  It is preferable to uncheck this checkbox and send e-mail manually with the correct URL and other information.

This situation is not ideal and will be confusing to people, especially those who are not familiar with SharePoint.  If you need to give a group of people access to a single list/library without giving them access to the entire site, there are some options:

  • To prevent them from seeing the names of other lists and libraries, break inheritance on the lists and libraries and remove their Limited Access. This creates additional configuration work both now and in the future, as you will have to edit permissions on each list and library separately.
  • If you don’t want them to see the names of other lists and libraries in the site, hide the Quick Launch (Site Settings -> Tree View -> uncheck “Enable Quick Launch”).  If you do this, you will need to provide a different navigation method for other people so they can easily locate the items that they need.
  • Consider putting the list or library in a subsite under the main site collection and give them read access to the entire subsite including the list or library.  Even though they have Limited Access to the main site collection, they won’t be able to see it unless you give them read access to the home page.  If they know the URL of a specific list or library in the site collection, they can go to it but won’t see its contents.
    • If this is a document library and the source of the documents in the subsite is in a protected area, use the “Send to” command to create a copy in the subsite’s library for each document that needs to be available.  They will be able to view the copy and also update it if they have sufficient privileges.  However, this will only update the copy, not the original document.  Changes to the original document can be copied over using the “Send to -> Existing copies” command in the original site. Or if the original library has major and minor versioning turned on, changes can be sent to the copies when a new major version is published.
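
To see who is currently in this situation on a site, the following added example (not part of the original post) lists every principal whose only permission level on the site is Limited Access, the lists and libraries with broken inheritance where they hold a real permission level, and the Quick Launch names they can see. It assumes on-premises SharePoint 2010 or later and the SharePoint Management Shell; the site URL is a placeholder.

```powershell
# Added example. Assumes on-premises SharePoint 2010 or later, run in the
# SharePoint Management Shell by a site collection administrator.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$webUrl = 'https://sharepoint.example.com/sites/team'   # placeholder URL
$guest  = [Microsoft.SharePoint.SPRoleType]::Guest      # role type behind "Limited Access"
$web    = Get-SPWeb $webUrl

try {
    # Principals whose only permission level on the site itself is Limited Access.
    $limitedOnly = @($web.RoleAssignments | Where-Object {
        $types = @($_.RoleDefinitionBindings | ForEach-Object { $_.Type })
        $types.Count -gt 0 -and @($types | Where-Object { $_ -ne $guest }).Count -eq 0
    } | ForEach-Object { $_.Member })

    # Names these principals can see: Quick Launch entries that inherit from the site.
    $visibleNames = @($web.Lists | Where-Object {
        $_.OnQuickLaunch -and -not $_.HasUniqueRoleAssignments
    } | ForEach-Object { $_.Title })

    $uniqueLists = @($web.Lists | Where-Object { $_.HasUniqueRoleAssignments })

    foreach ($member in $limitedOnly) {
        # Lists/libraries with broken inheritance where the principal holds a real level.
        $grants = foreach ($list in $uniqueLists) {
            foreach ($ra in $list.RoleAssignments) {
                if ($ra.Member.ID -ne $member.ID) { continue }
                $levels = @($ra.RoleDefinitionBindings |
                    Where-Object { $_.Type -ne $guest } | ForEach-Object { $_.Name })
                if ($levels.Count -gt 0) { '{0} [{1}]' -f $list.Title, ($levels -join ', ') }
            }
        }
        New-Object PSObject -Property @{
            Principal      = $member.Name
            GrantedOn      = (@($grants) -join '; ')
            NamesVisibleOn = ($visibleNames -join '; ')
        }
    }
}
finally {
    $web.Dispose()   # SPWeb objects must be disposed explicitly
}
```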
