Sharepoint 2010 Permission level Full Control and explicit deny

I am facing a very frustating permission level issue with Sharepoint 2010. First, everything worked as expected up to few days ago.

I have a user on my sharepoint 2010 env (publishing portal) named rjo who is site collection administrator and has also Full Control permission level.

When I execute the Check Permission command from the ribbon I get the following:

Permission levels given to xxxx\rjo

Full Control
Given through the "xxx Owners" group.

The following factors also affect the level of access for xxx\rjo (xxx\rjo)

Deny
Manage Permissions
Create and change permission levels on the Web site and assign permissions to users and groups.

Deny
Create Subsites
Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.

etc.. Seems like all the individual permissions are set to deny.

If I remove the user rjo from the Full Control permission level, all the deny permissions disappear. I have tried creating a brand new permission level with Allow permission on al items but I still get the deny when I check the permissions. Notice that this happens for all the users.

Does anyone experienced a similar issue? I suspect some kind of Windows update to have messed up the permissions but I cannot find a way to get proper permissions to my users.

May 21st, 2012 12:23pm

The only place in SharePoint that you can apply a deny permission is at the Web Application level in Central Admin.  Those web app permissions take precedence over any permissions at the site collection level or below.  You need to check the permission policy that is applied to the web application in Central Admin.  That's where you will find the Deny permission level.
Free Windows Admin Tool Kit Click here and download it now
May 21st, 2012 1:29pm

This is indeed the first place I checked but unfortunatly all the permissions are set to Grant for the Full Control level.

May 21st, 2012 2:58pm

There are 4 Permission Policies defined by default at the Web applicaiton level in Central Admin.  Make sure that Deny All hasn't been assigned to the user or a group that they are a member or.  This is the one that would apply Deny permisisons to everything.  the Full Control permission level here isn't connected to the one that your site collection admin has.

Free Windows Admin Tool Kit Click here and download it now
May 21st, 2012 6:16pm

Thanks Paul, I have removed all the permission assignments in "Manage Permission Policy Levels" and recreated them.
This seems to have solved my issue.

May 22nd, 2012 7:04am

Hi,

I have same issue but cannot remove "Deny all" from "Manage Permission Policy Level": how have done you? In this moment all permission management are blocked on my Site collection :(

Free Windows Admin Tool Kit Click here and download it now
February 13th, 2013 11:40am

I found the solution on this blog:

http://neelb.wordpress.com/2012/01/18/additions-to-this-web-site-have-been-blocked-sp2010/

Very useful :)

February 13th, 2013 12:01pm

There is another reason this symptom (the inexplicable "deny" on everything, even though appropriate permissions are given) can happen...

In my case, the site had become locked under the quotas and locks section of central admin.  I can't explain why this particular site got locked, because there wasn't enough content to exceed the storage quota, and no webparts had been configured that could have violated the sandboxed solutions quota.  Nevertheless, the site was locked and exhibited this behavior.


Free Windows Admin Tool Kit Click here and download it now
August 9th, 2013 3:19pm

Awesome, Thank you, saved me so much time!  I don't know how the hell my quota got switched to the locked position, maybe when I did some upgrades last week, anyway, problem solved!

I can now edit a page, now I need to figure out why I cant get the context menu when trying to edit a web part even though it no longer shows permission denied.

I never seen the bottom 3 security groups that are set to limited access, its greyed out, so I cant remove that permission, but I added full control to it, and still cant edit the web part.


December 31st, 2013 9:33pm

I had a similar issue.  When checking user permissions on any member of the site collection Owners group, the results were similar to those posted above.  Also noticed that some buttons on the ribbon were missing.  Also found that no user could add content to Library.  The Add button was missing.  Issue was only happening on one site collection in the web application, so it was not a Web App Policy issue.

Eventually discovered that the site collection was locked as read-only.

Central Administration > Application Management > Configure Quotas and Locks
change the web application and site collection as needed to view setting for the affected site collection

Found lock set to 'Read-only'  Changed to 'Not Locked'

Free Windows Admin Tool Kit Click here and download it now
February 24th, 2014 9:06pm

You have no idea how hard it was to find this in search results in both Bing and Google.  Thank you.  
February 12th, 2015 6:07am

Thanks!!

Same resolution for me.  I suspect my problem was due to a failed backup locking the site.

Free Windows Admin Tool Kit Click here and download it now
July 8th, 2015 3:28pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics