MOSS Forum


Hiding files from even the Site Collection Administrator

  Asked By: Marilyn    Date: May 15    Category: MOSS    Views: 5295

We run V3.0 with MOSS 2007.

I have a request from our Top Management to disallow anyone from
seeing any sensitive files or folders in their SharePoint site.

I tried lots of normal ways to prevent site collection admins from
seeing sensitive folders, but to no avail. I tried restricting files
and folders, but each time the Site collection admin can see it.

Then I stumbled upon the use of MY SITE, and experimented with it.
When created it has a Document Library with two document folders in
it. One is PERSONAL, and the other is SHARED. Neither the personal
folder (nor its contents) can be seen by anyone in IT, even the Site
Collection Administrator. Only those people the site owner allows in
the document library permissions will see it.

It seems that the MY SITE has some kind of special permission level
no one can enter except those who the owner allows.

If true, how does a MY SITE do this? And while this method is OK, is
there a better way to do this on a regular sub site?



5 Answers Found

Answer #1    Answered By: Anthony Rutledge     Answered On: May 15

It's not a special permission. It's just that every MySite is a Site
Collection itself and the person whose site it is is the Site Collection
Administrator. There is no one in IT who is the Site Collection
Administrator of that MySite. IT is probably the Site Collection
Administrator of the My Site Provider, but that is a separate Site
Collection. Site Collection Administrators cannot be restricted from
seeing the files in a Site Collection. But you are mistaken about who
is the Site Collection Administrator of a My Site.

Answer #2    Answered By: Heena Nagori     Answered On: May 15

I follow you. Now that you mention it, I seem to recall that a MY
SITE is really a new Site Collection. I got confused because when I
look at the path of MY site, it is under the Main TOP site; example -

So, from that, I assumed MY site was nested under the Main TOP site
as just another subsite.

Answer #3    Answered By: Aishwarya Karmarkar     Answered On: May 15

In the Application Management of Central Administration, there is an
item called "Policy for WebApplication". This item enables you to
give or DENY explicit rights to all site collections that belong to a
WebApplication. For example: if you have a portal at https://portal
and have site collections at https://portal.company.com/sites/...
then an account that has Full Control through the Policy for
WebApplications for the WebApplication of the
https://portal.company.com site also includes Full Control to all of
the site collections under /sites/..! This account does not even have
to be a member of the Site Collection Administrators or "Owner" group
to be able to access everything!

The policy can also include a specific DENY permission for an account
or security group. Keep in mind that the policy is for EVERY site
collection the WebApplication serves.

It is a best practise to give the MySites a WebApplication (using a
URL like https://my.company.com) of their own and every MySite is its
own Site Collection. The user creating the MySite is the Site
Collection Administrator, but by default NT Authority\Authenticated
Users is a Reader on the MySite. Your management can remove the
reading right from their MySite, thus blocking other people from
reading content. The policy for WebApplication cannot be used here to
block 'normal' people from accessing the MySite of the management, as
the policy is for the WebApplication and would block access to
people's own MySite as well.

My suggestion is to create a specific WebApplication for the upper
management sites and use the Policy for WebApplication to DENY access
to the normal folks. The URL could be something like
You have to think about indexing the content of this site and if
administrator or even farm administrator has access to this site...

Note: my example URLs use HTTPS on purpose. Please implement the
portal using secure HTTPS! I also urge you to implement Kerberos as
the authentication scheme.
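
The two access paths described in the answers above (Policy for Web Application entries and Site Collection Administrators) can be listed side by side. This is an added example, not part of the original answer; it uses the WSS 3.0 object model from PowerShell, and the URL is a placeholder assumption.

```powershell
# Added example: list who can reach content in every site collection of one
# web application. Run on a farm server under an account that can open every
# site collection. $WebAppUrl is a placeholder, not a value from the thread.
param([string]$WebAppUrl = "https://portal.company.com")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebAppUrl)
if ($webApp -eq $null) { throw "No web application found at $WebAppUrl" }

# 1. Policy for Web Application: each entry applies to EVERY site collection
#    the web application serves, regardless of site-level permissions.
"Policy for Web Application entries on $WebAppUrl"
foreach ($policy in $webApp.Policies) {
    # Role names are e.g. "Full Control", "Full Read", "Deny Write", "Deny All"
    $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name })
    "  {0,-40} {1}" -f $policy.UserName, ($roles -join ", ")
}

# 2. Site Collection Administrators: these accounts cannot be restricted
#    from seeing files inside their own site collection.
foreach ($site in $webApp.Sites) {
    "Site collection: " + $site.Url
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        "  admin: " + $admin.LoginName
    }
    # SPSite holds unmanaged resources; release it after each iteration.
    $site.Dispose()
}
```

Any account that shows up with Full Control or Full Read in the first list, or as an admin in the second, can read the content no matter how the folders themselves are restricted.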

Answer #4    Answered By: Janell Camacho     Answered On: May 15

I will utilize your explanation and put it in a
folder on my Technical SharePoint site.
