Sharepoint Forum


Any way to grant "read" permissions to all sites in all site collect

  Asked By: Dominique    Date: Jan 10    Category: Sharepoint    Views: 3650

I just found out that our CSOs want to have "read" access to our entire intranet
(possibly including each personal site, public and "private" info). Since this
is not something they had ever requested before, we never really had anything in
place (a global "read" group) to accommodate this.

For IT folks who need to get in and do maintenance and support others, we have
site collection admins and farm-level accounts that can do basically anything in
any site. BUT I want something *like* that, but only w/ read access. The CSOs
sometimes have trouble checking out and editing docs, so I would NOT want
to give them more power and risk all kinds of screw ups.

Help! Any ideas? I don't want to go into each site (we have only 4 site
collections, so most subsites have broken inheritance, and several
lists/libraries, too) and add a "CSO" group w/ read permissions. One, it would
take a long time to do this, but I would also be concerned that each site admin
would have the ability to remove that group. And each new site and personal site
would need to add them in. Just too much to manage at such a granular level.



5 Answers Found

Answer #1    Answered By: Upendra Bordoloi     Answered On: Jan 10

Create a Policy for Web Application that grants them read access to the Web
Application. This will give them read access to all material located in that
web application.

Answer #2    Answered By: Ali Javed     Answered On: Jan 10

On the Application Management tab in the Central Admin web site, in the
Application Security section, click on the link for Web Application Policies.

You can use this to grant a specific AD user or group a permission policy level
to a web application zone that overrides the permissions set at the site
collection level. Set up a Policy for each web application in your environment
assigning the CWO 'Grant Read' access. This will give him read access to
everything in the web app. You will need to set up a policy for each web
application in your SharePoint farm and remember to add new web applications to
the policy list as they are created.
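
The policy described in Answers #1 and #2 can also be audited and applied from a script, which covers the reminder about newly created web applications. The PowerShell below is an added example, not part of the original thread; it assumes a SharePoint 2010 or later server with the Microsoft.SharePoint.PowerShell snap-in, a farm administrator account, and a placeholder group name `CONTOSO\CSO-Readers`.

```powershell
# Added example: audit (default) or apply a Full Read policy on every web application.
# Assumptions: SharePoint 2010+ farm server, farm administrator, classic-mode login name
# (on a claims-mode web application the group must be given in its claims-encoded form).
param(
    [string]$Principal   = 'CONTOSO\CSO-Readers',    # placeholder AD group
    [string]$DisplayName = 'CSO read-only reviewers', # label shown in Central Admin
    [switch]$Apply                                    # without -Apply nothing is changed
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$fullReadType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
$defaultZone  = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

foreach ($wa in Get-SPWebApplication) {
    # Existing all-zones policy entry for the principal, if any
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $Principal } |
              Select-Object -First 1

    $bound   = @()
    if ($policy) { $bound = @($policy.PolicyRoleBindings) }
    $hasRead = @($bound | Where-Object { $_.Type -eq $fullReadType }).Count -gt 0
    # Anything beyond Full Read on this principal is worth a second look
    $other   = @($bound | Where-Object { $_.Type -ne $fullReadType } |
                 ForEach-Object { $_.Name })

    $action = 'none'
    if (-not $hasRead) { $action = 'MISSING Full Read' }
    if ($Apply -and -not $hasRead) {
        if (-not $policy) { $policy = $wa.Policies.Add($Principal, $DisplayName) }
        $fullRead = $wa.PolicyRoles.GetSpecialRole($fullReadType)
        $policy.PolicyRoleBindings.Add($fullRead)
        $wa.Update()                                  # persist the policy change
        $action = 'Full Read granted'
    }

    New-Object PSObject -Property @{
        WebApplication = $wa.DisplayName
        Url            = $wa.GetResponseUri($defaultZone).AbsoluteUri
        HasFullRead    = ($hasRead -or $action -eq 'Full Read granted')
        OtherRoles     = ($other -join ', ')
        Action         = $action
    }
}
```

Run without `-Apply` on a schedule to report any web application that lacks the policy or where the group has picked up a role other than Full Read.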

Answer #3    Answered By: Karrie Wooten     Answered On: Jan 10

So, when you say it overrides the permissions set at the site collection level,
does that mean that they will no longer have the contributor permissions they
already have in several team sites? Or does this simply add "read" to all sites
w/out taking away any higher permission levels made at the site level?

Thanks! This should work very well! I think we only have one web app in our
environment (not sure- I'm not in IT, so I'll check w/ them).

I really appreciate your help! I actually had a dream last night that I found a
solution for this issue, so it's definitely been on my mind too much! And you
literally made my dream come true!

Answer #4    Answered By: Alan West     Answered On: Jan 10

This is the one place in SharePoint where you can set either grant or Deny in
reference to permissions. Since you are talking about granting read access in
this case it would be additive. But it can also be used to Deny a specific set
of permissions for a whole web application. In that case the individual
permission setting of Deny will override the individual permission setting in
the permission level set at the site collection level or lower. But it only
overrides the individual permission in the permission level. Any permission not
set in the policy at the web application level will still be in effect.

For example, let's say you Deny the Edit Item permission in the policy and the
user has contribute at the site collection level. They won't be able to edit
items, but would still have the ability to read items based on their permissions
as a contributor.

Answer #5    Answered By: Maribel Todd     Answered On: Jan 10

This won't take away any of their current permissions, it simply adds a
higher level of permission.