Smile Man Codex: Beyond the site of the Rights Management, Userpolicy

SharePoint2013 in MySite added a new feature called SkyDrive Pro, Laughing Man before the time to study, already have customers have encountered problems:

There is a notification on the SkyDrive Pro page:

"Welcome to your SkyDrive Pro, the place to store, sync, and share your work. Documents are private until gkfx. Learn more here. Dismiss"

That said, the folder you created in SkyDrive Pro by default is not shared with other people, which means that if you don't share to someone else, then he should be invisible to other people.

Now that the problem has arisen, the client confirms that her SkyDrive Pro private folder is still visible to others without sharing it to anyone. Also, she can see private folders inside other customers ' SkyDrive Pro.

The first thing to do, of course, is to go to the site Permisson inside, using permission check to examine the permissions, it is strange, and there is no content can show the exception of permissions. Is it the permissions of SkyDrive Pro that you can display private folders to others by default? This is Microsoft Big Brother self-pendulum oolong?

Permissions for SharePoint can be chased down like this (in parentheses, purely personal fiction, for understanding only):

1. Site collection Administrator, website collection Administrator (site collection-level permissions);
2. Site Onwer, the website owner and the corresponding Member,visitor (site-level permissions);
3. List/library Independent permissions (site content level permissions);
4. Folder/item Independent permissions (Content-level permissions);

For this SkyDrive Pro private folder, I checked all the permissions above the four levels and didn't find anything unusual.

The above four levels of permissions are the user or even the superuser can control all the permissions, but nothing has been found, then there is only one place left: WEB application Permissions!!!

It was a bit of a surprise that the story was here. Because few people at the Web application level to do permission change operation, of course, only farm administrator can do.

After the examination, stunned to find that someone in MySite's Web application User policy added a "Everyone fullRead" (Tick One):

Well, we found the killer. MySite's private folders can be looked at casually because the Web application level is defined as "everyone has read" permission.

After a round of inquiries, the original customer added, but this permission to the SkyDrive Pro to override a feature.

Well, it turns out that on top of the level four permissions that everyday customers can edit, permissions on the WEB application level need to be taken into account, although it's rarely possible to have problems at that level.

Reference:

Http://blogs.msdn.com/b/sharepoint_chs/archive/2012/11/27/skydrive-pro-5.aspx

Smile Man Codex: Beyond the site of the Rights Management, Userpolicy