Web collaboration consultant, public speaker and Microsoft Press Author. @resing on twitter

What is Limited Access? And how do I remove it?

Update 8/6/2014: 2 new links: A warning on removing limited access and another “What is Limited Access” post.

Do you ever forget things that you’ve learned before? I do.

Case in point, last week I was looking at a page similar to this:

image

begging the question at the top of the post. The above snip of a SharePoint 2010 site gives me almost no clue what that permission level, Limited Access, might mean. In my case, it was a SharePoint 2007 site, but they act very similar.

Drilling down to edit the user’s permission gives a little more information, as shown below, but I’m still left wondering, how miwise was given this Limited Access. More to the point, How do I remove it? I clearly can’t use that greyed out checkbox to take Limited Access away.

image

The answer to why is clear when you read the documentation

  • Limited Access    Can view specific lists, document libraries, list items, folders, or documents when given permissions.

Note   You cannot assign this permission level to users or to SharePoint groups. Instead, Office SharePoint Server 2007 automatically assigns this permission level to users and to SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Office SharePoint Server 2007 automatically grants them Limited Access on the list, and also on the site, if needed.

In other words, if you’re looking to understand why a user or group has limited access, look first at the places permission inheritance has been broken, then you may find an escalated permission.

To remove limited access, restore inheritance or remove the higher level permission given to the item or items.

19 Comments
  1. To explain in another way – limited access happens when you give users access to a specific document or document library, (as apposed to adding them to the default Members, Owners or Visitors groups).

    You can’t just delete limited access. If you do that you will revoke the access of everyone who had limited access assigned to them.

    You first need to determine where they had this access so you can fix it by possibly creating a new group, placing the users into that group, then assigning the Group to the document library.

    If you have SharePoint 2007, you’ll need to go into each and every document library / list and check the permission levels under the Settings.

    If they are all inheriting permissions, it means that the users have been given access on an item level instead, ie: to specific documents. (And this is why its a bad idea to do this).

    Now you’ll need to go into each and every single document’s settings to see who has special access.

    When you find the source, then yes, you need to inherit permissions again to remove the limited access thing. The more documents you have on your site, the longer this is going to take you.

    It comes down to planning. If you are granting permissions on a document level, your planning is wrong. It is near impossible to manage your sites like this. You need special 3rd party software in order to do that. SharePoint 2010 is alot better as it has better built in reporting.

    Worst case, break permissions on a Library (or list) level. Best case, don’t break permissions at all and keep special users on their own site – especially if you are new to SharePoint or don’t understand how permissions fits together. It takes lots of experience to get this under the belt properly.

    Kind Regards,

    Veronique Palmer

    Lets Collaborate

  2. Veronique,

    Thanks so much for your contribution to the post. I love how your comment adds more text, and arguably, more value than my original post!

    Inheriting permissions is a tricky topic. There is a great discussion in the Microsoft SharePoint 2007 Administrator’s Companion. Even there, it basically boils down to a failing in the User Interface and the need for 3rd party tools just to keep track of where these suggested practices might not be followed.

    SharePoint 2010 is 100 times better in identifying and reporting on inheritance breaks, but it will continue to be relevant until at least v15.

    Tom

  3. Very nice site!

  4. I always appreciate comments. Especially positive ones!

  5. This is good information to know as we are upgrading our sites to SP2010 in a few weeks.

    What is the impact of having both permissions levels assigned to a user or group?

  6. Hi Kiah,

    When an item has multiple permissions granted to a user or group, the permissions are combined.

    For example, in the screen shot above, miwise has Contribute and Read. Combining the permissions of both groups really results in Contribute permission since Contribute already has the permissions of Read.

    -Tom

  7. I have taken your advice and changed the site permissions to remove the limited access restrictions. However, the limited access is still visible and prevents me in my admin and user profiles from changing views in lists.

    What puzzles me is my spAdmin login is restricted with limited access too which makes no sense.

  8. Andy,

    If your site owner can not change views in a list, most likely, permissions are not inheriting from the site for that list.

    I recommend the following office.com article on permission inheritance in lists. There is a section on restoring permission inheritance that may help: http://office.microsoft.com/en-us/sharepoint-help/edit-permissions-for-a-list-library-or-individual-item-HA102833689.aspx

    Tom

  9. I understand what this permission level means. I don’t think it belongs on this screen, though. It’s difficult to get a good picture of who has access to what, when the list is cluttered with ‘limited access’ lines.

  10. Chris,

    I agree with you that it is difficult. I recommend you avoid this situation unless it is necessary. As I wrote above, “to remove limited access, restore inheritance or remove the higher level permission given to the item or items.”

    In other words, this happens when a user has a permission granted on this specific list or list item when they otherwise wouldn’t have that permission through inheritance from the site or list.

    Tom

  11. I would prefer to remove this from my screens because it obscures the main information about who has permissions to access a resource. I can see how this information might be useful if you’re trying to find an obscure problem, but it makes it much more difficult to get a quick picture of permissions.

    I’m constantly revisiting security on my sharepoint items because on our sharepoint 2010 installation, we have the lovely bug where people randomly disappear from permissions lists, and I suspect I will be repairing our sites every week for the next 7 years (then we can move on, and find out the permanent bugs associated with Sharepoint 2020).

  12. Is there any way to determine inheritance breaks without a server script? I work for a larger organization with many sharepoint sites. I’m a local resource and inherited my department’s site.

  13. @Judy Yes. If you go to Site Settings > Site Permissions, you should see a link that says Show me uniquely secured content

  14. Hi Tom,

    I have created a new user group and need to assign that user group with access to a sharepoint list. All the other list that are available shouldnt be accessible for them..

    How to go about it.

  15. Hi Karthi,

    Go to the list settings > Permissions for this list, break inheritance and add the group. More detail here: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/edit-permissions-for-a-list-library-or-individual-item-HA102833689.aspx

    Tom

  16. Still relevant today – thanks…

  17. Does anyone have a recommendation for a product or script to clean up Limited Access permissions that are no longer used? i.e., there are no lower level items uniquely permissioned for the user/group which is granted limited access.

Leave a Reply