Permissions modified on sub-sites, items when changing inheritance of parent sites, items
This post describes a by-design behavior. The following site gives you deeper information regarding this behavior: https://blog.krichie.com/2007/04/05/beware-of-cascading-deletes-in-wssmoss/
Detailed Description of the Issue
This behavior appears when the permission inheritance of a site in the hierarchy of a site collection has been changed. People are suddenly able to access other people's private documents.
When permission inheritance on a site is set back to its original value, the permissions on all children (and grandchildren, great-grandchildren, and so on) are also set to the original value, i.e. “Use same permissions as parent site”.
Deeper Information - Imagine the Following Scenario
Sites Hierarchy
Step by Step to Repro the Scenario
- Create the following users: "user1", "user2", "user3", "user4", "user5", "limiteduser"
- Hover over DocumentA1, choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the item
- Add user1 to the item with contribute permission
- Navigate to the Shared Documents library in SubsiteA1
- Hover over FolderA1 and choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the folder
- Add user2 to the folder with contribute permission
- Navigate to SubsiteA
- Hover over DocumentA, choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the item
- Add user3 to the item with contribute permission
- Hover over FolderA and choose "manage permissions" and use "Actions" - "edit permissions" to break permission inheritance for the folder
- Add user4 to the folder with contribute permission
- Navigate back to SubsiteA
- Select "site actions" - "site settings" - "Advanced permissions" - "actions" - "edit permission" to break permission inheritance for SubsiteA
- Add user5 to the site with read permission
- Navigate to the root site of the collection
- Add user "limiteduser" to the root site with read permission
- Navigate to SubsiteA
- Select "site actions" - "site settings" - "Advanced permissions" - "actions" - "inherit permission" to enable permission inheritance for SubsiteA
- Verify the permissions for the following items, folders and lists:
  - /SubsiteA/Shared Documents/FolderA
  - /SubsiteA/Shared Documents/FolderA/DocumentA
  - /SubsiteA/SubsiteA1/Shared Documents/FolderA1
  - /SubsiteA/SubsiteA1/Shared Documents/FolderA1/DocumentA1
Result / Notes
- Permission inheritance has been enabled again for all child sites, lists, folders and items.
- As a result, users who had been given access to these child sites, lists, folders or items can no longer access them.
- It also means that users who should not have access to these child sites, lists, folders or items can now access them if they have permissions on the site above the one where permission inheritance was enabled again.
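Because re-enabling inheritance resets every descendant, it helps to record which objects carry unique permissions before making the change. The script below is an added example, not part of the original post: it walks a site with the SharePoint server object model and exports each unique role assignment to CSV. It assumes it runs on a SharePoint server under PowerShell 2.0 or later; the site URL and output file name are placeholders.

```powershell
# Added example: list every object with unique permissions under a site.
# Assumptions: run on a SharePoint server, PowerShell 2.0 or later;
# $SiteUrl and $OutFile are placeholders.
param(
    [string]$SiteUrl = "http://sharepoint.example/SubsiteA",
    [string]$OutFile = "unique-permissions.csv"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Emit one row per role assignment on a securable object.
function Get-RoleRows($securable, [string]$type, [string]$webUrl, [string]$path) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        New-Object PSObject -Property @{
            Type = $type; Web = $webUrl; Path = $path; Member = $ra.Member.Name; Roles = $roles
        }
    }
}

# Walk the web, its lists, folders, items and child webs recursively.
function Get-UniquePermissions($web) {
    if ($web.HasUniqueRoleAssignments) { Get-RoleRows $web "Site" $web.Url "" }
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            Get-RoleRows $list "List" $web.Url $list.RootFolder.Url
        }
        # Folders and Items are separate collections; both can break inheritance.
        foreach ($coll in $list.Folders, $list.Items) {
            foreach ($item in $coll) {
                if ($item.HasUniqueRoleAssignments) {
                    Get-RoleRows $item "Item" $web.Url $item.Url
                }
            }
        }
    }
    foreach ($sub in $web.Webs) {
        try { Get-UniquePermissions $sub } finally { $sub.Dispose() }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.OpenWeb()
    try {
        Get-UniquePermissions $web | Select-Object Type, Web, Path, Member, Roles |
            Export-Csv -Path $OutFile -NoTypeInformation
    } finally { $web.Dispose() }
} finally { $site.Dispose() }
```

Enumerating `$list.Items` loads every item in the list, so expect this to be slow on large libraries.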
How to Reapply the Permissions?
The only way, out of the box, to get them back is a database restore.
Third Party Solution
You can find tools on the Internet to restore/import permissions from a database restored in parallel.
For example, a Bing search for the keywords "security permission sharepoint clone" will give you interesting results.
By Yamine Taïeb - SharePoint escalation engineer