In our SharePoint 2010 Enterprise internal company website, we have a SharePoint Admin group, say, CompanySP_Admin. We have created a 'Full Control permission level' that is a SharePoint permission level (as explained in MSDN here).

As explained in the last section of above MSDN article, users can assign this permission level to other users or groups. We want only the members of the CompanySP_Admin group to be able to assign this permission level to other users or group. How can we achieve this?

Thanks.

nam

1 Answer

You can't. SharePoint uses discretionary access control, and this is just the way it is. I'm not going to argue that this isn't seriously annoying - in fact, this is the one of the most frequently asked for things by clients in my ten years of SharePoint consulting.

That said, what you really need to do is figure out if these other groups really need Full Control. Look closer at the various rights and revisit the requirements - I'll bet they don't actually need full control, just contributor plus some extra rights. If they really do need full control, then it's a question of training and following established company policies.

x0n
  • Could you create an event receiver that listens for that specific permission level to be assigned and cancels if it's done by anyone that's not a member of the admin group? – Ola Ekdahl Dec 16 '13 at 04:52
  • Well, event receivers are coupled to lists. They don't fire for arbitrary containers like sharepoint groups. If you really, really want to do that, you should use MSSQL triggers to watch for it in the database but this is mostly undocumented. – x0n Dec 18 '13 at 20:20
  • It's not an arbitrary object. Most everything is stored in lists in SharePoint including groups, users, permission sets, etc. It's just a matter of finding the list. People and Groups is stored in a list called User Information List. – Ola Ekdahl Dec 18 '13 at 23:20
  • @OlaEkdahl - The User Information list is not an authoritative source for anything. It contains user info (not full users - just login, name, email) about users that have visited the site, but are not explicitly part of any groups belonging to that site. SPGroup, SPUser, SPPermission instances etc are part of the database - they are NOT in lists. You are mistaken. – x0n Dec 19 '13 at 21:36
  • You're 100% correct about SPGroup, SPUser, etc. I was thinking that the user<->permission level relationship was in a hidden list somewhere. By the way I found out that User Information List doesn't fire events like other lists, http://msdn.microsoft.com/en-us/library/aa979520.aspx. – Ola Ekdahl Dec 20 '13 at 01:48
  • Well, I'm glad the twelve years working with sharepoint hasn't been for nothing ;) Yes, hidden lists like the UIL will never waste cycles by triggering events. MSSQL or nothing, sorry. Can you please mark my answer as correct? :) – x0n Dec 21 '13 at 03:24
  • I would but I don't have enough rep to mark answers to questions asked by others as correct. – Ola Ekdahl Dec 31 '13 at 22:39
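Since the answer's point is that SharePoint cannot enforce this and you are left with policy, the practical compensating control is a periodic audit: enumerate who holds the custom permission level on the site and flag anyone outside CompanySP_Admin. The script below is an added example written for this thread, not code from the answer or from Microsoft; the site URL is assumed, and the level and group names are the ones from the question.

```powershell
# Added example: audit holders of a custom permission level on one SPWeb and
# report principals that are not the admin group (or its direct members).
# Run in the SharePoint 2010 Management Shell as a user with read rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://intranet.example.local"   # assumed site URL
$levelName  = "Full Control permission level"   # from the question
$adminGroup = "CompanySP_Admin"                 # from the question

$web = Get-SPWeb -Identity $siteUrl
try {
    # Login names of the admin group's members, so a direct assignment to one
    # of those users is also treated as expected rather than flagged.
    $adminLogins = @($web.SiteGroups[$adminGroup].Users | ForEach-Object { $_.LoginName })

    $findings = foreach ($ra in $web.RoleAssignments) {
        # Skip assignments that do not bind the level we are auditing.
        $levels = $ra.RoleDefinitionBindings | ForEach-Object { $_.Name }
        if ($levels -notcontains $levelName) { continue }

        $member   = $ra.Member   # SPGroup or SPUser
        $expected = ($member.Name -eq $adminGroup) -or ($adminLogins -contains $member.LoginName)

        [pscustomobject]@{
            Web       = $web.Url
            Principal = $member.Name
            Type      = $member.GetType().Name
            Expected  = $expected
        }
    }

    # Only the unexpected holders are the findings worth acting on.
    $findings | Where-Object { -not $_.Expected } | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```

Subsites that break inheritance have their own role assignments, so repeat the check for every web where HasUniqueRoleAssignments is true; scheduling the script and diffing its output over time gives you the detection the platform itself does not offer.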