2013 – SharePoint permissions for intranet site

I was wondering if anyone could help me decide how to best implement SharePoint permissions for the site I'm working on. I am using SharePoint Classic for Office365. It is an intranet site with different departments, which means that we have unique permissions at almost every level, or at least at the first level. An example structure of the site with the required permissions is as follows:

0-Home: Administrators (AD group); All employees (AD group)

1-Employee: Administrators (AD group); All employees (AD group)

2-HR: Administrators (AD group); HR Manager (AD group); HR staff (AD group); Username1 (user); adhocemployee1 (user)

3-Manager: Administrators (AD group); HR Manager (AD group)

3-Employees: Administrators (AD group); HR staff (AD group); All employees (AD group)

2-IT: Administrators (AD group); IT staff (AD group)

1-Non-Employees: Administrators (AD group); All employees (AD group); All non-employees (AD group)

Here 0, 1, 2 and 3 are the different site levels, where 0 is the top level and 3 is the third level of subsite. Since the permission levels we will mainly use are Read, Contribute and Full Control, I plan to create 3 SharePoint groups for each subsite: 3 for Employee, 3 for HR, and so on. I am not sure if this is the right approach. Would it be better to assign permissions to all users / AD groups individually rather than organizing them into groups? We also have library-level permissions assigned to users / AD groups, because users in our organization access them. This makes it a bit complicated and difficult to manage the ad-hoc requests that repeatedly come in for access to specific subsites / libraries.

My approach:

Permissions for the HR site:

HR Admins (group) -> Full Control -> members: Administrators (AD group)

HR Readers (group) -> Read -> members: HR Manager (AD group); HR staff (AD group)

HR Contributors (group) -> Contribute -> members: HR Manager (AD group); Username1 (user)

The other approach, which I am not inclined towards, is this:

HR Manager (AD group) -> Contribute

Username1 (user) -> Read

HR staff (AD group) -> Read

Administrators (AD group) -> Full Control

adhocemployee1 (user) -> Read

I hope someone can tell me which approach suits my scenario better.

Thanks a lot!
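The structure asked about above can be checked mechanically: which users end up with which level on which subsite, once SharePoint groups, AD groups and inheritance are all taken into account. The following resolver is an added example, not code from the question or from SharePoint itself. It assumes a simplified model in which a subsite either inherits from its parent or carries its own assignments, and a user's effective level is the highest one reachable directly, via an AD group, or via a SharePoint group containing the user or one of their AD groups. All site, group and user names are constructed to mirror the question's outline, with the "one SharePoint group per permission level" approach applied to the HR site.

```python
"""Effective-permission resolver for a SharePoint-style site tree (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LEVEL_RANK = {"Read": 1, "Contribute": 2, "Full Control": 3}


@dataclass
class Site:
    name: str
    parent: Optional[str]
    # None = inherit from parent; otherwise principal -> permission level
    assignments: Optional[Dict[str, str]] = None


# Constructed site tree: Home is level 0, HR/Manager and HR/Employees are level 3.
SITES: Dict[str, Site] = {
    "Home": Site("Home", None, {"Administrators": "Full Control", "All employees": "Read"}),
    "Employee": Site("Employee", "Home"),  # inherits from Home
    "HR": Site("HR", "Employee", {          # one SharePoint group per permission level
        "HR Admins": "Full Control",
        "HR Readers": "Read",
        "HR Contributors": "Contribute",
    }),
    "HR/Manager": Site("HR/Manager", "HR",
                       {"Administrators": "Full Control", "HR Manager": "Contribute"}),
    "HR/Employees": Site("HR/Employees", "HR",
                         {"Administrators": "Full Control", "HR staff": "Contribute",
                          "All employees": "Read"}),
    "IT": Site("IT", "Employee", {"Administrators": "Full Control", "IT staff": "Contribute"}),
}

# Constructed AD group membership (AD group -> users).
AD_GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"admin1"},
    "All employees": {"alice", "bob", "carol", "username1"},
    "HR Manager": {"alice"},
    "HR staff": {"bob"},
    "IT staff": {"carol"},
}

# Constructed SharePoint group membership; members may be users or AD groups.
SP_GROUPS: Dict[str, Set[str]] = {
    "HR Admins": {"Administrators"},
    "HR Readers": {"HR Manager", "HR staff"},
    "HR Contributors": {"HR Manager", "username1"},
}


def principals_for(user: str) -> Set[str]:
    """Every name an assignment could be granted to that resolves to this user."""
    names = {user} | {g for g, members in AD_GROUPS.items() if user in members}
    names |= {g for g, members in SP_GROUPS.items() if members & names}
    return names


def governing_site(site: str) -> Site:
    """Walk up the tree to the nearest site that does not inherit."""
    node = SITES[site]
    while node.assignments is None:
        node = SITES[node.parent]
    return node


def effective_level(user: str, site: str) -> Optional[str]:
    """Highest permission level the user holds at the site, or None."""
    names = principals_for(user)
    levels = [lvl for p, lvl in governing_site(site).assignments.items() if p in names]
    return max(levels, key=LEVEL_RANK.__getitem__) if levels else None


def who_has(site: str, at_least: str) -> List[str]:
    """Audit helper: users whose effective level at the site is at least `at_least`."""
    users = set().union(*AD_GROUPS.values())
    users |= {m for ms in SP_GROUPS.values() for m in ms if m not in AD_GROUPS}
    return sorted(u for u in users
                  if (lvl := effective_level(u, site)) is not None
                  and LEVEL_RANK[lvl] >= LEVEL_RANK[at_least])


if __name__ == "__main__":
    for site in SITES:
        print(f"{site}: readers or better = {who_has(site, 'Read')}")
```

Because every assignment on the HR site goes to a SharePoint group, granting a new person Contribute there is one membership change in HR Contributors; under the direct-assignment approach the same change is a new role assignment on every site and library where that person needs access, which is exactly what makes the ad-hoc requests hard to track.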

8 – Media field permissions

I have a specific use case. I have an entity with a "media" reference field. I want users to be able to add, edit or delete assets without granting them the "Edit any media" or "Delete any media" permissions. I want the media field to inherit permissions from the parent entity, just as the Paragraphs module does.

Any ideas how this can be achieved? Many thanks.

Is tagging an acceptable way to add or remove user permissions in a role-based system?


  • Our users can have one role per account (internally an IAM domain), but can have roles for multiple accounts.
  • Each role is defined as a list of allowed actions.

  • In certain cases, for example failed payments or suspicious activity, we would like to restrict some of their actions.
  • We can also imagine cases where we grant additional privileges to trusted or verified users, such as higher budget limits.

My thoughts

  • Although these circumstances are about permissions, I do not think they are meaningful as "roles" per se, and I also feel that "roles" can become chaotic when a user can have multiple roles in an account (but maybe that's alright, I'm not sure).
  • And because of the mutual exclusiveness of such circumstances, I thought tags might be the best way to express these subtractions from and additions to permissions.

But I ask myself, am I just adding unnecessary complexity? Are they really just additional "roles" and should I allow users to have multiple roles per account? Or has my system grown out of the "roles" and should I completely migrate to tags? If both options are used in practice, what are the key factors?

The rest is optional; it only describes the current architecture in case it helps.

OPTIONAL: Current architecture

We rely on an external system to store and provision user permissions. (We can influence it, but it's not easy to change it because the system serves a much larger ecosystem than just our product.) We can ask this system

Hey, can user Alice do action GetUsersInDomain in the IAM domain org/6c1b5c24/75247aeb?

and it will answer yes or no. But it cannot answer questions like

Hey, who are all the users who can do GetUsersInDomain in the IAM domain org/6c1b5c24/75247aeb?

This is fine for most applications, but not for creating a management interface in which, for example, all "administrators" of a particular account need to be displayed.

Now, the external system has a concept of templates (sorry if this is obvious and fundamental): just a list of actions, which essentially correspond to what our product calls a role (e.g. "admin"). Suppose these are some roles:

To query users for roles, we have created a service that mirrors and extends the external authorization system with a schema such as the following:

| user | iam_domain            | role   | template |
|------|-----------------------|--------|----------|
| 1    | org/6c1b5c24/75247aeb | admin  | b7a3fe18 |
| 2    | org/6c1b5c24/75247aeb | viewer | 29416fe6 |
| 3    | org/5e02bab7/dd389a37 | admin  | b7a3fe18 |

Here, user, iam_domain and template are concepts already stored in the external system, and technically we do not really need role: for example, we always know that the "admin" template is "b7a3fe18". After mirroring permissions in this way, we can now query by role as we want.

The new challenge, however, is: how do we implement several independent roles per user and IAM domain?

Here is my suggestion:

| user | iam_domain            | role   | template | tags                |
|------|-----------------------|--------|----------|---------------------|
| 1    | org/6c1b5c24/75247aeb | admin  | b7a3fe18 |                     |
| 2    | org/6c1b5c24/75247aeb | viewer | 29416fe6 | failed_payment      |
| 3    | org/5e02bab7/dd389a37 | admin  | b7a3fe18 | suspicious_activity |

This would allow independent subtractions from and additions to privileges (as long as we have a proper precedence hierarchy and properly code the logic and the resulting templates).
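The tag suggestion above only works if the precedence between additions and subtractions is fixed in code, so the following resolver, an added example rather than code from the question or its external system, spells one such rule out. It assumes the mirror table from the question, a catalogue mapping each template id to the actions it allows, and a tag catalogue in which every tag is either a "grant" (add actions) or a "deny" (subtract actions); grants apply first and denies last, so a restriction such as failed_payment always beats a privilege such as verified, and a tag the code does not recognise fails closed. Template ids and domains are the question's sample values; the action names, the tag definitions and the fourth row are constructed.

```python
"""Role templates plus tag modifiers: effective actions and reverse lookup (added example)."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed action lists for the two templates in the question's table.
TEMPLATES: Dict[str, FrozenSet[str]] = {
    "b7a3fe18": frozenset({"GetUsersInDomain", "InviteUser", "RemoveUser",
                           "UpdateBilling", "CreateProject"}),        # "admin"
    "29416fe6": frozenset({"GetUsersInDomain", "ViewProject"}),        # "viewer"
}

# Constructed tag catalogue: tag -> (kind, actions); kind is "grant" or "deny".
TAGS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "failed_payment": ("deny", frozenset({"CreateProject", "InviteUser"})),
    "suspicious_activity": ("deny", frozenset({"InviteUser", "RemoveUser",
                                               "UpdateBilling", "CreateProject"})),
    "verified": ("grant", frozenset({"RaiseBudgetLimit"})),
}

# Mirror table rows from the question, plus a constructed fourth row that
# carries both a grant and a deny tag to exercise precedence.
MIRROR: List[dict] = [
    {"user": 1, "iam_domain": "org/6c1b5c24/75247aeb", "role": "admin",
     "template": "b7a3fe18", "tags": []},
    {"user": 2, "iam_domain": "org/6c1b5c24/75247aeb", "role": "viewer",
     "template": "29416fe6", "tags": ["failed_payment"]},
    {"user": 3, "iam_domain": "org/5e02bab7/dd389a37", "role": "admin",
     "template": "b7a3fe18", "tags": ["suspicious_activity"]},
    {"user": 4, "iam_domain": "org/5e02bab7/dd389a37", "role": "admin",
     "template": "b7a3fe18", "tags": ["verified", "failed_payment"]},
]


def effective_actions(row: dict) -> FrozenSet[str]:
    """Template actions, with grant tags added first and deny tags removed last."""
    unknown = [t for t in row["tags"] if t not in TAGS]
    if unknown:
        # An unrecognised tag might be a restriction we cannot interpret: fail closed.
        raise ValueError(f"unknown tags {unknown} on user {row['user']}")
    mods = [TAGS[t] for t in row["tags"]]
    actions = set(TEMPLATES[row["template"]])
    for kind, acts in mods:
        if kind == "grant":
            actions |= acts
    for kind, acts in mods:
        if kind == "deny":
            actions -= acts
    return frozenset(actions)


def can(user: int, iam_domain: str, action: str) -> bool:
    """The forward question the external system answers: may this user do X here?"""
    return any(action in effective_actions(r) for r in MIRROR
               if r["user"] == user and r["iam_domain"] == iam_domain)


def who_can(iam_domain: str, action: str) -> List[int]:
    """The reverse question the external system cannot answer."""
    return sorted(r["user"] for r in MIRROR
                  if r["iam_domain"] == iam_domain and action in effective_actions(r))


def users_with_role(iam_domain: str, role: str) -> List[int]:
    """For the management UI: everyone holding a role in a domain, tags notwithstanding."""
    return sorted(r["user"] for r in MIRROR
                  if r["iam_domain"] == iam_domain and r["role"] == role)


if __name__ == "__main__":
    for row in MIRROR:
        print(row["user"], row["iam_domain"], sorted(effective_actions(row)))
```

Note the split between users_with_role and who_can: the first answers "who are the admins" for the UI, the second answers "who can actually do CreateProject" once tags are applied, and the two deliberately disagree for user 3 and user 4. If the mirror is also what the product enforces, the mirrored actions must be recomputed whenever a template changes upstream, otherwise the two systems drift apart.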

Permissions – Remove all roles assigned to a user

I use Sentinel from cartalyst.com, but in a standalone environment outside Laravel (although the conditions in Laravel would be more or less the same). I have to provide the option to change a user's role, but in some circumstances the user has more than one. I want all the roles the user has been assigned to be removed at once, without having to query and delete them one after the other where they are displayed.

The suggestion to do it one after the other would be:

$user = Sentinel::findById($userId);
$role = Sentinel::findRoleByName('Subscribers');
// Detach this one role from the user; this has to be repeated for every role.
$role->users()->detach($user);

What I specifically tried is:

$user = Sentinel::findById($userId);
// Returns the role repository object itself, not the roles assigned to $user.
$roles = Sentinel::getRoleRepository();

and returns nothing.

… any ideas?

Permissions – If the library is not visible to you, why is the automatic link displayed in the current navigation?

I seem to remember that, if you stop inheriting permissions from the parent and show the automatic link to a library in the current navigation, the users who were removed should NOT see the library link. Now they can see the library link, but if they click on it, they see an empty library. I expected an access-denied page, but no: only the library with no content (although they can see all the metadata columns).

Do I remember wrongly, or has something changed? Is the only way to "hide" the URL to use audience targeting in Settings – Navigation?

I use a classic page.

Set group permissions

I have many users and two groups. Some of them are members of Group1 and others are members of Group2. I want to allow group1 to access all directories and allow group2 to access certain directories. I did some research but could not fix it. How can I do that?

Many thanks.

csom – Denied access to list after permissions have been granted to a group in a list

After granting View / Add / Edit / Open / Delete ListItems to a group on a list, the users of the group are still denied access when they try to open the list.
Here's the code I used to grant permissions:

Web web = clientContext.Web;
var group = web.SiteGroups.GetById(id);

// Rights named in the question. Note that a custom level without Open and
// ViewPages cannot open the site or list pages that lead to the items.
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.OpenItems);
permissions.Set(PermissionKind.DeleteListItems);

RoleDefinitionCreationInformation rdcInfo = new RoleDefinitionCreationInformation();
rdcInfo.Name = "roleDefName";
rdcInfo.Description = "Description";
rdcInfo.BasePermissions = permissions;
RoleDefinition roleDefinition = web.RoleDefinitions.Add(rdcInfo);

// The binding collection must contain the role definition before it is used.
RoleDefinitionBindingCollection RoleDefinitionBindingColl = new RoleDefinitionBindingCollection(clientContext);
RoleDefinitionBindingColl.Add(roleDefinition);

List targetList = web.Lists.GetByTitle(listTitle);
targetList.BreakRoleInheritance(true, false);
RoleAssignmentCollection collRoleAssign = targetList.RoleAssignments;
RoleAssignment rollAssign = collRoleAssign.Add(group, RoleDefinitionBindingColl);

web.RoleAssignments.Add(group, RoleDefinitionBindingColl);
// Nothing above reaches the server until the batch is executed.
clientContext.ExecuteQuery();

Linux Apache: Script PHP files do not inherit permissions from the top folder

I've created a PHP script that copies a bunch of image files to a shared folder on another server.

The shared folder has the following RWX permissions for all users / groups:

drwxrwxrwx  59 www-data  www-data  2006 19 ago 10:15 Z_LISTADO

The script is, logically, executed by the web server under its default user www-data.

The problem I have is that when copying the images, they do not inherit the permissions of the top directory Z_LISTADO, but get the following permissions:

drwxrwxrwx  6 www-data  www-data       204 19 ago 10:27 .
drw-r--r--+ 8 www-data  www-data       272 16 ago 16:05 ..
-rw-------  1 www-data  www-data   9389509 19 ago 10:27 03940.jpg
-rw-------  1 www-data  www-data   4629716 19 ago 10:27 04758.jpg
-rw-------  1 www-data  www-data  11524286 19 ago 10:27 14306.jpg
-rw-------  1 www-data  www-data   3358720 19 ago 10:27 23530.jpg

Afterwards I can no longer use them with a user other than www-data 🙁

Has anyone had a similar problem? I do not know if I can set an umask at the Apache user level, or if I am missing some detail.

Thanks in advance.
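The listing above is what a umask of 077 produces: on a POSIX filesystem a new file does not take its mode from the parent directory (only the directory's setgid bit and a default ACL, which the "+" on the parent entry in the listing hints at, influence new entries); the mode is the creation mode the program asks for, 0666 for an ordinary create, minus the bits in the process umask, so a drwxrwxrwx parent still yields -rw------- children. The script below is an added example, not code from the post, that reproduces the effect in a scratch directory and shows the defensive fix of setting the mode explicitly after the copy instead of relying on whatever umask the web server inherited. File names are constructed to match the listing.

```python
"""Why copied files end up -rw------- and how to set their mode explicitly (added example)."""
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def umask(mask: int):
    """Temporarily set the process umask (it is process-wide state, so restore it)."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)


def expected_mode(requested: int, mask: int) -> int:
    """Mode the kernel will assign: the requested bits minus the umask bits."""
    return requested & ~mask & 0o777


def create_with_umask(directory: str, name: str, mask: int, requested: int = 0o666) -> int:
    """Create an empty file under the given umask and return its actual mode."""
    path = os.path.join(directory, name)
    with umask(mask):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def copy_with_mode(src: str, dst: str, mode: int) -> int:
    """Copy the data, then set the mode explicitly instead of trusting the umask."""
    shutil.copyfile(src, dst)   # dst is created as 0666 & ~umask, the same rule PHP's copy() follows
    os.chmod(dst, mode)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo() -> tuple:
    """Run the three cases in a scratch directory with the same 0777 mode as Z_LISTADO."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)
        restrictive = create_with_umask(d, "03940.jpg", 0o077)   # the post's situation
        typical = create_with_umask(d, "04758.jpg", 0o022)       # a common web-server umask
        fixed = copy_with_mode(os.path.join(d, "03940.jpg"),
                               os.path.join(d, "03940-shared.jpg"), 0o664)
        return restrictive, typical, fixed


if __name__ == "__main__":
    for label, mode in zip(("umask 077", "umask 022", "explicit chmod"), demo()):
        print(f"{label}: {oct(mode)}")
```

Setting the mode per file is the safer fix: it keeps the shared folder's files group-writable without loosening the umask for everything else the web server writes, and 0664 rather than 0666 still leaves other users read-only.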

sharepoint online – Error "The object is used in a different context than the one associated with the object." Assign permissions to the item in the child site

I'm working on assigning permission groups to a list item that lives at subsite level.

The same code works for the top-level site, but it shows an error at subsite level.

Function SetPermissionsToDocSet
{
    param ($context, $docSetobject, $groupName, $role)
    try
    {
        # Reconstructed lines (the post's originals were lost): resolve the group
        # and the permission level through the same context as the binding below.
        $group = $context.Web.SiteGroups.GetByName($groupName)
        $roleDef = $context.Web.RoleDefinitions.GetByName($role)

        $roleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($context)
        $roleDefBinding.Add($roleDef)

        #Assign permissions
        $docSetobject.BreakRoleInheritance($true, $false)
        $docSetobject.RoleAssignments.Add($group, $roleDefBinding) | Out-Null
        $context.ExecuteQuery()
    }
    catch
    {
        Write-Host $_.Exception.Message
    }
}

The above code works fine if $context is the context of the root site. The above error is displayed if $context is the context of the subsite.
Please state the solution as soon as possible.

python 3.x – How to change the description of Django permissions

I want to know how I can change the description of the permissions that Django creates automatically, and how I can list only the permissions I want.
I think it would be better for me to create a model for "Other Permissions" and automatically add the ones I need, but I do not know how to do it.

Other permissions:

from django.db import models

class OtherPermissions(models.Model):
    # CharField requires max_length; values chosen as placeholders
    permission = models.CharField(max_length=100)
    description = models.CharField(max_length=255)

Note: what I do not know is how to insert the permissions from here.