Microsoft KB Archive/297697

= You Can Access Unpublished Drafts Even Though You Have Only Been Granted a Reader Role =

Article ID: 297697

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft SharePoint Portal Server 2001




This article was previously published under Q297697



SYMPTOMS
If you are granted the Reader role on a folder, you may be able to access unpublished draft versions of documents in that folder. You also may be able to set security on documents and folders. This behavior is unexpected.



CAUSE
This behavior can occur if you are a member of the local Administrators group on the server.



RESOLUTION
If you are an administrator and you want to restrict the permissions, remove the user from the local Administrators group.



MORE INFORMATION
SharePoint Portal Server has a role-based security model. The following roles are available:
 * Coordinator
 * Author
 * Reader
 * Approver
 * Deny

All role memberships are scoped to the folder, except for the Deny role, which is set at the item level. By removing all role members, you can configure the security membership on a folder so that no one is allowed access. You cannot reset permissions on this kind of folder because the concept of ownership that is used in the NTFS file system does not exist in SharePoint Portal Server.

To address this scenario, members of the local Administrators group are granted the non-revocable right to view and set security on every item in all workspaces on the server. These users also have the ability to add themselves to a role at the workspace level in the SharePoint Portal Server Administration Console. These users do not have permissions to check in and check out documents, unless they are explicitly granted the Author or Coordinator role on the folder.

If SharePoint Portal Server is installed on a domain controller, there is no way to recover from lockout because there is no local Administrators group on the server. For this reason, it is not recommended that you install SharePoint Portal Server on a domain controller.
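The following audit sketch is an added example, not code from Microsoft or from this article. It parses English-locale `net localgroup Administrators` output and cross-checks it against folder role assignments to find accounts that hold only the Reader role on a folder but still get the administrator override described above. The role-assignment export format, the folder paths and every account name are constructed assumptions.

```python
# Added example: cross-check local Administrators membership against folder roles.
# The role export format and all account names below are constructed.

# Constructed sample of English-locale `net localgroup Administrators` output.
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\jsmith
The command completed successfully.
"""

# Hypothetical export of role assignments: (folder, account, role).
ROLE_ASSIGNMENTS = [
    ("/Documents/Finance", "CONTOSO\\jsmith", "Reader"),
    ("/Documents/Finance", "CONTOSO\\akhan", "Author"),
    ("/Documents/HR", "CONTOSO\\mlee", "Reader"),
    ("/Documents/HR", "CONTOSO\\jsmith", "Coordinator"),
]


def parse_local_admins(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if set(line) == {"-"}:  # separator that precedes the member list
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members


def readers_with_admin_override(net_output, assignments):
    """Flag (folder, account) pairs where a Reader is also a local administrator."""
    # Windows account names are case-insensitive, so compare in lower case.
    admins = {m.lower() for m in parse_local_admins(net_output)}
    return sorted(
        (folder, account)
        for folder, account, role in assignments
        if role == "Reader" and account.lower() in admins
    )


if __name__ == "__main__":
    for folder, account in readers_with_admin_override(NET_LOCALGROUP_OUTPUT, ROLE_ASSIGNMENTS):
        print(f"{account} is Reader on {folder} but can view drafts and set security")
```

Group entries such as `CONTOSO\Domain Admins` are not expanded, so an account that is an administrator only through a nested group is not flagged and has to be checked separately.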


© Microsoft Corporation. All rights reserved.