(UPDATED 11/29 to explain how to access web application policy settings via the UI)
I had one of those "why is MOSS doing this to me????" moments today. In the end, it’s all my fault.
We have an enterprise MOSS project going on and we want to secure "place holder" sites so that no user may access it or see it. That’s easy:
- Go to the site.
- Break the security inheritance.
- Remove every user/group from site permissions.
The above should leave just the site collection administrator with permission to see the site.
If anyone else logs in, they should no longer see the site and it should be security-trimmed from all the usual places.
But … it was not. At the same time, I suddenly realize that my "Joe User" standard user test account with no priv’s other than restricted read access has a "Site Actions" choice everywhere he goes. I double check one thing and double check something else. I pick up the phone to call a colleague, but put it down and check something else. I go for a walk and try everything all over again. I call a colleague and leave a message. And then, finally, I find that at Ethan’s blog, his opening graph makes it quite simple:
MOSS 2007 has a new feature called Web Application Policies. These are security permissions that is tied to a Web Application. These security settings override any security setting that is set at the Site Collection or Site (Web) level for that user.
A quick visit to web application policies shows that "NT Authority\authenticated users" had been granted Full Read. I removed them from the list and everything finally started working as expected. I believe they were added in the first place by someone with the mistaken impression that that is best method to grant read access to everyone in the enterprise. It does, but, to strain a quote, "It does not mean what you think it means."
Access web application policies this way:
- Go to Central Administration
- Select Application Management
- Select "Policy for Web Application"
- On that screen, make sure you pick the correct web application. For me, it defaults to the web application of central admin which may not be the one you want.
When I had this problem, I searched for the following phrases and got surprisingly little in terms of direct help on this issue:
Site actions visible for all users
Site actions visible to all users
site actions are not security trimmed
secure a MOSS site
introduction to moss security