by Dan Matthews
3. July 2007 10:23
I've found a little glitch (by design?) in ADXSTUDIO 2006. The scenario is this... I want to give an 'Approvers' group access to approve across the whole site except for a 'Sensitive' folder, that can only be approved my managers.
According to ADXSTUDIO, the way to do this is to explicitly GIVE permissions to the Approvers group everywhere except where I don't want them to have permissions. Yeah right. It's a big site :)
You might think 'no probs, I'll just DENY them access to that one folder'. Nice, in theory... but in practive it spams out a nasty error when you try to do that. I guess it can't handle deny-access being added to an object with grant-access set on it as well (albeit inherited).
Solution? Resort to ADSIEdit. Locate the Sensitive folder within the AD object hierarchy (no, not easy) and take off the inheritance of permissions. I suggest copying the existing permissions otherwise you'll have fun adding them all in. Then just strip everything but read permissions away from the Approvers group.
Now, when someone in the Approvers group tries to edit pages in the Sensitive folder, they get an Access Denied error. In the rest of the site, they are able to edit pages.
Subscribe