2013-08-20

SharePoint 2013 has a new and improved search results page functionality:

  • Users can see a fly-out with a preview of the document type by resting their cursor over the search result.
  • Microsoft Office documents will display the application icon in front of the title of the search result.
  • Search will remember, and learn from, what the user has previously searched on and clicked, thereby improving the user search experience.

Another aspect of search that has been around since SharePoint 2007 and its Enterprise Search Security Model is the concept of security trimming. According to Microsoft:

By default, Enterprise Search results are trimmed at query time, based on the identity of the user who submitted the query. When results are returned for a user’s search, the Query engine performs an access check for the user’s identity against the security descriptor stored in the content index for each item in the search results. The Query engine then removes any items in the search results that the user does not have access to, so that the user never sees these results.

What this means is that if you don’t have at least Read permission on a document, list, or library, nothing in that document, list, or library will show up in the search results of a query.

There was a curious situation on someone’s test environment at work recently where several restricted items were being displayed in the search results of a query, but the fly-out displayed a message that said the user didn’t have the necessary privileges to see the document. This was not the expected behavior, and my task was to figure out why.

My first step was to understand how to restrict an item so that it doesn’t appear in a search result. I began by uploading a document to see if I could restrict access. Let’s click on the ellipses and see if this is going to be intuitive or not:

Hmmm, so there’s no “Restrict this document” choice. So much for an intuitive interface. Well, then “I’ll take ‘Edit Properties’ for $200, please Alex.”

Not much help there. Let’s go back to the previous screen and try “Shared With”.

This looks more promising. As the person who uploaded the document, I am the owner of said document. That makes sense. But how did Everyone get view (AKA Read) privileges? Maybe the “Advanced” link will tell me more.

Okay, this is starting to make more sense. I can’t set the permissions on an item to something like “Restricted” or “You can’t read this, Fool!” This concept reminds me of an old Tumbleweeds comic strip (a spoof of the old west), from many years ago. Deputy Knuckles can barely keep his eyes open. The Sheriff asks “Tired, Deputy?” The Deputy replies: “Yeah, the mosquitos kept me awake all night.” The Sheriff says: “Use mosquito netting.” To which the half-witted Deputy replies: “I *do*, but I can’t get it around all of ‘em.” To wit, instead of creating a read-restrictive group that we add people to, we’ll just restrict access to everyone except users who have been given explicit permission.

That’s logical, but if I just uploaded this document, how did Everyone get Read permission? I didn’t explicitly give Everyone any permissions. What’s that all about?

Permission Inheritance

This is where the concept of permission inheritance comes into play. When I uploaded my document, it inherited the permissions of the list/library/site collection it was uploaded to (its parent).

The first step in restricting access is to break the inheritance from the parent. That’s easy to do, just click the “Stop Inheriting Permissions” icon in the Ribbon.

That will remove Everyone from having Read permissions, right? Not exactly. At this point the document is not inheriting permissions from its parent, because you broke that inheritance. But the permissions it does have happen to be a copy of its parent’s. It is assumed you will customize the permissions, so from now on this document has unique permissions. Note: If after customizing permissions you would like to revert to the parent permissions, just click Delete unique permissions in the Ribbon.

How to Find Members of a Group

In this screen with the Group names listed, we could click on each name and see who the members are. But there is a more efficient way; just click Check Permissions:

Type in Everyone:

Click “Check Now”.

This screen tells us Everyone has Read permissions granted through the “Team Site Visitors” group. Now we know which group to edit.

Click on Team Site Visitors:

There’s Everyone!

Check the box next to Everyone, select Actions, then Remove Users from Group:

A window will popup warning you that you are about to remove Everyone from the group. Click OK.

Share the Document with Others

At this point you, as the document owner, are the only one who can see this document. This means if someone searches for your document, Enterprise Search will trim your document from everyone else’s search results except for yours, and you effectively have a secure document. But having a document that no one else can see isn’t any fun. This is *Share*Point after all. So let’s spread the love and share the document with a select few.

The easiest way is to go to Site Settings > Site Contents > double-click on Documents > click on the ellipses next to the document you want to share > click Share.

Enter the names of everyone you would like to invite to access your document, and assign a permission level. Once they have been invited, your document will appear in their search results.

Security Trimming a Library

So far we have security trimmed a document so that it will only appear in search results for people we have explicitly invited. All the other documents in the library are available to everyone. But what if we want to restrict access to all of the documents in that library? Or that sub-site? Or that site collection? The process is a little bit different, but it’s the same idea. Let’s start out by security trimming the library. Go to Settings > Site Contents:

Hover your cursor over the Documents library…

Click the ellipses, then click on SETTINGS:

Click on Permissions for this document library:

Remember, the first step is to give your list a set of unique permissions, so click on the Stop Inheriting Permissions icon. Your screen will now look like this:

Let’s start clicking through each Group name to see who the members are.

The only group with members other than myself is the Team Site Members group. Let’s get rid of ATEL Staff and Gail Kinney. Put a checkmark by their names, click Actions, then Remove Users from Group.

Click OK. Now the contents of this document library will only surface as a search result from a query made by Steve Albrecht or me.
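To confirm that a library and its documents are really trimmed the way the steps above intend, here is an added audit script (not from the original post) for the SharePoint 2013 Management Shell; the site URL and library name are assumptions to replace with your own. It reports, for the library and each item, whether permissions are inherited or unique, who holds the Read base permission, and whether any of those grants reach Everyone directly or through a group such as Team Site Visitors.

```powershell
# Added example, not part of the original post. Assumes the SharePoint 2013
# Management Shell on a farm server; the URL and library name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = "http://intranet/sites/team"   # assumption: replace with your site
$listName = "Documents"                    # assumption: library to audit

# True when the principal is the Everyone claim or a group that contains it.
function Test-GrantsEveryone([Microsoft.SharePoint.SPPrincipal]$principal) {
    if ($principal -is [Microsoft.SharePoint.SPGroup]) {
        foreach ($u in $principal.Users) { if (Test-GrantsEveryone $u) { return $true } }
        return $false
    }
    # "c:0(.s|true" is the claims login SharePoint 2013 uses for Everyone.
    return ($principal.Name -eq "Everyone" -or $principal.LoginName -eq "c:0(.s|true")
}

# Every principal whose role definition includes the Read base permission
# (ViewListItems); that is all the Query engine needs to show the item.
function Get-ReadPrincipals($securable) {
    foreach ($ra in $securable.RoleAssignments) {
        $canRead = $false
        foreach ($rd in $ra.RoleDefinitionBindings) {
            $mask = $rd.BasePermissions -band [Microsoft.SharePoint.SPBasePermissions]::ViewListItems
            if ($mask -ne 0) { $canRead = $true }
        }
        if ($canRead) { $ra.Member }
    }
}

# One report line: inherited vs. unique, the readers, and an Everyone warning.
function Write-AccessReport($label, $securable) {
    $mode    = if ($securable.HasUniqueRoleAssignments) { "unique" } else { "inherited" }
    $readers = @(Get-ReadPrincipals $securable)
    $names   = ($readers | ForEach-Object { $_.Name }) -join ", "
    $flag    = ""
    if ($readers | Where-Object { Test-GrantsEveryone $_ }) { $flag = "  <-- Everyone can read" }
    Write-Output ("{0} [{1}] readers: {2}{3}" -f $label, $mode, $names, $flag)
}

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$listName]
    Write-AccessReport "Library '$listName'" $list
    foreach ($item in $list.Items) {
        Write-AccessReport ("  Item '" + $item.Name + "'") $item
    }
}
finally { $web.Dispose() }
```

Because SharePoint groups are shared across the whole site collection, removing a member from Team Site Visitors changes access everywhere that group is assigned, which is why the report names the granting group rather than only the user.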

Conclusion

The concept that users are excluded from a document or site collection unless they are given explicit permission is key to the understanding of how security trimming search results works. Once this concept is understood, along with an understanding of how inherited permissions work, the user is well on their way to mastering SharePoint user permissions. This can be a tricky concept to understand at first, but once it sinks in, securing anything in SharePoint becomes easier.

About the author 

Darrell Houghton

MCSE and MOS certified in SharePoint 2013. SharePoint power user, evangelist, and teacher. In-depth knowledge of out-of-the-box SharePoint functionality, best practices, business workflows, and site architecture.