User groups at the site level
https://sharepoint.stackexchange.com//questions/24068
-
06-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPregunta
I have a created two side by side sites, A and B, and wanted to create a group in site A and another unrelated group in site B.
But then discovered that in the page "A > People and Groups > All Groups" (http://localhost/A/_layouts/groups.aspx) I can see all groups from both site A and B.
Also the case for the page "B > People and Groups > All Groups" (http://localhost/B/_layouts/groups.aspx).
The subtitle of the page says:
Use this page to view and manage all groups for this site collection.
I would have imagined that, based on the URL of the page, its each site with its own groups. But seems not!
This won't work for me. I want a group at the site level. Group A should not be seen from site B and Group B should not be seen from site A.
Is there a way to do that?
Solución
To clarify SharePoint's permission behaviour:
Sites collections contain the people (users, AD groups) and groups (SharePoint groups) that are available for all sites within the site collection. The idea is a site collection contains sites that have some overlap in user membership or business function. They are a collection of like-minded sites (in some aspect).
This is confusing to many users as we like to think of sites as being self-contained when in reality they are not. It works very much like the Windows security model. Your computer has users and groups (for this example imagine a standalone workstation and not a computer attached to a domain). These users and groups are available to all drives, folders, and files on the computer. Say you have two disk drives: C: and D:. If you check the security tab for both you can look up and use the same set of users and groups for both. Same thing if you go deeper into folders and files. In SharePoint imagine your computer is a site collection and your sites are the drives (libraries = folders, list items = files). The behavior is consistent.
The security boundary for your computer is your computer. Because you have a user account on your computer does not mean you automatically have a user account in your friend's computer. In SharePoint, the security boundary is the site collection. If you add users to Site Collection ABC they are not automatically members of Site Collection XYZ.
You can break inheritance to Site A and Site B but if you look at People and Groups you will still see any groups and users you have added to either site in the other site. It doesn't mean they have permissions to each other's sites (just like breaking NTFS inheritance and setting different permissions to folders or files means different users have different access) but you can still see the users and groups.
This is by design. If you don't want either group to see each other then you need to create separate Site Collections instead of Sites.
Otros consejos
If A & B are subsites under a same site collection, you can stop inheriting permissions from the parent. Then create & configure separate groups for both the sites
As @AmitKumawat said, you can break inheritance, but understand you are masking the groups here not seperating them (i.e. inheritance and security trimming). Users that are members of both groups will see both groups regardless of the site they are in.
Groups are created at the site collection level so if you need to have these security groups isolated you neet two site collections.
