SharePoint only shows users the links to which they have access. Correct? Well, kind of.

When you create a list or document library in SharePoint, one option at creation is to display a link in the Quick Launch menu to the left.

The default is “Yes” and your list, in this example, will appear under the Lists heading in the Quick Launch menu.

If you then restrict access to a list, as I have done in the case of the For Admins list above, when logged in as a normal user, the link to For Admins will be security trimmed, that is, it will simply not be visible to users other than those with Admin (Owner) permissions.

However, imagine that you want to customize the Quick Launch menu and remove the default headings, such as Lists and Libraries. You can just create the links again and, because the permissions have already been set, the security trimming will come into play, right?

Owners will see links to both lists.

And for normal users? Oops, unfortunately security trimming has not been applied:

The security trimming has been lost along the way. Users now see links that they cannot access. Though security is in no way compromised, as ordinary users will get an Access Denied error if they click the link, this is neither good design nor practical from a usability point of view.

So what is the solution? In a normal SharePoint site with Quick Launch navigation, it is possible to re-establish security-trimmed links by deleting the links from the Quick Launch and then re-enabling the Quick Launch display in the settings of each list (found under Title, description and navigation on the List Settings page).

But then you will be back at square one!

The only workaround is to enable the SharePoint Server Publishing Infrastructure feature, which allows for more fine-grained management of navigation and will retain security trimming when links are re-organized.

You can then use the Navigation Settings page. But wait a minute, as the Navigation Settings page is just a standard system page on the SharePoint server and it does not actually use any of the other things that form part of the SharePoint Publishing Infrastructure, perhaps we can just call the page directly and get to use it without enabling the Publishing Infrastructure.

Try putting a link to the page somewhere on a standard site with the following syntax:

http://yourserver/yoursite/_layouts/AreaNavigationSettings.aspx

You should then be able to re-organize your navigation to your heart’s content without losing any security trimming.
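To check which Quick Launch links point at lists with their own permissions (the links that ought to be trimmed), the following added example, which is not part of the original post, walks the Quick Launch server-side and reports them. It assumes an on-premises farm with the SharePoint Management Shell; the function names are hypothetical and the site URL is the post's placeholder.

```powershell
# Added example (not from the original post): list Quick Launch links whose
# target list has its own permissions, i.e. links that should be security trimmed.
# Assumption: run in the SharePoint Management Shell on an on-premises farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Walk headings and their child links recursively.
function Get-QuickLaunchNode {
    param($Nodes)
    foreach ($node in $Nodes) {
        $node
        if ($node.Children.Count -gt 0) { Get-QuickLaunchNode -Nodes $node.Children }
    }
}

function Find-RestrictedQuickLaunchLink {
    param([string]$WebUrl)
    $web = Get-SPWeb $WebUrl
    try {
        $base = New-Object System.Uri($web.Url)
        foreach ($node in Get-QuickLaunchNode -Nodes $web.Navigation.QuickLaunch) {
            if ([string]::IsNullOrEmpty($node.Url)) { continue }
            try {
                # Node URLs may be server-relative or absolute; normalise to a path.
                $target = New-Object System.Uri($base, $node.Url)
                if ($target.Host -ne $base.Host) { continue }   # link leaves this server
                $path = [System.Uri]::UnescapeDataString($target.AbsolutePath)
                $list = $web.GetList($path)                     # throws if not a list here
            }
            catch { continue }
            if ($list.HasUniqueRoleAssignments) {
                New-Object PSObject -Property @{
                    NodeTitle  = $node.Title
                    NodeUrl    = $node.Url
                    List       = $list.Title
                    IsExternal = $node.IsExternal
                }
            }
        }
    }
    finally { $web.Dispose() }
}

# Placeholder URL taken from the post's example syntax.
Find-RestrictedQuickLaunchLink -WebUrl 'http://yourserver/yoursite' |
    Format-Table NodeTitle, List, NodeUrl, IsExternal -AutoSize
```

Open the site as a user outside the Owners group and compare the Quick Launch with this report: any reported link that is still visible has lost its security trimming.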
