We want a policy whereby permissions must be managed through SharePoint groups. We want to allow site owners to add and remove users from groups in order to manage their permissions to resources, but we don't want them to be able to create the groups or to add users explicitly to the resource. Is this possible? I don't see any permissions that relate to restricting explicit access to a resource as opposed to access via a group, but I could be overlooking something.
1 Answer
No, this is not possible out of the box. Either a user is able to manage permissions or not; there are no more granular settings to only allow managing in groups.
Unfortunately, there also isn't an event receiver you could use, e.g. PermissionAdded or PermissionModified, so the only way for you to check these things would be to write a timer job which checks every X minutes whether anything has changed that you didn't want changed. Another possibility is to not allow users to manage permissions, but write your own permission manager which only allows working with groups. Then you could use RunWithElevatedPrivileges to perform your actions.
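
The periodic check described in the answer, sketched as an added example (not part of the original answer): a script for the SharePoint Management Shell that lists role assignments granted directly to a user instead of through a SharePoint group. It assumes an on-premises farm with the server object model available; the function names and the site URL are hypothetical placeholders, and item-level permissions are not scanned.

```powershell
# Added example: report permissions granted directly to users (not via a SharePoint group).
# Run on a farm server with an account that can read the site collection's permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DirectUserAssignment {
    param(
        [Parameter(Mandatory = $true)] $SecurableObject,   # SPWeb or SPList
        [Parameter(Mandatory = $true)] [string] $Location
    )
    foreach ($ra in $SecurableObject.RoleAssignments) {
        # Members that are SPGroup are the allowed path. SPUser members are findings;
        # this includes AD security groups added directly (IsDomainGroup is true).
        if ($ra.Member -isnot [Microsoft.SharePoint.SPUser]) { continue }
        # "Limited Access" (SPRoleType.Guest) is assigned automatically by SharePoint
        # when a user has access to a child object, so it is not reported.
        $roles = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($roles.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Location      = $Location
            Principal     = $ra.Member.LoginName
            IsDomainGroup = $ra.Member.IsDomainGroup
            Roles         = ($roles -join ', ')
        }
    }
}

function Find-DirectUserPermission {
    param([Parameter(Mandatory = $true)] [string] $SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Objects that inherit permissions repeat their parent's assignments,
                # so only objects with unique role assignments are inspected.
                if ($web.HasUniqueRoleAssignments) {
                    Get-DirectUserAssignment $web $web.Url
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-DirectUserAssignment $list "$($web.Url) [list: $($list.Title)]"
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Placeholder URL (assumption): replace with the site collection to audit.
Find-DirectUserPermission -SiteUrl 'http://sharepoint.example.local/sites/team' |
    Format-Table Location, Principal, IsDomainGroup, Roles -AutoSize
```

Scheduled at the interval the answer calls "every X minutes", the output gives site administrators a list of direct grants to review or revert.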