Interesting Difference Between “View Only” & “Read” Permission Levels
As the saying goes, the devil is in the details! This meant to be a note to self, but I thought it might be helpful for some of you too. Here we go:
If John has “Read” permission level to a document named sales.docx, John is able to search and find this document and view it either in Office Web App on the server (in the browser), or in Office client on his computer.
If John has “View Only” permission level to sales.docx, John *can* browse to the document library and see the document, however John cannot open the document in Office Word client on his computer. Lucky John, if Office Web App is installed, John is able to see the document online. Ok, I get it! John has “View Only” permission level and this level doesn’t have “Open Items” permission (See the product documentation here). So far so good…
Interesting part is here –> If John has “View Only” permission level to sales.docx, he is not able to find it using search. Furthermore, if he types the URL of the document in the browser address bar (http://SharepointSite/doclib/sales.docx), he receives an Access Denied error. Now, I don’t get it! John has “View Only” permission level. He should be able to find the document via search, and see it using Office Web app just like how he’s able to do so when he browses to the document library and clicks on it!
This leads to two different security access behaviors:
- If a user has “Read” permission level to a document, they can always find the document using search or browser and open it in the browser or their Office client app.
- If a user has “View”Only” permission level to a document, they can only find and open the document in the browser. In that case, Search doesn’t show the document!
Conclusion: Looks like “Open Items” permission plays an important role in search security trimming on the core search result. This makes people with “View Only” permission level ( With No “Open Items” Permission) not to be able to search for the documents they are already authorized to view. Obviously, you can go ahead and change the OOTB View Only permission level , but then again, that’s not “View Only” permission level anymore!
Make sure you are aware of this difference when planning your site permissions.