Web Part Gallery Permissions – Something to think about…

A common configuration for my clients is to have an external facing site collection, which aggregates project sites for their vendors and customers that they interact with to collaborate on projects, for example: https://partners.company.com. Where each of the sub-sites below the top level site have specific permissions configured to only allow the external users related to a particular project only into those sites, so those users have no idea what other clients, vendors, etc., you are managing sites for.

There are some sites which are extremely customized from a basic project style template, and/or site definition, and for those sites, there may be quite a few sub-sites. In those cases, it usually makes sense to put reusable web parts into the web part gallery for that site collection, to make them easy to access.

For instance, a Content Query Web Part which displays data out from a source list with data that is relevant to all of those sites, or filtered to display some of the content out to different sites. Instead of rebuilding, or exporting/importing the web part each time, dropping it into the web part gallery makes access to it easy.

If you then give control to the external users of that site to add web parts to that site, they can then see those web parts, and even add them to their pages when attempting to add web parts to their sites. If you have these web parts grouped or named based on the client/partner/vendor/project, they will be able to see those names. Unless they have access however, they will not be able to view the content from those sites if the web part is pulling any data from them, thanks to security trimming.

So, if you are using those sorts of naming and grouping conventions with the web part gallery under this type of scenario, you may want to modify the permissions of those web parts in the gallery to only users who should be seeing them.

This can be done by going to the Web Part Gallery at the Site Collection Level, selecting the edit link of the web part, and clicking on the Manage Permissions link within the toolbar at the top of the edit page:


From there, select Edit Permissions from the Actions menu


And you can then add/remove permissions as needed, thus allowing you to limit exposure of clients/partners/vendors to those sites that should be seeing them.



About Geoff Varosky
Geoff Varosky is a Senior Architect for Insight, based out of Watertown, MA. He has been architecting and developing web based applications his entire career, and has been working with SharePoint for the past 15 years. Geoff is an active member of the SharePoint community, Co-Founder and Co-Organizer of the Boston Area SharePoint Users Group, co-founder for the Boston Office 365 Users Group, co-organizer for SharePoint Saturday Boston and speaks regularly at SharePoint events and user groups.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: