After several big acquisitions, the company is starting to apply security restrictions to some sensitive site collections. Many efforts have taken place, as described earlier. The first step is to remove open groups such as compony.all from those sites. One of the requests from the security group is to remove “NT AUTHORITY\AUTHENTICATED USERS” from those sites.
After we removed “NT AUTHORITY\AUTHENTICATED USERS” from the sites, users reported that managed metadata columns were no longer visible to anyone other than site collection administrators. The reason is that this account is what grants users read access to the hidden “TaxonomyHiddenList” list, which is created when the "TaxonomyFieldAdded" feature (required for adding a managed metadata column) is activated.
The URL is something like this: http://…SITEURL…/lists/taxonomyhiddenlist. If “NT AUTHORITY\AUTHENTICATED USERS” loses read permission on this list, users other than site collection administrators will no longer see the metadata column.
Solution to the issue: grant “NT AUTHORITY\AUTHENTICATED USERS” read permission on this list, even if you remove that permission from the site itself.
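The following PowerShell is an added example, not code from the original post: it audits every site collection in a web application for the symptom described above (Authenticated Users unable to read TaxonomyHiddenList) and, when `$Repair` is set, re-grants Read on that list only, leaving the site-level removal in place. It assumes an on-premises SharePoint Server farm, the SharePoint Management Shell run as a farm administrator, and a placeholder web application URL; the hidden list name and the SPList/SPRoleAssignment calls are the standard server object model.

```powershell
# Added example: audit (and optionally repair) read access for
# NT AUTHORITY\AUTHENTICATED USERS on TaxonomyHiddenList per site collection.
# Assumes SharePoint Server (farm) PowerShell; http://SITEURL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://SITEURL"                   # placeholder, replace with your web application
$AuthUsers = "NT AUTHORITY\AUTHENTICATED USERS"  # classic login name; EnsureUser resolves it in claims mode too
$Repair    = $false                              # $true = grant Read on the hidden list where it is missing

function Test-TaxonomyHiddenListRead {
    # Returns $true/$false, or $null when the site collection has no hidden taxonomy list
    param([Microsoft.SharePoint.SPSite]$Site)
    $web  = $Site.RootWeb
    $list = $web.Lists.TryGetList("TaxonomyHiddenList")
    if ($null -eq $list) { return $null }        # TaxonomyFieldAdded never activated here
    $user = $web.EnsureUser($AuthUsers)
    return $list.DoesUserHavePermissions($user, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
}

function Grant-TaxonomyHiddenListRead {
    # Grants the Reader role on the hidden list only, not on the site
    param([Microsoft.SharePoint.SPSite]$Site)
    $web  = $Site.RootWeb
    $list = $web.Lists.TryGetList("TaxonomyHiddenList")
    if ($null -eq $list) { return $false }
    # Give the list its own permissions so the grant survives removals at the site level
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }
    $user       = $web.EnsureUser($AuthUsers)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $reader     = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
    $assignment.RoleDefinitionBindings.Add($reader)
    $list.RoleAssignments.Add($assignment)
    $list.Update()
    return $true
}

$webApp = Get-SPWebApplication $WebAppUrl
foreach ($site in $webApp.Sites) {
    try {
        $canRead = Test-TaxonomyHiddenListRead -Site $site
        if ($null -eq $canRead) { continue }
        if ($canRead) {
            Write-Host "OK      $($site.Url)"
        } else {
            Write-Warning "MISSING $($site.Url): Authenticated Users cannot read TaxonomyHiddenList"
            if ($Repair -and (Grant-TaxonomyHiddenListRead -Site $site)) {
                Write-Host "FIXED   $($site.Url)"
            }
        }
    } finally {
        $site.Dispose()                           # SPSite objects from .Sites must be disposed
    }
}
```

Run it first with `$Repair = $false` to get a list of affected site collections, then with `$Repair = $true` after review. The grant is scoped to the hidden list, which holds a local copy of the term labels used in the site collection, so the only thing it exposes to Authenticated Users is those term names, not the site's content.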
The question to Microsoft is how to prevent this from happening on other sites. If you are the user managing a site with sensitive information, are you going to remove “NT AUTHORITY\AUTHENTICATED USERS” from your site? It seems likely you would. However, this account is added automatically when you activate certain features. If it has been removed, it may cause unpredictable side effects, and any solution that prevents the group from being added may cause issues of its own.
As a result, you should be careful when using the managed metadata service and its columns. Customizations such as preventing people from removing necessary permissions should be part of the governance plan. Please refer to the other blog posts on the managed metadata service.
Utilize the Managed Metadata Service application tip #7 – How to read managed metadata column relationship