Monday, September 19, 2011

Utilize the Managed Metadata Service application tip #2 - Metadata column not visible for users other than site collection administrators


After several big acquisitions in the company, we are starting to apply security restrictions to some sensitive site collections. Many efforts have taken place, as described earlier. The first step is to remove open groups such as company.all from those sites. One of the requests from the security group is to remove “NT AUTHORITY\AUTHENTICATED USERS” from those sites.



After we removed “NT AUTHORITY\AUTHENTICATED USERS” from the sites, users reported that the metadata column was not visible to anyone other than site collection administrators. The reason is that this account is what allows users to read the hidden “Taxonomy” list, which is added when the "TaxonomyFieldAdded" feature is activated. That feature is required to add a managed metadata column.

The URL is something like this: http://…SITEURL…/lists/taxonomyhiddenlist. If we remove the “NT AUTHORITY\AUTHENTICATED USERS” read permission on this list, users other than site collection administrators will no longer see the metadata column.

Solution to the issue: Add the “NT AUTHORITY\AUTHENTICATED USERS” read permission on this list, even if you remove the permission from the site.
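One way to check for and restore this permission from the SharePoint Management Shell is sketched below. It is an added example, not part of the original post. It assumes a classic-mode (Windows authentication) web application where the principal's login name is `NT AUTHORITY\authenticated users`; the `$SiteUrl` and `-Fix` parameters are names chosen for this example.

```powershell
# Added example: audit (and optionally repair) Read access on the hidden taxonomy list.
# Assumption: classic-mode web application; run on a farm server as a farm administrator.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,  # site collection URL, supplied by the operator
    [switch]$Fix                                     # without -Fix the script only reports
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$login    = 'NT AUTHORITY\authenticated users'
$viewMask = [long][Microsoft.SharePoint.SPBasePermissions]::ViewListItems
$site     = Get-SPSite $SiteUrl
try {
    $web  = $site.RootWeb
    # The hidden list lives at <site>/Lists/TaxonomyHiddenList on the root web.
    $list = $web.GetList($web.ServerRelativeUrl.TrimEnd('/') + '/Lists/TaxonomyHiddenList')

    # Does the principal hold any role on the list that includes ViewListItems?
    $hasRead = $false
    foreach ($ra in $list.RoleAssignments) {
        if ($ra.Member.LoginName -ieq $login) {
            foreach ($rd in $ra.RoleDefinitionBindings) {
                if (([long]$rd.BasePermissions -band $viewMask) -ne 0) { $hasRead = $true }
            }
        }
    }

    if ($hasRead) {
        "OK: '$login' can read TaxonomyHiddenList on $SiteUrl"
    }
    elseif (-not $Fix) {
        "MISSING: '$login' has no read access to TaxonomyHiddenList on $SiteUrl (re-run with -Fix)"
    }
    else {
        # Grant Read on this list only. Breaking inheritance copies the current
        # assignments; the list stops following later site-level permission changes.
        if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }
        $user       = $web.EnsureUser($login)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
        $reader     = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
        $assignment.RoleDefinitionBindings.Add($reader)
        $list.RoleAssignments.Add($assignment)
        "FIXED: granted Read on TaxonomyHiddenList to '$login' on $SiteUrl"
    }
}
finally {
    $site.Dispose()
}
```

Running it without `-Fix` across the sensitive site collections gives a report of where the list permission has been lost, without changing anything.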

The question to Microsoft is how to prevent this from happening to other sites. If you are a user managing sites with sensitive information, are you going to remove “NT AUTHORITY\AUTHENTICATED USERS” from your site? It seems likely you would. However, this account is added automatically when you activate some features. If it has been removed, it may cause unpredictable side effects. Implementing a solution such as preventing this group from being added may also cause issues.

As a result, you should be careful when using the metadata service and managed metadata columns. Some customizations, such as preventing people from removing necessary permissions, should be in the governance plan. Please refer to the other blog posts on the managed metadata service.


Utilize the Managed Metadata Service application tip #1 - How to resolve "The required feature is not enabled for this column type" error 

Utilize the Managed Metadata Service application tip #2 - Metadata column not visible for users other than site collection administrators

Utilize the Managed Metadata Service application tip #3 – Impact of message “Earlier versions of client programs might not support this type of column” on Document Library

Utilize the Managed Metadata Service application tip #4 – How to workaround "Deletion of this user as a contributor failed" for local term store 

Utilize the Managed Metadata Service application tip #5 – Be aware of "Deletion of this user as a contributor failed" error on AD groups for local term store

Utilize the Managed Metadata Service application tip #6 – How to fix "The default termstore for this site cannot be identified " error

Utilize the Managed Metadata Service application tip #7 – How to read managed metadata column relationship 

Utilize the Managed Metadata Service application tip #8 - How to resolve error "This operation cannot be completed. The term store may be unavailable."



