SharePoint 2013 : Certain sites have lost unique perms and Sharepoint won't allow inheritance to be broken

We have recently come across the following symptom with SharePoint 2013.

In a SharePoint 2013 farm, some of the sub sites within multiple site collections have lost their unique permissions. When attempting to break inheritance, the UI reports success, but returning to the user.aspx page shows that inheritance is still not broken.
At the same time, if we go to any list and try to delete its unique permissions, we can no longer browse to the site: it appears as though all the content has been deleted, including home\start.aspx, and the site finally throws an HTTP 500 error.

Possible Cause:
------------------
Somehow the FirstUniqueAncestorWebId property was incorrectly set for the affected webs.

Resolution:
-------------
As per https://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spweb.firstuniqueancestorsecurableobject.aspx
SPWeb.FirstUniqueAncestorSecurableObject property
An ISecurableObject interface that represents the first unique ancestor website. This is the object where the ACL is defined. For a web with unique permission the First Unique Ancestor is itself. For a web that inherits permissions the First Unique Ancestor is one of the ancestral webs.

We can run a SQL query like the one below to find this out. Replace the content DB name and web URL accordingly.

Use <Content_DB_Name>
-- FullUrl is stored server-relative without a leading slash, e.g. sites/team/subweb
select id, siteid, FirstUniqueAncestorWebId, ScopeId from dbo.AllWebs with (nolock) where FullUrl = '<Web URL>'
For the affected webs this value was somehow set incorrectly, so we have to set FirstUniqueAncestorWebId back to the correct value for each of them.

FirstUniqueAncestorWeb cannot be overridden, as it is a get-only (read-only) property.
HasUniquePerm cannot be overridden either, as it is derived from FirstUniqueAncestorWeb, which again is read-only.

The only option left is an UPDATE query against the content database. As direct DB edits are not supported, we encourage you to open a support case with Microsoft Support before proceeding.

Use <Content_DB_Name>
-- For a web with unique permissions the first unique ancestor is the web itself,
-- so FirstUniqueAncestorWebId is set back to the web's own Id (taken from the select above).
UPDATE AllWebs
SET FirstUniqueAncestorWebId = '<Web ID from the above Select Query>', ScopeId = '<Scope ID from the above Select Query>'
WHERE Id = '<Web ID from the above Select Query>' and SiteId = '<Site ID from the above Select Query>'

[Caution] To understand the supportability of this SQL UPDATE command, please refer to https://support.microsoft.com/en-us/help/841057/support-for-changes-to-the-databases-that-are-used-by-office-server-pr

Once this is done, browse to : <web URL>/_layouts/15/user.aspx

Click "Delete unique permissions" to clean up the permission scopes abandoned in the DB, then click "Stop Inheriting" and set the correct groups back for Visitors, Members and Owners. This corrected the issue with unique permissions.
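Before touching the content database, and again after the fix, it helps to confirm which webs actually carry a bad first unique ancestor. The following read-only check is an added example, not part of the original post: it uses the supported object model from the SharePoint Management Shell rather than SQL, and flags any web whose FirstUniqueAncestorSecurableObject is neither the web itself nor a web on its parent chain, which is the only legitimate state per the MSDN definition quoted above. The site collection URL is a placeholder you supply.

```powershell
# Added example (not from the original post). Read-only consistency check of
# FirstUniqueAncestorSecurableObject for every web in one site collection.
# Assumed placeholder: <Site Collection URL>. Run from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-WebPermissionAncestry {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # IDs of this web and of every web on its parent chain: the only
                # values a correct FirstUniqueAncestorWebId may hold.
                $allowed = New-Object 'System.Collections.Generic.HashSet[guid]'
                $cursor = $web
                while ($cursor -ne $null) {
                    [void]$allowed.Add($cursor.ID)
                    $cursor = $cursor.ParentWeb   # $null once we reach the root web
                }

                # Resolve the ancestor; a dangling ancestor id may throw, treat that as empty.
                $ancestor = $null
                try { $ancestor = $web.FirstUniqueAncestorSecurableObject -as [Microsoft.SharePoint.SPWeb] } catch { }
                $ancestorId = if ($ancestor) { $ancestor.ID } else { [guid]::Empty }

                $status = 'OK'
                if (-not $allowed.Contains($ancestorId)) {
                    # Points at a web that is neither self nor an ancestor: the symptom in this post
                    $status = 'BROKEN-ANCESTOR'
                } elseif ($web.HasUniquePerm -and $ancestorId -ne $web.ID) {
                    $status = 'INCONSISTENT'
                }

                [pscustomobject]@{
                    Url           = $web.Url
                    WebId         = $web.ID
                    HasUniquePerm = $web.HasUniquePerm
                    AncestorWebId = $ancestorId
                    Status        = $status
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

Test-WebPermissionAncestry -SiteUrl '<Site Collection URL>' | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Webs reported as BROKEN-ANCESTOR are the candidates for the select query above; after the update and the user.aspx clean-up, rerunning the check should return no rows.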


POST BY : Anoop Prasad [MSFT]