Anonymous Access

Earlier today, I was asked if a site could display a certain set of information to the public and company-specific information to authenticated employees without having to create two sites. The answer is yes. One way to accomplish this is to use anonymous access.

In this post, I'm going to show you how to give your site anonymous access and how to lock down other pages (webs) and lists.

First, go to the Application Management tab in Central Administration. Find the section titled "Application Security" and click on the "Authentication providers" link.


When this page loads, select your zone. In my case, I'm selecting Default.


The Edit Authentication page will load and you'll want to make sure that "Enable anonymous access" is checked. Once that's done, click the save button and go back to your site.


What we just did in Central Administration was to tell our site that it can go ahead and make data public. Now we're going to go to the site and set what we want public. In this example, I want you to notice the top navigation bar. I have two tabs (Home and Private). Also notice in the quick launch (the navigation on the left side of the page) that I have four lists showing. When we're done, I'm going to make the "Private" web and the Audit list only accessible to authenticated users.


Go to the Site Actions menu and click on Site Settings. Under the Users and Permissions section, click on the "Advanced permissions" link.


In the permissions page, click on the Settings button in the menu and you'll see a new menu item for Anonymous Access. Click on that link and you'll be redirected to a page with 3 options.

  1. Entire Web Site - gives full access to unauthenticated users.
  2. Lists and Libraries - gives unauthenticated users access to only those lists that allow access to unauthenticated users.
  3. Nothing - Access is only granted to authenticated users.



We're going to select Entire Web site and click OK. At this point, an unauthenticated user can go to my site and access everything (sort of). They won't have access to the Site Actions menu, and although they can view items in a list, by default they can only view. They can't edit or add unless the list is specifically set up to allow them to add/edit/delete items.

Now it's time to start locking content down. The first thing that I want to do is lock the Private site. To do this, I go to the Site Actions menu in the Private site and select Site Settings. I will again go to the Users and Permissions section and select Advanced permissions. So far, these are the same steps we followed earlier. When we get to the Permissions page, the Settings menu item is missing. The reason is that the site is inheriting permissions from the parent site. Click on the Actions button and select Edit Permissions.



You're going to be prompted with a message telling you that you're about to create unique permissions. Click OK.



When you do this, the Settings button will return. Click on Settings and select Anonymous Access.

This time, Entire Web site will be selected. Change this selection to Nothing and click the OK button to save your changes.

At this point, unauthenticated users can come to my site and they will not be able to see the Private page. They won't see a link for it in the top nav and they won't be able to go directly to the site using the URL unless they provide a valid username and password.

Now we want to go back to the Home page and remove the unauthenticated user's access to the Audit list.

I'm going to go to the Audit list and click on the Settings button then click on the List Settings menu item.



When the Customize page loads, click on the "Permissions for this list" link under "Permissions and Management".


When the page loads, click on Settings in the menu and select "Anonymous Access". On this page, you will be able to specify what Anonymous users can do with your list. You'll notice that by default the View Items checkbox is the only one selected. Uncheck this option and click OK.



Now we're all set. The Home page is now available publicly, except for its Audit list and the Private site, which are now available only to authenticated users. The image below shows what an unauthenticated user will see. You'll see that the Private site link is missing and the Audit list's link is also missing. Again, even if the user knows the URL, they won't be able to access the site or the list. They will be immediately prompted for credentials.
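To confirm the result of the steps above without clicking through every web and list, the script below reads the same settings through the SharePoint server object model. It is an added example, not part of the original post; the site URL is a placeholder, and it assumes PowerShell 2.0 or later run on a SharePoint server by an account with access to the site collection.

```powershell
# Added example (not from the original post): report the anonymous-access
# setting of every web and visible list in one site collection.
param([string]$SiteUrl = "http://sharepoint.example.local")  # placeholder URL (assumption)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$empty = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # AnonymousState corresponds to the three UI choices:
            #   On = "Entire Web site", Enabled = "Lists and libraries", Disabled = "Nothing"
            New-Object PSObject -Property @{
                Scope             = "Web"
                Web               = $web.Url
                Name              = $web.Title
                UniquePermissions = $web.HasUniqueRoleAssignments
                Anonymous         = $web.AnonymousState.ToString()
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }   # skip system lists
                # AnonymousPermMask64 holds the rights granted to anonymous users;
                # EmptyMask means they have none on this list.
                $mask = $list.AnonymousPermMask64
                $anon = "None"
                if ($mask -ne $empty) { $anon = $mask.ToString() }
                New-Object PSObject -Property @{
                    Scope             = "List"
                    Web               = $web.Url
                    Name              = $list.Title
                    UniquePermissions = $list.HasUniqueRoleAssignments
                    Anonymous         = $anon
                }
            }
        }
        finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
}
finally { $site.Dispose() }

$report | Format-Table Scope, Web, Name, UniquePermissions, Anonymous -AutoSize
```

After following this post, the Private web should show Disabled and the Audit list should show None; any other row reporting anonymous rights is content an unauthenticated visitor can reach.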
