SharePoint: Communications Sites missing links in Site Settings – DenyPermissionsMask

Posted On November 16, 2022

Problem:

When you browse to site settings within a Communications site, you see that certain links under Web Designer Galleries are missing, such as:

  • List Templates
  • Themes
  • Solutions
  • Composed Looks

For example, Communications site on the left, and Teams site on the right:

Also, if you browse directly to the Themes gallery by appending _catalogs/theme/Forms/AllItems.aspx to the URL and try to upload a file, it fails with the following error:

“The documents cannot be uploaded because different permissions are needed.  Request the necessary permissions.”

If you review the ULS logs, you find the following permission mask check failure:

w3wp.exe (0x2E94)         0x3064  SharePoint Foundation  Authentication Authorization     aztz1      Medium                Permission check failed. Asking for 0x00040802, have 0x7FFFFFFFFFFBFFFF 

Decoding those permission masks shows that the missing permission is AddAndCustomizePages.

Notes:

  • This even occurs for site collection administrators and users with full control web app policy.
  • If you log in as the application pool account (system account), it will NOT occur.

Cause:

By default, sites created with the “Communications Site” template have site-level property “DenyPermissionsMask” set to “AddAndCustomizePages“, which means that no one, not even site collection administrators have that permission within the site.  This is by-design, and is the same behavior in SharePoint 2019, SharePoint Server Subscription Edition, and SharePoint Online.

You can check the value of DenyPermissionsMask for a site with this PowerShell:

(get-spsite https//YourSiteURLHere).DenyPermissionsMask

For most site templates, the value should be “EmptyMask”, which means that there are no permissions denied at the site level.  If there is any other value there, it means that permission is denied within the site collection, and no one, not even site collection admins will have that permission.

Resolution:

You can remove this restriction by running the following PowerShell:

$site = get-SPSite https://YourSiteURLHere
$site.DenyPermissionsMask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

Add a Comment