SharePoint – Intermittent error: “Sorry, this site hasn’t been shared with you”

Consider the following scenario:

Randomly, when a user browses to a resource (site, list, etc) that they are supposed to have access to, they receive “Sorry, this site hasn’t been shared with you” (access denied).

The users continue to get “Access Denied” for a period of time, and then it starts working again after making no changes.

You check site permissions and the user appears to have the appropriate permission on the site.

Important: In this case, the user shows correct permission and automatically gets access again, which is in contrast to a similar, but different behavior I wrote about here:
https://joshroark.com/sharepoint-users-randomly-lose-permission-are-deleted-from-site/

 

Odd behavior… Why?

This issue occurs on Publishing sites where permission inheritance is broken, and the affected users have access only to a sub-site, and not the top-level site in the site collection.

It occurs when the built-in SharePoint group “Style Resource Readers” has been messed with in some way.

When a user browses to a sub-site within a Publishing site collection, the Master Page, CSS files, etc that are stored in the top-level site are used to render the sub-site page. Therefore, users at the sub-site level must have access to (at least) these items in the top-level site.

The “Style Resource Readers” group is used to give that limited permission to the required resources on the top-level site. These resources include the Master Page Gallery, Style Library, Site Collection Images, Quick Deploy Items, and Published Links.

 

Fix: Verify Style Resource Readers group permissions and membership are intact:

Note: In this example, affected users have permission only at sub-site http://team.contoso.com/sites/TL/Stuff. They have no permission at top-level site http://team.contoso.com/sites/TL.

  • Make sure the Style Resource Readers group is in place and has proper permission:
    • Browse to top-level site, for example: http://team.contoso.com/sites/TL
    • Go to Site Settings | People and Groups.
    • There should be a group called “Style Resource Readers”.
    • That group should contain “Everyone” and “NT AUTHORITY\authenticated users”. If it doesn’t, add those back.
    • If the group has been deleted entirely, that's not great, but it is fixable. You just need to re-create it, add the proper groups (“Everyone” and “NT AUTHORITY\authenticated users”), and give it the proper permissions (detailed below).

       

  • Make sure Style Resource Readers has proper permission to the “Master Page Gallery”.
    • Browse to top-level site, for example: http://team.contoso.com/sites/TL
    • Go to Site Settings | Master Pages and Page Layouts | Library Settings | Permissions for this document library.
    • Verify that “Style Resource Readers” is listed there with “Read” permission. If it isn’t, add it back.

       

  • Make sure Style Resource Readers has proper permission to the “Style Library”.
    • Browse to top-level site, for example: http://team.contoso.com/sites/TL
    • Go to Site Contents | Style Library | Library Settings | Permissions for this document library.
    • Verify that “Style Resource Readers” is listed there with “Restricted Read” permission. If it isn’t, add it back.

       

  • Make sure Style Resource Readers has proper permission to the “Site Collection Images” library.
    • Browse to top-level site, for example: http://team.contoso.com/sites/TL
    • Go to Site Contents | Site Collection Images | Library Settings | Permissions for this document library.
    • Verify that “Style Resource Readers” is listed there with “Restricted Read” permission. If it isn’t, add it back.

       

  • Make sure Style Resource Readers has proper permission to the “Quick Deploy Items” list.
  • Make sure Style Resource Readers has proper permission to the “Published Links” list.
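
The checks above can also be run as one read-only audit from the SharePoint Management Shell on a farm server. This script is an added example, not part of the original post. It uses the example top-level URL from the note above, and it assumes the group members and lists appear under the display names and titles shown in the steps.

```powershell
# Read-only audit of the "Style Resource Readers" group; changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'http://team.contoso.com/sites/TL'   # example top-level site from this post
$groupName = 'Style Resource Readers'

# Permission levels stated in the steps above; $null = the post gives no level, report only.
$expected = [ordered]@{
    'Master Page Gallery'    = 'Read'
    'Style Library'          = 'Restricted Read'
    'Site Collection Images' = 'Restricted Read'
    'Quick Deploy Items'     = $null
    'Published Links'        = $null
}
# Assumption: members are listed under these display names (as on People and Groups).
$expectedMembers = 'Everyone', 'NT AUTHORITY\authenticated users'

$web = Get-SPWeb $siteUrl
try {
    # Enumerate instead of indexing by name, so a deleted group does not throw.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        Write-Warning "Group '$groupName' does not exist in $siteUrl"
    } else {
        $names = @($group.Users | ForEach-Object { $_.Name })
        foreach ($m in $expectedMembers) {
            if ($names -notcontains $m) { Write-Warning "Group is missing member '$m'" }
        }
    }

    foreach ($title in $expected.Keys) {
        $list = $web.Lists.TryGetList($title)     # returns $null when no list has this title
        if (-not $list) { Write-Warning "List '$title' not found by title"; continue }

        # Collect every permission level bound to the group on this list.
        $levels = @()
        foreach ($ra in $list.RoleAssignments) {
            if ($ra.Member.Name -eq $groupName) {
                foreach ($b in $ra.RoleDefinitionBindings) { $levels += $b.Name }
            }
        }
        $want = $expected[$title]
        [pscustomobject]@{
            List     = $title
            Unique   = $list.HasUniqueRoleAssignments
            Granted  = $levels -join ', '
            Expected = $want
            OK       = if ($want) { $levels -contains $want } else { 'n/a' }
        }
    }
} finally { $web.Dispose() }
```

An empty Granted column means the group has no assignment on that list. Running the script after a permissions cleanup shows whether the group was touched before users hit the next app pool recycle.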

 

 

Explanation of why this access denied behavior may be intermittent:  

  • The affected users don’t have any access to the top-level site in the site collection: http://team.contoso.com/sites/TL
  • There are publishing controls at the sub-site level: http://team.contoso.com/sites/TL/Stuff that occasionally require access to items in the top-level site.
  • These controls are cached, so the user does not need access to the top-level site on every request. – That’s why it works some of the time.
  • The application pool for the site recycles, usually sometime between 1am and 3am, local server time.
  • These controls are no longer cached. It now fails because the end-user doesn’t have any permission to the top-level site.
  • Then a user that does have permission to the top-level site logs in and the controls are cached again, making it work for all users.
  • This continues to work until the app pool recycles again.

 

A few other “Style Resource Readers” references:

DO NOT DELETE “Style Resource Readers” Group | Microsoft Docs

brett’s blog: SharePoint Permissions Tip: Leave the Style Resource Readers group alone (brmorris.blogspot.com)

https://docs.microsoft.com/en-us/sharepoint/default-sharepoint-groups
