Author: John White

At one point or another, if you design or modify SharePoint sites, particularly public facing web sites, you’ll have a need to show some design elements to some people, and not to others. SharePoint itself does a very good job of security trimming most elements based on your security level, but there are some cases where it just isn’t designed to do what you want it to do.

Take a public facing SharePoint site for  example. Designers need to be able to work with pages, and have access to all of the tools, the ribbon, etc. You of course don’t want public users to see any of these things.

If you log in as an anonymous user, SharePoint knows that you’re not an editor, so it trims out all of the editing controls.

The trouble is, not all of the controls that I want to hide from the anonymous user are trimmed. In this case,the navigation breadcrumb on the left,and the login control on the right. In fact, in may cases, the entire blue bar at the top will need to be hidden from the anonymous user.

As an aside, the sign in control is interesting. This is the same control that you see in the first image that gives the logged in user access to their profile, my site, etc. It turns into a login control for anonymous users, which is great when you have both public and secure areas of your site. The trouble is, that control shows up whether or not it’s even possible to log in. As part of locking down a public facing SharePoint site, I always extend the application into an internet zone, turn on anonymous access, and disable both basic and Integrated authentication.

In this case, clicking on the login control simply results in an error. It would be nice if SharePoint could detect that authentication wasn’t even possible, and hide the control completely. Of course I digress, but this brings us back to the main point – how do we hide the offending elements from those with low or no privileges? It turns out that it’s actually pretty simple – we use the spSecurityTrimmedControl.

This control is simply a container that will either show or hide it’s contents based on a users security level. Simply edit the master page that the site uses (or better yet, create a new one based on your current one and then tell the site to use it). Below is an example of using the control to hide a link to the current site page when the user is not an editor.

The important attribute of the control is the permissions attribute. It basically acts as a switch, so if you have at least the permission listed, you will see the control. A complete list of the allowable values can be found here on MSDN.

Exercise caution however when hiding the ribbon. Don’t hide the ribbon’s container, because it needs to be seen in order to calculate page positioning, instead, hide only the contents of the container.  You can hide ContentPlaceHolders quite successfully though, because the server can still see them.

Use of this control is by no means limited to public facing web sites, but it is particularly handy for them. In fact, when requested, I use this control to hide the “View All Site Content” and “Recycle Bin” links in team sites.

3 Comments