I have spent a month troubleshooting a crazy problem with SharePoint 2010, stumping everyone that worked on it. The problem was just resolved, and it involves something I’ve never seen before, so I thought I would share so that the solution is out there on the intarwebs 🙂
I have a large document library, using managed metadata columns and metadata navigation. I had created some custom term sets at the site collection level, which were consumed by site columns in my document library. My users were all granted contributor permissions to the library, and could successfully upload documents into the document library.
Although users could upload to the library, they could not edit the properties of documents they had just uploaded. When trying to do so, they would receive an IIS 403 (access denied) error as below. Strange, as they had the right permissions, and this was an IIS 403 error, not a standard SharePoint access denied message.
Users would also be able to browse the document library with no problems, but if they tried to navigate via the metadata navigation, they would again receive the 403 access denied error. Strange… users could see ALL documents, but not a filtered view.
Everything worked fine for site collection administrators (one of the support folks just suggested that I make all site collection users site collection admins, but I did not think that was a very good idea 😉).
The common thread for both of these issues was the managed metadata. Users did have permissions in the library, and to the managed metadata service. It turns out that SharePoint 2010 has a hidden list at the site collection level called… appropriately enough, “TaxonomyHiddenList”. You can access this by going to http://servername/sitecollectionname/Lists/TaxonomyHiddenList/. As near as I can figure, this list holds all of the taxonomy items at the site collection level. You can visit and see all sorts of back-end information that probably means something to a programmer, but absolutely nothing to me.
In any case… my issue was caused by the fact that this list was not inheriting permissions from the site collection. Once I changed the permissions for this list to inherit from the site collection, everything started working. Good times! Hope this helps someone.
*Update: I spoke with the developer in charge of this feature (make sure to add the Microsoft Enterprise Content Management (ECM) team blog to your RSS reader BTW). This list should not inherit permissions from the site collection, but it SHOULD have read permissions for all authenticated users (this permission was missing in my case).
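A read-only check for the condition described in the update, as an added example (not part of the original post and not Microsoft's code): it reports whether TaxonomyHiddenList has unique permissions and whether an "all authenticated users" principal holds read access. The site URL is the placeholder from the post, and the two principal login names (classic mode and claims mode) are assumptions to adjust for your farm.

```powershell
# Added example: read-only audit of TaxonomyHiddenList permissions.
# Run from the SharePoint 2010 Management Shell on a farm server.
# $SiteUrl is a placeholder; the principal names below are assumptions.
param([string]$SiteUrl = "http://servername/sitecollectionname")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Login names assumed for "all authenticated users" (classic / claims mode).
$authPrincipals = @("NT AUTHORITY\authenticated users", "c:0(.s|true")
$viewItems = [long][Microsoft.SharePoint.SPBasePermissions]::ViewListItems

$site = Get-SPSite $SiteUrl
try {
    $list = $site.RootWeb.Lists.TryGetList("TaxonomyHiddenList")
    if ($list -eq $null) { throw "TaxonomyHiddenList not found in $SiteUrl" }

    # Per the update in the post, the list is expected to have unique permissions.
    "Unique permissions (not inheriting): {0}" -f $list.HasUniqueRoleAssignments

    $authCanRead = $false
    foreach ($ra in $list.RoleAssignments) {
        foreach ($role in $ra.RoleDefinitionBindings) {
            # ViewListItems is the base permission needed to read list items.
            $canRead = (([long]$role.BasePermissions) -band $viewItems) -ne 0
            "{0,-45} {1,-20} read={2}" -f $ra.Member.LoginName, $role.Name, $canRead
            if ($canRead -and ($authPrincipals -contains $ra.Member.LoginName)) {
                $authCanRead = $true
            }
        }
    }

    if ($authCanRead) {
        "OK: authenticated users can read TaxonomyHiddenList."
    } else {
        "MISSING: no read assignment for authenticated users on TaxonomyHiddenList."
        "Non-admin users may get 403 errors on managed metadata edits and navigation."
    }
}
finally {
    # SPSite holds unmanaged resources; always dispose it.
    $site.Dispose()
}
```

The script changes nothing; if the read assignment is missing, grant Read on this one list rather than widening site collection administrator membership.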