SharePoint – Intermittent "Sorry, this site hasn't been shared with you"

Consider the following scenario:

Randomly, when a user browses to a resource (site, list, etc.) that they are supposed to have access to, they receive "Sorry, this site hasn't been shared with you" (access denied).

The users continue to get Access Denied for a period of time, and then access starts working again without anyone making any changes.

You check site permissions and the user appears to have the appropriate permission on the site.

Important: The user shows correct permission and automatically gets access again, which is in contrast to a similar behavior I wrote about here:
https://blogs.technet.microsoft.com/spjr/2017/07/12/sharepoint-users-randomly-lose-permission-are-deleted-from-site/

 

Odd behavior… Why?

This issue occurs on Publishing sites where permission inheritance is broken, and the affected users have access only to a sub-site, and not the top-level site in the site collection.

It occurs when the built-in SharePoint group "Style Resource Readers" has been messed with in some way.

When a user browses to a sub-site within a Publishing site collection, the Master Page, CSS files, etc that are stored in the top-level site are used to render the sub-site page. Therefore, users at the sub-site level must have access to (at least) these items in the top-level site.

The "Style Resource Readers" group is used to give that limited permission to the required resources on the top-level site. These resources include the Master Page Gallery, Style Library, and Site Collection Images.

 

Fix: Verify Style Resource Readers group permissions and membership are intact:

Note: In this example, affected users have permission only at sub-site https://team.contoso.com/sites/TL/Stuff. They have no permission at top-level site https://team.contoso.com/sites/TL.

  • Make sure the Style Resource Readers group is in place and has proper permission:

    • Browse to top-level site: https://team.contoso.com/sites/TL
    • Go to Site Settings | People and Groups.
    • There should be a group called "Style Resource Readers".
    • That group should contain "Everyone" and "NT AUTHORITY\authenticated users". If it doesn't, add those back.

     

  • Make sure Style Resource Readers has proper permission to the Master Page Gallery.

    • Browse to top-level site: https://team.contoso.com/sites/TL
    • Go to Site Settings | Master Pages and Page Layouts | Library Settings | Permissions for this document library.
    • Verify that "Style Resource Readers" is listed there with "Read" permission. If it isn't, add it back.

     

  • Make sure Style Resource Readers has proper permission to the Style Library.

    • Browse to top-level site: https://team.contoso.com/sites/TL
    • Go to Site Contents | Style Library | Library Settings | Permissions for this document library.
    • Verify that "Style Resource Readers" is listed there with "Restricted Read" permission. If it isn't, add it back.
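
The three checks above can also be run as a read-only audit from the SharePoint Management Shell on a farm server. This is an added example, not code from the original post; it assumes SharePoint Server with the server-side snap-in, the default English library titles, and that group members can be matched by the display names shown in People and Groups.

```powershell
# Added example: read-only audit, changes nothing. Site URL is the article's example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'https://team.contoso.com/sites/TL'
$groupName = 'Style Resource Readers'
# Assumption: members are matched by display name.
$expectedMembers = 'Everyone', 'NT AUTHORITY\authenticated users'
# Assumption: default English library titles -> permission level the group should hold.
$expectedLevels = @{
    'Master Page Gallery' = 'Read'
    'Style Library'       = 'Restricted Read'
}

$web = Get-SPWeb $siteUrl
try {
    # Enumerate instead of indexing by name: the indexer throws if the group was deleted.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        Write-Warning "Group '$groupName' does not exist in $siteUrl"
        return
    }

    # Check 1: group membership
    $memberNames = @($group.Users | ForEach-Object { $_.Name })
    foreach ($m in $expectedMembers) {
        if ($memberNames -contains $m) { Write-Output "OK member: $m" }
        else { Write-Warning "Missing member: $m" }
    }

    # Checks 2 and 3: permission level held by the group on each library
    foreach ($title in $expectedLevels.Keys) {
        $list = $web.Lists.TryGetList($title)
        if (-not $list) { Write-Warning "Library not found: $title"; continue }
        $want = $expectedLevels[$title]
        $ra = @($list.RoleAssignments | Where-Object { $_.Member.ID -eq $group.ID })
        $levels = @($ra | ForEach-Object { $_.RoleDefinitionBindings | ForEach-Object { $_.Name } })
        if ($levels -contains $want) {
            Write-Output "OK ${title}: '$groupName' has '$want'"
        } else {
            Write-Warning "${title}: '$groupName' has [$($levels -join ', ')], expected '$want'"
        }
    }
}
finally {
    $web.Dispose()
}
```

Any warning points at the step in the list above that needs to be repaired through the site's permission pages.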

       

       

Explanation of why this access denied behavior may be intermittent:  

  • The affected users don't have any access to the top-level site in the site collection: https://team.contoso.com/sites/TL
  • There are publishing controls at the sub-site level (https://team.contoso.com/sites/TL/Stuff) that occasionally require access to items in the top-level site.
  • These controls are cached, so the user does not need access to the top-level site on every request. That's why it works sometimes.
  • The application pool for the site recycles, usually sometime between 1am and 3am, local server time.
  • After the recycle, these controls are no longer cached. The request now fails because the end-user doesn't have any permission to the top-level site.
  • Then a user that does have permission to the top-level site logs in and the controls are cached again, making it work for all users.
  • This continues to work until the app pool recycles again.

 

A few other "Style Resource Readers" references:

https://blogs.msdn.microsoft.com/joetalksmicrosoft/2017/06/28/do-not-delete-style-resource-readers-group/

https://brmorris.blogspot.com/2012/04/access-denied-editing-or-creating-pages.html

https://support.office.com/en-us/article/Default-SharePoint-groups-in-SharePoint-Server-50855943-C151-42BF-B6EA-07F2BB366ECC