Some SharePoint permissions need to be disabled for low-trust groups in order to enforce DRM settings. This concept is explained further in the sections Low-Trust & High-Trust User Groups and SharePoint Features Affected by DRM.
The steps below walk through the process of creating a new permission level with limited permissions which will later be used to assign permissions to a low-trust group.
To create this permission level, we will copy the built-in Read permission level in SharePoint and then remove the 'Use Remote Interfaces' and 'Use Client Integration Features' base permissions from this permission level.
It is not required to copy the Read permission level. What is important is A) to deny the Use Remote Interfaces and Use Client Integration Features base permissions, and B) to choose the appropriate level of permissions for browsing, viewing, contributing, and managing.
Create a new permission level set:
- Open the SharePoint site and browse to Site Permissions.
- Select Permission Levels.
- Click on the Read permission level.
- Scroll down to Copy Permission Level.
- Give a Name, for example: "DocumentViewOnly".
- Uncheck the Use Client Integration Features and Use Remote Interfaces checkboxes.
- Review the selected permissions for this new permission level, which should be:
  - View Web Application Pages
  - Browse User Information
  - Open
  - View Items
  - View Versions
  - Create Alerts
  - Use Self-Service Site Creation
  - View Pages
- Click Create.
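
The same permission level can be created and checked from a script. The following is an added example, not part of the original procedure: it assumes the PnP PowerShell module is installed and that `Connect-PnPOnline` has already been run against the target site. It copies Read, excludes the two base permissions, and then fails if either one is still granted.

```powershell
# Added example: assumes the PnP PowerShell module is installed and that
# Connect-PnPOnline has already been run against the target site.
$LevelName = 'DocumentViewOnly'   # example name used in the steps above

# Base permissions that must be denied to low-trust groups.
$Denied = @(
    [Microsoft.SharePoint.Client.PermissionKind]::UseRemoteAPIs,        # "Use Remote Interfaces"
    [Microsoft.SharePoint.Client.PermissionKind]::UseClientIntegration  # "Use Client Integration Features"
)

# Copy the built-in Read level without the two permissions,
# unless a level with this name already exists on the site.
$existing = Get-PnPRoleDefinition | Where-Object { $_.Name -eq $LevelName }
if (-not $existing) {
    Add-PnPRoleDefinition -RoleName $LevelName -Clone 'Read' -Exclude $Denied `
        -Description 'Read without remote interfaces or client integration'
}

# Verify the result, whether the level was just created or was already there.
$level = Get-PnPRoleDefinition -Identity $LevelName
$stillGranted = $Denied | Where-Object { $level.BasePermissions.Has($_) }
if ($stillGranted) {
    throw "$LevelName still grants: $($stillGranted -join ', ')"
}
Write-Host "$LevelName is present and grants neither denied permission."
```

Running the verification half on a schedule also catches the case where someone later re-enables one of the two permissions on the level.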