Note: If you want to get a bit more background information about the issue at stake, please refer to our Your SharePoint extranet may have a serious security hole blog post.
To tackle this rather arcane SharePoint security issue, I thought a video would be more informative than a long post:
To summarize, here are the issues with the Browse User Information permission in SharePoint:
- The Browse User Information permission is by default enabled on all out-of-the-box SharePoint permission levels (Read, Edit, Contribute…) so removing it from permission levels will almost always involve creating new permission levels on all site collections where that might be necessary.
- Having the Browse User Information permission on a sub-site actually gives access to the user profiles at the site collection level, not just the sub-site level, which requires extra attention when granting higher privileges to external users on sub-sites (that’s also why separate site collections are recommended)
- The Browse User Information permission is by default enabled on the Limited Access permission level, and that permission level can’t be modified (at least not in the SharePoint UI). Since the Limited Access permission level is typically granted to users that have broken security permissions on lists, breaking security inheritance can have unintended side effects, such as restoring access to the User Information page for users who shouldn’t have access to it. Even worse: reverting to inheriting security does NOT the Browse User Information permission!
- Removing the Browse User Information permission prevents users from accessing their own profile or clicking on person’s names as they get redirected to the SharePoint Access Denied page. The user experience is thus highly degraded for users who don’t have the Browse User Information permission, which can be perceived as a malfunction of a SharePoint extranet site.