
Exceptions Report

The Exceptions report at the on-premise farm and online instance levels provides a list of exceptions that were found within the selected farm/instance. This report includes a Details table.

Exceptions report at the on-premise farm and online instance levels

An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This report will be blank if no exceptions were found on the selected farm/instance. It is comprised of the following columns:

  • Server Name – Single server name representing the entire SharePoint on-premise farm or SharePoint Online instance
  • Name – Type of exception found
  • Description – Description of the exception type
  • Count – Number of this type of exception found on the server

There is one table at the bottom displaying Details for the selected exception:

  • Trustee Name – Owner of the trustee account
  • Path – Location of the resource where the exception exists

Exceptions Report

The Exceptions report at the site collection, site, list, library, and folder levels provides a list of all trustees with access that are causing exceptions on the selected resource. This report includes a Permission Source table.

Exceptions report at the site collection, site, list, library, and folder levels

An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This table is blank unless an Exception icon is attached to the resource in the Resources pane, indicating exceptions were found. See the Resources Pane topic for additional information.

This report is comprised of the following columns:

  • Name – Type of exception found
  • Trustee Name – Owner of the trustee account
  • Path – Location of the resource where the exception exists

There is one table at the bottom displaying Permission Source for the selected trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource.

Permission Source table

The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns:

  • Source Path – Location for which the trustee was granted rights to the selected resource, which can be represented two ways:
    • Directly Applied – Rights granted directly to the selected trustee
    • Access through another trustee, where the path starts with the trustee assigned the direct rights and shows all nested groups leading to the selected trustee
  • Source Type – Source of the permission (for example, Site Permission, Web Application Policy, Site Collection Administrator, and so on)
  • Source Name – Name of the resource where the permission is assigned

The following rights are a normalized representation of the SharePoint permission levels (SharePoint Roles) granted to the trustee:

  • List – Right to view list of SharePoint resources
  • Read – Right to view/read SharePoint resources
  • Write – Right to add or modify SharePoint resources
  • Delete – Right to delete SharePoint resources
  • Manage – Equivalent to full control over SharePoint resources

The following columns display the combined direct and inherited rights:

  • Allow Mask – Bitmask corresponding to Windows ACE permission bits for combined direct and inherited allow rights
  • Deny Mask – Bitmask corresponding to Windows ACE permission bits for combined direct and inherited deny rights

Exceptions Report

The Exceptions report at the SharePoint node provides a list of exceptions that were found across the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table.

Exceptions report at the SharePoint node

An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This table will be blank if no exceptions were found within the targeted farm/instance. This report is comprised of the following columns:

  • Server Name – Single server name representing the entire SharePoint on-premise farm or SharePoint Online instance
  • Name – Type of exception found
  • Description – Description of the exception type
  • Count – Number of this type of exception found on the farm/instance

There is one table at the bottom displaying Details for the selected exception:

  • Trustee Name – Owner of the trustee account
  • Path – Location of the resource where the exception exists

Exceptions Node Report

The following report is available at the Exceptions node:

The Exceptions node displays when exceptions have been identified on the selected farm/instance. When it is present, it can be expanded to view the exception type level reports. The following nodes may show under the Exceptions node for a SharePoint resource when that exception type has been identified:

  • Disabled Users – Site collections, sites, libraries, lists, or folders where disabled users have been granted access
  • Open resources – Site collections, sites, libraries, lists, or folders that are openly accessible
  • Stale Users – Site collections, sites, libraries, lists, or folders where stale users have been granted access
  • Unresolved SID – Site collections, sites, libraries, lists, or folders where unknown SIDs, not matched to a known trustee account within Active Directory for on-premise farms or Entra ID for online instances, have been granted access

The Exceptions report for each exception type level displays filtered exception information. See the Exceptions by Type Report topic for the report details.

Exceptions Report

The Exceptions report at the Exceptions node provides a list of exceptions found on the farm/instance. This report includes a Details table.

Exceptions report at the Exceptions node

An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This report is comprised of the following columns:

  • Server Name – Single server name representing the entire SharePoint on-premise farm or SharePoint Online instance
  • Name – Type of exception found
  • Description – Description of the exception type
  • Count – Number of this type of exception found on the farm/instance

There is one table at the bottom displaying Details for the selected exception:

  • Trustee Name – Owner of the trustee account
  • Path – Location of the resource where the exception exists

Exceptions by Type Report

The Exceptions report at the exception type level provides details on the selected exception type. An exception is defined as a problem or risk to data governance security. This report includes a Permission Source table.

Exceptions report at the exception type level

This report is comprised of the following columns:

  • Trustee Name – Owner of the trustee account
  • Path – Location of the resource where the exception exists

If the selected trustee in the top section of the report is a group, the Group Membership pane displays the group membership, including nested groups.

There is one table at the bottom displaying Permission Source for the selected trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource.

Permission Source table

The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns:

  • Source Path – Location for which the trustee was granted rights to the selected resource, which can be represented two ways:
    • Directly Applied – Rights granted directly to the selected trustee
    • Access through another trustee, where the path starts with the trustee assigned the direct rights and shows all nested groups leading to the selected trustee
  • Source Type – Source of the permission (for example, Site Permission, Web Application Policy, Site Collection Administrator, and so on)
  • Source Name – Name of the site collection, site, library, list, or folder where the permission is assigned

The following rights are a normalized representation of the SharePoint permission levels (SharePoint Roles) granted to the trustee:

  • List – Right to view list of SharePoint resources
  • Read – Right to view/read SharePoint resources
  • Write – Right to add or modify SharePoint resources
  • Delete – Right to delete SharePoint resources
  • Manage – Equivalent to full control over SharePoint resources

The following columns display the combined direct and inherited rights:

  • Allow Mask – Bitmask corresponding to Windows ACE permission bits for combined direct and inherited allow rights
  • Deny Mask – Bitmask corresponding to Windows ACE permission bits for combined direct and inherited deny rights
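
Added example (not part of the product or its documentation): because each Permission Source row, in both Permission Source tables described above, is a separate way the trustee was granted access, cleaning up one row may leave the rights in place through another. The sketch below works on rows copied out of the table; the rows, the trustee `jdoe`, the resource names, and the ` > ` separator in Source Path are constructed assumptions.

```python
from collections import defaultdict

RIGHTS = ("List", "Read", "Write", "Delete", "Manage")  # normalized rights columns
SEP = " > "  # ASSUMPTION: separator between trustees in a copied Source Path

# Constructed Permission Source rows for one stale user on one library (not real data).
ROWS = [
    {"Source Path": "Directly Applied", "Source Type": "Site Permission",
     "Source Name": "/sites/hr", "List": True, "Read": True},
    {"Source Path": "HR Members > HR Contractors", "Source Type": "Site Permission",
     "Source Name": "/sites/hr/Payroll", "List": True, "Read": True,
     "Write": True, "Delete": True},
    {"Source Path": "Portal Auditors", "Source Type": "Web Application Policy",
     "Source Name": "https://portal.example", "List": True, "Read": True},
]

def direct_holder(row, trustee):
    """Trustee that actually holds the assignment behind this row."""
    path = row["Source Path"]
    if path == "Directly Applied":
        return trustee
    return path.split(SEP)[0].strip()  # path starts with the direct-rights trustee

def sources_by_right(rows, trustee):
    """Map each normalized right to every (type, name, holder) that grants it."""
    grants = defaultdict(list)
    for row in rows:
        for right in RIGHTS:
            if row.get(right):
                grants[right].append(
                    (row["Source Type"], row["Source Name"], direct_holder(row, trustee)))
    return dict(grants)

def remaining_rights(rows, removed):
    """Rights the trustee keeps after the rows at the `removed` indexes are cleaned up."""
    gone = set(removed)
    kept = [row for i, row in enumerate(rows) if i not in gone]
    return [right for right in RIGHTS if any(row.get(right) for row in kept)]

if __name__ == "__main__":
    for right, sources in sources_by_right(ROWS, "jdoe").items():
        print(right, len(sources), sources)
    print("after removing only the direct grant:", remaining_rights(ROWS, [0]))
```

In the sample, removing only the direct grant leaves every right in place, since the nested-group row and the web application policy row still apply.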