What are the default permissions for the FBA users?
By default they have no permissions. They have to be assigned permissions by either assigning them to SharePoint groups, or by assigning a role they belong to to a SharePoint group.
Is there documentation regarding this? I've got an install that I did not do and it looks as if the setup is backwards. The FBA users have full access across the entire site once they are approved.
If the users are being added by the membership request web part, you choose which SharePoint group they should be added to. Check the web part to see what group they are being added to. Then you can either change it to a group with less/no permissions, or you can adjust the permissions of the group they were added to.
I guess I'll have to play around with this a bit. Looks like FBA Access Request Members need read permission to the site in order to send out the approval email and I would assume password recovery email.
The password recovery and membership request web parts will work with anonymous users. All of the pages accessible from the site setting page require the user to be a site collection administrator.
Let me back up a bit. Does the FBA Access Request Members group need access to the "root" site in the environment or just /RequestAccess? In the current config the FBA Access Request Members group has "read" access to the root site and in turn the entire environment. If I remove the read access for the group to the root, the approval emails do not go out and they do not move into FBA User Management; they sit in FBA Membership Request Management with a status of Approved, and in turn the users cannot access the site.
TIA
Actually, there is no FBA Access Request Members group or /RequestAccess associated with the FBA pack. They must have been created by whoever did the install.
Do you have anonymous access turned on for the site? If you're going to have users self registering, you'll have to either allow anonymous access or create an application page with the membership request web part that allows anonymous access.
Yes, anonymous access is turned on. As you suggested, I believe FBA Access Request Members group and RequestAccess page are the items created during the initial config. What I'm trying to figure out is how to limit the FBA Access Request Member permissions. Currently they have Read access to the entire site. If I remove read access to the entire site they are unable to join the site; they just sit in FBA Membership Request Management.
More investigation is showing that roles don't look to be working.
Sorry, I guess I don't understand the purpose of the Access Request members group, and why it's needed at all. I would think the RequestAccess page would have anonymous access turned on, so no special group would be needed.
Maybe the best would be a conference call + screen sharing session to get all this worked out and get you going. You can check out my support plans here: