I have a fairly standard requirement – when an item is created, I want to remove the ability for normal users to edit/delete it, but retain permissions for admin users to remove and edit it.
Nintex Workflow has an action “Update item permissions”, which sounds like just the ticket.
This action can basically do three things:
- Remove item permission inheritance
- Clear all item permissions
- Assign one group to one permission
So here’s my first attempt:
- Add an action that a) removes inheritance b) removes all permissions c) assigns full control to my admin group
- Add an action that a) assigns read control to my users group
This fails because step 2 can’t run. The user that invoked the workflow no longer has permission to see or edit the item at this point, thanks to stripping the permissions in 1).
So, refine it a bit:
- Wrap the above steps in an app step, so it runs in the context of the app permissions
This also fails because step 2 can’t run, since the app doesn’t have permission to see or edit the item, thanks to stripping the permissions in 1). The error is that the item doesn't exist on step 2).
The closest I can get is:
- Add an action that a) removes inheritance b) removes all permissions c) assigns read control to a user group
But this leaves the item in a state where it can’t be edited or deleted by anything other than Site Collection Admins. Not ideal.
Unless I’m missing something obvious, it seems that this action (Update Item Permissions) is of limited use, only useful for adding extra permissions. The inability to remove individual permissions, or to assign multiple permissions in one action means that you have to resort to removing all of the permissions and adding them back in one at a time. But the act of removing the permissions prevents you doing anything else with the item at all.
What am I missing?
I think that it happens because you are changing permissions for the user that created the item ( and started the workflow ) that should the owner of that instance. This user should keep the permission to Contribute during all instance.
Yes, this is the problem. The "remove all permissions" in step 1 renders the item invisible to the initiating user - whether the user is a real human or the app (as in an app step).
This means that you can never use it to make the item read only for certain users, because the only option for removing permissions is to remove all, and you can only grant one permission at a time while doing this.
Dave, You could create a SharePoint page, then add the listview web part function to it for the list in question. Then to display the data just for that user filter on user = [Me] . You can remove the edit function in your list by deselecting it when selecting the fields to show. This way the user can see the data but not modify it.