I have a fairly standard requirement – when an item is created, I want to remove the ability for normal users to edit/delete it, but retain permissions for admin users to remove and edit it.
Simple, right?
Nintex Workflow has an action “Update item permissions”, which sounds like just the ticket.
This action can basically do three things:
- Remove item permission inheritance
- Clear all item permissions
- Assign one group to one permission
So here’s my first attempt:
- Add an action that a) removes inheritance b) removes all permissions c) assigns full control to my admin group
- Add an action that a) assigns read control to my users group
This fails because step 2 can’t run. The user that invoked the workflow no longer has permission to see or edit the item at this point, thanks to stripping the permissions in 1).
So, refine it a bit:
- Wrap the above steps in an app step, so it runs in the context of the app permissions
This also fails because step 2 can’t run, since the app doesn’t have permission to see or edit the item, thanks to stripping the permissions in 1). The error is that the item doesn’t exist at step 2.
The closest I can get is:
- Add an action that a) removes inheritance b) removes all permissions c) assigns read control to a user group
But this leaves the item in a state where it can’t be edited or deleted by anything other than Site Collection Admins. Not ideal.
Unless I’m missing something obvious, it seems that this action (Update Item Permissions) is of limited use, only useful for adding extra permissions. The inability to remove individual permissions, or to assign multiple permissions in one action, means that you have to resort to removing all of the permissions and adding them back in one at a time. But the act of removing the permissions prevents you from doing anything else with the item at all.
What am I missing?
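For comparison, here is the same order of operations (break inheritance, clear, grant admins, grant users) carried out outside the workflow with PnP PowerShell. This is an added example, not code from the original post or from Nintex; it assumes the PnP.PowerShell module is installed, that `Connect-PnPOnline` has already been run as an account or app holding Full Control on the site, and that the list, item id and group names are placeholders for your own. The point it illustrates is that the principal you want to keep is granted in the same call that clears the inherited assignments, so the item is never left with no principals at all.

```powershell
# Added example (not from the original post or from Nintex): lock down a newly created
# list item so that only an admin group can edit or delete it while a user group keeps Read.
# Assumptions: PnP.PowerShell is installed, Connect-PnPOnline has already been run with an
# identity that holds Full Control on the site, and every name below is a placeholder.

param(
    [string]$ListTitle  = 'Requests',        # placeholder list title
    [int]   $ItemId     = 1,                 # placeholder item id
    [string]$AdminGroup = 'Request Admins',  # placeholder SharePoint group
    [string]$UserGroup  = 'Request Users'    # placeholder SharePoint group
)

# Step 1: break inheritance, clear every existing role assignment and grant Full Control
# to the admin group in a single server call. At no point is the item left with zero
# principals, which is what made the workflow's second action fail.
Set-PnPListItemPermission -List $ListTitle -Identity $ItemId `
    -Group $AdminGroup -AddRole 'Full Control' -ClearExisting

# Step 2: add Read for ordinary users. The caller can still see the item because its
# site-level Full Control is not affected by item-level role assignments.
Set-PnPListItemPermission -List $ListTitle -Identity $ItemId `
    -Group $UserGroup -AddRole 'Read'

# Step 3: verify. Expect exactly two principals on the item: the admin group with
# Full Control and the user group with Read. Any other principal means inheritance
# was not broken or an extra assignment slipped through and should be investigated.
$perms = Get-PnPListItemPermission -List $ListTitle -Identity $ItemId
$perms | Format-Table -AutoSize
```

Run it once per item after creation (for example from a scheduled job or an event receiver that runs under a site-scoped identity). The verification step is worth keeping in any automation: item-level permission drift is easy to miss, and an unexpected principal on a locked item is the kind of thing you want surfaced rather than silently tolerated.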