Solved

Person or Group SP column with Group selected restricts access to Edit/View Form


Badge +4

Nintex Forms 2013 Ver 2.10.2.0

Windows 7, IE11

 

1) Created a SP list that has a Person or Group column set to Choose a Group.

2) The Nintex Form has a control connected to the column, so that the user can select an individual from only that group.  The group is significant and needed, as this control/field is used to drive WFs and email notifications.  Selecting a user not included in the group would cause major problems with persons receiving emails and alerts intended for other persons.

3) After the user has selected a person from the Group and saved the record (item), whenever anyone tries to access that record, only members of the group can edit or view that record.

4) It appears that once a member of the SP group has been associated with the record, users who are not members of the group have no access to the record.

5) However, users with "Full Control" are allowed access.

6) If I change the Person or Group column to select "All Users", the restriction is lifted.

 

This looks like a permissions issue, but it also seems to be related to Nintex not managing the use of SP Groups correctly.  Trying different combinations of permissions has not solved the problem.

 

Any insight or assistance would be appreciated.


Best answer by markd 9 April 2018, 15:08


13 replies

Userlevel 5
Badge +14

Do you have list permissions configured so that only members of the specific group (apart from admins/full control) have read/edit permissions granted?

Badge +4

Thank you for your reply and question.

Yes, I did create permissions so that only group members can enter/edit certain controls on the form.

This issue is a bit complex as there are multiple variables that seem to affect the outcome (undesired results)

1)  Created a SP column Person or Group "Change Manager Assigned" that references a SP group OpRisk Change Managers containing 5 members

  • Purpose was to have group members names, addresses, etc from the Active Directory available for tasks, emails, etc.

2) Used the SP People control (not the Nintex People control) on my form.

  • The control "Change Manager Assigned" is connected to the SP Person or Group column

3) Once the person (Change Manager) is selected for its own control, I then use that value to manage who can enter values in several other controls, using a Rule that disables the control when any user other than the Change Manager is the Current User.

4) When the form is complete, the form and connections back to the SP list all work as intended.

5) WFs use those values effectively.

6) The problem arises when attempting to Edit/View the records (items) from SP.

  • Certain unintended behaviors occur when a user who is not a member of the Group goes to Edit or View the item
  • When attempting to View the item, SP returns an Access Denied message

  • When opening the item in Edit mode, the field that contains the "Change Manager" value is presented with a representation of the value from the Active Directory that is related to the person, but is their corporate user code (that is to say, it's not their name, which is normally represented in that value).

This is the way the value is presented (same item) when the item is opened to Edit by a member of the Group.

7) After much trial and error experimentation, the problem is remedied when the SP Column is changed to "All Users"

8) That solves the Edit/View problem, but now I cannot restrict the selection of the persons in the form to only that group of 5 persons.  That exposes the risk of selecting persons in the Active Directory who have similar names.

9)  I've been experimenting with the Nintex People control thinking I should not be using the SP People control, but have not finished that testing yet.  One problem with the Nintex People control - if I want to use the SharePoint Group setting under Advanced, the control cannot be connected (bound) to the SP column, thereby rendering the control useless for anything other than displaying the value on the form.

Badge +4

Another note on the above.

Before I built the Rule to Disable the control if the Current User was not the Change Manager, I controlled enablement of the Control to only the Group (not the specific member of the Group) by using the Control's Appearance Setting and the "fn-IsMemberOfGroup" runtime function in the formula.  That worked well also, but the problems with the Edit/View function in SP still presented themselves. Changing the SP Person or Group setting to "All Users" was, again, the only way around that. I tried the Rule approach as an attempt to solve the problem.

I appreciate any assist that knowledgeable folks might offer.

Also, meant to mention earlier, the permissions assigned to the group are similar to the generic "Contribute", which I have named "Contribute (No delete - Personal Views enabled)". I have removed permissions for deleting items and versions and managing web parts, and a couple of site permissions.


Userlevel 5
Badge +14

Could you post the configuration of the "Change Managers" SP group as well?

I'm especially concerned about the "who can enumerate group membership" setting. If you have it set to group members only, it may cause this behaviour.

Badge +4

Marian

Thank you for looking at this with me.  Below is a screen shot (3) of the Group Permissions in question.  The screen shots above are from my own spreadsheet matrix of all the permissions I've created or using for various lists/libraries.  In order to keep users from inadvertently deleting records or versions, and lock down public views, I used the OTB "Contribute" permissions and then modified it slightly.  The setting for "Enumerate Permissions  -  Enumerate permissions on the Web site, list, folder, document, or list item" was unchecked in the "Contribute" permission, so I thought I would be safe in continuing that in my new customized permission setting.

Userlevel 5
Badge +14

This is the setting of (your custom) Contribute permission level.

I meant the settings of the "Change Managers" SP group.

Go to site settings >> people & groups >> select group >> group settings

Badge +4

Of course - thank you.  Here you are:

Userlevel 5
Badge +14

As I suspected, you have configured the option "Who can view the membership of the group?" to "Group members" only.

Try to change it to Everyone. I believe it will solve your problems.
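Added example (not part of the original thread): a read-only audit, for the SharePoint 2013 Management Shell, that lists every Person or Group column restricted to a SharePoint group whose membership is visible to group members only, which is the combination identified in the answer above. The site URL is a placeholder, and the script assumes it is run on a farm server by an account with access to the site.

```powershell
# Added example: find Person or Group columns bound to a SharePoint group
# whose "Who can view the membership of the group?" is "Group Members".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl = 'https://sharepoint.example.com/sites/changes'   # placeholder URL (assumption)

$web = Get-SPWeb -Identity $webUrl
try {
    $findings = foreach ($list in $web.Lists) {
        if ($list.Hidden) { continue }
        foreach ($field in $list.Fields) {
            # Only user fields limited to a group (SelectionGroup holds the group ID, 0 = All Users)
            if ($field -isnot [Microsoft.SharePoint.SPFieldUser]) { continue }
            if ($field.Hidden -or $field.SelectionGroup -le 0) { continue }

            $groupName   = '<group not found>'
            $membersOnly = $null
            try {
                $group       = $web.SiteGroups.GetByID($field.SelectionGroup)
                $groupName   = $group.Name
                $membersOnly = $group.OnlyAllowMembersViewMembership
            } catch {
                # The column still points at a group ID that no longer exists
            }

            [pscustomobject]@{
                List            = $list.Title
                Column          = $field.Title
                Group           = $groupName
                MembersOnlyView = $membersOnly
            }
        }
    }

    # Columns whose group hides its membership from non-members
    $findings | Where-Object { $_.MembersOnlyView } | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```

The setting changed in the group settings page corresponds to `OnlyAllowMembersViewMembership` on the group object; setting it to `$false` and calling `Update()` on the group makes membership visible to everyone with access to the site, so review whether the member list itself is sensitive before changing it.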

Badge +4

Marian

Made the changes and tested - Thank you! Thank you!

I could not see that as a potential issue.  Mistakenly assumed it was related to being able to view group membership or something like that.  Nagging at me for 3 months.

 I have 3 lists being used for 3 different change tracking and/or employee submissions and each one had the same problem as I was using the different User Groups to manage a range of controls, rules permissions, etc.

A virtual cup of coffee or dinner to you at the least

Mark

Userlevel 5
Badge +14

A mug of beer would be very fine.

Consider marking as the correct answer the post that answers the original question/problem, so that others can easily match the two.

Badge +7

This was exactly what I needed! Thank you Marian Hatala

Userlevel 5
Badge +14

One more mug of beer.

Just wanted to drop a thank you for this answer! I was so stuck on how to resolve and this was the key. Adding another virtual beer for you @emha!
