We've implemented your basic time off vacation request form and approval workflow with lazy approval. I'm guessing I broke permissions because people who are approvers on list items can't go to the list and view the items they've approved. In other words, I'd like all managers to be able to see their staff's requests in the list. Instead, the managers are currently only seeing their own requests.
So without using item-level permissions, which I read have a long-term performance impact, what permissions am I missing that will allow this? I have the "approvers" group with approval permissions, and I tried giving them read permissions but no change.
I don't think there is a solution not including single item permissions. Without item permissions you only have site or list item permissions that are affecting all items the same way, thus making everything visible to the same people.
In addition to that, you have a switch in the list settings that lets you enable the option for everyone to see only their own elements, which is too sharp for most HR processes.
To get around this you will need single item permissions, giving the initiator, the manager and HR staff the permissions to view their elements.
Single item permissions are bad when they come in masses, this is correct. However, they are a valid approach if you also go with a good life cycle concept. For example, you can add retention rules to the list that delete elements in the list once they are 12 months past the end of the vacation (or you can also use the creation date).
If you need to maintain the elements for a longer period, you can move them after a specific time to a list that only a limited group of people has access to (which means list permissions again) and keep the items in that archive.
Hi Enrico, sorry for the late reply. This list in question could easily have 3000 items in a given calendar year and we'd want items to remain for at least 18 months. I think this exceeds the recommendations for unique item permissions.
I've decided to take a different approach and I'll describe it here in an effort to help others.
The list contains a "created by" field which is the user requesting the time off. We've added an "approver" field (person type) and within the workflow we populate that field with their manager. I've then created a filter on the view that filters on "Created by Equals [Me]" OR "Approver Equals [Me]". Thus, if the manager is viewing the list that manager will see all of his/her staff's requests and all of his own. If a staff member is viewing the list, they'll continue to see their own. The view is the default view for the list. I've then created a hidden view for HR which does not contain this filter so that HR will be able to see everyone.
Yes, security through obscurity but in this case workable. This isn't highly confidential data.
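The view filter described in the last post, written as the CAML query a SharePoint view stores. This is an added example, not part of the original thread. `Author` is the internal name of the built-in "Created by" column; `Approver` is an assumed internal name for the custom person field, so substitute the name your list actually uses.

```xml
<!-- Added example: view query for "Created by = [Me] OR Approver = [Me]" -->
<Query>
  <Where>
    <Or>
      <!-- Requests the current user submitted -->
      <Eq>
        <FieldRef Name="Author" />
        <Value Type="Integer"><UserID /></Value>
      </Eq>
      <!-- Requests where the workflow set the current user as approver.
           "Approver" is an assumed internal column name. -->
      <Eq>
        <FieldRef Name="Approver" />
        <Value Type="Integer"><UserID /></Value>
      </Eq>
    </Or>
  </Where>
  <OrderBy>
    <FieldRef Name="Created" Ascending="FALSE" />
  </OrderBy>
</Query>
```

The query only controls which items the view displays. Item permissions are unchanged, so anyone with read access to the list can still reach every item through another view or a direct item link.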