Hi guys, I'm looking for a way to accomplish this task.
I would like my users to be able to upload documents to a document library, but they can't access their files until a manager has given approval. They should be able to upload into a "buffer" restricted area, and receive their document only after the manager has approved the document.
I know that it's a strange behavior: if I can upload a document, I already have access to it. This is a company policy that every document going out from the company must have an approval status. At the moment we use some MFC printers to scan documents, and users can access these functions after authentication. The MFC scans the document into a SharePoint document library, and a Nintex workflow starts on each new document. A Flexi task action with a form requests some more attributes/info and also asks who the approver is. Everything is working, because after the approval, I can attach the PDF document to a mail and return it to the initiator. But in this kind of design there is a big hole, because the initiator could have access to the uploaded file even before the manager's approval. We hide the document library for scans, but the item that starts the workflow has the initial user as owner, and looking at the workflow status/history, he could click on the item link and easily view/download the document.
I've tried modifying permissions on the item, just after the upload, but without success. The task created by Nintex in "my workflow tasks" references an object that it no longer has access to (changed permission) and therefore cannot continue.
At the moment the workaround has been to disable the href on the <a> link that references the uploaded PDF file.
It would be better if I could find a solution to implement only with Nintex workflow actions.
PS. At the moment I'm working on a separate list, 1 to 1 with the uploaded PDFs in the document library, with a workflow that copies metadata from one item to the other. But it isn't an elegant solution.
Thinking about your requirements has generated this scenario in my mind:
You can do all the permission changes or the updates because you know the ID of the item in the document library,
Items in the auxiliary list may be deleted at the end of the workflow, so all the data can live in the document library.
Does this scenario fit your needs?
SharePoint 2013, if that's what you're using, has a built-in tool that can help with most of this process - the Content Organizer. It allows you to specify documents that are uploaded to a site to be filtered, and if necessary - redirected to another location on the site. From there they can await approval before being copied (via a workflow) to their final destination. In this process you can incorporate a workflow for the approval portion. If you require certain attributes before accepting the document into your system, the Content Organizer has rules to check against. If these rules are not satisfied, the documents are stored in a Drop Off library - a holding queue - until corrections are made. Once corrected they automatically proceed on their intended course.
The one workflow snag in this OOTB tool is that all the document handling (on the back end) appears to be handled by system accounts. This, however, creates problems when you want to have workflows run on items created in a library. The OnCreate workflow won't run if it's created by a system account. It will require some customization to get over this "feature" in SharePoint.
Here's a link to the Office site with info on the Content Organizer: Configure the Content Organizer to route documents