rszabo

List item and column level permission and security

Discussion created by rszabo on Apr 2, 2016
Latest reply on Jun 11, 2018 by rszabo

I post this, because I couldn't find these information at one place when I needed it, and I think it might be useful for somebody in the future. Please feel free to challenge or extend it. I'm happy to learn more or correct my errors.

 

We had quite a huge issue with different levels of permissions in different roles, different levels of access to the same data...

 

Few basics we need to be aware:

  • Workflows will run with the Initiator's permissions, so that the initiator needs Edit rights all through the  life-cycle of the workflow.
  • Initiators usually part of a SharePoint / AD group so they need the same permissions
  • You can set Item level permission in SharePoint but there's no Column level, So if somebody can edit an Item they basically can edit every column in that item.
  • With Nintex workflow you can set up the item level permissions, automate it. (Set Item Permissions)
  • A user who takes part in the workflow need edit rights not just on the Item list, but on the Workflow Taks list too.
  • Only the assignee can edit the Task form.

 

Different approaches to cover every possible weak-points on List level...

 

List Form:

  • Create a User Permission level for workflow user in which they have "Contributor" rights without deleting items and create/modify Views rights. So that you can be sure they can't accidentally delete items and they can't access to those columns you don't want (which they can't see through forms).
  • Make the limited view the only public, default view.
  • We Edited the List Form by using IsDislayMode, IsNewMode, IsEditMode properties in Formatting Rules and We put the controls into panels, and assigned the Rules. Hide what you don't want on New Mode, Deny Edit Mode (No controls available).
  • New form had limited available fields, just what's necessary.
  • On the Display Mode form, we used the fn-IsMemberOfGroup("YourSharePointGroupName") function in the Panel/Control's Visibility settings (Visible: Expression)
  • If you're really scared that they still can edit the list's page (webpart settings > Advanced > Target Audiences). Put webparts onto pages with different views.
  • Full control freak: You can edit the List's page, select the list's webpart and set the Target Audience.

 

Workflow:

  • When the workflow starts you can put a "Set item permission" node in the workflow and remove all the existing rights and create your own.
    • Remove the existing rights
    • Give the Initiator the Contributor like rights (mentioned above)
    • Set the respected groups, people the necessary rights if they need to see (Read) the item all the time)
    • Hint 1: Put a the Site Owner like (Full access) group (which you're part of) to the item with Full access, so later you can still help your users if they make mistakes.
    • Hint 2: sometimes the workflow dies If there's a user task after a Set item permission. Then it's a good solution to put a "wait for 1 minute" action between the two.

  • On the Taks nodes (Flexi task, Data request, etc), you can set extra right for the assignee while he/she needs to work on the respecting item/task.
    • You can give the Contributor like rights while she has the task, then you can take it back. Revoke the rights.

Outcomes