AnsweredAssumed Answered

Permission handling for leave requests

Question asked by feede on Feb 1, 2018

Dear all,

 

a time ago I designed a leave request workflow. On the leave request list, the workflow was running on, all users had contribute permissions initially to create their leave requests. As soon as a new item was created, I broke the inheritance of the item and gave the initiator of the workflow only read permissions on the item. That way I wanted to prevent them changing the item. Afterwards I have 3 Flexi-Tasks in the workflow for approval and registration of the the leave request. In the Flexi-Tasks, I added contribute permissions for the assigned users to the item in order they can process their tasks. The workflow worked fine for the last 2 years and a lot leave requests were created already. Currently we have about 8000 items in the list, although we keep only the ones from the last 6 months.

 

Since last week the site, were the workflows were running started to behave strange. It took up to a minute to open up the site. At the end it turned out, that this was because of the individual permissions on the items. Microsoft recommends to have a maximum number of unique security scopes of 5000. This value we definitely exceeded...

 

I restored the inheritance of the items and now everything is fast again but now users can change their items and read items of other users if they would navigate to the item directly via the URL. Because the items contain sensitive data this is not the behavior we want to have.

 

So my question would be if anyone has an idea how to setup the permissions in a correct way without breaking the inheritance on every item.

 

Thanks in advance!

Markus

Outcomes