
SharePoint 2010 - Configuring List Item Permissions with Workflow

Categories:MOSS; WSS; 2007; 2010; Site Manager/Power User; Security; Workflow

 

I had a pretty "simple" requirement from the client where:

  1. We want a Request list where people from across the company can add requests and assign each one to a department.
  2. Once a request is created, only members of that department have access to the item.

Permission Groups

You can use Active Directory groups here as well. Here are my four SharePoint security groups, one per department.

2011-01-07-SP2010ListPermissions-01.png
Figure 1: 4 different security groups

Department Lookup List

I plan to use a reusable workflow later to configure the list item permissions, so the fields involved need to be site columns. Here is the first one, DepartmentGroup. This is a Person or Group field.

2011-01-07-SP2010ListPermissions-02.jpg
Figure 2: Site Column for people and groups

Then I create a Departments lookup list that uses it:

2011-01-07-SP2010ListPermissions-03.jpg
Figure 3: Departments Lookup list

Request List

Here's the second site column: a lookup column to the Departments list. I'm bringing over the ID field as an additional field, using SharePoint 2010's additional-fields capability.

2011-01-07-SP2010ListPermissions-04.jpg
Figure 4: ID as Additional field

Add a few records:

2011-01-07-SP2010ListPermissions-05.jpg
Figure 5: Creating a new item in my request list

2011-01-07-SP2010ListPermissions-06.jpg
Figure 6: See the Department:ID

Remove List Permissions

By default, at this point my Request list is inheriting permissions from the parent site. So first stop inheriting permissions from the parent, then do a bit of house cleaning and remove the unnecessary groups to keep it simple.

Remember, if you are not the site administrator, don't remove your own permissions; otherwise you lose the ability to modify the list!

Let's Work on that Workflow

The idea of the workflow is:

  1. Whenever an item is updated
  2. Look up the group based on the selected Department (via the additional ID field)
  3. Assign item-level security to the list item
  4. Remove the existing permissions on the item, and grant the department group permission to view and modify that request.

Let's get started. First create a reusable workflow that targets any content type.

We'll need the lookup site column, so associate it with the workflow. This uses SharePoint 2010's reusable workflows.

2011-01-07-SP2010ListPermissions-07.jpg
Figure 7: Associate just a site column in SP2010 reusable workflow

The permission steps need to run as impersonation steps. Impersonation steps cannot be mixed with the normal steps (such as Step 1). This is a new workflow capability in SharePoint 2010.

2011-01-07-SP2010ListPermissions-08.jpg
Figure 8: Create an impersonation step

Remove the (unused) Step 1 and add the "Replace permission" action. This workflow action is only available inside an impersonation step.

2011-01-07-SP2010ListPermissions-09.jpg
Figure 9: Add replace permission workflow

Start with the second parameter, which is the easier one. Click on "this list" and select Current Item.

2011-01-07-SP2010ListPermissions-10.jpg
Figure 10: Select current list item

2011-01-07-SP2010ListPermissions-11.jpg
Figure 11: Replace permissions on the current list item

Click on "these permissions"; we want the Contribute and Read permissions.

2011-01-07-SP2010ListPermissions-12.jpg
Figure 12: Add permissions

Click on "Choose" and set who we'll be granting Contribute/Read to.

2011-01-07-SP2010ListPermissions-13.jpg
Figure 13: Select the user - use workflow lookup

Select "Workflow Lookup for a User…" and click Add.

We want to do a lookup on the Departments list.

2011-01-07-SP2010ListPermissions-14.jpg
Figure 14: Lookup from the departments list

The field we want is DepartmentGroup (our Person or Group site column). Return the field as Login Name.

Set the filter Field below to ID.

2011-01-07-SP2010ListPermissions-15.jpg
Figure 15: lookup permission group

Set the filter Value field to Current Item.Department:ID.

(You can also use the DepartmentLookup field here; just return it as Integer.)

2011-01-07-SP2010ListPermissions-16.jpg
Figure 16: Select department:ID from current item

Final result:

2011-01-07-SP2010ListPermissions-17.jpg
Figure 17: Check everything

Click OK through all the dialogs. Remember to save and publish.

2011-01-07-SP2010ListPermissions-18.jpg
Figure 18: Save and publish

Go back to the SharePoint list.

Configure the workflow and make sure it runs when a list item is created or modified.

2011-01-07-SP2010ListPermissions-19.jpg
Figure 19: Workflow settings
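For readers who would rather script the same permission change than click through Designer, here is the equivalent of the impersonation step's "Replace permissions" action written against the SharePoint 2010 server object model. This is an added example, not code from the original post; the site URL and the list and column names (Requests, Department, Departments, DepartmentGroup) are assumptions based on the screenshots, so adjust them to your own site. It goes beyond the post in one respect: it reads DepartmentGroup as a multi-valued collection, so a department with several groups gets all of them granted.

```powershell
# Added example: replace the permissions of one Request item with Contribute + Read
# for the department's group(s), mirroring the workflow's impersonation step.
# Run from the SharePoint 2010 Management Shell on a farm server, as a user who is
# a site collection administrator (the script removes every existing role assignment).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web        = Get-SPWeb "http://intranet/sites/requests"   # assumed URL
$requests   = $web.Lists["Requests"]                        # assumed list name
$depts      = $web.Lists["Departments"]                     # assumed list name
$contribute = $web.RoleDefinitions["Contribute"]
$read       = $web.RoleDefinitions["Read"]

function Set-RequestItemPermissions {
    param($item)   # a Microsoft.SharePoint.SPListItem from the Requests list

    # 1. Resolve the selected department. A lookup value is stored as "ID;#Title",
    #    so SPFieldLookupValue gives us the same ID the workflow reads from Department:ID.
    $lookup   = New-Object Microsoft.SharePoint.SPFieldLookupValue([string]$item["Department"])
    $deptItem = $depts.GetItemById($lookup.LookupId)

    # 2. Read the DepartmentGroup Person/Group column as a collection, so a department
    #    with several groups (the case the workflow lookup only handles for the first
    #    group) gets every one of them.
    $principals = New-Object Microsoft.SharePoint.SPFieldUserValueCollection($web, [string]$deptItem["DepartmentGroup"])
    if ($principals.Count -eq 0) { throw "Department '$($deptItem.Title)' has no DepartmentGroup set" }

    # 3. Stop inheriting from the list without copying the list's role assignments,
    #    then remove whatever SharePoint left behind so the result is a strict replace.
    if (-not $item.HasUniqueRoleAssignments) { $item.BreakRoleInheritance($false) }
    for ($i = $item.RoleAssignments.Count - 1; $i -ge 0; $i--) { $item.RoleAssignments.Remove($i) }

    # 4. Grant Contribute and Read to each department principal. A user or an AD
    #    group comes back as an SPUser; a SharePoint group has a null User and its
    #    LookupId is the group ID.
    foreach ($uv in $principals) {
        if ($uv.User -ne $null) { $principal = $uv.User }
        else                     { $principal = $web.SiteGroups.GetByID($uv.LookupId) }
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
        $ra.RoleDefinitionBindings.Add($contribute)
        $ra.RoleDefinitionBindings.Add($read)
        $item.RoleAssignments.Add($ra)
    }
}

# Usage (constructed sample): secure request item 3, then release the SPWeb.
$item = $requests.GetItemById(3)
Set-RequestItemPermissions $item
$web.Dispose()
```

Like the workflow action, this removes the permissions of whoever ran it as well, which is why it should be run by a site collection administrator rather than an ordinary list owner.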

Verify Results

Check the permissions of our first request (created before we built the workflow).

2011-01-07-SP2010ListPermissions-20.jpg
Figure 20: Old item before workflow

It is inheriting from the list; nothing special here.

2011-01-07-SP2010ListPermissions-21.jpg
Figure 21: inheriting from list

Create a new request for our Network department and see that the workflow has completed.

2011-01-07-SP2010ListPermissions-22.jpg
Figure 22: Create a new request and check workflow completed

Check its permissions:

2011-01-07-SP2010ListPermissions-23.jpg

"NetworkHeroes" has been assigned the "Contribute" and "Read" permissions on the list item; everyone else has been stripped out.

The List Item has also stopped inheriting permissions from the parent list.
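Checking one item in the browser is fine for a demo, but since the workflow only fires on items created or modified after it was associated, older requests (like the first one above) keep inheriting from the list. The following script, added here and not part of the original post, audits every item in the Requests list and flags any item that still inherits or that grants access to a principal other than its department's group. The site URL and the list and column names are the same assumptions as in the screenshots (Requests, Department, Departments, DepartmentGroup).

```powershell
# Added example: audit item-level permissions on the Requests list after the
# workflow has been associated. Run from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web      = Get-SPWeb "http://intranet/sites/requests"   # assumed URL
$requests = $web.Lists["Requests"]                        # assumed list name
$depts    = $web.Lists["Departments"]                     # assumed list name

function Test-RequestItemPermissions {
    foreach ($item in $requests.Items) {
        # Which group should be the only one with access to this item?
        $lookup   = New-Object Microsoft.SharePoint.SPFieldLookupValue([string]$item["Department"])
        $deptItem = $depts.GetItemById($lookup.LookupId)
        $expected = (New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$deptItem["DepartmentGroup"])).LookupValue

        # Items the workflow never touched still inherit the list's permissions.
        if (-not $item.HasUniqueRoleAssignments) {
            Write-Warning "Item $($item.ID) '$($item.Title)' still inherits from the list (workflow has not run on it)"
            continue
        }

        # List every principal and role on the item; anything other than the
        # department group is a sign the replace step did not do what was intended.
        foreach ($ra in $item.RoleAssignments) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            $flag  = if ($ra.Member.Name -eq $expected) { "" } else { "  <-- unexpected principal" }
            "{0,4}  {1,-30} {2,-20} {3}{4}" -f $item.ID, $item.Title, $ra.Member.Name, $roles, $flag
        }
    }
}

Test-RequestItemPermissions
$web.Dispose()
```

Editing an inheriting item (or starting the workflow on it manually) brings it under the same rule as new requests; re-running the audit afterwards confirms that nothing still inherits.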

Summary

So the solution works and is relatively elegant.

The following features in SharePoint 2010 make this example a little bit cleaner (or possible) than with SharePoint 2007:

  • "Additional Fields"
  • Impersonation Step
  • Re-usable Workflows
  • Replace Permissions Action

Comments

Claire

Very useful!

Great post--it's something we definitely needed and I wasn't quite sure how to do! Screenshots were helpful too :)

Posted 11-Jan-2011 by Claire
FearTheSwamp

similar request

We have a similar request. We need to prevent site owners from adding users to their site who are not already in a specified AD group.

Posted 01-Nov-2011 by FearTheSwamp
Thomas

Assigning item permissions to multiple AD groups at once

Great article!
 
I have a need to assign item permissions to multiple AD groups at once. I tried to modify your example by making the "DepartmentGroup" site column allow multiple values and assigned several AD groups to one "Department" item, but the workflow ended up displaying "Error occurred". With only one AD group per "Department" item, the workflow completed successfully.
 
Any suggestions how to make this work?
 
Thanks!

Posted 10-Nov-2011 by Thomas
Alison

Also looking for multi groups

I have the same question as the person above me. This workflow is awesome and is just what I needed, only I want to allow multiple departments to be selected. My workflow doesn't show error occurred - it completes, but it doesn't grant permissions to the groups when it runs on a multi-selected item - only to the first group alphabetically. Any help would be supremely appreciated!

Posted 16-Nov-2011 by Alison
Brandy O'Neal

Also looking for Multiple Group Selection

I set the site columns to allow multiple values. The workflow runs without error, however, permissions are only granted to the first department selected. I would appreciate any guidance you can provide in helping with this issue. Thank You!!

Posted 30-Jan-2012 by Brandy O'Neal
John Wong

Need help

Hello John, thank you very much for a useful post. My co-worker and I tried to follow each step of your instructions, and we have to stop at Figure 17 because we are not able to get the Value as CurrentItem:Department:ID. I appreciate your time. Thanks,

Posted 26-Feb-2012 by John Wong
Todd

Figure 17

I'm stuck at 17 too. I don't have the Department:ID as a choice either.

Posted 04-Oct-2013 by Todd
saber ghanmi

SharePoint Rules Permissions

http://permissionmanagement.codeplex.com/ This feature allows you to manage item permissions dynamically.

Posted 22-Nov-2013 by saber ghanmi
