SharePoint 2007: Fine grained permission control

Posted on 4/10/2007 @ 9:10 AM in #SharePoint by | Feedback | 55321 views

Consider this scenario -


You are trying to setup a document approval workflow in your Sharepoint installation. At the bare minimum, you have two users, one that starts the workflow, and second who approves the workflow. Now, if you are insisting that these could be the same user, yeah, in demonstrations they could be the same user, but never in the real world. And it is these real world scenarios that will come bite you in the ass, not the demos.

So, you have a document library, in which you have one user who starts workflows with "Contribute" permissions setup. A third user, the administrator, has already setup the approval workflow. So let us give these users appropriate names.

- Administrator
- Sahil, who starts the workflow
- Captain America, who approves/rejects the document

At the minimum, you have a task list, and you have the document library.

Now, out of the box, you have various permission levels, "Full Control", "Design", "Contribute", "Read" etc. So, in order for this workflow scenario to work, I would have to give Design rights to both Sahil and Captain America.

Now, what happens in the real world is, Captain America, now has the rights to "Delete" as well as "Approve". What a shame, because the dufus captain America is, he will definitely accidentally delete the assigned tasks, or (shudder) even the document, and complain that your system is broken.

What you need here, is fine grained permission control, to restrict Captain America from deleting, but still allowing him to view pending approval documents, and approve them, and edit rights to the task list, so he can't create new tasks but he can edit existing tasks.


So, now that I've made the case for why you must have fine grained permission control, here is how you'd do it.

There are 2 ways to give fine grained permission control in SharePoint.

At a global level, you can deny certain permissions to everyone in an application. Go to Central Administration > Application Management > User Permissions for Web Application, and uncheck anything you'd rather not have users use. So, if you want users to not be able to delete, uncheck the "Delete Versions" checkbox under List Permissions. This page looks like as shown below:

There are a few important points of mention regarding setting such fine grained permissions at the global level -

  1. You can only deny. By default, everything is allowed, unless the site itself prevents the user from receiving a specific permission. This global deny will override the site level allow. In other words, even if you have contributer rights on the site, and you deny "delete" via this method, guess what, you still can't delete.
  2. Permissions are split into two halves - site level, and list level. This makes sense because, consider an example - while you can apply a theme to a site, you can't apply a theme to a list. So the permissions are different.
  3. This still doesn't help you solve the workflow scenario I described above :-/. For that, you need to come down to the even more granular site level.

At the site level, you can approve/deny permissions using the pre-existing permission groups, "Full Control", "Design", "Contribute", "Read" etc. But, in order to solve the above scenario, you have to create a new permission group level that lets you view/approve but not delete. In order to do so, go to Site Settings > Advanced Permissions >> Settings > Permission Levels. This page looks like this -

Here, when you click on "Add a permission level", you will see the following screen -

.. whoaa!! doesn't this look very very similar to the permissions you set under central administration?

As a matter of fact, the specific permissions you see here, are always a subset of permissions you see under central administration. So if you disallowed a site to have "Manage Lists" permissions allocatable (yuck, if that is a word), then, the fine grained permissions at the site level, won't even show that as an option.

In most non-demonstration scenarios, especially concerning workflows, if you wish to deliver a locked down system (thereby reducing your headache in the long run), you will probably see yourself meddling with this stuff often.

Sound off but keep it civil:

Older comments..

On 9/26/2007 6:35:32 PM dim us as SPFool said ..
What if user has contributor rights at site level.... and viewer rights on document library level....this is the situation that already took a part of my ass....

And coming back to your example I found that the initiator of workflow can approve the all the task for that workflow.....Is't that a great facility... :-)

On 9/27/2007 5:15:00 AM Sahil Malik said ..
SPFool - I have no idea WTF you're talking about man! Wanna try typing your message one more time?

On 10/9/2007 11:04:28 AM SIRA said ..
Will this work with SharePoint 2003?

On 10/25/2007 12:14:15 PM DHTexas said ..
I'm using Excel Services to display an Excel graph on a webpart.

Can I make the graph visible but somehow hide the entire Excel workbook that resides in the report library? Is this done with the "View Only" permission setting?

On 12/4/2007 9:28:43 AM yuriy said ..
Hi, is it possible to define my own permission (not permission level) and than just enable or disable it for each permission level? Thank you.

On 12/13/2007 5:22:15 PM Meredith said ..
Hi Sahil,

Any idea why site-level perms wouldn't work at all? Is this the infamous SharePoint Wierdness speaking? We have an internal-Microsoft SharePoint web site and if we add SharePoint Administrators, they are able to access the site prefectly fine (but have godlike control). If we add them to site-level perm user groups, the user can't access anything (and are considered dead in SP Land).

If you have any advice, it would be much appreciated.

Thank you!


On 1/6/2008 1:15:10 PM minnfinn said ..
I'm trying to keep the public from viewing portions of our external SP site. I removed the visitors group from the permissions in 3 separate subsites. They can still view 2 of them but not the third. What else should I do? This seems like it should be simple but I can't figure out why it won't work. Thanks!

On 1/18/2008 7:09:02 AM Jim Raley said ..

How do permissions affect workflows? If I have a workflow on a list library that edits fields after an item is added, does the user need to have editing permissions for that workflow to fire properly?

In my experience, it seems like "yes", but something definitive would be helpful.


On 1/18/2008 3:08:52 PM Sahil Malik said ..
Jim - the answer is - yes the user will need edit permissions.

You can always impersonate though (check out Ted Pattison's article in February's MSDN Mag).

On 1/22/2008 5:10:17 PM Guy said ..
Is there any way to allow users to manage some settings on a site (for example, manage the Quick Links order) but prevent some settings from being used (for example...the 'Delete Site'? I need to let users change the order of sub pages/sites links in a site's navigation but not allow them to delete the site!

On 2/25/2008 1:30:02 AM Rupali said ..
helo. can u tel me how can i restrict end user group to access Only authorized pages,in My site

so urgent


On 3/7/2008 4:28:13 PM Martin said ..
Is there any way to allow certain people to add items, but not view items in a document library?

On 3/7/2008 9:16:14 PM Fred Morrison said ..
For the guy who wants to make sure only the user a task is assigned to can mess with it, I offer the following code. It applies to the composite activity called WssTaskActivity that comes with the ECM Starter Kit, but it shouldn't be too tough to adapt it to the regular old SPWorkflowTask object:

#region RestrictWssTaskAccess

/// <summary>

/// Restrict access to a WssTaskActivity task to just the person it was assigned too.

/// </summary>

/// <param name="WssTaskInstance"></param>

private static void RestrictWssTaskAccess(WssTaskActivity



// make sure only the person to whom the task is assigned can mess with it.

HybridDictionary specialPermissions = new HybridDictionary();


ignedTo, SPRoleType.Administrator);

WssTaskInstance.createWssTask_SpecialPermissions1 = specialPermissions;



Now quit cussin' out my pal Malik and go play with some XML "goo" (as Sahil likes to call it).

On 3/7/2008 11:00:30 PM Sahil Malik said ..
Hey thanks Fred :)

On 3/26/2008 11:39:09 PM Marvin said ..
Hi guys.. im trying to create a new group with the permission that user can only access the people and groups site. Unfortunately i already did, the only problem is i cant add user to the visitors, members and owners group. tnx

On 3/26/2008 11:39:16 PM Marvin said ..
Hi guys.. im trying to create a new group with the permission that user can only access the people and groups site. Unfortunately i already did, the only problem is i cant add user to the visitors, members and owners group. tnx

On 3/28/2008 1:58:11 PM Cliff said ..
I'm trying to create a Bulletin Board / Classified Ad site based on a Custom List with simple Approval Workflow. I tried setting a custom permission so that the user could Add (via a link to the List's NewForm.aspx) and View the Site and List, but Not edit the Listings. When I click on the link to the NewForm I get a popup to request access. What Permission Levels have to be set to Add and View, but NOT Edit or Delete List Items?

On 4/8/2008 7:12:17 AM decatec said ..
how can I set permissions on single workflow (step) activity so that a CXO but nobody else can "sign" a purchase order

On 4/16/2008 7:28:18 AM Vuthy said ..
Hi Fred,

Can you let me know the detail steps to make sure that only the assigned-to user can mess up

that task. I am quite new to sharepoint and currently use SPD ("collect data from user").

All users who have edit permission to task list can edit everything, even tasks that not assigned to them.

Can you help showing me more on how to solve it. It's quite urgent for me.



On 5/8/2008 11:50:42 AM Danny said ..
Do you know how to restrict users from being able to do absolutely anything except read the pages in the site? No matter how I restrict them, they can still activate drop down lists to alter some items in a site. I would just like to present very static pages with access only by admins. thanks.

On 5/19/2008 4:57:01 AM 4u2cnnv said ..
Hi All

How would i go about allowing a user to add documents to a document library but deny them access to the site collection as in, they should not see the site totally when they try to open it. becos i am using infopath form to capture data in site collection x, but a copy of that document needs to be kept in site collection y, we tried using workflow to copy across site collections from x to y but didnt work so now we saving in both libraries, and in actual fact users in x are not allowed to see anything in other site collections

On 5/22/2008 10:05:18 AM Kiko said ..
Hi All,

Is it possible to grant a user "approval" permission but not "edit" permission?

Thanks in advance.



On 6/2/2008 1:48:18 PM achille said ..
how do restict users from different parts of the sharepoint portal?

On 6/4/2008 7:49:01 PM Tracy said ..
Is it possible to allow a user Full Control with the exception of adding users who can access the site?

I tried unchecking the "Manage Permissions - Create and change permission levels on the Web site and assign permissions to users and groups" checkbox, but that still allows my user to create groups, add users to them, and assign them whatever permissions they'd like.

Then I tried unchecking the "Create Groups - Create a group of users that can be used anywhere within the site collection" checkbox, but unfortunately my users are still capable adding/deleting users from groups that already exist.

Any additional suggestions?



On 6/18/2008 8:53:05 AM gina said ..
The Add and Customize Pages permission level states "Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services-compatible editor."

How can I allow individuals to add/change/delete HTML and web part pages but not sure Sharepoint Designer (SPD)?

On 7/7/2008 8:54:29 AM Don Pease said ..
Iihave created .aspx files in designer for my site and now nw=eed to keep certain persons out of those areas is there a way to put permissions on the .aspx files?

On 7/17/2008 11:57:13 AM Marie Loranger said ..

We are trying to implement a workflow built with Sharepoint Designer. We want the worflow to update a column field of the Form Library. We get a workflow error at runtime, stating that "SHAREPOINT\system" does not have permission to update the field.

Do you know how I can resolve this ?

Thanks ! Marie Lo.

On 8/3/2008 3:46:41 AM AHA said ..

The user that run your workflow must have appropriate permission.

On 8/5/2008 5:43:01 PM Moni_NYC said ..
Hey Everyone. I cant seem to figure out why only some of my users can edit their profiles and other users are getting a big fat denied. They are all part of the same group which allows for profile editing. Any help would be appreciated.

On 8/10/2008 12:14:46 AM Trish said ..

I'm new to Sharepoint and we are being told our we must convert our custom workflow applications done in Lotus Notes to Sharepoint. I have two questions and it sounds like I might be able to get a good answer here -

1). Is it possible to load a list document with permissions set individually for each document loaded? In Notes, we load the readers field for a document to determine who can see and access the document.

2). Can permissions be dynamically updated during workflow? For example... initially one person has access and then when an workflow is selected, only then does the recipient of the email get added for permissions to that document.

Thanks for any advice or thoughts on this! Trish

On 8/11/2008 10:48:00 AM stepfull said ..
We have publishing site with workflow that uses many different groups for managing permissions. THe one thing I can't make sense of is how permissions determine which items are enabled in the workflow menu of the page editing toolbar. For example, on the main page for a subsite I see the 'Publish' button after the page is checked in. When I go to a page within subsite of the main subsite, I only see the "submit for approval" button after checking in the page - even though the sub-sub-site is inheriting permissions. Now, from what I'm reading, workflow isn't inherited the way permissions are. Fine and dandy, but I still can't figure out how the system determines which workflows to enable/disable. We haven't customized the page editing console, so it's not anything stemming from that.

On 9/8/2008 7:27:55 AM Anne said ..
Hi all,

Im new to sharepoint .Our users requirement is, to certain document library folder users should not upload or create new documents.They can only update existing documents. What USer permission should we give? I tried using Edit ,but didnt work out....Please help

On 9/11/2008 3:14:22 PM arshad said ..

I have full control on a complete collection. One site inside the same collection which is created by someone else. I need to change the site settings of the child site into edit permissions. I don't need inherited permissions from parent site. I am trying to change these permissions from inherited permissions but all in vain.

Anticipated thanks

On 10/22/2008 12:32:15 PM MJ said ..
How can I create a permission level with "Add Item" and NOT "View Item"?

I want to create two groups. One of the groups can only add items to a custom list but should not be able to view what he and other people have added. While the other group can Add as well as view the list.

On 10/26/2008 3:37:03 PM Nikhil said ..
Sahil you rock !!! just the thing i knew existed and NEEDED !!

but was lost in the world of sharepoint links...There must be atrillion links in sharepoint that a decent developer must remember...but i dont think it can be made any simpler :O

On 11/12/2008 3:19:00 PM Peter said ..
I am wondering if there is a role that will allow me to add and remove Owners in each site without having to be an owner myself? I have owners with full control of a site that I may have to delete in the future.


On 11/20/2008 3:46:26 PM Dave said ..
Is there any way to restrict ANY page within a SharePoint application or even finer, restrict access (view / edit /delete) to individual web parts on a page? Using WSS 3.0 I haven't found anything. Sure I can block users from accessing lists or such, but when I create a new web parts page there appears to be no way to restrict users from viewing only this page (but see all others) or set security rights on individual web parts. If that is not possible it is a major design flaw.

On 1/15/2009 10:59:03 AM ign said ..
Hi Salik, once more you've saved my life. Thankiu!!!

On 1/15/2009 3:11:31 PM Sahil Malik said ..
Huh? When did I last save your life?

On 1/23/2009 9:48:53 AM Shalini Ahuja said ..
I have created a permission group so that users only have permission to view, edit and create new, but no permission to delete. Still in a custom list these user can delete attachments to a list item. How can I remove set the permissions so that user can not delete an attachment?

On 2/2/2009 11:10:51 AM Diogo said ..
Hi all,

when i was set the permissions on sharepoint, i inserted a list of documents without full control.

I wonder if there is any chance of putting someone with full control now.

thanks to all.

On 2/9/2009 5:10:53 AM namzh said ..

I want to set permissions such that the user is able to delete his own items but not the items created by others. Though he can edit/modify all the item irrespective of he being the creator of the item or not.

Can anyone tell me how to do this???

On 2/19/2009 5:13:33 AM Katja said ..
I have the same question - I know it is possible to give permissions on item level, but is it possible to set a general rule, so everyone can modify his own items?

On 3/24/2009 10:13:06 AM Denise said ..
Is there a way to set perms on a web part so that it is visible by only certain users? I have perms set so they see "Access is Denied", but I would like them to not even see the web part at all.

On 3/26/2009 5:51:16 PM nagendra said ..
my problem is that the edit permission allows users to add and delete web parts from the pages... how do I prevent that last part?

On 4/30/2009 10:49:32 AM Muzammil Rajpurkar said ..
Can anyone help me with the below situation:

I have created a survey list. As of the whole site, I don't want users to create or edit any page, so when I placed the users in the Visitor role, but it seems that they now cannot participate in the survey too.

I want the users to participate in the survey list so want them to see the "Respond to this survey option", but do not want to have the "Site Actions" option available to them.

How can I do this?

On 5/4/2009 9:14:44 PM Alex said ..
HELP!!!!!PLEASE!!!!! Just like the post on 11/20/2008 - I'm looking to do the same. I need to restrict ONE PAGE from the MEETING SITE (essentially one of those TABS at the top of the site) to just a handful of the hundreds of users that have permission to the site.

On 11/20/2008 3:46:26 PM Dave said ..

Is there any way to restrict ANY page within a SharePoint application or even finer, restrict access (view / edit /delete) to individual web parts on a page? Using WSS 3.0 I haven't found anything. Sure I can block users from accessing lists or such, but when I create a new web parts page there appears to be no way to restrict users from viewing only this page (but see all others) or set security rights on individual web parts. If that is not possible it is a major design flaw.

On 6/25/2009 11:01:15 AM Tom said ..
Hello Muzammil Rajpurkar,

I am looking for the same.Did you get the answer how to solve it with your survey.

Please let me know.

On 7/7/2009 8:57:46 AM Larry Virden said ..
I was wondering how I would set permissions up for this sharepoint out of the box approval workflow scenario:

I have:

1. Large body of users - this group needs the ability to add a new item to the list, triggering a workflow. They should NOT be able to approve the workflow tasks.

2. Small group of users A - this group need the ability to approve a workflow task. However, only user 1 will actually have tasks assigned to them. The other users need the ability to approve a task assigned to user 1.

3. Small group of users B - this group need similar permissions to Small group A. This group will contain user 2, who will be the one assigned the tasks.

4. In both case 2 and 3, an email needs to go to user 1 or 2, and not the rest of the people in the group. This means that I can't use a group as the participant, because the two options with using a group is either send everyone an email, or send no one an email. Neither of these work for this case. Instead, user 1 and user 2 need to be listed as the participants of the workflow.

Is there a way to set up a workflow for this?

On 7/9/2009 4:29:07 PM Aurimas said ..
sorry for off topic, but I am looking for a product which can mange permissions for different parts of document, and assign different users to a specific parts of a document as responsible for those parts.

Then the administrator or someone with rights could filter out by user who is responsible for what parts of which docs etc..

can sharepoint do that?

On 12/3/2009 12:06:32 PM Erik said ..

I think documents (files) are atomic units in SharePoint permission-wise. For distributed editing of single documents you could try something like DOORS (designed for requirements and design documents).


On 2/9/2010 2:24:11 PM Dasarath said ..
Hello - I am new to Sharepoint and my question is not related to the above post.

We have a site in Sharepoint 2007 whose permissions are set editing rules in the xml file.I dont know which file it is.And if i try to edit permissions using site actions and advance permissions things are getting messed up.the whole site permisisons are getting wacky.By the way the site does not inherit permissions from the parent.

Can some body help me with this please

On 2/16/2010 6:37:00 AM jm said ..
Great post, Thanks

On 4/5/2010 2:34:46 AM alpa said ..
Hi All,

I have avery big issue with approval workflow. I have created a announcement workflow for a particular list with proper approver permissions.Now the proble arises is the one who initiates the workflow can also approve/reject his own item & others can that be possible...Plz provide me a solution to restrict that user to approve or reject the workflow

On 5/7/2010 2:20:38 AM saqib said ..

I have query that, i want to give default "view only" rights to one AD account. kindly help.

On 7/8/2010 1:34:36 PM Mari said ..
When a workflow is initiated, it runs under the permissions context of the user that started the workflow. How long does the user retain the permission context? I have a situation where a user is not part of a group that is allowed to view a document library, but after a workflow that has the persons name (as part of a contributor), the user is able to check items in etc... Are the elevated rights revoked after the workflow is complete?

On 8/10/2010 4:13:05 AM Nick said ..
I was wondering if a page displaying various category views of web pages can be restricted to read. At the moment anyone can delete the pages. Can a specific page be set to read only? Using links prevents this but views update automatically.

Reading this puts me off Sharepoint.

On 8/16/2010 9:48:59 AM Rich said ..
Back on 5/19/2008, 4u2cnnv posted a question that is very similar to what I am dealing with. I never did see an answer, so I am asusming that someone answered external to this forum.

Here's my situation. I have a document library (henceforth shortened to doc lib) of referrals where "anyone" can submit an InfoPath form, but I don't want "anyone" to be able to actually get into the doc lib and do anything at all. I limit that to users from the HR group that is managing the referrals. I've tried all sorts of silly things, like making the access point to the InfoPath form be a link on a totally different page on the company intranet, and creating a mirror doc lib that doesn't give "anyone" Contribute rights (which they have in the original doc lib) and creating a workflow that automatically copies the submitted for from the original doc lib to the mirror one. The link that I have on the intranet site is fine except that the location of the doc lib is part of the url, and anyone who had even the slightest clue about such things could copy/paste/edit/hack quite easily.

Needless to say, Sharepoint is making me jump throgh all sorts of hoops and still not letting me do what I want. It's real simple: I want users who are only in the permissions group 'NT AUTHORITY\authenticated users' (aka "anyone") to only be able to submit, but not to look at the doc lib or even get into it, much less do anything else. The workflow/mirror doc lib idea looked promising until it immediately started failing because SharPoint is using the permissions of the submitting user to determine whether or not it can submit to the mirror site via the WorkFlow. Sheesh!

Do you have any suggestions, clues to point me down the desired path, magic answers, etc.?

On 8/26/2010 9:58:43 AM Alan said ..

I have created an absence site using the absence template but amended it to suit our business needs. (i.e. an audit lists and annual leave count etc.)

My issue comes to permissions, I want all users to be able to view the workflow history of all items. This only seems possible by selecting 'Manage Lists' giving all users the ability to delete that list or delete columns within that list etc.

I also have a list of approvers and ticked 'Approve Items' on the permissions, they could not approve until I added 'Manage Lists' again giving them far too much access for that list.

Has anyone got round this issue before?



On 9/22/2010 4:01:12 PM Jim Adcock said ..
The right help at the right time! Thanks!

On 12/10/2010 6:29:02 PM Hadam said ..
I want my users to be able to create or delete lists, but NOT be able to modify columns. Changing column types has become a problem. Any ideas?

On 12/17/2010 1:59:34 AM balaji said ..
i need to upload the softwares(it will be in the .exe format) whether it can be possible in sharepoint

On 12/27/2010 6:03:37 PM Stan said ..
I would like to know the reason user is able to Delete an item in the doc library if I create custom level permissions and Disabled Delete permission right. How come when the use edits the record they can still Delete an item. I did make sure doc library permissions were adjusted such that all groups have Read access permissions and Viewers which is a built in group has the Read and Custom-Add=Update permissions.

On 1/4/2011 10:04:29 PM Larry said ..
Dear guys:

After workflow initiated,is there any setting to temporarily remove read access before document approved,or old version available to end user only before approved.


On 1/13/2011 5:38:45 AM RuthJ said ..
The post below has an excellent spreadsheet of the granular permissions in each of the MOSS 2007 groups. Great resource for planning your own granular permissions and then applying them to individual lists like the Tasks list.

On 1/17/2011 11:09:18 AM Melissa said ..
Thank you so much for this! I've been looking all over the web for something to edit the permission levels and I have finally found your article. Thanks for your great article. =]

On 3/8/2011 2:19:42 PM Gagan said ..
Hi guys I am using MOSS to deploy the reports and dashboards.

I got some links in the left navigation to access these objects.

Now I need to have restricted access to these left navi. links.

Any idea how to do this...Thanks

On 3/23/2011 9:14:34 PM Deepak Batra said ..
Hi. I want to create a new permission level to create only the meeting subsite. This should be achieved by out of the box, using the sharepoint UI. I am trying to create a cusotm level permission, however not sure how to break the permission called "Create Subsites - Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.". From this group, I need to pick only the "Meeting workspace", can anyone suggest.

On 4/26/2011 9:21:31 AM JoeMac said ..
I have a user who can create a document and upload the document into a library. He can then check the document out and edit it but when he attempts to check it back in he receives a message that he "doesn't have permissions to perform this task" yet he created the document and uploaded it. Any ideas where I can look as to why this is happening?

On 6/4/2011 3:41:05 AM Satish said ..
Hi, my senior ask me that in document library,a user have only rights to view documents. User cannot edit,delete any content in the document. How can i do this?

On 1/23/2012 1:36:04 PM Patrick said ..
This helped me IMMENSELY. Thank you!!

On 2/19/2012 12:42:03 PM vipin said ..
Hi Sahil,

A query on permissions..

need to have a custom permission which is non-edtiable similar to Full Control... i know how to create custom permission .. but have been trying to look on how to make it non-editable.

if you go to any site -> site actions -> site permissions -> permission levels from ribbon , you will find listing of permissions in a OOTB site .. and ther Full Control aand limited access cannot be edited...

any ideas here


On 5/3/2012 5:21:16 PM SPADMIN said ..
Please help!!!

I'm using sharepoint server 2007 and I want to setup or disable an option (if there is one)so that the user cannot activate the enterprise feature on their own for any site they create.

Please let me know

On 8/24/2012 11:08:01 AM Emily V. said ..
HELP! I set up Approval and Contribute roles. It appears that contributers can approve in the workflow. How can I make this not happen? For instance, if the workflow owner starts the workflow and sends an approval request to someone in a Contribute role, the contributer can still approve! This is bad! Do you have any advice?