SharePoint 2007: Fine grained permission control

Posted on 4/10/2007 @ 9:10 AM in #Sharepoint | 36 comments | 21609 views

Consider this scenario -

__________________________________________________________

You are trying to set up a document approval workflow in your SharePoint installation. At the bare minimum, you have two users: one that starts the workflow, and a second who approves it. Now, if you insist that these could be the same user, yeah, in demonstrations they could be the same user, but never in the real world. And it is these real world scenarios that will come bite you in the ass, not the demos.

So, you have a document library, in which one user, set up with "Contribute" permissions, starts workflows. A third user, the administrator, has already set up the approval workflow. So let us give these users appropriate names.

- Administrator
- Sahil, who starts the workflow
- Captain America, who approves/rejects the document

At the minimum, you have a task list, and you have the document library.

Now, out of the box, you have various permission levels, "Full Control", "Design", "Contribute", "Read" etc. So, in order for this workflow scenario to work, I would have to give Design rights to both Sahil and Captain America.

Now, what happens in the real world is, Captain America now has the rights to "Delete" as well as "Approve". What a shame, because the doofus Captain America is, he will definitely accidentally delete the assigned tasks, or (shudder) even the document, and complain that your system is broken.

What you need here is fine grained permission control: restrict Captain America from deleting, but still allow him to view documents pending approval and approve them, and give him edit rights on the task list so he can't create new tasks but can edit existing ones.

__________________________________________________________

So, now that I've made the case for why you must have fine grained permission control, here is how you'd do it.

There are two ways to get fine grained permission control in SharePoint.

At a global level, you can deny certain permissions to everyone in a web application. Go to Central Administration > Application Management > User Permissions for Web Application, and uncheck anything you'd rather users not have. So, if you don't want users to be able to delete, uncheck the "Delete Versions" checkbox under List Permissions. This page looks like the screenshot below:

There are a few important points of mention regarding setting such fine grained permissions at the global level -

  1. You can only deny. By default, everything is allowed, unless the site itself prevents the user from receiving a specific permission. This global deny overrides the site level allow. In other words, even if you have contributor rights on the site, and you deny "delete" via this method, guess what, you still can't delete.
  2. Permissions are split into two halves - site level, and list level. This makes sense because, consider an example - while you can apply a theme to a site, you can't apply a theme to a list. So the permissions are different.
  3. This still doesn't help you solve the workflow scenario I described above :-/. For that, you need to come down to the even more granular site level.

At the site level, you can allow/deny permissions using the pre-existing permission levels, "Full Control", "Design", "Contribute", "Read" etc. But, in order to solve the above scenario, you have to create a new permission level that lets you view/approve but not delete. To do so, go to Site Settings > Advanced Permissions >> Settings > Permission Levels. This page looks like this -

Here, when you click on "Add a permission level", you will see the following screen -

.. whoaa!! doesn't this look very very similar to the permissions you set under central administration?

As a matter of fact, the specific permissions you see here, are always a subset of permissions you see under central administration. So if you disallowed a site to have "Manage Lists" permissions allocatable (yuck, if that is a word), then, the fine grained permissions at the site level, won't even show that as an option.

In most non-demonstration scenarios, especially concerning workflows, if you wish to deliver a locked down system (thereby reducing your headache in the long run), you will probably see yourself meddling with this stuff often.
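Both halves of the procedure above, as an added example in the WSS 3.0 object model (this is not code from the post; the site URL and the approver's login are placeholders, and it assumes a farm-admin account on a MOSS 2007 server). It applies the global deny from Central Administration, then creates the view/approve-but-no-delete permission level and binds it to Captain America instead of handing him Design:

```csharp
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example, not code from the post. Assumes a WSS 3.0 / MOSS 2007 server, a
// farm-admin account, and the placeholder site URL and login name used below.
class FineGrainedPermissions
{
    // The "view and approve, but never delete" level the post asks for. Every bit is
    // an explicit allow; DeleteListItems and AddListItems are left out, so the approver
    // can edit an existing task but can neither create nor delete one.
    static SPRoleDefinition ApproveOnlyLevel()
    {
        SPRoleDefinition level = new SPRoleDefinition();
        level.Name = "Approve Only";
        level.Description = "View and approve documents, edit existing tasks, no delete.";
        level.BasePermissions =
              SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems   // see and open pending documents
            | SPBasePermissions.ViewVersions  | SPBasePermissions.ApproveItems // approve / reject
            | SPBasePermissions.EditListItems                                  // edit the assigned task
            | SPBasePermissions.ViewPages | SPBasePermissions.ViewFormPages | SPBasePermissions.Open;
        return level;
    }

    static void Main(string[] args)
    {
        string siteUrl = args.Length > 0 ? args[0] : "http://intranet/sites/approvals"; // placeholder
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.RootWeb)
        {
            // 1. Global deny (Central Administration > User Permissions for Web Application).
            //    Clearing a bit in RightsMask removes it from every permission level in the
            //    web application: a site-level allow cannot bring it back, and the bit no
            //    longer shows up on the site's "Add a permission level" page.
            SPWebApplication app = site.WebApplication;
            app.RightsMask &= ~SPBasePermissions.DeleteVersions;
            app.Update();

            // 2. Site-level level (Site Settings > Permission Levels > Add a permission level).
            //    Custom levels are added on the root web; Add throws if the name already exists.
            web.RoleDefinitions.Add(ApproveOnlyLevel());

            // 3. Bind the level to the approver instead of handing out Design.
            SPUser approver = web.EnsureUser(@"DOMAIN\captain.america");   // placeholder login
            SPRoleAssignment ra = new SPRoleAssignment(approver);
            ra.RoleDefinitionBindings.Add(web.RoleDefinitions["Approve Only"]);
            web.RoleAssignments.Add(ra);
        }
    }
}
```

Step 1 affects every site in the web application, so run it once and deliberately; steps 2 and 3 are per site collection.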


On 9/26/2007 6:35:32 PM dim us as SPFool said ..
What if a user has contributor rights at site level... and viewer rights on document library level... this is the situation that already took a part of my ass... And coming back to your example, I found that the initiator of the workflow can approve all the tasks for that workflow... Isn't that a great facility... :-)

On 9/27/2007 5:15:00 AM Sahil Malik said ..
SPFool - I have no idea WTF you're talking about man! Wanna try typing your message one more time?

On 10/9/2007 11:04:28 AM SIRA said ..
Will this work with SharePoint 2003?

On 10/25/2007 12:14:15 PM DHTexas said ..
I'm using Excel Services to display an Excel graph on a webpart.
Can I make the graph visible but somehow hide the entire Excel workbook that resides in the report library? Is this done with the "View Only" permission setting?

On 12/4/2007 9:28:43 AM yuriy said ..
Hi, is it possible to define my own permission (not permission level) and than just enable or disable it for each permission level? Thank you.

On 12/13/2007 5:22:15 PM Meredith said ..
Hi Sahil, Any idea why site-level perms wouldn't work at all? Is this the infamous SharePoint Weirdness speaking? We have an internal-Microsoft SharePoint web site and if we add SharePoint Administrators, they are able to access the site perfectly fine (but have godlike control). If we add them to site-level perm user groups, the user can't access anything (and are considered dead in SP Land). If you have any advice, it would be much appreciated. Thank you! Meredith

On 1/6/2008 1:15:10 PM minnfinn said ..
I'm trying to keep the public from viewing portions of our external SP site. I removed the visitors group from the permissions in 3 separate subsites. They can still view 2 of them but not the third. What else should I do? This seems like it should be simple but I can't figure out why it won't work. Thanks!

On 1/18/2008 7:09:02 AM Jim Raley said ..
Greetings,
How do permissions affect workflows? If I have a workflow on a list library that edits fields after an item is added, does the user need to have editing permissions for that workflow to fire properly?
In my experience, it seems like "yes", but something definitive would be helpful.
Thanks.

On 1/18/2008 3:08:52 PM Sahil Malik said ..
Jim - the answer is - yes the user will need edit permissions.
You can always impersonate though (check out Ted Pattison's article in February's MSDN Mag).

On 1/22/2008 5:10:17 PM Guy said ..
Is there any way to allow users to manage some settings on a site (for example, manage the Quick Links order) but prevent some settings from being used (for example... the 'Delete Site')? I need to let users change the order of sub pages/sites links in a site's navigation but not allow them to delete the site!

On 2/25/2008 1:30:02 AM Rupali said ..
Hello. Can you tell me how I can restrict an end user group to access only authorized pages in My Site?
So urgent.
Thanks

On 3/7/2008 4:28:13 PM Martin said ..
Is there any way to allow certain people to add items, but not view items in a document library?

On 3/7/2008 9:16:14 PM Fred Morrison said ..
For the guy who wants to make sure only the user a task is assigned to can mess with it, I offer the following code. It applies to the composite activity called WssTaskActivity that comes with the ECM Starter Kit, but it shouldn't be too tough to adapt it to the regular old SPWorkflowTask object:

    using System.Collections.Specialized;   // HybridDictionary
    using Microsoft.SharePoint;             // SPRoleType

    #region RestrictWssTaskAccess
    /// <summary>
    /// Restrict access to a WssTaskActivity task to just the person it was assigned to.
    /// </summary>
    /// <param name="WssTaskInstance">The task activity whose special permissions are set.</param>
    private static void RestrictWssTaskAccess(WssTaskActivity WssTaskInstance)
    {
        // Make sure only the person to whom the task is assigned can mess with it:
        // map the assignee to the Administrator role on this one task.
        HybridDictionary specialPermissions = new HybridDictionary();
        specialPermissions.Add(WssTaskInstance.createWssTask_TaskProperties1.AssignedTo, SPRoleType.Administrator);
        WssTaskInstance.createWssTask_SpecialPermissions1 = specialPermissions;
    }
    #endregion

Now quit cussin' out my pal Malik and go play with some XML "goo" (as Sahil likes to call it).
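
The same lockdown adapted to a regular SPWorkflowTask (which is just an SPListItem), as an added example that is not Fred's code nor the ECM Starter Kit's. It assumes the task list's standard "Assigned To" field and that the caller passes in a permission level that does not grant delete (for instance a custom view/approve level rather than Contribute):

```csharp
using Microsoft.SharePoint;

// Added example, not Fred's or the ECM Starter Kit's code: the same lockdown for a
// plain SPWorkflowTask (an SPListItem). Assumes the task list's "Assigned To" field and
// that the caller passes a role definition that does not grant DeleteListItems.
static class TaskLockdown
{
    // Break the task's inheritance from the task list and grant only the assignee the
    // given level, so other contributors on the list can no longer open or edit it.
    // Returns false when nothing was changed.
    public static bool RestrictToAssignee(SPListItem task, SPRoleDefinition level)
    {
        SPWeb web = task.Web;
        string raw = task["Assigned To"] as string;       // stored as "<id>;#<login>"
        if (string.IsNullOrEmpty(raw))
            return false;                                 // unassigned: keep inheritance
        SPFieldUserValue assignee = new SPFieldUserValue(web, raw);
        if (assignee.User == null)
            return false;                                 // assigned to a group or not resolvable

        // false = do not copy the list's role assignments onto the item; SharePoint keeps
        // only the assignment of the account breaking inheritance (site collection
        // administrators always retain access regardless).
        task.BreakRoleInheritance(false);

        // Prefer a custom "approve only" style level here: Contribute, or the Administrator
        // role used in the snippet above, would also let the assignee delete the task.
        SPRoleAssignment ra = new SPRoleAssignment(assignee.User);
        ra.RoleDefinitionBindings.Add(level);
        task.RoleAssignments.Add(ra);
        return true;
    }
}
```

Because the workflow runs as the user who triggered it, call this from code that has Manage Permissions on the task list (or under elevated privileges), otherwise BreakRoleInheritance throws an access denied error.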

On 3/7/2008 11:00:30 PM Sahil Malik said ..
Hey thanks Fred :)

On 3/26/2008 11:39:09 PM Marvin said ..
Hi guys.. I'm trying to create a new group with the permission that the user can only access the People and Groups site. Unfortunately I already did; the only problem is I can't add users to the Visitors, Members and Owners groups. tnx

On 3/28/2008 1:58:11 PM Cliff said ..
I'm trying to create a Bulletin Board / Classified Ad site based on a Custom List with simple Approval Workflow. I tried setting a custom permission so that the user could Add (via a link to the List's NewForm.aspx) and View the Site and List, but Not edit the Listings. When I click on the link to the NewForm I get a popup to request access. What Permission Levels have to be set to Add and View, but NOT Edit or Delete List Items?

On 4/8/2008 7:12:17 AM decatec said ..
how can I set permissions on single workflow (step) activity so that a CXO but nobody else can "sign" a purchase order

On 4/16/2008 7:28:18 AM Vuthy said ..
Hi Fred, Can you let me know the detailed steps to make sure that only the assigned-to user can mess up
that task. I am quite new to SharePoint and currently use SPD ("collect data from user").
All users who have edit permission to the task list can edit everything, even tasks that are not assigned to them. Can you help by showing me more on how to solve it? It's quite urgent for me. Thanks, Vuthy

On 5/8/2008 11:50:42 AM Danny said ..
Do you know how to restrict users from being able to do absolutely anything except read the pages in the site? No matter how I restrict them, they can still activate drop down lists to alter some items in a site. I would just like to present very static pages with access only by admins. thanks.

On 5/19/2008 4:57:01 AM 4u2cnnv said ..
Hi All
How would I go about allowing a user to add documents to a document library but deny them access to the site collection, as in, they should not see the site at all when they try to open it? Because I am using an InfoPath form to capture data in site collection x, but a copy of that document needs to be kept in site collection y. We tried using workflow to copy across site collections from x to y but it didn't work, so now we are saving in both libraries, and in actual fact users in x are not allowed to see anything in other site collections.

On 5/22/2008 10:05:18 AM Kiko said ..
Hi All, Is it possible to grant a user "approval" permission but not "edit" permission? Thanks in advance. Regards. Kiko.-

On 6/2/2008 1:48:18 PM achille said ..
How do I restrict users from different parts of the SharePoint portal?

On 6/4/2008 7:49:01 PM Tracy said ..
Is it possible to allow a user Full Control with the exception of adding users who can access the site? I tried unchecking the "Manage Permissions - Create and change permission levels on the Web site and assign permissions to users and groups" checkbox, but that still allows my user to create groups, add users to them, and assign them whatever permissions they'd like. Then I tried unchecking the "Create Groups - Create a group of users that can be used anywhere within the site collection" checkbox, but unfortunately my users are still capable of adding/deleting users from groups that already exist. Any additional suggestions?
Thanks!
-Tracy

On 6/18/2008 8:53:05 AM gina said ..
The Add and Customize Pages permission level states "Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services-compatible editor." How can I allow individuals to add/change/delete HTML and web part pages but not use SharePoint Designer (SPD)?

On 7/7/2008 8:54:29 AM Don Pease said ..
I have created .aspx files in Designer for my site and now need to keep certain persons out of those areas. Is there a way to put permissions on the .aspx files?

On 7/17/2008 11:57:13 AM Marie Loranger said ..
hello,
We are trying to implement a workflow built with SharePoint Designer. We want the workflow to update a column field of the Form Library. We get a workflow error at runtime, stating that "SHAREPOINT\system" does not have permission to update the field.
Do you know how I can resolve this ?
Thanks ! Marie Lo.

On 8/3/2008 3:46:41 AM AHA said ..
Hi,
The user that runs your workflow must have the appropriate permission.

On 8/5/2008 5:43:01 PM Moni_NYC said ..
Hey Everyone. I can't seem to figure out why only some of my users can edit their profiles and other users are getting a big fat denied. They are all part of the same group which allows for profile editing. Any help would be appreciated.

On 8/10/2008 12:14:46 AM Trish said ..
HI,
I'm new to SharePoint and we are being told we must convert our custom workflow applications done in Lotus Notes to SharePoint. I have two questions and it sounds like I might be able to get a good answer here -
1). Is it possible to load a list document with permissions set individually for each document loaded? In Notes, we load the readers field for a document to determine who can see and access the document.
2). Can permissions be dynamically updated during workflow? For example... initially one person has access and then when a workflow is selected, only then does the recipient of the email get added for permissions to that document.
Thanks for any advice or thoughts on this! Trish

On 8/11/2008 10:48:00 AM stepfull said ..
We have a publishing site with workflow that uses many different groups for managing permissions. The one thing I can't make sense of is how permissions determine which items are enabled in the workflow menu of the page editing toolbar. For example, on the main page for a subsite I see the 'Publish' button after the page is checked in. When I go to a page within a subsite of the main subsite, I only see the "submit for approval" button after checking in the page - even though the sub-sub-site is inheriting permissions. Now, from what I'm reading, workflow isn't inherited the way permissions are. Fine and dandy, but I still can't figure out how the system determines which workflows to enable/disable. We haven't customized the page editing console, so it's not anything stemming from that.

On 9/8/2008 7:27:55 AM Anne said ..
Hi all, I'm new to SharePoint. Our users' requirement is that for certain document library folders users should not upload or create new documents. They can only update existing documents. What user permission should we give? I tried using Edit, but it didn't work out... Please help

On 9/11/2008 3:14:22 PM arshad said ..
Hi,
I have full control on a complete collection. One site inside the same collection was created by someone else. I need to change the site settings of the child site into edit permissions. I don't need inherited permissions from the parent site. I am trying to change these permissions from inherited permissions but all in vain.
Anticipated thanks

On 10/22/2008 12:32:15 PM MJ said ..
How can I create a permission level with "Add Item" and NOT "View Item"? I want to create two groups. One of the groups can only add items to a custom list but should not be able to view what he and other people have added. While the other group can Add as well as view the list.

On 10/26/2008 3:37:03 PM Nikhil said ..
Sahil you rock !!! Just the thing I knew existed and NEEDED !!
But was lost in the world of SharePoint links... There must be a trillion links in SharePoint that a decent developer must remember... but I don't think it can be made any simpler :O

On 11/12/2008 3:19:00 PM Peter said ..
I am wondering if there is a role that will allow me to add and remove Owners in each site without having to be an owner myself? I have owners with full control of a site that I may have to delete in the future. thanks
