Consider this scenario -
__________________________________________________________
You are trying to set up a document approval workflow in your SharePoint installation. At the bare minimum you have two users: one who starts the workflow, and a second who approves it. Now, if you insist that these could be the same user, yeah, in demonstrations they could be the same user, but never in the real world. And it is these real world scenarios that will come bite you in the ass, not the demos.
So, you have a document library in which one user, set up with "Contribute" permissions, starts workflows. A third user, the administrator, has already set up the approval workflow. So let us give these users appropriate names.
- Administrator
- Sahil, who starts the workflow
- Captain America, who approves/rejects the document
At the minimum, you have a task list, and you have the document library.
Now, out of the box, you have various permission levels, "Full Control", "Design", "Contribute", "Read" etc. So, in order for this workflow scenario to work, I would have to give Design rights to both Sahil and Captain America.
Now, what happens in the real world is that Captain America now has the rights to "Delete" as well as "Approve". What a shame, because the doofus Captain America is, he will definitely accidentally delete the assigned tasks, or (shudder) even the document, and complain that your system is broken.
What you need here is fine grained permission control: restrict Captain America from deleting, but still allow him to view documents pending approval and approve them, and give him edit rights on the task list, so he can't create new tasks but he can edit existing tasks.
__________________________________________________________
So, now that I've made the case for why you must have fine grained permission control, here is how you'd do it.
There are 2 ways to give fine grained permission control in SharePoint.
At a global level, you can deny certain permissions to everyone in a web application. Go to Central Administration > Application Management > User Permissions for Web Application, and uncheck anything you'd rather not have users use. So, if you don't want users to be able to delete, uncheck the "Delete Versions" checkbox under List Permissions. The page looks like this:
There are a few important points of mention regarding setting such fine grained permissions at the global level -
- You can only deny. By default, everything is allowed, unless the site itself prevents the user from receiving a specific permission. This global deny overrides the site level allow. In other words, even if you have contributor rights on the site and you deny "delete" via this method, guess what, you still can't delete.
- Permissions are split into two halves - site level, and list level. This makes sense because, consider an example - while you can apply a theme to a site, you can't apply a theme to a list. So the permissions are different.
- This still doesn't help you solve the workflow scenario I described above :-/. For that, you need to come down to the even more granular site level.
At the site level, you can allow/deny permissions using the pre-existing permission levels, "Full Control", "Design", "Contribute", "Read" etc. But, in order to solve the above scenario, you have to create a new permission level that lets you view/approve but not delete. In order to do so, go to Site Settings > Advanced Permissions > Settings > Permission Levels. This page looks like this -
Here, when you click on "Add a permission level", you will see the following screen -
.. whoaa!! Doesn't this look very, very similar to the permissions you set under Central Administration?
As a matter of fact, the specific permissions you see here are always a subset of the permissions you see under Central Administration. So if you disallowed a site from having "Manage Lists" permissions allocatable (yuck, if that is a word), then the fine grained permissions at the site level won't even show that as an option.
In most non-demonstration scenarios, especially those concerning workflows, if you wish to deliver a locked down system (thereby reducing your headache in the long run), you will probably find yourself meddling with this stuff often.
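The scenario above done through the SharePoint object model, as an added example that is not part of the original post: it creates a view-and-approve permission level with no delete right, an edit-existing-tasks level with no add or delete right, masks both against the web application's global rights, and binds the approver to them on the document library and task list. The site URL, list names and login name are placeholders.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example (not from the post): lock "Captain America" down to
// view + approve on the library and edit-only on the task list.
public static class ApproverPermissions
{
    // Rights for the document library: see, open and read versions of
    // documents, and approve them. No EditListItems, no DeleteListItems.
    private static readonly SPBasePermissions ApproverLibraryRights =
        SPBasePermissions.ViewListItems |
        SPBasePermissions.OpenItems |
        SPBasePermissions.ViewVersions |
        SPBasePermissions.ApproveItems |
        SPBasePermissions.ViewPages |
        SPBasePermissions.Open;

    // Rights for the task list: the same, plus editing existing tasks.
    // Deliberately no AddListItems and no DeleteListItems.
    private static readonly SPBasePermissions ApproverTaskRights =
        ApproverLibraryRights | SPBasePermissions.EditListItems;

    // Creates (or reuses) a custom permission level on the root web.
    // Role definitions live at the site collection's root web.
    private static SPRoleDefinition EnsureRoleDefinition(
        SPWeb rootWeb, string name, string description, SPBasePermissions rights)
    {
        foreach (SPRoleDefinition existing in rootWeb.RoleDefinitions)
        {
            if (existing.Name == name) return existing;
        }
        SPRoleDefinition roleDef = new SPRoleDefinition();
        roleDef.Name = name;
        roleDef.Description = description;
        // Mask against the web application's global rights: a right denied in
        // Central Administration can never be granted at the site level anyway.
        roleDef.BasePermissions = rights & rootWeb.Site.WebApplication.RightsMask;
        rootWeb.RoleDefinitions.Add(roleDef);
        return rootWeb.RoleDefinitions[name];
    }

    // Breaks permission inheritance on a list and binds one user to one level.
    private static void GrantOnList(SPList list, SPUser user, SPRoleDefinition roleDef)
    {
        if (!list.HasUniqueRoleAssignments)
        {
            list.BreakRoleInheritance(true); // keep inherited assignments, then add ours
        }
        SPRoleAssignment assignment = new SPRoleAssignment(user);
        assignment.RoleDefinitionBindings.Add(roleDef);
        list.RoleAssignments.Add(assignment);
    }

    public static void Main(string[] args)
    {
        // Placeholder site URL, list names and login; replace for a real farm.
        using (SPSite site = new SPSite("http://intranet/sites/approvals"))
        using (SPWeb web = site.OpenWeb())
        {
            SPUser approver = web.EnsureUser(@"DOMAIN\captain.america");
            SPRoleDefinition approveOnly = EnsureRoleDefinition(site.RootWeb,
                "Approve (no delete)", "View and approve documents; cannot delete.",
                ApproverLibraryRights);
            SPRoleDefinition editTasks = EnsureRoleDefinition(site.RootWeb,
                "Edit tasks (no add/delete)", "Edit existing tasks; cannot add or delete.",
                ApproverTaskRights);
            GrantOnList(web.Lists["Shared Documents"], approver, approveOnly);
            GrantOnList(web.Lists["Tasks"], approver, editTasks);
        }
    }
}
```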
On
9/26/2007 6:35:32 PM
dim us as SPFool
said ..
What if a user has contributor rights at the site level.... and viewer rights at the document library level....this is the situation that already took a part of my ass....
And coming back to your example, I found that the initiator of the workflow can approve all the tasks for that workflow.....Isn't that a great facility... :-)
|
On
9/27/2007 5:15:00 AM
Sahil Malik
said ..
SPFool - I have no idea WTF you're talking about man! Wanna try typing your message one more time?
|
On
10/9/2007 11:04:28 AM
SIRA
said ..
Will this work with SharePoint 2003?
|
On
10/25/2007 12:14:15 PM
DHTexas
said ..
I'm using Excel Services to display an Excel graph on a webpart.
Can I make the graph visible but somehow hide the entire Excel workbook that resides in the report library? Is this done with the "View Only" permission setting?
|
On
12/4/2007 9:28:43 AM
yuriy
said ..
Hi, is it possible to define my own permission (not permission level) and then just enable or disable it for each permission level? Thank you.
|
On
12/13/2007 5:22:15 PM
Meredith
said ..
Hi Sahil,
Any idea why site-level perms wouldn't work at all? Is this the infamous SharePoint Weirdness speaking? We have an internal-Microsoft SharePoint web site and if we add SharePoint Administrators, they are able to access the site perfectly fine (but have godlike control). If we add them to site-level perm user groups, the user can't access anything (and are considered dead in SP Land).
If you have any advice, it would be much appreciated.
Thank you!
Meredith
|
On
1/6/2008 1:15:10 PM
minnfinn
said ..
I'm trying to keep the public from viewing portions of our external SP site. I removed the visitors group from the permissions in 3 separate subsites. They can still view 2 of them but not the third. What else should I do? This seems like it should be simple but I can't figure out why it won't work. Thanks!
|
On
1/18/2008 7:09:02 AM
Jim Raley
said ..
Greetings,
How do permissions affect workflows? If I have a workflow on a list library that edits fields after an item is added, does the user need to have editing permissions for that workflow to fire properly?
In my experience, it seems like "yes", but something definitive would be helpful.
Thanks.
|
On
1/18/2008 3:08:52 PM
Sahil Malik
said ..
Jim - the answer is - yes the user will need edit permissions.
You can always impersonate though (check out Ted Pattison's article in February's MSDN Mag).
|
On
1/22/2008 5:10:17 PM
Guy
said ..
Is there any way to allow users to manage some settings on a site (for example, manage the Quick Links order) but prevent some settings from being used (for example... the 'Delete Site')? I need to let users change the order of sub pages/sites links in a site's navigation but not allow them to delete the site!
|
On
2/25/2008 1:30:02 AM
Rupali
said ..
Hello. Can you tell me how I can restrict an end user group to access only authorized pages in my site?
So urgent.
Thanks
|
On
3/7/2008 4:28:13 PM
Martin
said ..
Is there any way to allow certain people to add items, but not view items in a document library?
|
On
3/7/2008 9:16:14 PM
Fred Morrison
said ..
For the guy who wants to make sure only the user a task is assigned to can mess with it, I offer the following code. It applies to the composite activity called WssTaskActivity that comes with the ECM Starter Kit, but it shouldn't be too tough to adapt it to the regular old SPWorkflowTask object:
// Namespaces (added): HybridDictionary is in System.Collections.Specialized and
// SPRoleType in Microsoft.SharePoint; WssTaskActivity comes from the ECM Starter Kit.
using System.Collections.Specialized;
using Microsoft.SharePoint;

#region RestrictWssTaskAccess
/// <summary>
/// Restrict access to a WssTaskActivity task to just the person it was assigned to.
/// </summary>
/// <param name="WssTaskInstance">The WssTaskActivity whose task should be locked down.</param>
private static void RestrictWssTaskAccess(WssTaskActivity WssTaskInstance)
{
    // make sure only the person to whom the task is assigned can mess with it.
    HybridDictionary specialPermissions = new HybridDictionary();
    // key: the assignee's login; value: the role that login gets on the task item
    specialPermissions.Add(WssTaskInstance.createWssTask_TaskProperties1.AssignedTo,
                           SPRoleType.Administrator);
    WssTaskInstance.createWssTask_SpecialPermissions1 = specialPermissions;
}
#endregion
Now quit cussin' out my pal Malik and go play with some XML "goo" (as Sahil likes to call it).
|
On
3/7/2008 11:00:30 PM
Sahil Malik
said ..
Hey thanks Fred :)
|
On
3/26/2008 11:39:09 PM
Marvin
said ..
Hi guys.. I'm trying to create a new group with the permission that the user can only access the People and Groups site. Unfortunately I already did; the only problem is I can't add users to the Visitors, Members and Owners groups. Thanks
|
On
3/28/2008 1:58:11 PM
Cliff
said ..
I'm trying to create a Bulletin Board / Classified Ad site based on a Custom List with simple Approval Workflow. I tried setting a custom permission so that the user could Add (via a link to the List's NewForm.aspx) and View the Site and List, but Not edit the Listings. When I click on the link to the NewForm I get a popup to request access. What Permission Levels have to be set to Add and View, but NOT Edit or Delete List Items?
|
On
4/8/2008 7:12:17 AM
decatec
said ..
How can I set permissions on a single workflow (step) activity so that a CXO but nobody else can "sign" a purchase order?
|
On
4/16/2008 7:28:18 AM
Vuthy
said ..
Hi Fred,
Can you let me know the detailed steps to make sure that only the assigned-to user can mess with
that task? I am quite new to SharePoint and currently use SPD ("collect data from user").
All users who have edit permission on the task list can edit everything, even tasks that are not assigned to them.
Can you help by showing me more on how to solve it? It's quite urgent for me.
Thanks,
Vuthy
|
On
5/8/2008 11:50:42 AM
Danny
said ..
Do you know how to restrict users from being able to do absolutely anything except read the pages in the site? No matter how I restrict them, they can still activate drop down lists to alter some items in a site. I would just like to present very static pages with access only by admins. thanks.
|
On
5/19/2008 4:57:01 AM
4u2cnnv
said ..
Hi All
How would I go about allowing a user to add documents to a document library but deny them access to the site collection, as in, they should not see the site at all when they try to open it? Because I am using an InfoPath form to capture data in site collection x, but a copy of that document needs to be kept in site collection y. We tried using a workflow to copy across site collections from x to y but it didn't work, so now we are saving in both libraries, and in actual fact users in x are not allowed to see anything in other site collections.
|
On
5/22/2008 10:05:18 AM
Kiko
said ..
Hi All,
Is it possible to grant a user "approval" permission but not "edit" permission?
Thanks in advance.
Regards.
Kiko.-
|
On
6/2/2008 1:48:18 PM
achille
said ..
How do I restrict users from different parts of the SharePoint portal?
|
On
6/4/2008 7:49:01 PM
Tracy
said ..
Is it possible to allow a user Full Control with the exception of adding users who can access the site?
I tried unchecking the "Manage Permissions - Create and change permission levels on the Web site and assign permissions to users and groups" checkbox, but that still allows my user to create groups, add users to them, and assign them whatever permissions they'd like.
Then I tried unchecking the "Create Groups - Create a group of users that can be used anywhere within the site collection" checkbox, but unfortunately my users are still capable of adding/deleting users from groups that already exist.
Any additional suggestions?
Thanks!
-Tracy
|
On
6/18/2008 8:53:05 AM
gina
said ..
The Add and Customize Pages permission level states "Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services-compatible editor."
How can I allow individuals to add/change/delete HTML and web part pages but not use SharePoint Designer (SPD)?
|
On
7/7/2008 8:54:29 AM
Don Pease
said ..
I have created .aspx files in Designer for my site and now need to keep certain persons out of those areas. Is there a way to put permissions on the .aspx files?
|
On
7/17/2008 11:57:13 AM
Marie Loranger
said ..
hello,
We are trying to implement a workflow built with SharePoint Designer. We want the workflow to update a column field of the Form Library. We get a workflow error at runtime, stating that "SHAREPOINT\system" does not have permission to update the field.
Do you know how I can resolve this ?
Thanks ! Marie Lo.
|
On
8/3/2008 3:46:41 AM
AHA
said ..
Hi,
The user that runs your workflow must have the appropriate permission.
|
On
8/5/2008 5:43:01 PM
Moni_NYC
said ..
Hey Everyone. I can't seem to figure out why only some of my users can edit their profiles and other users are getting a big fat denied. They are all part of the same group which allows for profile editing. Any help would be appreciated.
|
On
8/10/2008 12:14:46 AM
Trish
said ..
HI,
I'm new to SharePoint and we are being told we must convert our custom workflow applications done in Lotus Notes to SharePoint. I have two questions and it sounds like I might be able to get a good answer here -
1). Is it possible to load a list document with permissions set individually for each document loaded? In Notes, we load the readers field for a document to determine who can see and access the document.
2). Can permissions be dynamically updated during workflow? For example... initially one person has access and then when a workflow is selected, only then does the recipient of the email get added for permissions to that document.
Thanks for any advice or thoughts on this! Trish
|
On
8/11/2008 10:48:00 AM
stepfull
said ..
We have a publishing site with workflow that uses many different groups for managing permissions. The one thing I can't make sense of is how permissions determine which items are enabled in the workflow menu of the page editing toolbar. For example, on the main page for a subsite I see the 'Publish' button after the page is checked in. When I go to a page within a subsite of the main subsite, I only see the "submit for approval" button after checking in the page - even though the sub-sub-site is inheriting permissions. Now, from what I'm reading, workflow isn't inherited the way permissions are. Fine and dandy, but I still can't figure out how the system determines which workflows to enable/disable. We haven't customized the page editing console, so it's not anything stemming from that.
|
On
9/8/2008 7:27:55 AM
Anne
said ..
Hi all,
I'm new to SharePoint. Our users' requirement is that in certain document library folders users should not upload or create new documents. They can only update existing documents. What user permission should we give? I tried using Edit, but it didn't work out.... Please help
|
On
9/11/2008 3:14:22 PM
arshad
said ..
Hi,
I have full control on a complete collection. One site inside the same collection was created by someone else. I need to change the site settings of the child site into edit permissions. I don't need inherited permissions from the parent site. I am trying to change these permissions from inherited permissions but all in vain.
Anticipated thanks
|
On
10/22/2008 12:32:15 PM
MJ
said ..
How can I create a permission level with "Add Item" and NOT "View Item"?
I want to create two groups. One of the groups can only add items to a custom list but should not be able to view what he and other people have added. While the other group can Add as well as view the list.
|
On
10/26/2008 3:37:03 PM
Nikhil
said ..
Sahil you rock !!! just the thing i knew existed and NEEDED !!
but was lost in the world of SharePoint links... There must be a trillion links in SharePoint that a decent developer must remember... but I don't think it can be made any simpler :O
|
On
11/12/2008 3:19:00 PM
Peter
said ..
I am wondering if there is a role that will allow me to add and remove Owners in each site without having to be an owner myself? I have owners with full control of a site that I may have to delete in the future.
thanks
|
On
11/20/2008 3:46:26 PM
Dave
said ..
Is there any way to restrict ANY page within a SharePoint application or even finer, restrict access (view / edit /delete) to individual web parts on a page? Using WSS 3.0 I haven't found anything. Sure I can block users from accessing lists or such, but when I create a new web parts page there appears to be no way to restrict users from viewing only this page (but see all others) or set security rights on individual web parts. If that is not possible it is a major design flaw.
|
On
1/15/2009 10:59:03 AM
ign
said ..
Hi Sahil, once more you've saved my life. Thank you!!!
|
On
1/15/2009 3:11:31 PM
Sahil Malik
said ..
Huh? When did I last save your life?
|
On
1/23/2009 9:48:53 AM
Shalini Ahuja
said ..
I have created a permission level so that users only have permission to view, edit and create new, but no permission to delete. Still, in a custom list these users can delete attachments to a list item. How can I set the permissions so that the user cannot delete an attachment?
|
On
2/2/2009 11:10:51 AM
Diogo
said ..
Hi all,
when I set the permissions on SharePoint, I inserted a list of documents without full control.
I wonder if there is any chance of putting someone with full control now.
thanks to all.
|
On
2/9/2009 5:10:53 AM
namzh
said ..
hello,
I want to set permissions such that the user is able to delete his own items but not the items created by others, though he can edit/modify all the items irrespective of whether he is the creator of the item or not.
Can anyone tell me how to do this???
|
On
2/19/2009 5:13:33 AM
Katja
said ..
I have the same question - I know it is possible to give permissions on item level, but is it possible to set a general rule, so everyone can modify his own items?
|
On
3/24/2009 10:13:06 AM
Denise
said ..
Is there a way to set perms on a web part so that it is visible by only certain users? I have perms set so they see "Access is Denied", but I would like them to not even see the web part at all.
|
On
3/26/2009 5:51:16 PM
nagendra
said ..
my problem is that the edit permission allows users to add and delete web parts from the pages... how do I prevent that last part?
|
On
4/30/2009 10:49:32 AM
Muzammil Rajpurkar
said ..
Can anyone help me with the below situation:
I have created a survey list. For the whole site, I don't want users to create or edit any page, so I placed the users in the Visitor role, but it seems that they now cannot participate in the survey either.
I want the users to participate in the survey list so want them to see the "Respond to this survey option", but do not want to have the "Site Actions" option available to them.
How can I do this?
|
On
5/4/2009 9:14:44 PM
Alex
said ..
HELP!!!!!PLEASE!!!!! Just like the post on 11/20/2008 - I'm looking to do the same. I need to restrict ONE PAGE from the MEETING SITE (essentially one of those TABS at the top of the site) to just a handful of the hundreds of users that have permission to the site.
On 11/20/2008 3:46:26 PM Dave said ..
Is there any way to restrict ANY page within a SharePoint application or even finer, restrict access (view / edit /delete) to individual web parts on a page? Using WSS 3.0 I haven't found anything. Sure I can block users from accessing lists or such, but when I create a new web parts page there appears to be no way to restrict users from viewing only this page (but see all others) or set security rights on individual web parts. If that is not possible it is a major design flaw.
|
On
6/25/2009 11:01:15 AM
Tom
said ..
Hello Muzammil Rajpurkar,
I am looking for the same. Did you get the answer on how to solve it with your survey?
Please let me know.
|
On
7/7/2009 8:57:46 AM
Larry Virden
said ..
I was wondering how I would set permissions up for this sharepoint out of the box approval workflow scenario:
I have:
1. Large body of users - this group needs the ability to add a new item to the list, triggering a workflow. They should NOT be able to approve the workflow tasks.
2. Small group of users A - this group need the ability to approve a workflow task. However, only user 1 will actually have tasks assigned to them. The other users need the ability to approve a task assigned to user 1.
3. Small group of users B - this group need similar permissions to Small group A. This group will contain user 2, who will be the one assigned the tasks.
4. In both case 2 and 3, an email needs to go to user 1 or 2, and not the rest of the people in the group. This means that I can't use a group as the participant, because the two options with using a group is either send everyone an email, or send no one an email. Neither of these work for this case. Instead, user 1 and user 2 need to be listed as the participants of the workflow.
Is there a way to set up a workflow for this?
|
On
7/9/2009 4:29:07 PM
Aurimas
said ..
sorry for the off topic, but I am looking for a product which can manage permissions for different parts of a document, and assign different users to specific parts of a document as responsible for those parts.
Then the administrator or someone with rights could filter out by user who is responsible for what parts of which docs etc..
can sharepoint do that?
|
On
12/3/2009 12:06:32 PM
Erik
said ..
->Aurimas
I think documents (files) are atomic units in SharePoint permission-wise. For distributed editing of single documents you could try something like DOORS (designed for requirements and design documents).
/Erik
|
On
2/9/2010 2:24:11 PM
Dasarath
said ..
Hello - I am new to Sharepoint and my question is not related to the above post.
We have a site in SharePoint 2007 whose permissions are set by editing rules in the xml file. I don't know which file it is. And if I try to edit permissions using Site Actions and Advanced Permissions, things are getting messed up; the whole site's permissions are getting wacky. By the way, the site does not inherit permissions from the parent.
Can some body help me with this please
|
On
2/16/2010 6:37:00 AM
jm
said ..
Great post, Thanks
|
On
4/5/2010 2:34:46 AM
alpa
said ..
Hi All,
I have a very big issue with approval workflow. I have created an announcement workflow for a particular list with proper approver permissions. Now the problem that arises is that the one who initiates the workflow can also approve/reject his own item and others' too... how can that be possible... Please provide me a solution to restrict that user from approving or rejecting the workflow.
|
On
5/7/2010 2:20:38 AM
saqib
said ..
Dear,
I have a query: I want to give default "view only" rights to one AD account. Kindly help.
|
On
7/8/2010 1:34:36 PM
Mari
said ..
When a workflow is initiated, it runs under the permissions context of the user that started the workflow. How long does the user retain the permission context? I have a situation where a user is not part of a group that is allowed to view a document library, but after a workflow that has the persons name (as part of a contributor), the user is able to check items in etc... Are the elevated rights revoked after the workflow is complete?
|