Yesterday in our ShareLabs session a question was asked on how to display and/or secure data in a list based on criteria other than the author. I am going to use colors as the criteria for the purposes of this post. So the scenario is that we want to build a list to track something like, say.... oh I don’t know…. how about bicycles. We only want to display certain colors to certain groups for whatever reason. There are multiple ways to accomplish this, one of them being that we create views that filter the colors that we want to display, then create a page and drop a web part for each filtered view, and then apply Audience Targeting on each web part. At first blush this looks like it would accomplish what we want it to but what happens when a user goes to the list itself instead of our web part page? They are going to be able to see all entries in the list regardless of color, because of the permissions that they have on that list.
In SharePoint 2010 there are item level permissions that can be applied on lists. Essentially you can mouse over each item, click on the drop down arrow, and choose Manage Permissions.
On the permissions page you can choose the Stop Inheriting Permissions button on the ribbon and then customize the permissions on that item.
Now you have the desired results across the board without needing to setup web parts with Audience Targeting. However, this approach has a couple of flaws. First, this method can be very daunting to manage especially for large lists. Think of breaking the permission inheritance on each and every item in the list and then customizing the permissions. Also think about managing it going forward, what happens when you have to add a new user to permissions? Since inheritance is broken on the item you will have to manually add that new user to each item that they should have access to. You could and should use groups to assign permissions to but it can still be a very time consuming process to get your permissions just right.
There is an easier way to accomplish this task and it comes in the form of a SharePoint Designer workflow that uses impersonation steps to change the permissions on the items in your list. I will walk you through creating such a workflow as well as discussing some of the potential trouble spots. Before we dive into SharePoint Designer to build the workflow we have some decisions to make and some preliminary work to do.
1. We will need a list for our data. This will also work for Document Libraries but for this example I am creating a list called Bikes with the following columns; Serial Number, Color, Manufacturer, Bike Type, and Suspension.
2. What criteria do we want to use to set up the permissions? For this example we are going to use the color column.
3. How many different sets of users are we going to have? In my list I am using 3 colors; red, blue, and green but I am going to have more sets of users than colors. Our sets are going to be; red, blue, green, red and blue, red and green, blue and green, and all.
4. On my site I am going to create a group for each set, 7 groups total. Bikes-Red, Bikes-Green, Bikes-Blue, Bikes-Red and Blue, Bikes-Red and Green, Bikes-Blue and Green, and Bikes-All will be the group names. As a side note, if I am going to be in Designer anyways and if I need to make multiple groups, I prefer to make my groups in Designer as the navigation is easier with the buttons on the ribbon always being present where in the browser it takes a few extra clicks for each group that you create. Both methods work so use whichever one you prefer.
This is what the permissions look like for all entries in my list before running the workflow:
Now that we have all of the prep work out of the way let’s build a workflow. If you haven’t done so already, open your site in SharePoint Designer 2010.
What’s that? You don’t have SharePoint Designer 2010 installed on your computer? OK, we’ll wait while you go to http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16573 to download and install SharePoint Designer 2010.
1. Once your site is opened in SharePoint Designer (SPD), click on Workflows in the Site Objects pane on the left. In the New section of the ribbon, click on List Workflow and choose the list that you want to create the workflow for, in this case Bikes.
2. Give your workflow a Name and optionally a Description then click OK.
3. You will now be in the workflow editor screen with a blinking orange cursor in the Step 1 window. Changing permissions through a workflow requires that we use an impersonation step so the first thing that we need to do is click above the Step 1 window so that the blinking cursor is above Step 1 and then click on Impersonation Step in the Insert section of the ribbon menu.
After you have an Impersonation Step window you can click on the Step 1 window and delete it. If you are creating a more complex workflow that will use multiple steps then feel free to leave the Step 1 window there so that you can use it in the future.
4. Now that we have an Impersonation Step, the first thing that we need to do is set a condition that compares the value of the color column. Click on Condition and choose If current item field equals value from the drop down menu.
5. Click on field and choose Color then click on value and choose Red. You screen should look like this:
6. Next click on the Action button on the ribbon, scroll down to the List Actions section and choose Replace List Item Permissions.
7. Click on the these permissions link to launch the Replace List Item Permissions window. Click Add.
8. Click on the Choose… button and select the following groups; Bikes-All, Bikes-Red, Bikes-Red and Blue, and Bikes-Red and Green then click OK.
9. Next select the permissions that you want to grant to these groups. To keep things simple I am going to grant all groups Contribute permissions so I select the Contribute checkbox and then click OK.
10. If you want to mix things up and give all groups Contribute and the Bikes-All group Full Control then simply add another entry to the List Item Permissions window and choose Bikes-All and grant them Full Control permissions. This is probably a good place to talk about the potential for locking yourself out of being able to access items in this list. If you are a Site Collection Administrator you have less to fear as you will still have access to the list items. However, if you are a Site Owner and not a member of any of the groups that we created earlier on, then guess what…. after this workflow runs you will no longer have access to items in this list. Make sure that this does not happen to you by either adding the site’s Site Owner Group or making sure that you and/or other site owners are in a group that you are specifying to have Full Control permissions on the item. Don’t say I didn’t warn you! Once you have all of the permissions granted to the right groups or users, click OK.
11. Click on the this list link, leave Current Item in the List field and click OK.
12. In the Insert section of the ribbon click on Else-If Branch then click on Condition and choose If current item field equals value.
13. Click on field and choose Color then click on value and choose Blue. You screen should look like this:
14. Repeat steps 6-11 from above to add the Replace List Item Permissions action to the workflow, only this time for the Blue set of users.
15. Repeat steps 6-14 for the Green users set. When you are done your Impersonation Step should look something like this:
16. Click on the Check for Errors button on the ribbon to verify that there are not any logic errors in the workflow. This check does not ensure that your workflow will work as perfectly as you have envisioned, only that there are no infinite loops, dead ends, etc… in your workflow logic.
17. If there were no errors, click Save.
18. On the bread crumb trail just below the tabs under the ribbon, click on the name of your workflow to exit the editor and to get to the workflow settings page.
19. On the workflow settings page find the Start Options section and choose the Start workflow automatically when an item is created and the Start workflow automatically when an item is changed checkboxes. This will ensure that if someone changes the color field then the proper permissions will be applied.
20. Save the workflow again after choosing your start options.
21. The last step in SPD is to publish the workflow. This is where things can get a little tricky because we are using an Impersonation Step. This workflow is going to run under the security context of the user who publishes the workflow. In most cases this fine but let’s explore a couple of possible scenarios that could render this workflow useless. Suppose that in the future you are assigned to another team and your permissions are removed from the site. At that point the workflow will no longer work and all new items will revert back to inheriting the permissions from the list. Ok who are we kidding, no goes into the site settings and clears up permissions right? Chances are that John who used to be on your team a year ago but has since moved over to Accounting is still a member of your site. True, that does happen all too often so let’s take another approach, let’s say that in 6 months you take a job at another company. It is very likely that your account will, at the very least, be disabled before you make it to your car in the parking lot. At that point your workflow is broken. I know, you’re thinking if that’s the case then why do I care, I don’t work there anymore. That’s not going to win you friends and glowing references in the future so let’s do this right. It is always a good idea to publish workflows that contain Impersonation Steps as a service account. Service accounts generally don’t go away and your administrator can setup a policy on the backend so that the permissions of said account are not ever removed from the site. So either risk alienating your coworkers by publishing the workflow as yourself or contact your SharePoint Administrator and have them publish it using a service account.
Now that your workflow has been published to your brand new, not populated with items, list - you are finished. As you add items to the list, the workflow will run and set your permissions as you configured the workflow to do it.
Oh, but your list already has a few entries?
No biggie, just mouse over each item, click on the drop down list, choose Workflows, and select your workflow name and click Start.
Huh? Oh you meant there are a few hundred items in the list? Ah, well check out my earlier post on creating a workflow to run on an entire list, the poor man's way for the answer to that problem.
Ok, your workflow has ran and now the permissions for your items should look similar to this:
If you see additional entries on the permissions list that have a permission level of Limited Access you don’t need to worry about them per se. The Limited Access permission level is a system permission that acts as a place holder. It could indicate that those entities have access to something either lower in the hierarchy or at a peer level such as a content type. Limited Access does not indicate that they have any access to this specific item. However, if you want to be sure that they do not have permissions to this item, click the Check Permissions button on the ribbon, put the user name or group name into the field and click Check Now.
That about wraps things up, until next time….