EndUserSharePoint.com: How can I restrict views to the contributor’s content, only?
The question of the day comes from Ryne:
Within a SharePoint List, you can specify that users can only see/edit the items they have created. In a document library, which is nothing more than a sophisticated list according to Microsoft, you do not have that option available OOTB [Out of the Box]. Is there any existing documentation or workarounds on this issue?
Response from Chris Poteet at Siolon.com
Yes there is. Let’s look at how to do this.
- Go to the document library where you want to restrict the view
- Select the “view drop down” and select “Create View”

- Name your view (I chose “Only Me”), and make it a public view.
- Scroll down to the “Filter” section, check “Show items only when…”, and add these conditions:
  - Created By – Is equal to – [Me]
  - Modified By – Is equal to – [Me]

- Go ahead and create the view.
- Then log in as a different user. I created a “read only” user.

- You should then see only documents uploaded by that person or in my case nothing at all.

Just to double-check, I upgraded the test user’s privileges to Contribute, uploaded a document, and the view correctly showed me only the one document I uploaded.
Chris Poteet
Siolon.com
Chris has been developing web applications in increasing complexity over the last 8 years. He has a degree in Management Information Systems with an emphasis on Information Architecture.

Chris,
Thanks for your solution! However, I have one thing to add. Correct me if I am wrong …
If this solution is used to achieve “users can only see/edit their own entries” then you need to set up custom permissions.
By default, the “Contribute” permission level allows users to create views, in which case, a power user could create a new, personal, view without the filters and access all items in the library.
Setting up custom permissions is available OOTB and easy to do, but it’s an important step to remember when deploying this solution!
Thanks again,
Ryne
Ryne,
You are absolutely correct. I actually saw this when I upgraded the test user account.
Even if you lock out the availability of views, clever users who can predict the name of a document can gain access with some URL-fu. This is the reason why implementing InfoPath forms where each instance is secured is so complex.
In cases where documents need to be locked down to the creator you have a few options without heavy code development:
1. Set item-level permissions: Sure it’s a pain, but it may be viable if you have a small set of documents and new ones don’t appear often.
2. Set folder-level permissions: make a folder for each creator and make them put their documents in those folders (take away all but the folder content type from the library).
3. Get an ISA server: $$$ expensive solution but powerful and helps with so many other security and compliance issues. Again, it may be the best option for your needs.
4. Push for HTML forms: Push to have documents of this type converted to content types based on Item instead of Document. It’s much easier to secure by creator.
5. Take away views and use email: If you take away contributor rights but email enable the list, contributors can still submit their documents (without metadata). I haven’t tested all angles, but I’m pretty sure that by using web services or Outlook connections (through GPO) you can set the default view to filter for creator=user and none of the users can change it (since they can’t actually get to the library). I hate this option because we lose our best friend during MOSS implementation–the Exchange administrator.
The solution I am looking at is for expense reports. InfoPath is not an option because a) we do not have forms server and b) not all users have infopath. Creating an Expense Report based on an item would be SharePoint Designer-intensive, so we are looking at just allowing the upload of the existing Expense Report (.xls) to a library.
I would probably set up an expense report library with only admin access (someone from Accounting) and the CFO. The only allowed content type is expense folder.
Create an expense folder for each person allowed to submit an expense report in that library. The only content type allowed for expense folder is expense report. Add only the user and possibly their manager to the expense folder’s permissions.
When people navigate to the library, they only see the folders they have access to and therefore can only access certain documents.
For people who travel, they can connect this library to Outlook and synchronize their documents so they keep track of the spreadsheet offline and next time they connect to SharePoint the .xls is submitted for them.
To support the admin’s job, you may want to create a simple request list to have those folders created for new employees or employees who start traveling.
Be careful about allowing alerts since data could leak through email and therefore break your security model.
Paul – Nice solution. I’m surprised you didn’t include a Mind Map with an embedded screencast.
Mark
Aside from Doc Libraries, I’ve had to restrict views of a List according to various user groups.
I have one List with several Views. I create another Site and give that site “manager level” permissions. I place a link to this manager site on the main site’s Links and call it “Admin Site”. I then change the List to “No Toolbar” so the View drop down is hidden from all users. The primary List is filtered by [me] so that the normal users can only see their own records. Managers click on the Admin Site Link, click on another link back to the List’s manager view, etc. Primitive but it works.
Charlie,
Just be wary of “hiding” versus access control. A large portion of SharePoint functionality is predictable. I’m not the only query string hacker out there.
If I see a list with a hidden toolbar, I display an item then switch the URL to EditForm.aspx instead of DispForm.aspx to see if I have edit permissions.
If I don’t have edit permissions, I “step-through” IDs to check if I have access to other records not listed. Auto-increment integers are predictable and open to manipulation if you don’t set permissions properly.
If the information is in any way private DO NOT SETTLE for hiding list objects.
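A defender-side check for the ID stepping described in the comment above, as an added example that is not part of the original thread: it scans IIS W3C log lines for a user who requests a run of consecutive item IDs on one list's DispForm.aspx/EditForm.aspx. The sample log, the function names and the `min_run` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2008-03-04 10:00:01 GET /sales/Lists/Prospects/DispForm.aspx ID=12 CORP\\alice 200
2008-03-04 10:02:10 GET /sales/Lists/Prospects/DispForm.aspx ID=40 CORP\\alice 200
2008-03-04 11:15:00 GET /sales/Lists/Prospects/DispForm.aspx ID=12 CORP\\bob 200
2008-03-04 11:15:09 GET /sales/Lists/Prospects/EditForm.aspx ID=12 CORP\\bob 403
2008-03-04 11:15:20 GET /sales/Lists/Prospects/DispForm.aspx ID=13 CORP\\bob 200
2008-03-04 11:15:24 GET /sales/Lists/Prospects/DispForm.aspx ID=14 CORP\\bob 403
2008-03-04 11:15:29 GET /sales/Lists/Prospects/DispForm.aspx ID=15 CORP\\bob 200
"""

FORM_RE = re.compile(r"^(?P<list>.+)/(?:DispForm|EditForm)\.aspx$", re.I)
ID_RE = re.compile(r"(?:^|&)ID=(\d+)(?:&|$)", re.I)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, run), i
    return best

def find_id_walkers(log_text, min_run=4):
    """Map (user, list path) -> stats for users who stepped through item IDs."""
    fields, seen, denied = [], defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            form = FORM_RE.match(rec.get("cs-uri-stem", ""))
            item = ID_RE.search(rec.get("cs-uri-query", ""))
            if form and item:
                key = (rec.get("cs-username", "-"), form.group("list"))
                seen[key].add(int(item.group(1)))
                # Assumption: denials are logged as 401/403; adjust for your farm.
                if rec.get("sc-status") in ("401", "403"):
                    denied[key] += 1
    return {k: {"run": longest_run(v), "ids": len(v), "denied": denied[k]}
            for k, v in seen.items() if longest_run(v) >= min_run}
```

A hit only shows that someone probed; any of those requests that returned 200 on another user's item means the list is relying on a filtered view rather than item permissions.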
Paul – Good point. I was going to respond along the same lines, but you beat me to it.
Thanks,
Mark
Point taken. I guess I’m enjoying my honeymoon of not-so-technical users. I’m also not posting critical data, just sales prospects. Thanks-
Charlie,
I wouldn’t be surprised if someone was posting client notes into what they thought was their private list of prospects only to find that another sales person was poaching their list.
It happened to my company on another platform–the only reason I’m sensitive to it.
How do I disable the reply option for all the people who can post their comments (i.e. have view, add, edit (their own entries)) but enable the same only for members with approver permissions?
The purpose of this is to make only the approver and/or a predefined group of experts reply within a discussion forum instead of all replying to a post.
Let the rest of the members just post their queries/comments on the forum.
Can somebody help me out with the required settings to solve this, please?
VERY VERY URGENT PLS
Warm Regards,
Surendranath.
If you add a script or CSS to hide the comments link, you can put Audience targeting on the CEWP. You can also add a redirect/alert script to Posts.aspx and use Audience targeting there. With targeting, the script only loads for the groups you want (Approvers in case #1 and non-approvers in case #2).