Configure Item Level Permissions for Document Libraries
Contributing Author: Toni Frankola
SharePoint Use Cases
A few weeks ago Duncun commented on one of my posts: “Still hunting for the holy grail of a solution that ONLY allows users to view or edit documents they have created themselves.”
The problem
As you probably know, there is an item-level permissions feature that can be a solution to this problem BUT it’s only available for lists, not Document Libraries. Please remember this before you make a promise you cannot deliver.

The solution
The proper way to solve this problem is to set permissions at the item level. Since you cannot use the feature I mentioned above, the only way to do it is to write server-side code that configures them. In this case I am going to use a custom workflow solution (an event handler might also do). The wrong approach would be jQuery or something similar: it only changes what the browser displays, so a malicious user can easily trick the system and still see and edit a document he is not allowed to.
Unfortunately, you cannot use SharePoint Designer workflows to achieve this because there is no activity to configure permissions at the item level and, to my amazement, there are no community-created SPD activities to solve this either.
In order to solve the problem I created a custom workflow solution that does the following:
- Breaks inheritance of permissions for the file in a document library
- Deletes all existing permissions
- Grants contribute rights to workflow initiator
Please note: This is a bit limiting, but in case you need more flexibility here, let me know, as I am interested in adding some configuration options.
This workflow solution is published as an open source solution. Check the project site at CodePlex. All your ideas, feedback and development efforts will be welcomed.
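The three steps listed above, written against the SharePoint server object model as an added sketch (this is not the code from the CodePlex project). The class and method names and the `keepOwners` option, which grants Full Control back to the site's owners group after the revoke, are assumptions made for the illustration; an event receiver is used as the trigger.

```csharp
using Microsoft.SharePoint;

// Added illustration: class and method names are hypothetical.
public static class ItemPermissionHelper
{
    public static void RestrictToCreator(SPListItem item, SPUser creator, bool keepOwners)
    {
        SPWeb web = item.ParentList.ParentWeb;

        // Step 1: stop inheriting from the library; false = do not copy
        // the parent's role assignments onto the item.
        item.BreakRoleInheritance(false);

        // Step 2: remove whatever assignments are still on the item.
        for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
            item.RoleAssignments.Remove(i);

        // Step 3: grant Contribute to the document creator only.
        Grant(item, creator, web.RoleDefinitions.GetByType(SPRoleType.Contributor));

        // Variant: give the site's owners group Full Control back.
        SPGroup owners = web.AssociatedOwnerGroup;
        if (keepOwners && owners != null)
            Grant(item, owners, web.RoleDefinitions.GetByType(SPRoleType.Administrator));
    }

    private static void Grant(SPListItem item, SPPrincipal who, SPRoleDefinition role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(who);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }
}

public class RestrictToCreatorReceiver : SPItemEventReceiver
{
    // ItemAdded runs after the upload, so the item briefly inherits library permissions.
    public override void ItemAdded(SPItemEventProperties properties)
    {
        // The uploader normally lacks Manage Permissions, so run elevated.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(properties.SiteId))
            using (SPWeb web = site.OpenWeb(properties.RelativeWebUrl))
            {
                SPListItem item = web.Lists[properties.ListId].GetItemById(properties.ListItemId);
                ItemPermissionHelper.RestrictToCreator(item, web.EnsureUser(properties.UserLoginName), true);
            }
        });
    }
}
```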
Deploying the Solution
To deploy this solution you need administrative access to your server. Unfortunately, this solution cannot be deployed via the web interface. To deploy it, simply download, unpack and run setup.exe on your SharePoint server.
The installation wizard will guide you step by step:

Once deployed, this workflow will be listed as a solution in your site collection. It will be activated automatically, but in case it is not, activate it manually.

In order to activate this workflow on a document library select the following: Your Document Library > Settings > Document Library Settings > Workflow Settings
Select the Configure item level permissions template, type a unique name and select the appropriate startup options.

If you save the workflow with this configuration, it will run when an item (document) is created and, in just a few seconds, it will revoke permissions from other users and allow only the initiator to make changes.
To test this I created a document library “Top Secret Documents”. As shown in the pictures below, the workflow was triggered automatically for all items. Contribute permissions were given only to the document creator (aka the workflow initiator).







Great idea and solution
Do you think we can setup the workflow so as to not revoke rights to the owner group (the site administrators).
Would we first revoke rights and then give back full rights to the admin ?
Thank you
Sure you can. I think the best way (in your case) is to revoke and then add new permissions.
Hi Toni,
I think there is a SPD activity designed to do just that on CodePlex (http://spdactivities.codeplex.com/Wiki/View.aspx?title=Grant%20Permission%20on%20Item).
Anyway, nice to see a complete easy to use workflow such as yours !
Jonathan
@Jonathan: I tried it, but I think it does not revoke other permissions before granting new ones. I think this was the problem so I could not use it…
Thanks for this solution! This is a lifesaver for me. The only problem is that I need an administrator account to be able to have at minimum contribute rights to all documents in the library and the way it works now this is not possible. Is there any way I can change this? Also, is the actual code for the custom workflow available? I would like to learn how to do this myself.
thanks.
Anya
@anya : As said on comment #1 and #2, you can maintain rights for the administrator. As Tony said, the only thing to do is to grant back some rights to the specified users
thanks, I realized that the solution was there after I posted.
@Anya: Entire code is available at codeplex: http://sharepointworkflows.codeplex.com/ > http://sharepointworkflows.codeplex.com/SourceControl/ListDownloadableCommits.aspx
In case you have a solid business case let me know and I will add it to the original code.
Tnx, Toni
Hi there,
I have created a similar tool, but it does not use workflows and also integrates well with the Document Library settings – bit.ly/soOzy
Cheers,
Chaks
I have you this solution but I wonder is it suitable within a community application where the number of users is in the thousands?
Say, when we use item-level permission, you should look through the permission settings page of SPList, so messy, because SharePoint lists all the unique permission settings here for users and groups (..without paging).
Any idea about this problem?
Well, SharePoint has a limitation of 2000 security objects per scope. So if you have such a site I do not think this solution is a way to go.
This workflow installed on my SharePoint server but did not show up in the Site Collections Feature list and is not activated.
Hey Tony,
Thanks a lot for the solution… really appreciated! I want to install but I run a 64bit MOSS farm and the code does not compile! I looked around on the web and apparently the solution is to copy the sharepoint.search dll to the bin folder, etc… do you have any other option?
BTW, why did you choose to go the workflow way instead of event handler? just curious!
Have a great day!
Simone
@Simone: What kind of error do you get? Send me the error: http://www.sharepointusecases.com/index.php/contact-me/
Initially I wanted to create a SharePoint Designer Workflow activity which would be easy to use and configure. However I never found time to finish this. I wanted to do it as SPD as it would be easy to use for end users. (SPD 2010 has such workflow activities.)
Hi Toni – I followed your article, it’s really good. Can you please help me with how to use this at group level? I don’t want it based on the created-by user but on groups. My problem is I have users who belong to more than one group, so an item created should be visible for him in both groups. Please help me.
Does anybody have experience with incorporating a ‘trick’ like this one into a Nintex Workflow? We would like to give permissions to both initiator and an approver (selected in a web form by initiator).
@Eirk: Nintex has OOTB functionality to control permissions, actually their solution inspired me to create this one…
Yep, we were already fiddling with that Nintex functionality but couldn’t work it out the way we wanted. So I guess I’m looking for a nice “howto:” out there.
(BTW we actually want to use it on a list, not a doc lib, so I’m half off topic here, but we want to do something comparable).
@Erik: So you want to do the same thing as described here for list items with Nintex Workflow?
Something similar I think. We have a list where people can request job travels. Our AD can’t tell who’s your own manager yet, so with a people picker one has to fill in his manager, who will be the approver. Once a request is approved, our dept. Travelmanagement will be notified etc.
All requests end up in a SP list. Both initiator and approver may view (or maybe edit) only the appropriate requests. Other people shouldn’t see those. We can configure the list to show initiator only his own requests, but with NWF we like to deal with that for approver.