Configure Item Level Permissions for Document Libraries
Contributing Author: Toni Frankola
SharePoint Use Cases
A few weeks ago Duncun commented on one of my posts: “Still hunting for the holy grail of a solution that ONLY allows users to view or edit documents they have created themselves.”
The problem
As you probably know, there is an item-level permissions feature that can be a solution to this problem BUT it’s only available for lists, not Document Libraries. Please remember this before you make a promise you cannot deliver.

The solution
The proper way to solve this problem is to set permissions at the item level. Since you cannot use the feature I mentioned above, the only way to do it is to write server-side code that configures them. In this case I am going to use a custom workflow solution (an event handler might also do). The wrong approach would be jQuery or something similar: client-side script only changes what the browser displays, so a malicious user can easily trick the system and still see and edit a document he is not allowed to.
Unfortunately, you cannot use SharePoint Designer Workflows to achieve this because there is no activity to configure permissions at the item level and, to my amazement, there are no community-created SPD activities that solve this either.
In order to solve the problem I created a custom workflow solution that does the following:
- Breaks inheritance of permissions for the file in a document library
- Deletes all existing permissions
- Grants contribute rights to workflow initiator
Please note: This is a bit limiting, but if you need more flexibility, let me know, as I am interested in adding more configuration options.
This workflow solution is published as an open source solution. Check the project site at CodePlex. All your ideas, feedback and development efforts are welcome.
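The three steps listed above, written as the event handler alternative the article mentions, using the SharePoint server object model. This is an added example, not the CodePlex project's code; the class name, the `Grant` helper and the optional owner-group grant are assumptions made for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Added illustration: restricts each new document to its creator.
// Class and helper names are hypothetical, not taken from the project.
public class CreatorOnlyPermissionsReceiver : SPItemEventReceiver
{
    public override void ItemAdded(SPItemEventProperties properties)
    {
        // Capture plain values before elevating; SharePoint objects created
        // outside the elevated delegate keep the caller's permissions.
        string creatorLogin = properties.UserLoginName;
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;

        // The uploader normally lacks the right to manage permissions, so the
        // ACL change runs elevated on freshly opened SPSite/SPWeb objects.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);

                // Step 1: break inheritance without copying the library's assignments.
                item.BreakRoleInheritance(false);

                // Step 2: delete any assignment that remains on the item.
                for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                    item.RoleAssignments.Remove(i);

                // Step 3: grant Contribute to the creator only.
                SPUser creator = web.EnsureUser(creatorLogin);
                Grant(item, creator, web.RoleDefinitions.GetByType(SPRoleType.Contributor));

                // Optional (assumption): keep the site's owner group in control.
                if (web.AssociatedOwnerGroup != null)
                    Grant(item, web.AssociatedOwnerGroup,
                          web.RoleDefinitions.GetByType(SPRoleType.Administrator));
            }
        });
    }

    private static void Grant(SPListItem item, SPPrincipal principal, SPRoleDefinition role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }
}
```

Because `ItemAdded` runs after the upload completes, there is a short window in which the document still carries the library's inherited permissions, the same few seconds the workflow needs.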
Deploying the Solution
To deploy this solution you need administrative access to your server. Unfortunately, this solution cannot be deployed via the web interface. To deploy it, simply download, unpack and run setup.exe on your SharePoint server.
The installation wizard will guide you step by step:

Once deployed, this workflow will be listed as a solution in your site collection. It will be activated automatically, but in case it is not, activate it manually.

To activate this workflow on a document library, select the following: Your Document Library > Settings > Document Library Settings > Workflow Settings
Select the Configure item level permissions template, type a unique name and select the appropriate startup options.

If you saved the workflow with this configuration, it will run when an item (document) is created and, in just a few seconds, it will revoke permissions from other users and allow only the initiator to make changes.
To test this I created a document library “Top Secret Documents”. As shown in the pictures below, the workflow was triggered automatically for all items. Contribute permissions were given only to the document creator (aka the workflow initiator).











Great idea and solution
Do you think we can set up the workflow so as to not revoke rights to the owner group (the site administrators)?
Would we first revoke rights and then give back full rights to the admin?
Thank you
Sure you can. I think the best way (in your case) is to revoke and then add new permissions.
Hi Toni,
I think there is a SPD activity designed to do just that on CodePlex (http://spdactivities.codeplex.com/Wiki/View.aspx?title=Grant%20Permission%20on%20Item).
Anyway, nice to see a complete, easy to use workflow such as yours!
Jonathan
@Jonathan: I tried it, but I think it does not revoke other permissions before granting new ones. I think this was the problem so I could not use it…
Thanks for this solution! This is a lifesaver for me. The only problem is that I need an administrator account to be able to have at minimum contribute rights to all documents in the library, and the way it works now this is not possible. Is there any way I can change this? Also, is the actual code for the custom workflow available? I would like to learn how to do this myself.
thanks.
Anya
@Anya: As said in comments #1 and #2, you can maintain rights for the administrator. As Toni said, the only thing to do is to grant back some rights to the specified users.
thanks, I realized that the solution was there after I posted.
@Anya: Entire code is available at codeplex: http://sharepointworkflows.codeplex.com/ > http://sharepointworkflows.codeplex.com/SourceControl/ListDownloadableCommits.aspx
In case you have a solid business case let me know and I will add it to the original code.
Tnx, Toni
Hi there,
I have created a similar tool, but it does not use workflows and also integrates well with the Document Library settings – bit.ly/soOzy
Cheers,
Chaks
I have you this solution but I wonder is it suitable within a community application where the number of user is thousands?
Say, when we use item-level permissions, you should look through the permission settings page of the SPList: so messy, because SharePoint lists all the unique permission settings here for users and groups (without paging).
Any idea about this problem?
Well, SharePoint has a limitation of 2000 security objects per scope. So if you have such a site I do not think this solution is a way to go.
This workflow installed on my SharePoint server but did not show up in the Site Collections Feature list and is not activated.
Hey Tony,
Thanks a lot for the solution… really appreciated! I want to install but I run a 64bit MOSS farm and the code does not compile! I looked around on the web and apparently the solution is to copy the sharepoint.search dll to the bin folder, etc… do you have any other option?
BTW, why did you choose to go the workflow way instead of event handler? just curious!
Have a great day!
Simone
@Simone: What kind of error do you get? Send me the error: http://www.sharepointusecases.com/index.php/contact-me/
Initially I wanted to create a SharePoint Designer Workflow activity which would be easy to use and configure. However I never found time to finish this. I wanted to do it as SPD as it would be easy to use for end users. (SPD 2010 has such workflow activities.)
Hi Toni – I followed your article, it's really good. Can you please help me with how to use this at group level? I don’t want it based on the created-by user but on groups. My problem is I have users who belong to more than one group, so an item created should be visible for him in both groups. Please help me.
Does anybody have experience with incorporating a ‘trick’ like this one into a Nintex Workflow? We would like to give permissions to both initiator and an approver (selected in a web form by initiator).
@Erik: Nintex has OOTB functionality to control permissions, actually their solution inspired me to create this one…
Yep, we were already fiddling with that Nintex functionality but couldn’t work it out the way we wanted. So I guess I’m looking for a nice “howto:” out there.
(BTW we actually want to use it on a list, not a doc lib, so I’m half off topic here, but we want to do something comparable).
@Erik: So you want to do the same thing as described here for list items with Nintex Workflow?
Something similar I think. We have a list where people can request job travels. Our AD can’t tell who’s your own manager yet, so with a people picker one has to fill in his manager, who will be the approver. Once a request is approved, our dept. Travelmanagement will be notified etc.
All requests end up in a SP list. Both initiator and approver may view (or maybe edit) only the appropriate requests. Other people shouldn’t see those. We can configure the list to show initiator only his own requests, but with NWF we like to deal with that for approver.
Hi, this is good, but can we give item level security for all documents at a time?
Thanks&Regds,
udaya kumar
Hi, it is useful for MOSS 2007 only. How can I do the same thing in WSS 3.0?
Hi, while I am doing this in WSS an error is coming because microsoft.office.workflow.utilit is missing.
The error is:
Feature ‘aba9d13a-83fd-4e36-90a1-9c1b66fbfd65′ could not be installed because the loading of event receiver assembly “Microsoft.Office.Workflow.Feature, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” failed: System.IO.FileNotFoundException: Could not load file or assembly ‘Microsoft.Office.Workflow.Feature, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c’ or one of its dependencies. The system cannot find the file specified.
File name: ‘Microsoft.Office.Workflow.Feature, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c’
at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
at System.Reflection.Assembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.Load(String assemblyString)
at Microsoft.SharePoint.Administration.SPFeatureDefinition.get_ReceiverObject()
WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
Troubleshoot issues with Windows SharePoint Services.
I am a little fuzzy on how to grant back some permissions. Can anyone point me in the right direction as it relates to the process of granting back some rights to specified users?
thanks
Hello,
I downloaded and installed this workflow on a document library, but people are still able to see each other's documents. I am using MOSS 2007 Standard. Does this solution work with the Standard version? Were you using the MOSS Enterprise version when you tested this?
Thanks
Sam
It should work on both Standard and Enterprise. Can you check item permissions of these documents?
Hi Sam, just send your mail id to my mail id ([email protected]). I will send the solution file. Previously I also faced the same problem and got the solution.
Thanks,
udaya kumar
Is there a version that will remove all rights of the author after submitting the form/document in the doc library?
I would like to prevent the author from going back and editing it or deleting the original. Eyes only for the admin is fine.
Hi Toni Frankola
I am using MOSS 2007 on Windows Server 2008. I have installed all the features successfully on the server. When I try to create the workflow as mentioned:
“In order to activate this workflow on a document library select the following: Your Document Library > Settings > Document Library Settings > Workflow Settings
Select Configure item level permissions template, type unique name and select appropriate startup options.”
in my drop-down I am not getting the “Configure item level permissions” template.
Can you suggest what the problem could be?
Thanks
Nasim