Taxonomy/metadata permissions (per-document).

  • Question

  • Hi,

    I currently have a main document library where all my site's documents are stored. Each one of these documents is assigned a managed metadata tag (taxonomy).

    My query is can permissions be assigned based on these tags? For example, let’s say I have a 'Marketing' tag and I only want marketing people to be able to view/open/download any documents given the 'marketing' tag.

    Thanks in advance.
    C.J.Murray

     

    Wednesday, January 11, 2012 4:28 PM

All replies

  • You can attach an audience to an item. So you could create a Marketing audience and attach it to the marketing documents. The users who are not in this audience won't see these documents.
    Blog: www.jasperoosterveld.com Twitter: @JasITConsultant
    Wednesday, January 11, 2012 5:46 PM
  • But Audiencing is NOT security and won't prevent them from seeing, using, or downloading the items if they go to the library. You could create a Designer based workflow that upon creation of an item in the library you compare your tag field and then use the replace permission action to assign the permissions you wish.
    Imagine what we could be...If we could just imagine. Daniel A. Galant
    • Marked as answer by C.J.Murray Thursday, January 12, 2012 11:09 AM
    Wednesday, January 11, 2012 9:32 PM
  • An audience will prevent the users from seeing, using and downloading because you cannot see an item when you are not in that audience.

    I agree with the SP Designer suggestion. Not sure if you can set a condition at a managed metadata field.


    Blog: www.jasperoosterveld.com Twitter: @JasITConsultant
    Wednesday, January 11, 2012 10:02 PM
  • I agree with Daniel, if users should not have access to the documents, then audiences are not enough - there is a chance that users will access the document using a direct URL (if they know it somehow), or from another view which doesn't use audience targeting. Audiences can be used only in conjunction with a real security restriction.

    In this case the answer to the question is the following: there are no OTB mechanisms for that. In order to restrict users' access based on the documents' metadata, you need to use item-level security (in SharePoint an item (list or doclib item) is the minimal element which can use unique permissions. I.e. the parent doclib may have its own permissions, but documents inside this doclib - another). One of the solutions is to create a custom event receiver (e.g. on the ItemUpdated event) for the doclib and set unique permissions for the document (break permissions inheritance from the parent doclib) based on the updated metadata. Some time ago I created a helper class for such operations: see SecurityHelper.AssignGroupRoleToSecurableObject() here: http://sadomovalex.blogspot.com/2010/07/create-associated-sharepoint-groups.html.


    Blog - http://sadomovalex.blogspot.com
    CAML via C# - http://camlex.codeplex.com
    Wednesday, January 11, 2012 10:30 PM
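
The event-receiver approach described in the post above, sketched against the SharePoint server object model. This is an added example, not code from the thread or from the helper class linked in it; the column name "Department", the term label "Marketing" and the group name "Marketing Members" are assumptions, and the column is assumed to be a single-value managed metadata field.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Taxonomy;

// Added example. Assumed names: managed metadata column "Department",
// term label "Marketing", SharePoint group "Marketing Members".
public class TagPermissionReceiver : SPItemEventReceiver
{
    private const string TagField = "Department";         // assumption
    private const string TagLabel = "Marketing";          // assumption
    private const string GroupName = "Marketing Members"; // assumption

    public override void ItemAdded(SPItemEventProperties properties) { Apply(properties); }
    public override void ItemUpdated(SPItemEventProperties properties) { Apply(properties); }

    private void Apply(SPItemEventProperties properties)
    {
        Guid siteId = properties.SiteId;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;
        string webUrl = properties.RelativeWebUrl;
        // Contributors normally cannot manage permissions, so reopen the
        // item under the application pool account.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                TaxonomyFieldValue tag = item[TagField] as TaxonomyFieldValue;
                bool restricted = tag != null &&
                    string.Equals(tag.Label, TagLabel, StringComparison.OrdinalIgnoreCase);
                if (!restricted)
                {
                    // Tag removed or changed: fall back to the library's permissions.
                    if (item.HasUniqueRoleAssignments) item.ResetRoleInheritance();
                    return;
                }
                // Build the item ACL from scratch instead of copying the library's.
                if (!item.HasUniqueRoleAssignments) item.BreakRoleInheritance(false);
                for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                    item.RoleAssignments.Remove(i);

                SPRoleAssignment ra = new SPRoleAssignment(web.SiteGroups[GroupName]);
                ra.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(SPRoleType.Reader));
                item.RoleAssignments.Add(ra);
            }
        });
    }
}
```

ItemAdded and ItemUpdated run asynchronously by default, so a newly tagged document keeps the library's permissions for a short window until the receiver finishes. Role assignment changes do not call Update() on the item, so the receiver does not re-trigger itself.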
  • I'm going to have to correct you on this. Audiences are not security. They are obscurity. Yes, an audience will hide an item from the users that are not a part of the audience. However, a user can still access the items if they know the URL. Secondly, audiences do NOT work in the libraries themselves. Once you enable audiencing on a library you can apply audiences to items in that library. This filtering is only valid when used via a web part. If you go directly to the library you will still see all the items in that library based upon your permissions, not based upon audience targeting.
    Imagine what we could be...If we could just imagine. Daniel A. Galant
    Wednesday, January 11, 2012 10:36 PM