Item-level permissions and AD groups

  • Question

  • Is there a way to restrict item-level permissions WITHIN an AD group?

    For example, under Advanced Settings in a given list, you can restrict Item-level permissions to only those created by a particular user. But my tests have shown that SharePoint appears to treat all users within a given AD/SharePoint group as a single user.

    We'd like to allow any user in a particular AD/SharePoint group to contribute to a certain list via an InfoPath form. But we want to restrict their view/edit permissions to items created by the individual (i.e. not allow everyone in the AD group to see all items). Is this possible? Hopefully I am just missing something.


    ~Nicole~
    Wednesday, April 20, 2011 10:54 PM

Answers

  • SharePoint definitely does not treat all users within an AD or SP group as a singular user unless you assign the permissions to that group.  The Item-Level permissions you're talking about are only specific to the individual user who created the item and by no means have any relation to groups of any kind.

    Set your initial permissions for the list or library to the group you want to use, but then use Replace List Item Permissions to convert the item permissions to include only the "user who created the current item."  Chris referenced this, but you will need to first add an Impersonation Step in your SPD workflow, and then you will use Replace List Item Permissions.  However, this is only necessary in a form library, not in a list converted to InfoPath.  If we're truly talking about a list here, then the Advanced Settings > Item-Level Permissions should be all you need.  Set it where users can read "only their own" and users can edit "only their own."  Those settings _definitely_ work and have no association with groups.


    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    • Marked as answer by NicDev99 Thursday, April 21, 2011 4:02 PM
    Thursday, April 21, 2011 6:04 AM
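The list-level setting the accepted answer points to (Advanced Settings > Item-level Permissions) is exposed on the server object model as `SPList.ReadSecurity` and `SPList.WriteSecurity`. The script below is an added example, not code from the thread or from either poster; it shows the current values, applies the "only their own" settings, and then lists who holds the Manage Lists permission on the list, because those accounts are exempt from item-level security and will still see every item. It is written for the SharePoint 2010 Management Shell on a farm server; the site URL and list title are placeholders.

```powershell
# Added example (not from the original thread): inspect and set the list-level
# Item-level Permissions that the accepted answer describes, using the
# SharePoint server object model. Run from the SharePoint 2010 Management Shell
# on a farm server. The site URL and list title below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.example.com/sites/forms"   # placeholder
$listTitle = "Requests"                                   # placeholder

# SPList.ReadSecurity : 1 = read all items, 2 = read only items they created
# SPList.WriteSecurity: 1 = create and edit all items,
#                       2 = create items and edit only items they created,
#                       4 = none
function Show-ItemLevelSecurity {
    param([Microsoft.SharePoint.SPList]$List)
    New-Object PSObject -Property @{
        List          = $List.Title
        ReadSecurity  = $List.ReadSecurity
        WriteSecurity = $List.WriteSecurity
    }
}

# Accounts holding Manage Lists on the list are not restricted by
# ReadSecurity/WriteSecurity, so they still see and edit every item.
function Get-ManageListsHolders {
    param([Microsoft.SharePoint.SPList]$List)
    $manage = [Microsoft.SharePoint.SPBasePermissions]::ManageLists
    $List.RoleAssignments |
        Where-Object {
            $_.RoleDefinitionBindings |
                Where-Object { ($_.BasePermissions -band $manage) -ne 0 }
        } |
        Select-Object @{ n = 'Principal'; e = { $_.Member.Name } },
                      @{ n = 'Roles';     e = { ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', ' } }
}

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$listTitle]

    Write-Host "Before:"
    Show-ItemLevelSecurity $list | Format-Table -AutoSize

    # Same effect as ticking "Read items that were created by the user" and
    # "Create items and edit items that were created by the user" in the UI.
    $list.ReadSecurity  = 2
    $list.WriteSecurity = 2
    $list.Update()

    Write-Host "After:"
    Show-ItemLevelSecurity $list | Format-Table -AutoSize

    Write-Host "Principals exempt from item-level security (Manage Lists):"
    Get-ManageListsHolders $list | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```

If the list inherits permissions, `RoleAssignments` reports the parent web's assignments, which is exactly the set you need to review: a group granted Full Control or Design at the site level keeps full visibility of the list regardless of the two settings above.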

All replies

  • Hi,

    Yes, you can do this using a SPD Workflow.

    Set it to fire on Item Created, and have something like

    Start -> Set Item Permissions -> End

    In the Set Item Permissions step you can set whatever permissions you want to the AD Group and the User who created the form.

    Regards,

    Chris


    Regards, Chris
    • Proposed as answer by Chris Grist Thursday, April 21, 2011 12:00 AM
    • Unproposed as answer by Clayton Cobb Thursday, April 21, 2011 6:00 AM
    Wednesday, April 20, 2011 11:59 PM