Infopath form security

    Question

  • Hi,

     

    I have tried to make a performance appraisal system in InfoPath 2010 on my personal laptop (running SharePoint 2010). What I am trying to do is the following:

    1. Design a browser-based InfoPath form which all the users can fill in.

    2. Apply rules so that once a particular user submits the form, an approver can open a different view (a hyperlink in an email to open) to approve.

    Now, I am facing a problem regarding assigning security permissions. All the forms are created in a SharePoint form library. How can I ensure that once a user adds his/her own document, he can only access that document rather than the rest of the documents created by other users? I can use item-level permissions on every form. However, forms will be created at random by almost every user for this appraisal system. I also need to make sure that the form can be accessed by the creator, his approver and the admin. Nobody else should be able to access the form once the form is first created. How can I achieve that at run-time, i.e. as soon as the new form is created and saved?

    Any ideas?

     

    Tuesday, July 05, 2011 2:42 PM

Answers

  • Hi Saytzeff,

    From your description, I understand that you want to remove these users' (ordinary users who are not the creator) permissions from the current form when a new form has been created, so that only the form creator and approvers would have permission to open/edit the current form.

    If so, you could use SharePoint Designer workflow to break and manage permissions to current items. These manage permission actions are available in Impersonation Step. You can find them in Edit workflow > Click Impersonation Step in ribbon to add a new impersonation step > Click Action.
    For the details, please refer to
    http://technet.microsoft.com/en-us/library/ee428324.aspx#BKMK_UserStep
    https://www.nothingbutsharepoint.com/sites/eusp/Pages/SharePoint-2010---Configuring-List-Item-Permissions-with-Workflow.aspx

    Best regards,
    Emir

    Thursday, July 07, 2011 12:17 PM
  • As Emir said, you can use SharePoint Designer security-related actions to break the list's permissions and assign the user who will approve the form the approve permission. If you want all forms to appear to all users in case the URL is sent to another user, you can make an extra view where users are redirected to if they are none of the users who are related to the previous 4 views; when they see this view, they will see a message like: "Sorry, you don't have permissions to view this form" and a close button or anything like that.

    Mohamed Derhalli ||| SharePoint Specialist ||| http://Path2SharePoint.com
    Thursday, July 07, 2011 4:46 PM
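
The break-inheritance and grant steps the answers above describe, written as an added PowerShell example against the SharePoint 2010 server object model (it is not code from any poster, and it is not the SharePoint Designer workflow itself). The `Approver` person field, the `Appraisal Admins` group and the role choices are assumptions made for illustration.

```powershell
# Added example. Field name, group name and role choices are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-AppraisalItemPermissions {
    param(
        [string]$WebUrl,
        [string]$LibraryName,
        [int]$ItemId,
        [string]$ApproverField = 'Approver',        # assumed person field on the form
        [string]$AdminGroup    = 'Appraisal Admins' # assumed SharePoint group
    )
    $web = Get-SPWeb $WebUrl
    try {
        $item = $web.Lists[$LibraryName].GetItemById($ItemId)

        # Resolve every principal first, so a missing approver fails
        # before the item's permissions are touched.
        $creator  = (New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item['Author'])).User
        $approver = (New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item[$ApproverField])).User
        $grants = @(
            @{ Principal = $creator;                     Role = 'Read' },
            @{ Principal = $approver;                    Role = 'Contribute' },
            @{ Principal = $web.SiteGroups[$AdminGroup]; Role = 'Full Control' }
        )
        foreach ($g in $grants) {
            if ($null -eq $g.Principal) { throw "No principal resolved for role '$($g.Role)'" }
        }

        # Stop inheriting from the library; $false = do not copy its assignments.
        if (-not $item.HasUniqueRoleAssignments) { $item.BreakRoleInheritance($false) }
        # Clear whatever is still assigned so only the three grants remain.
        for ($i = $item.RoleAssignments.Count - 1; $i -ge 0; $i--) {
            $item.RoleAssignments.Remove($i)
        }
        foreach ($g in $grants) {
            $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($g.Principal)
            $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$g.Role])
            $item.RoleAssignments.Add($ra)
        }

        # Return the resulting assignments so they can be reviewed.
        $item.RoleAssignments | ForEach-Object {
            '{0}: {1}' -f $_.Member.Name, (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', ')
        }
    }
    finally { $web.Dispose() }
}
```

Run it from the SharePoint 2010 Management Shell with an account that can manage permissions on the library; the returned lines list each principal with its roles, which is the check that no other user or group is left on the item.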

All replies

  • In this case, filter the list based on Created by = [Me], and you need to let the admin make a view for himself, it will be private view so that he can see all documents and no one else can see this view. This way, users can see only forms created by them, and admin can see all forms.

    But you have one issue still there, when the user goes to the library again and select his form, he will see the view for the admin and he can approve it, did you make your form this way? You need to handle this issue in the view itself to show only forms that have been processed by admin, or to handle it on InfoPath form itself, that if the same initiator entered the form, switch him to the old view again. You need to plan it.


    Mohamed Derhalli ||| SharePoint Specialist ||| http://Path2SharePoint.com
    Tuesday, July 05, 2011 3:35 PM
  • Use a workflow to set item level permission when the form is submitted.  The workflow can for example grant read access to created by, and add permissions to an employee specified as an approver.  If other employees need admin or other access, like HR for example, maintain a separate list with roles and include user IDs in the list.  Then have the workflow also grant permissions based on the names in the list.  The roles list should be secured to only allow specific users access to edit the list.  Using an approach similar to this, you can totally engineer access to the solution.

    You can do this using SPD, V.S., or 3rd party workflow products like Nintex WF.

     

    Best of luck,

     

    Jonathan

     

    Tuesday, July 05, 2011 6:52 PM
  • In this case, filter the list based on Created by = [Me], and you need to let the admin make a view for himself, it will be private view so that he can see all documents and no one else can see this view. This way, users can see only forms created by them, and admin can see all forms.

    But you have one issue still there, when the user goes to the library again and select his form, he will see the view for the admin and he can approve it, did you make your form this way? You need to handle this issue in the view itself to show only forms that have been processed by admin, or to handle it on InfoPath form itself, that if the same initiator entered the form, switch him to the old view again. You need to plan it.


    Mohamed Derhalli ||| SharePoint Specialist ||| http://Path2SharePoint.com


    Thanks for your reply.

    Let me explain the functionality. The form stays in the same library. It has four InfoPath views - Employee View, Reviewers View, Reviewers Manager View, HR view. The rules are written on the Form Load so that a particular user can only open a particular view on Form Load. Your solution seems fine if I had only two InfoPath views. Then I could set one view (Created by Me) and one Admin view. However, what about people who want to approve the form?


    Wednesday, July 06, 2011 10:47 AM
  • Use a workflow to set item level permission when the form is submitted.  The workflow can for example grant read access to created by, and add permissions to an employee specified as an approver.  If other employees need admin or other access, like HR for example, maintain a separate list with roles and include user IDs in the list.  Then have the workflow also grant permissions based on the names in the list.  The roles list should be secured to only allow specific users access to edit the list.  Using an approach similar to this, you can totally engineer access to the solution.

    You can do this using SPD, V.S., or 3rd party workflow products like Nintex WF.

     

    Best of luck,

     

    Jonathan

     


    Thanks for your reply. I am not sure this will solve my problem. However, I will check setting permissions with a workflow and see if that works. I am already using SPD workflows for approving the form once it is submitted, so if there is even a slight delay in giving permission, the approver might get access denied in this case. I will test this and will revert.
    Wednesday, July 06, 2011 10:51 AM
  • OK. What you would do in this case, is make a field for each user in the form, and when the user is assigned a task, set this field's value with the user's account name. On the form load you read the current user's name and compare it to the four fields, upon it you switch him to his view. So when your form is submitted by user1 and goes to user2, a field called user2 is filled with user2 name from the workflow. When viewing the form, user2 will be taken to the view you want.
    Mohamed Derhalli ||| SharePoint Specialist ||| http://Path2SharePoint.com
    Wednesday, July 06, 2011 6:44 PM
  • I think you misunderstood my problem. I have already achieved the 'InfoPath View thing' for different users depending upon their respective IDs. What I am looking for here is that any other random user should not be able to open a form which he is not supposed to, in case he gets the URL of the form library. That's it. The exception is the approver and admin opening the form of the user reporting to them.
    Thursday, July 07, 2011 7:40 AM
  • Thanks Emir, Mohammed, I will try this and will let you know the result.
    Friday, July 08, 2011 12:24 PM