Enforcing separation of duties

  • Question

  • Hi,

    Just wondering if SP content approval can be configured in such a way that it's not possible for a single site administrator to modify content without approval from another site administrator? This then would include not having the ability to turn off content approval without another user approving this change.

    Basically we want to enforce separation of duties within a particular site collection so that no individual site administrator has the ability to access/modify content and/or settings without approval.



    Tuesday, July 21, 2015 11:12 PM


  • Hi,

    You can only apply two restrictions on modification - either they can or can't modify. However, you can apply content approval after content has been modified.

    For approval:

    • By default allow administrators to edit any items/documents but enable content approvals in the lists/libraries.
    • With SharePoint permissions, don't allow users (even administrators) to approve changes. You can do this by creating a new permission level in the root web (Site Settings => Site Permissions => Permission Levels). Create the new permission level and remove the approve option from the permission level. Now your admin users will not have permission to approve.
    • Create a workflow that will run on item add/edit and send approval requests to all administrators.
    • Once all administrators approve, approve the item/document programmatically in workflow (with elevated privileges).

    Regarding restricting administrators from modifying approval settings in the list: if you want administrators only not to change approval settings but allow them to change any other settings, that will be tricky/difficult. Any user who has the 'Manage Lists' permission (defined in the permission level) will have access to make any changes in the list. However, I can think of a hacky way. Using the URL Rewrite IIS module, you can redirect the 'Versioning settings' page to an error page, and then create a custom page for changing versioning settings with a workflow behind it that will collect approvals from all administrators and then enable/disable the approval option.

    Sohel Rana

    Wednesday, July 22, 2015 5:38 AM
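
An audit check for the setup described in the answer above, added here as an example and not part of the original thread: it reports which permission levels still carry the approve or Manage Lists rights, who holds them, and which lists have content approval switched off. It assumes an on-premises SharePoint Server 2013 or later farm and the SharePoint Management Shell; the site URL is a placeholder.

```powershell
# Added example, not from the thread. Run in the SharePoint Management Shell
# on a farm server. Assumes SharePoint Server 2013+ (Enum.HasFlag needs .NET 4).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.test/sites/demo'   # placeholder URL
$approve = [Microsoft.SharePoint.SPBasePermissions]::ApproveItems
$manage  = [Microsoft.SharePoint.SPBasePermissions]::ManageLists

$web = Get-SPWeb $siteUrl
try {
    # 1. Permission levels that can approve items or change list settings.
    #    After removing the approve option, only the service identity used by
    #    the approval workflow should hold a level with CanApprove = True.
    $web.RoleDefinitions | ForEach-Object {
        New-Object PSObject -Property @{
            PermissionLevel = $_.Name
            CanApprove      = $_.BasePermissions.HasFlag($approve)
            CanManageLists  = $_.BasePermissions.HasFlag($manage)
        }
    } | Where-Object { $_.CanApprove -or $_.CanManageLists } |
        Format-Table PermissionLevel, CanApprove, CanManageLists -AutoSize

    # 2. Users and groups bound to those permission levels on this web.
    foreach ($assignment in $web.RoleAssignments) {
        foreach ($level in $assignment.RoleDefinitionBindings) {
            if ($level.BasePermissions.HasFlag($approve) -or
                $level.BasePermissions.HasFlag($manage)) {
                '{0} -> {1}' -f $assignment.Member.Name, $level.Name
            }
        }
    }

    # 3. Visible lists and libraries where content approval is turned off.
    $web.Lists |
        Where-Object { -not $_.Hidden -and -not $_.EnableModeration } |
        Select-Object Title, EnableModeration, EnableVersioning

    # 4. Site collection administrators are not governed by permission
    #    levels, so list them separately for review.
    $web.SiteAdministrators | Select-Object LoginName, Name
}
finally {
    $web.Dispose()   # release the SPWeb object
}
```

Running this on a schedule and comparing the output with the previous run shows when content approval has been disabled on a list or when an approve-capable permission level has been granted again.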