Every once in a while your customer might ask you to customize permissions for a document library in such a way that authors can only change their own documents. There was no such feature for document libraries in SharePoint 2007, and the “problem” is still present in v2010. (Both versions support automatic item-level permissions OOTB for other lists like Tasks).
In Part 1 of this article I tried to solve the problem for SharePoint 2007 with Workflows, but never found the time to complete it and create custom workflow activities for SharePoint Designer. In 2010, SharePoint Designer comes to the rescue, as it has similar workflow activities OOTB!
In this article we will examine how you can create a workflow that customizes item permissions for each document submitted to a document library (only the author will have Contribute permissions). These SharePoint Designer 2010 workflow activities can also be used in other workflow scenarios where permissions need to be revoked after an item is submitted (e.g. Annual Leave Requests, various approvals etc.).
Here is what you need to do:
- Create a new Document Library (e.g. Top Secret Documents)
- Go to Document Library Settings > Permissions for this document library
- Click on Stop Inheriting Permissions command from the ribbon
- Revoke permissions for all but a few important groups (e.g. Portal Owners and Portal Members).
Please note: Steps 2-4 are optional, but the workflow is going to be much simpler if there are fewer permissions to manage.
- Open your site in SharePoint Designer, and select the Workflows option and your list from the ribbon
- Type the name for the new workflow (e.g. Customize Permissions)
- Insert a new Impersonation Step. This special step runs each activity as the workflow author.
Make sure the workflow author (you) has the privileges needed to manage permissions for this list.
- From the list of workflow actions choose “Replace Item Permissions”
- Click Replace these permissions
- In the dialog click Add
- In the Choose permission to grant dialog click Contribute, and then click Choose… button
- Add User who created current item to the Selected users list
- Click the workflow name (e.g. “Customize Permissions”) to manage workflow settings
- Make sure you have selected the correct Start options
- Publish your workflow
Once a user adds a document to a document library this workflow will revoke permission from other users and grant contribute permissions to the document author.
You can also customize this workflow and add permissions for other users as well.
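To confirm the workflow actually ran on every document, the following audit script is an added example (not part of the original article) that uses the SharePoint 2010 server object model to flag items that still inherit the library's permissions or grant roles to anyone other than the author. The site URL is a placeholder, the library name is the article's example, `$AllowedLogins` is a hypothetical parameter, and the permission level names assume a default English installation.

```powershell
# Added audit example; run in the SharePoint 2010 Management Shell on a farm server.
param(
    [string]$SiteUrl       = 'http://portal.example.local',  # assumption: placeholder URL
    [string]$LibraryName   = 'Top Secret Documents',         # the article's example library
    [string[]]$AllowedLogins = @()   # hypothetical: extra principals your workflow grants on purpose
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb $SiteUrl
try {
    $list = $web.Lists[$LibraryName]
    foreach ($item in $list.Items) {
        $findings = @()
        # "Author" is the internal name of the Created By field.
        $author = New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item['Author'])

        if (-not $item.HasUniqueRoleAssignments) {
            # The workflow has not run (or failed): the item still has the library's permissions.
            $findings += 'inherits library permissions'
        } else {
            $authorHasContribute = $false
            foreach ($ra in $item.RoleAssignments) {
                # Ignore "Limited Access", which SharePoint adds automatically.
                $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                           Where-Object { $_ -ne 'Limited Access' })
                if ($roles.Count -eq 0) { continue }
                if ($ra.Member.ID -eq $author.LookupId) {
                    if ($roles -contains 'Contribute') { $authorHasContribute = $true }
                } elseif ($AllowedLogins -notcontains $ra.Member.LoginName) {
                    $findings += "unexpected grant: $($ra.Member.Name) = $($roles -join ', ')"
                }
            }
            if (-not $authorHasContribute) { $findings += 'author lacks Contribute' }
        }
        foreach ($f in $findings) {
            New-Object PSObject -Property @{ Item = $item.Url; Author = $author.LookupValue; Finding = $f }
        }
    }
} finally {
    $web.Dispose()
}
```

An empty result means every document has unique permissions with Contribute held only by its author and any principals listed in `$AllowedLogins`.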
7 Responses
I can’t thank you enough!!! This saved a TON of time for us here at the job.
I’m on o365/SPO 2013 using SPD 2013. I’m not seeing this impersonation step. Anybody know if this is possible up on the cloud? Please email me at jc (at) cyberpine (dot) com
Not wanting to go back in time, I am looking for a way to do the same thing in SharePoint 2013.
Thanks,
Daniel
Thanks for this guide!
I’m using SP 2010. This method works, but only if the user in question has been explicitly granted permissions to the list ahead of time.
For example, I’m using this on a task list to grant Contribute permission to the user in the ‘Assigned To’ field. First, I remove contribute permission to all users in the group, and then grant permission to the single user. In order for this to work, each user in the group needs to have permissions explicitly defined on the list, IN ADDITION TO the entire group. I suspect this is because the Action only ‘Replaces’ permissions, and can’t create them.
Fortunately, I only have a few users. For large sites however, this would make for an administration nightmare.
Does this mirror your experience, or is there a way around this?
This works great. Exactly what I needed to do. Thanks!
If you are trying to restrict read access for sensitive information then you will not want to use this for item level security. While the workflow is running, the document will be exposed to all who can view items until the workflow completes. While the doc is only exposed briefly, it is still a risk for sensitive info.
Impersonation will be enabled when you click out of the step area. Lots of people are getting confused.