5

Can you share your opinion on the best practice for Dynamically changing item permissions?

For example, given this scenario:

  1. Item Creator can create an initial item.
  2. After item creator creates, the item becomes read-only for him. Other users can create, but they can only see their own entries (Created by).
  3. At any point in time, other users can be given Read access (or any other access) by an Administrator to a specific item.
  4. The item is then given edit permission to a Reviewer and Approver. Reviewers can only edit, and Approvers can only approve.
  5. After the item has been reviewed, the item becomes read-only to everyone.

I read that there is only a specific number of unique permissions for a List / Library before performance issues start to set in. Given the requirements above, it looks like item-level permission is unavoidable.

Do you have certain ideas how best to go with this?

Thank you!

Water
  • 539
  • 1
  • 8
  • 17

2 Answers2

1

You can create a custom permission level which allows users to View/Add item but not Edit/Delete. Create a group with that permission level and add all Item Creators to that group.

    SPRoleDefinition roleDefinition = new SPRoleDefinition();
                            roleDefinition.Name = "User custom permission";
                            roleDefinition.Description = "This Permission level has rights to add and view items.";
                            roleDefinition.BasePermissions = SPBasePermissions.AddListItems | SPBasePermissions.ViewListItems |
                                SPBasePermissions.ViewPages | SPBasePermissions.ViewFormPages | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.DeleteVersions
                                | SPBasePermissions.CreateAlerts | SPBasePermissions.BrowseDirectories | SPBasePermissions.BrowseUserInfo | SPBasePermissions.UseRemoteAPIs | SPBasePermissions.Open
                                | SPBasePermissions.EditMyUserInfo | SPBasePermissions.ManagePersonalViews | SPBasePermissions.UpdatePersonalWebParts;
web.RoleDefinitions.Add(roleDefinition);

Now they will be able to Create item but not Edit/Delete. Now you can create a view which has a filter applied "Created By =[Me]", so that creators can view only their item.

This way you can avoid item level permission.

Unnie
  • 8,819
  • 1
  • 22
  • 36
  • Thanks Unnie. Yes, that works for the 1st part of the requirement.

    I'm concerned about #3 - #5 though. If we use "Created By = [Me]", if I give other users read access to a specific list item, the view won't be able to see it.

    And there's also the other issue of Reviewers and Approvers. Different items can have different approvers / reviewers (ex. Item 1 has diff. set from Item 2). So item-level is unavoidable.

     – Water Mar 05 '14 at 02:03
1

Probably one of the best way to accomplish what you want is to create a workflow or event receiver. That may require some coding.

Also about your concern with performance, I have personally seen 10K+ items win unique permissions with no delay. The performance also can be avoided by creating views with filters.

Kevin
  • 101
  • 5
  • Thanks Karim! That's pretty interesting to hear that 10K+ items with unique permissions still run smoothly. I read somewhere that around 2K+ it falls off.

    The views is also good, but from what I read, not a "hard" permission.

     – Water Mar 23 '14 at 12:30