I am currently trying to set up a Nintex workflow in SP 2010 that will run when an item is created in a list. Basically, users will be set in a custom permissions group before they create an item. When an item is created, the workflow will check for who created the item and then set that person in a different custom permissions group. From what I have found, the only way to do this is by using a call web service action; this requires credentials that I do not have access to. I was curious if there was a way to achieve the same permissions switch workflow without using the call web service action?
You could always use the action "change item permission" which should do the trick for modifying permissions to the item. You can assign it to either a person or group.
I would also suggest looking at a different route for managing item permissions. Changing them at the item level is doable but can quickly become a nightmare if you want to revert things or figure out who has what after the 1000th item has been modified.
We have a travel request application, where a user submits a request which should go through 2 stages of an approval process before it gets Final Approval.
Now we did the following:-
Created a SharePoint list which contains these fields: Title, Description, StareDate, EndDate, FirstApproval (the requestor's direct manager), SecondApproval (the requester's regional approval), Statues (system-generated with these options: open, first-approved, second-approved, Final-Approved).
Power Apps, which sends emails to the first-approval and the second-approval users, and shows/hides the Approved & Reject buttons based on the item status.
Power Automate, to set item-level permissions, so for example when the item needs first-approval, only the approval's direct manager can edit the item, while all stakeholders are read-only.
Now the process is not 100% secure, as a requestor using an API call or using SharePoint built-in forms can easily create a new request and define its status as Final-Approved. So in other words the requestor can bypass the Power Apps business logic. So how can we secure our process, so that if an item has a status = "Final-Approved", we can be 100% sure that it actually went through the 2 approval users?
One approach I am thinking of is as follows:-
To create an additional SharePoint list >> which stores the ItemID + ItemStatus.
Grant all users Read-Only on this new list while granting the service account Contribute.
Update this new list from Power Automate only. So for example, only if the submitter's direct manager did the approval, change the status inside the new list to First-Approved, and so on. Also, only if the submitter's regional manager approves the request + there is already an approval from the direct manager, change the status from First-Approved to Second-Approval. So whatever the status is inside the new list, I can be sure that it has not been hacked, as end users will have read-only on this new list. Can anyone advise please?
Thanks
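The reconciliation idea in the question above, sketched as an added example that is not part of the original post: it replays a status trail that only the flow account can write and flags any request whose self-reported status is not backed by it. It assumes the second list keeps one row per status change with the approver and writer recorded (more than the ItemID + ItemStatus pair described), and all names and records are constructed.

```python
# Constructed sample data; field and account names are assumptions.
SERVICE_ACCOUNT = "svc-flow"  # hypothetical identity the flow runs as
# Legal status changes, and the request field naming the required approver.
TRANSITIONS = {
    ("open", "first-approved"): "FirstApproval",
    ("first-approved", "second-approved"): "SecondApproval",
    ("second-approved", "Final-Approved"): None,  # written by the flow itself
}

def verify(request, trail):
    """Replay the trusted trail; return the problems found for one request."""
    problems, state = [], "open"
    for row in trail:
        step = (state, row["status"])
        if step not in TRANSITIONS:
            problems.append(f"illegal step {state} -> {row['status']}")
            break
        if row["written_by"] != SERVICE_ACCOUNT:
            problems.append(f"{row['status']} row not written by the flow")
        field = TRANSITIONS[step]
        if field and row["approver"] != request[field]:
            problems.append(f"{row['status']} by {row['approver']}, expected {request[field]}")
        state = row["status"]
    if request["Status"] != state:
        problems.append(f"list claims {request['Status']}, trail proves {state}")
    return problems

def audit(requests, trails):
    """Map item ID -> problems for every request that fails verification."""
    checked = {r["ID"]: verify(r, trails.get(r["ID"], [])) for r in requests}
    return {item_id: found for item_id, found in checked.items() if found}

def entry(status, approver):
    return {"status": status, "approver": approver, "written_by": SERVICE_ACCOUNT}

REQUESTS = [
    {"ID": 1, "FirstApproval": "bob", "SecondApproval": "carol", "Status": "Final-Approved"},
    {"ID": 2, "FirstApproval": "bob", "SecondApproval": "carol", "Status": "Final-Approved"},
    {"ID": 3, "FirstApproval": "bob", "SecondApproval": "carol", "Status": "second-approved"},
]
TRAILS = {  # item 2 has no trail: it was created directly as Final-Approved
    1: [entry("first-approved", "bob"), entry("second-approved", "carol"), entry("Final-Approved", None)],
    3: [entry("first-approved", "bob"), entry("second-approved", "bob")],  # wrong approver
}

if __name__ == "__main__":
    for item_id, found in audit(REQUESTS, TRAILS).items():
        print(item_id, found)
```

Run on a schedule, a check like this turns the read-only list from a passive record into a detection control for items created or edited outside the flow.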
I believe this question is not unique to you; many SharePoint developers need to make specific configurations or use some artifices to ensure a certain process developed in SharePoint.
Using exclusive/custom permission control on the list, and using the Power Automate layer to restrict list item permission to the approver only, will secure against some updates from the REST API, for example.
If you want to block new item inserts and/or block item updates through Power Apps, you can substitute the instruction in the "OnEdit" and/or "OnNew" events using ResetForm(SharePointForm1);; RequestHide();; these instructions in these events block users from creating or updating SharePoint items.
In the SharePoint list settings, under advanced settings, you can disable attachments, disable comments on list items, disable search, disable quick edit, and disable launching forms in a dialog.
I think that's all.
How to limit access for downloading a list item's attachment file for all users except users that are in the group of administrators?
I am not sure if this is the answer which you're looking for...
I would suggest going with item level permissions on the library, where you give specific permissions to specific users/user groups.
Example:
Create a SharePoint Designer workflow which works with item level permissions on the library.
Attach this workflow to the library; the workflow runs whenever there is an item created.
So, I've been working in SharePoint, and I want to restrict access to a column in a list in SharePoint, but I found that is not supported.
I have a type of incident management, where you create an incident, and it gets prioritized and moved around using workflows, and what I want to do is have an administrator of some sort approve the incident before it gets prioritized and stuff. So my idea was simple: just have a field called 'approved' and a choice of true/false, and restrict the access of the field to an admin.
Are there any known workarounds for this, or do you have an idea I could try to get somewhat the same result?
Create an InfoPath form for your list, then have the "Approved" option only visible to your administrators. You could hard code the administrators into the form, or configure the form to use a SharePoint permission group.
In SharePoint 2010, I created an InfoPath form and submitted it to SharePoint.
With Microsoft SharePoint Designer I created a workflow for this form.
In this workflow I implemented removing permission from some group and giving contribute access to 2 persons.
Now after 3 months, there are 450 items in the form library.
And I want to add another person to the 2 persons that have contribute access.
So, I changed the workflow in SharePoint Designer.
It is correct for new items that are created after this time, but I want this new workflow applied to the old items that were created in the 3 months before!
How can I do that?
If I've understood the question correctly, you want to add the new person to the existing permissions. Then don't do it through workflow.
Assuming that your 450 forms mean that there are 450 groups that need to be changed, the easiest way is to create a list of the group names and use PowerShell to add the new user to all of the groups.
Better still if you can, would be to create an Active Directory Security Group with the 3 people in it and apply that to all of the SharePoint groups. Then you will never have to go through the same exercise again as you can simply change the AD group and the SharePoint groups will all be correct.
I have a SharePoint list that is populated via an InfoPath form. There are two groups of people who have access to the form: end users and owners. While I don't have any issue with assigning permissions to owners, for the end users, this proposition has been tricky.
My requirement is such that - the end users should be able to:
Add new items to the list via InfoPath form
Not interact with the list in any other way
Now if I give the end users contribute permission to the list, they will be able to view and edit other list items in the list (which is the function of owners only). But if I don't give the end users contribute permission, they cannot add to the list. Is this a real catch-22 or am I spawning this out of my ignorance?
How about using a custom web service that performs the task of inserting items. But the real query is - would you want them to view the items as well?
If yes, you can give the view permissions on the list to your end users and addition via your InfoPath form, which would essentially call a web service and execute the code to submit items with correct privileges.
Regards,
Nitin Rastogi
Go to site collection level >> Site Settings >> Site Permissions (under Users and Permissions) >> Permission Levels (under Manage section) >> Add Permission Level.
In this page, find List Permissions in Permissions section. Check "Add Items".
Create a group that you need and give it the Add Items permissions. Add all the users to this group who should only be able to add to the list and not edit it. Give the list unique permission (don't inherit from the parent). Then add the group to the list.