I have a custom workflow. This workflow removes permissions to items when an item is added (for example, an item is added by a service account and once added those permissions need to be removed from that item). This works as I have the service account 'hard coded' in the custom workflow.
Now I would like to remove this hard coding and, when an item is added to a list, I would like to iterate through all users that have access to the list item. If a user matches some algorithm then remove that user from the item permissions, which will be 0 to many.
The piece I'm struggling with is how to iterate all users with permission to a SPListItem. Any thoughts on how to accomplish this?
Thanks in advance!
Check out the SPListItem.RoleAssignments property which is a collection of SPRoleAssignment objects. The Member property then represents a specific SPUser or SPGroup object that is assigned specific permissions in respect to the given list item by binding it to a collection of role definitions.
In your case you need to iterate over all available role assignments, inspect those that denote principals (users or groups) matching your criteria and rearrange the role assignments in a way that fits the desired security policy.
I think I just found the answer to this. I can iterate the RoleAssignments collection and perform my check on that. If anyone has another other ideas I'd be curious to hear about them :)
Thanks!
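For reference, here is what the RoleAssignments iteration from the answer above looks like in server-side code. This is an added example, not code from either poster; the class and method names are invented, and the service account login names are placeholders. Two things worth knowing before using it: RoleAssignments only lists direct grants, so an account that gets its access through an SPGroup will not show up as a Member (you would have to inspect the group), and on claims-authenticated farms LoginName carries a claims prefix (e.g. `i:0#.w|domain\account`), so compare against the form SharePoint actually stores or compare IDs instead.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example (not from the thread): walk an item's role assignments and drop
// the ones whose principal matches a caller-supplied rule.
public static class ItemPermissionCleaner
{
    // Returns the number of assignments removed. Matches are collected first and
    // removed afterwards; removing while enumerating the collection is not safe.
    public static int RemoveWhere(SPListItem item, Func<SPPrincipal, bool> shouldRemove)
    {
        if (!item.HasUniqueRoleAssignments)
        {
            // Inherited assignments cannot be edited on the item itself. Copying
            // them first means every other principal keeps exactly what it had.
            item.BreakRoleInheritance(true);
        }

        List<SPPrincipal> toRemove = new List<SPPrincipal>();
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            // ra.Member is an SPUser or an SPGroup; ra.RoleDefinitionBindings
            // holds the permission levels bound to it on this item.
            if (shouldRemove(ra.Member))
                toRemove.Add(ra.Member);
        }

        foreach (SPPrincipal principal in toRemove)
            item.RoleAssignments.Remove(principal); // persisted immediately, no item.Update()

        return toRemove.Count;
    }

    // The original post's rule, generalised from one hard-coded account to a set:
    // strip direct grants held by any of the given service account logins.
    public static int RemoveServiceAccounts(SPListItem item, IEnumerable<string> serviceLogins)
    {
        HashSet<string> logins = new HashSet<string>(serviceLogins, StringComparer.OrdinalIgnoreCase);
        return RemoveWhere(item, principal =>
        {
            SPUser user = principal as SPUser; // groups are left untouched
            return user != null && logins.Contains(user.LoginName);
        });
    }
}

// Usage from a workflow activity (login name is a hypothetical placeholder):
//   ItemPermissionCleaner.RemoveServiceAccounts(
//       workflowProperties.Item, new[] { @"DOMAIN\svc-importer" });
```

The predicate receives the SPPrincipal rather than just a login name so the same routine can match on group membership, user ID, or e-mail when the "algorithm" in the question needs more than a name comparison.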
Related
How can I check if the current user has roles for editing or creating an item in a list in a Sequential Workflow?
I guess you need to implement the onWorkflowActivated event (http://msdn.microsoft.com/en-us/library/gg265727.aspx)
To get permissions on item level for the current user you need:
SPRoleDefinitionBindingCollection usersRoles = mysplistitem.AllRolesForCurrentUser;
See the link below for more info:
http://sharepointmalaya.blogspot.com.au/2009/07/validate-user-base-permissions-before.html
To check if the current user has permissions on an item, folder, list or site use the DoesUserHavePermissions method
Is it possible to create a custom HTML message when a user does not have access to a specific List instead of showing the user that there are no records?
I don't understand what you mean. If the user doesn't have access to a list, they won't be able to see the list at all.
On the other hand, if you mean that the user DOES have access to the list but items in the list have unique permissions and he does not have rights to any of those items, then the answer is "no." He will see an empty list and there is no easy way to tell him that the list isn't really empty.
In our application, we have some forms which need to show some data specifically if the current user has a specific permission level. These users belong to an SPGroup which includes users who should not see this data, so in this particular case I cannot filter based off of group membership.
My current solution has been to use web.CurrentUser.Roles and use a simple check on whether it contains a permission level of the correct name. Roles is of the deprecated SPRole class, so I am bombarded with warning messages despite the fact it technically works. It suggests that I use SPRoleAssignment or SPRoleDefinition (the recommendation seems arbitrary since some lines recommend one while others recommend the other even though it is being used for the same thing).
However, I cannot seem to find any method to directly retrieve an SPRoleAssignment or SPRoleDefinition object from an SPUser or SPPrincipal object, nor can I retrieve either object corresponding specifically to the current user of the SPWeb object.
How can I update these methods to use non-deprecated code? I've found other cases of determining user permissions, but I haven't found one that will work from a starting point of the current web or the current user. It's not urgent, but it certainly is helpful to avoid having to sift through all of those warnings just to reach the more important warnings.
On the actual object, e.g. an SPList, you can call the DoesUserHavePermissions method, e.g.
someList.DoesUserHavePermissions(SPBasePermissions.ViewUsageData);
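The two answers above (AllRolesForCurrentUser in the workflow thread, DoesUserHavePermissions in the deprecated-SPRole thread) cover the same ground, so here is one added example that puts both to work. It is not code from any poster; the class, method and parameter names are invented. One caveat for the workflow case: custom workflow code commonly runs under the system account, so "current user" may not be the person who started the workflow. Check that person explicitly with the SPUser overload (e.g. pass `workflowProperties.OriginatorUser`).

```csharp
using System;
using Microsoft.SharePoint;

// Added example (not from the thread): permission checks that do not touch the
// deprecated SPUser.Roles / SPRole API.
public static class CurrentUserPermissionChecks
{
    // Can the caller edit this item? Honours unique item permissions, group
    // membership and any list-level item security in one call.
    public static bool CanEditItem(SPListItem item)
    {
        return item.DoesUserHavePermissions(SPBasePermissions.EditListItems);
    }

    // Can the caller add items to this list?
    public static bool CanCreateItem(SPList list)
    {
        return list.DoesUserHavePermissions(SPBasePermissions.AddListItems);
    }

    // Check a specific user rather than the caller, e.g. the workflow originator
    // when the workflow itself runs as the system account.
    public static bool CanUserEditItem(SPListItem item, SPUser user)
    {
        return item.DoesUserHavePermissions(user, SPBasePermissions.EditListItems);
    }

    // Non-deprecated equivalent of scanning web.CurrentUser.Roles for a permission
    // level by name. Unlike SPUser.Roles this also sees levels obtained through groups.
    public static bool HasPermissionLevel(SPWeb web, string permissionLevelName)
    {
        SPRoleDefinitionBindingCollection roles = web.AllRolesForCurrentUser;
        foreach (SPRoleDefinition role in roles)
        {
            if (string.Equals(role.Name, permissionLevelName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Same check scoped to an item; relevant when items carry unique permissions.
    public static bool HasPermissionLevel(SPListItem item, string permissionLevelName)
    {
        foreach (SPRoleDefinition role in item.AllRolesForCurrentUser)
        {
            if (string.Equals(role.Name, permissionLevelName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

Prefer the SPBasePermissions checks where you can: a permission level is just a named bundle of base permissions, its name can be changed by a site owner, and what the form actually needs to know is whether the user may perform an action, not what the bundle is called.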
My requirement is that there are 2 parties:
1. User (who creates the item)
2. Approvers (who approve the item)
When the user creates the item, they should see only their created item in the list (this is easily possible). The approvers should have only read access and they can see all the items. When I select the option that only the person who creates the item can see the item, then the approvers are not able to see the items. Can somebody please help with how to work with this? Maybe I am missing some simple stuff, so can anybody just point me to the solution?
Thanks
Firstly, if you want the Approvers group to be able to approve the item then they need at least the Approver permission assigned to their group, not just read-only (otherwise they can't update the item to mark it as approved).
However, since the requirement is also that users should only see their own items, I believe the only way the Approvers will also still see the items, is if they have Full Control permissions on the list, therefore you need to break permission inheritance at the list level.
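As an added example (not code from the thread; the class, method and parameter names are invented, and the group objects are assumed to exist already), this is the list-level setup the answer describes. The point that trips people up is the one in the answer: item-level read/write security is bypassed only by users who hold the Manage Lists base permission, and of the built-in levels only Full Control carries it, so a plain Read grant leaves approvers looking at an empty list.

```csharp
using Microsoft.SharePoint;

// Added example (not from the thread). Submitters see and edit only their own
// items; approvers see and edit everything. Run as a site collection
// administrator (or inside RunWithElevatedPrivileges): the list ACL is rebuilt
// from scratch below, and a less privileged caller could lock itself out.
public static class ApprovalListSecurity
{
    public static void Configure(SPWeb web, SPList list, SPGroup submitters, SPGroup approvers)
    {
        // Item-level security: 1 = all items, 2 = only items the user created.
        // Users holding SPBasePermissions.ManageLists are exempt from both.
        list.ReadSecurity = 2;
        list.WriteSecurity = 2;
        list.Update();

        if (!list.HasUniqueRoleAssignments)
            list.BreakRoleInheritance(true);

        // Discard whatever was copied from the parent web and start over.
        // Iterate backwards so removals do not shift the indexes still to visit.
        for (int i = list.RoleAssignments.Count - 1; i >= 0; i--)
            list.RoleAssignments.Remove(i);

        Grant(web, list, submitters, SPRoleType.Contributor);

        // Reader would NOT work here: a reader has no ManageLists, so
        // ReadSecurity = 2 hides every item they did not create.
        Grant(web, list, approvers, SPRoleType.Administrator); // built-in "Full Control"
    }

    private static void Grant(SPWeb web, SPList list, SPPrincipal who, SPRoleType role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(who);
        assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(role));
        list.RoleAssignments.Add(assignment); // persisted immediately
    }
}
```

Full Control is more than approvers need (they can delete the list or change its permissions). If that matters, create a custom permission level consisting of the Contribute base permissions plus ManageLists and bind the approvers group to that instead of the Administrator role type.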
As MSDN states, WriteSecurity has one of 3 possible states:
1 — All users can modify all items.
2 — Users can modify only items that they create.
4 — Users cannot modify any list item.
But what if I want behaviour no. 2 plus users can modify items that are assigned to them? Well, if I grant a user full permissions (put in the owners group) for the list, then they can edit any item (not good). So why wouldn't it work by setting the item-level permission "Full Control" just for the AssignedTo user (good)? I did, but that didn't help - access denied.
I want exactly the functionality as stated in question "Automatically set list item permission, after new item is created", quoting:
Every user (supervisors and team members) can see any task.
Supervisors can edit any task.
Team members can only edit their own tasks (tasks that were assigned to them, or created by them).
But although an answer has been accepted, the solution does not provide a way for users to edit items assigned to them or items created by the user.
Help is appreciated, thank You!
Your only way to do this is using Item-Based Permissions. E.g. have a Workflow or Event Handler change the permission on each file/object based on your requirements.
The solution you quote from the other task is simply setting 2 for SPList.WriteSecurity which still doesn't give users the possibility to edit something they have not created, but were assigned to - in this case you will need to give these users permission, e.g. by listening on the "Assigned To" field with an Event Handler (OnItemUpdated) and give the respective person the needed permission.
Furthermore the solution talks about just setting higher permissions for the users who should always be able to edit items (managers), which is a solution, but you do not have the granularity you usually want in situations like these.
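An added example of the event-handler approach from the answer (not code from the thread; the class, the "Team Members" group name and the field handling are assumptions for a standard Tasks list). It deliberately leaves SPList.WriteSecurity at its default of 1 and lets the item ACL carry the whole rule, which sidesteps the "access denied" interaction between WriteSecurity = 2 and an item-level grant that the question ran into. Assumed list-level ACL: "Team Members" have Contribute (so they can create tasks), "Supervisors" have Contribute or Full Control.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example (not from the thread). On every add/update, the item gets its
// own ACL: Supervisors keep what the list gives them, Team Members are demoted
// to Read, and the creator plus the "Assigned To" users receive Contribute.
public class TaskPermissionReceiver : SPItemEventReceiver
{
    private const string TeamMembersGroup = "Team Members"; // hypothetical group name
    private const string AssignedToField = "AssignedTo";    // internal field name
    private const string AuthorField = "Author";            // "Created By"

    public override void ItemAdded(SPItemEventProperties properties) { Sync(properties); }
    public override void ItemUpdated(SPItemEventProperties properties) { Sync(properties); }

    private static void Sync(SPItemEventProperties properties)
    {
        Guid siteId = properties.SiteId, webId = properties.Web.ID, listId = properties.ListId;
        int itemId = properties.ListItemId;

        // The editing user normally lacks ManageListPermissions on the item, so
        // re-open everything under the application pool identity.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                SPGroup team = web.SiteGroups[TeamMembersGroup];

                Dictionary<int, SPUser> editors = new Dictionary<int, SPUser>();
                CollectUsers(editors, web, item, AuthorField);
                CollectUsers(editors, web, item, AssignedToField);

                if (!item.HasUniqueRoleAssignments)
                    item.BreakRoleInheritance(true); // start from the list ACL (keeps Supervisors)

                // Drop direct user grants (a previous assignee, for instance) and the
                // team group's copied Contribute. Backwards, so removal does not
                // shift the indexes still to be visited.
                for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                {
                    SPPrincipal member = item.RoleAssignments[i].Member;
                    if (member is SPUser || member.ID == team.ID)
                        item.RoleAssignments.Remove(i);
                }

                Grant(item, team, web.RoleDefinitions.GetByType(SPRoleType.Reader));
                SPRoleDefinition contribute = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
                foreach (SPUser user in editors.Values)
                    Grant(item, user, contribute);
                // No item.Update(): ACL changes persist on their own and do not
                // re-fire ItemUpdated, so there is no recursion to guard against.
            }
        });
    }

    private static void Grant(SPListItem item, SPPrincipal who, SPRoleDefinition role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(who);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }

    // Resolves a user field (single or multi-valued) to SPUser objects keyed by ID.
    // Groups stored in the field are ignored; extend here if you assign tasks to groups.
    private static void CollectUsers(Dictionary<int, SPUser> into, SPWeb web, SPListItem item, string field)
    {
        string raw = item[field] as string; // "id;#name" or "id;#a;#id;#b"
        if (string.IsNullOrEmpty(raw)) return;
        foreach (SPFieldUserValue value in new SPFieldUserValueCollection(web, raw))
        {
            if (value.User != null) into[value.User.ID] = value.User;
        }
    }
}
```

A user who is both a team member and the creator or assignee ends up with Read through the group and Contribute directly; effective permissions are the union, so the edit right wins. Because the previous assignee's direct grant is removed on every update, reassigning a task revokes access from the old assignee without any extra bookkeeping.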