Is it possible to implement a custom permission level that allows a user to modify the properties of a document, but not the document itself? If so, any hints on how to do it?
Larsi
I think it is not possible to assign column level permissions in a default implementation of SharePoint. However, it should be possible to do it using custom solutions. Have a look at this article http://www.infoq.com/articles/Dressel-Gogolowicz-wss-security. I have not tried it though.
We are having a requirement according to which the access on the Web contents is to be given on the basis of categories.
Example: (i.e): if a role Report is being given to a user, then the user should be able to view only those web contents which are associated with the Report category.
How can this be achieved with liferay 6.2?
The UI will have nothing for you, as this is not the typical way that Liferay handles permissions. There are several options that you can choose from:
First of all you should check why this requirement exists: Quite often I'm seeing permissions being used where "relevance" is actually the way to go: Check if users absolutely must not see content from other categories, or if it would just be irrelevant for them. Don't use permissions to solve "relevance" problems.
My favored solution would be that you determine this is the case. If it isn't, here are some other options that you have:
Liferay's permissions work best (and best maintainable) if you separate content with different permissions into different sites. This way you can use the easiest bulk permissions. You can create all the different content in different sites and still show them on other sites - e.g. through AssetPublisher or custom portlets.
You can also create a Hook that automatically sets the required permissions whenever an article is saved. Liferay's API is available and can be overridden with the required operation. In fact, you won't override, but rather add to the standard behaviour.
I'm working on an entity called 'Give Feedback'. I want to give create permission for all users and give read permission for that entity where Feedback provider or Manager of the Feedback receiver is current user. I have created a dynamic view for this. But I want to hide that entity from Advanced Find because it allows the current user to see all the records for that particular entity.
Is there any way to remove or hide an entity from Advanced Find without removing read permission from security roles?
Any help would be much appreciated!
You need to set the right privileges for your custom entity.
If you set the Read privilege as User, with Advanced Find they will be able to see only their own records.
You can also change the property Searchable to No in Entity customizations.
I have a specific requirement where-in I want only the uploader of the document and a specific team to be able to view it in list / library. 1) is it possible? 2) If yes, how...?
Ok. So I was able to resolve my issue with the steps mentioned below. Soon will be documenting it in form of a blog and share it:
Created the document library and modified the default view to only show documents that were created by/modified by [Me].
Added a new web page to the library and gave exclusive rights to access that to a certain set of users.
Restricted all users from creating a view with the help of creating special permission level where user only had access to upload or delete a document but not creating/updating/deleting lists/views. Also disabled private view creation.
Hope this may be helpful to others too who are looking for restricted views / disabling view creation.
You need to set item level permission through event handler:
http://www.chakkaradeep.com/post/SharePoint-ndash3b-Setting-Item-level-permission.aspx
http://msdnvietnam.net/blogs/quang/archive/2009/07/02/sharepoint-eventhandler-set-item-level-permission.aspx
#Ashish, in the SharePoint 2007 GUI you cannot make a query that will show documents that belong to a specific group; however, the CAML specification supports it (Membership tag). It wasn't documented until SP2010, but it works on SP2007 (I'm using it).
However this involves custom coding and this doesn't assign permissions automatically, it just enables you to filter documents by groups.
For a solution without custom coding you could consider making a separate folder/list for every person/group and set permissions on the folder/list accordingly. This will also help performance - it's better to have permissions set on a high-level container than having fine-grained permissions (I'm just assuming that, because I read everywhere that mass fine-grained permissions are bad for performance).
You may use the Current User Filter web part to filter the documents by who is logged in to the SharePoint site, by passing the value Display Name.
How can I disallow adding item or document to a list or document library? Due to some other feature scenario I cannot break role inheritance and have custom permission set for the list. Today, we restrict the addition using event handler (Item adding) – but this leads to poor UX.
Is there a way to have role inheritance for a list and still have a base permission mask? Something like, allow everything that the parent web offers but not X, Y, Z. Breaking role inheritance in the traditional way introduces the problem of explicit user and role management. Having an SPGroup hold another SPGroup could help here, but that too is not possible. Let me know your suggestions.
I think you are asking to allow a user to have add permissions to the list but not actually be allowed to add to the list. Event receiver is going to be the best way. The only other solution I can think of is to use a custom item form that will do the check.
You can solve your problem by creating a webpart with the below functionality.
Identify whether the logged-in user is in the admin group. If he is not in that group, generate a JavaScript alert that "you have no permission for add new item" and redirect to (location.href="") the allitems.aspx page.
And place this webpart in the Newform.aspx page.
(add &toolpaneview=2&sharedview=true in the Newform.aspx URL for editing the page)
Hope this helps. Let me know if you need more help.
Create an IHttpModule and subclass the context AuthenticateRequest event.
In the AuthenticateRequest routine you can inspect what type of action is happening and then redirect the user to the SharePoint "Access Denied" page. This is exactly how SharePoint does this functionality so the UX experience would be the same.
If you want my opinion I would go with the way SharePoint handles permissions out of the box and break role inheritance. Sure it will add new complexities to your life. But, I think you can better manage these complexities with the SharePoint Admin Toolkit and some custom built utilities for managing permissions. I think that is a better solution than what you are trying to do.
Am I missing something here when I suggest: Just hide the toolbar (or specific button) in the view page? That's a painless CSS hook done in the view page or SharePoint Designer.
If you are using a custom List Template, you could create a custom View Toolbar Template. However, you probably will not want to use this on an OOTB List Template and it doesn't look like this will work on an existing list.
Even if you implement this, I would still leave the Event Receiver in place in order to prevent URL spoofing.
We have a doc library, Requirement is that only the user who has contributed to the document should be able to see the document and other user who has access to the library should not see that.
Can you please help me to achieve this.
Update: I talked to my TL he said, we need multiple Views on the Doc Library. Any one with new Ideas?
Add a custom view to the document library that only displays the items if the current user == creator of the document.
Set this view as the default view.
Prohibit users from changing the view.
If you are after a true permission based solution, you could develop a event handler for the adding item handler that sets the permission on the newly created item.
(By breaking parent inheritance also)
Set only permissions (owner) for the user that created the item.
EDIT: Just re-read your question. I didn't understand correctly. I missed the "contribution" part. Anyway, I will let my answer be here.
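The event-handler approach described in this answer (break inheritance on the new item, then grant access only to its creator) can be sketched as follows. This is an added example, not code from any poster on this page; the class name and the "Document Reviewers" group are assumptions, and it uses ItemAdded because the list item does not exist yet while ItemAdding runs.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: restricts each new document to its uploader plus one team group.
public class UploaderOnlyReceiver : SPItemEventReceiver
{
    // Assumption: an existing SharePoint group that must keep read access.
    private const string ReviewerGroup = "Document Reviewers";

    public override void ItemAdded(SPItemEventProperties properties)
    {
        // Copy plain values out first; objects tied to the uploader's context
        // must not be reused inside the elevated block.
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;
        string uploaderLogin = properties.UserLoginName;

        // The uploader normally lacks ManagePermissions, so change the ACL
        // under elevated privileges with freshly opened SPSite/SPWeb objects.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);

                // false = do not copy the parent's role assignments.
                item.BreakRoleInheritance(false);

                // Clear anything still present so only the grants below remain.
                for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                    item.RoleAssignments.Remove(i);

                Grant(item, web.EnsureUser(uploaderLogin),
                      web.RoleDefinitions.GetByType(SPRoleType.Contributor));
                Grant(item, web.SiteGroups[ReviewerGroup],
                      web.RoleDefinitions.GetByType(SPRoleType.Reader));
            }
        });
    }

    private static void Grant(SPListItem item, SPPrincipal principal, SPRoleDefinition role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }
}
```

Because ItemAdded fires after the item is created, the document carries the library's inherited permissions until the receiver has run. Unlike a filtered view, the resulting ACL is enforced on every access path to the item.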
Adding a view is not really good practice. If one wants to gain access to the data he can do so by working with the lists web service. The solution is much simpler than it seems.
1. you need to install this: http://spdactivities.codeplex.com/.
This add-on will add workflow activities to the SP Designer.
2. create a workflow doing what you described. It will take you no more than 10 minutes.
That's it :)