InfoPath User Roles in Browser-Based Forms in the SharePoint 2010 Without Code – What’s Really Working?

Recently one of my clients asked if I could disable or enable some of the buttons on browser-based forms based on SharePoint security groups, without any code. Based on what I have learned from the community and conferences, my response was yes. Based on the many blog articles referenced in this article, I thought it would be a no-brainer task, but it turned out to be much more complicated than that.

I am using InfoPath 2010 for SharePoint 2010 list forms and, as many of you may know, list forms don't support custom code. So, let's look at our options and which would be the best for implementing security roles in browser-based forms in SharePoint 2010 without custom code.

Option 1 – User Roles

  • Only available in InfoPath client forms, not in browser forms. This means it requires InfoPath 2010 on the client machines to access the InfoPath forms stored in SharePoint.
  • The biggest limitation is that user roles cannot be created based on SharePoint groups, only AD groups.
  • Nik’s Conclusion – Can’t be considered for browser-based forms or SharePoint security groups.

Option 2 – User Profile Service

  • UserProfileService.asmx –
  • The User Profile Service is the interface for remote clients to read and create user profiles in SharePoint.
  • In SharePoint 2010, this service requires both the User Profile Service and the User Profile Synchronization Service. In MOSS 2007, profile synchronization must be enabled on the SSP.
  • This option works for browser-based forms in MOSS 2007 but with limitations in SharePoint 2010. More precisely, at the time of writing, this option works for AD distribution lists (DL), AD security groups (SG), and SharePoint groups in MOSS 2007 but works only for AD DLs in SharePoint 2010. As many of you may know, SharePoint 2010 profile sync uses FIM, and it does not return AD SGs through the profile service. Until Microsoft fixes this issue, AD security groups are not available through the User Profile Service. Here is the active thread on the MS forum discussing this issue, led by Clayton Cobb –
  • To use User Profile Service in MOSS 2007, there are several blog posts available.
  • Nik’s Conclusion – Use this method if you have MOSS 2007. This method is not reliable for SharePoint security groups or AD SGs in SharePoint 2010. Use this method only if your users are maintained in an AD distribution list. The limitation of an AD DL is that it can’t be used as a SharePoint security group in SharePoint 2010, or else you have to maintain duplicate SG and DL groups in AD. In other words, in most real-world scenarios, this method is not useful in SharePoint 2010. If you’re still planning to use this method, make sure both the User Profile and User Profile Sync services are enabled. I have tested it with only the User Profile Service enabled, and this method doesn’t return any AD DL info in that case.

Option 3 – Duplicate SharePoint List to emulate the users and their roles

  • There are several workarounds by community members that map SharePoint security groups or AD SGs into SharePoint lists so the security can be used in browser-based forms. The downside of this approach is that the security info is maintained in two places, and additional automatic or manual synchronization steps may be required.
  • SharePoint Solution’s Custom List Method –
  • Clayton Cobb’s Contact List Method –
  • Nik’s Conclusion – Unless someone convinces me of a better method, in SharePoint 2010 these are the most reliable methods to implement the security. I have implemented the SharePoint Solutions method and, without doubt, even though it maintains duplicate security info, it’s the most reliable method.
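
The two-places problem of Option 3 can be checked on a schedule. The script below is an added example, not from the original post or the referenced methods: run in the SharePoint 2010 Management Shell, it reports where a role-mapping list and the actual SharePoint group membership disagree. The list name `FormRoles`, its text columns `LoginName` and `RoleGroup`, and the site URL are assumptions.

```powershell
# Added example: report drift between SharePoint groups and the role-mapping list.
# Assumed names (not from the post): list "FormRoles" with text columns
# "LoginName" and "RoleGroup"; the site URL is a placeholder.
param(
    [string]$WebUrl   = "http://sharepoint.example/sites/forms",
    [string]$ListName = "FormRoles"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb -Identity $WebUrl
try {
    $list = $web.Lists.TryGetList($ListName)
    if ($list -eq $null) { throw "List '$ListName' not found on $WebUrl" }
    $items = $list.Items

    # Role list entries as "group|login" keys, lower-cased for comparison.
    $mapped = @{}
    foreach ($item in $items) {
        $key = ("{0}|{1}" -f $item["RoleGroup"], $item["LoginName"]).ToLower()
        $mapped[$key] = $true
    }

    # Actual membership of every group the role list refers to.
    $actual = @{}
    $groups = $items | ForEach-Object { [string]$_["RoleGroup"] } | Sort-Object -Unique
    foreach ($name in $groups) {
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $name }
        if ($group -eq $null) { Write-Warning "Group '$name' no longer exists"; continue }
        foreach ($user in $group.Users) {
            $actual[("{0}|{1}" -f $name, $user.LoginName).ToLower()] = $true
        }
    }

    # Stale: the form still grants the role although the user left the group.
    $mapped.Keys | Where-Object { -not $actual.ContainsKey($_) } |
        ForEach-Object { New-Object PSObject -Property @{ Entry = $_; Drift = "InListNotInGroup" } }
    # Missing: the user is in the group but the form will not recognise them.
    $actual.Keys | Where-Object { -not $mapped.ContainsKey($_) } |
        ForEach-Object { New-Object PSObject -Property @{ Entry = $_; Drift = "InGroupNotInList" } }
}
finally {
    $web.Dispose()
}
```

An AD security group that has been added to a SharePoint group shows up here as a single member entry; its AD members are not expanded, so they have to be compared separately.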

Hope this helps you make the right decision for a given situation.
