Handy SharePoint Designer Workflow Tip – Configure Item Level Permissions

Some of the most common scenarios for SharePoint workflows are email notifications, approval notifications, or scheduled reminders. Recently I have been working in the organization where security is utmost important and one of the most common requests are once item is created, it should be managed by only handful number of folks.

Since current version of SharePoint Online is SharePoint 2013 and lot more, one of my first instinct was to look at SharePoint 2013 designer workflows to see if there are any options to create item level security upon item created or saved. After initial research, came across this useful MSDN forum entry, where it’s clearly mentioned that SharePoint 2013 designer workflows doesn’t have any out of box activities to set item level security and may not be possible without creating any custom Visual Studio workflow activities or accessing APIs.

One alternative of limitations of SharePoint 2013 designer workflows was to use SharePoint 2010 designer workflows. This is one of those valid use cases where you would prefer SharePoint 2010 designer workflows over SharePoint 2013 designer workflows.

Configuring item level permissions in SharePoint 2010 designer is straightforward. Start with creating a new SharePoint Designer 2010 workflow.

1_SPDItemLevelSecurity

On the workflow designer surface, select surface outside of Step 1. Once you select outside surface, “Impersonation Step” will be enabled on the Ribbon. Click on the Impersonation Step to add Impersonation Step.

2_SPDItemLevelSecurity

Once you add Impersonation Step, you can add “Replace List Item Permissions” action.

3_SPDItemLevelSecurity

This activity is straightforward to configure. You can follow series of popups to select current users or SharePoint security groups or predefined SharePoint groups or specific users to select set of users and what kind of permissions needs to set.

4_SPDItemLevelSecurity

Here is how it would look like once you select what kind of permissions for which users are selected.

5_SPDItemLevelSecurity

Once this workflow is configured, you are ready to save and publish. Since this workflow required impersonation, it is important to note that workflow will run under account with which workflow is published and this account must have full control permission on the list. In other words, you must publish this workflow with admin user credentials.

6_SPDItemLevelSecurity

Here is much better and much more in-depth article than mine on how to set item level permissions using SharePoint Designer 2010 – http://spcycle.blogspot.com/2012/01/how-to-create-workflow-to-change-item.html

This is it. Might be great handy tip for me in future and my clients.

Advertisements
This entry was posted in Office 365, SharePoint 2010, SharePoint 2013, SP2010 Online, SP2013 Online, SPD 2010. Bookmark the permalink.

5 Responses to Handy SharePoint Designer Workflow Tip – Configure Item Level Permissions

  1. Peter Ganev says:

    Nick, you are the man (like always). Very, very helpful tip for what I am doing right now!

  2. Hi Nick you have said “you must publish this workflow with admin user credentials.” sitecollection administrator account or appPool account.

    • Nik Patel says:

      It shouldn’t be user’s account so, site collection admin would be out of scope unless you have dedicated scadmin account as service account for this kind of job… In your option – I would use apppool account.. Bottom line here is I wouldn’t use employee/user account which may leave company and your workflow would fail… Hope this clarifies..

  3. Thanks Nik for sharing, this saved my time.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s