Some of the most common scenarios for SharePoint workflows are email notifications, approval notifications, and scheduled reminders. Recently I have been working in an organization where security is of the utmost importance, and one of the most common requests is that once an item is created, it should be managed by only a handful of people.
Since the current version of SharePoint Online is SharePoint 2013 and a lot more, one of my first instincts was to look at SharePoint 2013 Designer workflows to see whether there are any options to set item-level security when an item is created or saved. After some initial research, I came across this useful MSDN forum entry, which clearly states that SharePoint 2013 Designer workflows don't have any out-of-the-box activities to set item-level security, and that it may not be possible without creating custom Visual Studio workflow activities or accessing the APIs.
One way around this limitation of SharePoint 2013 Designer workflows is to use SharePoint 2010 Designer workflows. This is one of those valid use cases where you would prefer SharePoint 2010 Designer workflows over SharePoint 2013 Designer workflows.
Configuring item-level permissions in SharePoint Designer 2010 is straightforward. Start by creating a new SharePoint Designer 2010 workflow.
On the workflow designer surface, click anywhere outside of Step 1. Once you have selected the area outside the step, “Impersonation Step” is enabled on the Ribbon. Click it to add an Impersonation Step.
Once you have added the Impersonation Step, you can add the “Replace List Item Permissions” action to it.
This activity is straightforward to configure. Follow the series of popups to choose who receives access (current users, SharePoint security groups, predefined SharePoint groups, or specific users) and which permissions need to be set for them.
Here is how it looks once you have selected which permissions apply to which users.
Once the workflow is configured, you are ready to save and publish. Because this workflow requires impersonation, it is important to note that it runs under the account with which the workflow was published, and that account must have Full Control permission on the list. In other words, you must publish this workflow with admin user credentials.
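To confirm that the published workflow really is restricting new items, the following added example (not from the original post) audits a list with the PnP.PowerShell module and reports items that still inherit list permissions or that grant access to anyone outside an expected set. It assumes a session already opened with Connect-PnPOnline; the list title and the allowed principal names are hypothetical placeholders.

```powershell
# Added example: audit item-level permissions set by the workflow.
# Assumes PnP.PowerShell is installed and Connect-PnPOnline has already
# been run against the site that hosts the list.
$ListTitle = 'Confidential Requests'                 # hypothetical list title
$Allowed   = @('Request Managers', 'Site Owners')    # hypothetical principals expected on every item

$findings = foreach ($item in Get-PnPListItem -List $ListTitle -PageSize 500) {

    # Items the workflow never touched still inherit from the list.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) {
        [pscustomobject]@{
            ItemId    = $item.Id
            Issue     = 'Inherits list permissions'
            Principal = $null
            Roles     = $null
        }
        continue
    }

    # Items with unique permissions: list every principal and flag unexpected ones.
    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($Allowed -notcontains $ra.Member.Title) {
            [pscustomobject]@{
                ItemId    = $item.Id
                Issue     = 'Unexpected principal'
                Principal = $ra.Member.Title
                Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'All items have unique permissions limited to the expected principals.' }
```

Items created while the workflow was unpublished, suspended, or failing show up as "Inherits list permissions", which makes this a useful check to run after any change to the workflow or to the publishing account.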
Here is a much better and more in-depth article than mine on how to set item-level permissions using SharePoint Designer 2010: http://spcycle.blogspot.com/2012/01/how-to-create-workflow-to-change-item.html
That's it. This might be a handy tip for me and my clients in the future.