Item level update security in MS SharePoint 2007

Hi,
I am working on a requirement where the restriction to update list items needs to be made at row level. E.g. based on the data in the column of a row, the row will be available for editing to some users. I am looking for an approach to implement this requirement in MS SharePoint 2007. Any help in this regard will be appreciated.

The easiest way to do this is to set individual item permissions using an event receiver when the item is added or saved.  I did an example of this in a BLOG post a while ago.  Here's the post.
http://www.dontpapanic.com/blog/?p=25
The example sets item level security based on the content type, but you can change the logic to whatever you like. One note: This solution will not scale for use in a really large list. There is a limit on how many individual ACLs you can have in a list. For 2007 I think it was 2,000.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem.
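
The event-receiver approach from the answer above, as an added example (not the code from the linked blog post), keyed on a column value instead of the content type. The column name "Region", the group names "All Staff" and "<Region> Editors", and the namespace are assumptions made for illustration.

```csharp
using System;
using Microsoft.SharePoint;

namespace Example.ItemSecurity // hypothetical namespace
{
    // Added example: edit rights on each item follow the value of one column.
    // Assumed names (not from the thread): column "Region", groups "<Region> Editors",
    // and a read-only group "All Staff".
    public class ColumnBasedItemSecurity : SPItemEventReceiver
    {
        private const string DrivingColumn = "Region";
        private const string ReadersGroup = "All Staff";

        public override void ItemAdded(SPItemEventProperties properties)
        {
            ApplySecurity(properties);
        }

        // Re-evaluate on every save because the driving column may have changed.
        // Caveat: anyone who can edit the item can change that column, and with it
        // the group that holds edit rights.
        public override void ItemUpdated(SPItemEventProperties properties)
        {
            ApplySecurity(properties);
        }

        private static void ApplySecurity(SPItemEventProperties properties)
        {
            Guid siteId = properties.SiteId;
            Guid listId = properties.ListId;
            int itemId = properties.ListItemId;
            string webUrl = properties.RelativeWebUrl;

            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                // Objects must be re-opened inside the delegate; properties.ListItem
                // still carries the saving user's identity.
                using (SPSite site = new SPSite(siteId))
                using (SPWeb web = site.OpenWeb(webUrl))
                {
                    SPListItem item = web.Lists[listId].GetItemById(itemId);
                    string region = Convert.ToString(item[DrivingColumn]).Trim();

                    web.AllowUnsafeUpdates = true;
                    if (!item.HasUniqueRoleAssignments)
                    {
                        item.BreakRoleInheritance(false); // start from an empty ACL
                        web.AllowUnsafeUpdates = true;    // the call above resets the flag
                    }
                    else
                    {
                        // Drop assignments left over from the previous column value.
                        for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                            item.RoleAssignments.Remove(i);
                    }

                    // Fail closed: an empty or unmapped value grants no edit rights.
                    Grant(web, item, ReadersGroup, SPRoleType.Reader);
                    if (region.Length > 0)
                        Grant(web, item, region + " Editors", SPRoleType.Contributor);
                }
            });
        }

        private static void Grant(SPWeb web, SPListItem item, string groupName, SPRoleType role)
        {
            foreach (SPGroup group in web.SiteGroups)
            {
                if (!string.Equals(group.Name, groupName, StringComparison.OrdinalIgnoreCase))
                    continue;
                SPRoleAssignment assignment = new SPRoleAssignment(group);
                assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(role));
                item.RoleAssignments.Add(assignment);
                return;
            }
            // Group not found: nothing is granted.
        }
    }
}
```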

Similar Messages

  • BAPI or RFC for item level updation in BOM

    Hi ,
    I need to mass update the operation lead time offset in all the items in the BOM.
    First I am downloading the BOM components and their existing operation lead time offset in the form of an Excel file. Then I am modifying the Excel file and the same is uploaded to update the operation lead time offset.
    I need a BAPI or RFC to update the item level details in the BOM. Please help.
    Thanks
    S.Srinivasan

    Hi,
    Please refer the below thread to find BAPI
    How to find related BAPIs
    You can also use tcode BAPI
    Message was edited by:
            Kannan S

  • Item Level permissions document library

    In SharePoint 2010 you could apply item level permissions to document libraries via PowerShell with
        $web= Get-SPOSite "sitename"
        $list = $web.Lists["Listname"]
        $list.ReadSecurity = 2
        $list.Update()
        $web.Dispose()
    Is there a way to apply this to SharePoint online 2013? It doesn't seem to work.

    Hi SpNerd,
    For SharePoint 2013 Online, there is not a cmdlet that is used to get a site. So, it seems that there is not a way to change Item-level permissions via PowerShell for SharePoint Online.
    Windows PowerShell for SharePoint Online cmdlets
    http://technet.microsoft.com/en-us/library/fp161364(v=office.15).aspx
    As a workaround, you can change Item-level permissions via SharePoint Online UI as List Settings->Advanced Settings->Item-level Permissions.
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • Sharepoint 2007 Setting Item level permission

    How do I set item level permission using SharePoint 2007 workflow? As I've been working on employee leave management, time sheet entry and attendance, quite similar to Orange HRM features... And also being a beginner who never had any hands on SharePoint.
    I would be really grateful if anybody comes up with all the help for me.
    Employees should not be able to see each other's personal information like contact details, email addresses, etc. other than the Admin. How do I do that step by step automatically using a workflow using SharePoint 2007?
    Thank You.

    You can use the http://spdactivities.codeplex.com/ Grant Permission on Item workflow activity from codeplex and build the workflow.
    Below are a few examples:
    http://sharepointgeorge.com/2010/item-level-permissions-infopath-forms-sharepoint-designer-workflows/
    http://www.codeproject.com/Articles/18415/Custom-Activity-Workflow-for-implementing-Item-Lev
    Hope this helps.
    My Blog- http://www.sharepoint-journey.com
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

  • Setting Item level access rights on sharepoint list item in ItemAdding event handler

    Hi ,
    I am using sharepoint 2013. I am trying to set item level access rights when a list item is added using the following code snippet,
        public override void ItemAdding(SPItemEventProperties properties)
        {
            base.ItemAdding(properties);
            ConfigureItemSecurity(properties);
        }

        private void ConfigureItemSecurity(SPItemEventProperties properties)
        {
            var item = properties.ListItem;
            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                using (SPSite site = new SPSite(properties.SiteId))
                using (SPWeb oWeb = site.OpenWeb())
                {
                    item.ParentList.BreakRoleInheritance(true);
                    oWeb.AllowUnsafeUpdates = true;
                    var guestRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Reader);
                    var editRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Editor);
                    SPGroup HRGroup = oWeb.SiteGroups.Cast<SPGroup>().AsQueryable().FirstOrDefault(g => g.LoginName=="HR Team");
                    SPRoleAssignment groupRoleAssignment = new SPRoleAssignment(HRGroup);
                    groupRoleAssignment.RoleDefinitionBindings.Add(guestRole);
                    SPUserCollection users = oWeb.Users;
                    SPFieldUserValueCollection hm = (SPFieldUserValueCollection)item["HiringManager"];
                    SPFieldUserValueCollection pm = (SPFieldUserValueCollection)item["ProjectManager"];
                    SPFieldUserValueCollection pmChiefs = (SPFieldUserValueCollection)item["ProjectManagerChief"];
                    item.BreakRoleInheritance(true);
                    item.RoleAssignments.Add(groupRoleAssignment);
                    foreach (SPFieldUserValue staffMember in hm)
                        SetRightsOnItem(item, staffMember, editRole);
                    foreach (SPFieldUserValue staffMember in pm)
                        SetRightsOnItem(item, staffMember, guestRole);
                    foreach (SPFieldUserValue staffMember in pmChiefs)
                        SetRightsOnItem(item, staffMember, guestRole);
                    item.Update();
                }
            });
        }

        private void SetRightsOnItem(SPListItem item, SPFieldUserValue staffMember, SPRoleDefinition role)
        {
            SPUser employeeUser = staffMember.User;
            var userRoleAssignment = new SPRoleAssignment(employeeUser);
            userRoleAssignment.RoleDefinitionBindings.Add(role);
            item.RoleAssignments.Add(userRoleAssignment);
        }
    Nothing is happening though... Is the event handler the right place to do this?
    thank you

    Hi ,
    You can refer to the code working in my environment:
        using System;
        using System.Security.Permissions;
        using Microsoft.SharePoint;
        using Microsoft.SharePoint.Utilities;
        using Microsoft.SharePoint.Workflow;
        namespace ItemLevelSecurity.ItemSecurity
        {
            /// <summary>
            /// List Item Events
            /// </summary>
            public class ItemSecurity : SPItemEventReceiver
            {
                /// <summary>
                /// An item was added.
                /// </summary>
                public override void ItemAdded(SPItemEventProperties properties)
                {
                    SPSecurity.RunWithElevatedPrivileges(delegate()
                    {
                        try
                        {
                            using (SPSite oSPSite = new SPSite(properties.SiteId))
                            using (SPWeb oSPWeb = oSPSite.OpenWeb(properties.RelativeWebUrl))
                            {
                                //get the list item that was created
                                SPListItem item = oSPWeb.Lists[properties.ListId].GetItemById(properties.ListItem.ID);
                                //get the author user who created the item
                                SPFieldUserValue valAuthor = new SPFieldUserValue(properties.Web, item["Created By"].ToString());
                                SPUser oAuthor = valAuthor.User;
                                //assign read permission to item author
                                AssignPermissionsToItem(item,oAuthor,SPRoleType.Reader);
                                //update the item
                                item.Update();
                            }
                            base.ItemAdded(properties);
                        }
                        catch (Exception ex)
                        {
                            properties.ErrorMessage = ex.Message;
                            properties.Status = SPEventReceiverStatus.CancelWithError;
                            properties.Cancel = true;
                        }
                    });
                }

                public static void AssignPermissionsToItem(SPListItem item, SPPrincipal obj, SPRoleType roleType)
                {
                    if (!item.HasUniqueRoleAssignments)
                    {
                        item.BreakRoleInheritance(false, true);
                    }
                    SPRoleAssignment roleAssignment = new SPRoleAssignment(obj);
                    SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
                    roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
                    item.RoleAssignments.Add(roleAssignment);
                }
            }
        }
    Thanks,
    Eric
    Forum Support
    Eric Tao
    TechNet Community Support

  • Item level security...

    We have an out of the box solution where users can log their meeting minutes in a custom list. The security of the site consists of about 100 SharePoint groups which are being used throughout the site collection with different permissions.
    For the purpose of this solution we have each group belonging to one of four logical roles (Directors, Power Users, Employees (Internal) and Employees (External)). There are about 50 groups that fit the role of Employees. We want to make sure that users can access only the items if they belong to this logical role. That means that an item created by an employee has to be accessible by 50 groups.
    What would be the best practice to apply security in this situation, since for item level security it would require that inheritance be broken at item level and 50 groups added to the permissions of that item?
    Regards

    We are often discouraged from using folders, but security is one place they are quite useful. Create one folder for each of your top level groups (Directors, etc), break inheritance on the folder and assign your 50 groups. Upload a file to the folder and all of the security you need has been applied. Your general users don't need to know about the folders. Create a view that "Show all items without folders". Keep one view with folders displayed for uploading files.
    Mike Smith TechTrainingNotes.blogspot.com
    Books:
    SharePoint 2007 2010 Customization for the Site Owner,
    SharePoint 2010 Security for the Site Owner

  • Sharepoint 2013 / Office 365 Document library item level permissions problem

    Hello,
    I'm looking for a solution to enable users to upload documents to a document library, the ability to view other documents uploaded to the same document library, but able to edit or delete those other documents.
    With a list you can use Item-Level security in Advanced Settings but this is not available for Document libraries. I could use workflows to assign individual permissions to documents, but the library already contains over 2,000 documents and will continue to expand so I don't like the idea of having that many individual permissions set.
    Are there any 3rd party plug-ins or solutions to this issue?
    Thanks,

    Try below:
    http://www.hersheytech.com/Blog/SharePoint/tabid/197/entryid/28/Default.aspx
    As it turns out, setting Item-Level Permissions in a library is fully supported with PowerShell!
    The PowerShell commands for changing this are very simple:
        $web = Get-SPWeb http://YourSite/
        $list = $web.Lists["Your Document Library Name"]
        $list.ReadSecurity = 2
        $list.Update()
        $web.Dispose()
    Note the 3rd line which is where you determine the value for this setting using the following values:
    1 = "Read all items"
    2 = "Read items that were created by the user"
    If you wish to modify the values for Create and Edit access instead, replace .ReadSecurity with .WriteSecurity with the following values:
    1 = "Create and edit All items"
    2 = "Create items and edit items that were created by the user"
    4 = "None"
    For example:
        $web = Get-SPWeb http://YourSite/
        $list = $web.Lists["Your Document Library Name"]
        $list.WriteSecurity = 2
        $list.Update()
        $web.Dispose()
    Also check 
    http://sppermissions.codeplex.com/
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://freeit-support.com/

  • SharePoint OOB Item level Permission under List Settings

    Users & Roles:
    Authors: User with author role can create a new item but can only edit/delete their own items and not other user items. They should not modify or view the list settings (Permission level - Contribute).
    Editor: User with Editor role can create a new item and can edit/delete their own items and also other user items. They should not modify or view the list settings (Permission level - Contribute).
    1. Created a new list.
    2. In Advanced Settings enabled "Item-level Permissions" as follows:
    For Read access selected "Read all items"
    For Create and Edit access selected "Create items and edit items that were created by the user"
    Now, a user with Editor access is not able to edit/delete other users' items but is able to edit/delete their own items (same as a user with Author role).
    Then I changed the Editor access permission level to Edit. In the Edit permission level I enabled Override Check-Out and disabled Manage Lists. But the user with Editor access still doesn't satisfy the condition.
    Kindly help me to resolve the above issue.
    For Read access select "Read items that were created by the user"
    For Create and Edit access select "Create items and edit items that were created by the user"

    Hi Nishok,
    Agree with Paul's opinion, you can create an event receiver to set Item Level Permission. Here is the snippet:
        using System;
        using System.Diagnostics;
        using System.Threading;
        using System.Windows.Forms;
        using System.Security.Permissions;
        using Microsoft.SharePoint;
        using Microsoft.SharePoint.Utilities;
        using Microsoft.SharePoint.Workflow;
        namespace ItemLevelSecurity.ItemSecurity
        {
            /// <summary>
            /// List Item Events
            /// </summary>
            public class ItemSecurity : SPItemEventReceiver
            {
                /// <summary>
                /// An item was added.
                /// </summary>
                public override void ItemAdded(SPItemEventProperties properties)
                {
                    SPSecurity.RunWithElevatedPrivileges(delegate()
                    {
                        try
                        {
                            using (SPSite oSPSite = new SPSite(properties.SiteId))
                            using (SPWeb oSPWeb = oSPSite.OpenWeb(properties.RelativeWebUrl))
                            {
                                //get the list item that was created, re-fetched through the
                                //elevated web (properties.ListItem keeps the saving user's context)
                                SPListItem item = oSPWeb.Lists[properties.ListId].GetItemById(properties.ListItemId);
                                //get the author user who created the item
                                SPFieldUserValue valAuthor = new SPFieldUserValue(properties.Web, item["Created By"].ToString());
                                SPUser oAuthor = valAuthor.User;
                                //assign permissions to task author
                                AssignPermissionsToItem(item,oAuthor,SPRoleType.Reader);
                                //update the item
                                item.Update();
                            }
                            base.ItemAdded(properties);
                        }
                        catch (Exception ex)
                        {
                            properties.Status = SPEventReceiverStatus.CancelWithError;
                            properties.ErrorMessage = ex.Message;
                            properties.Cancel = true;
                        }
                    });
                }

                public static void AssignPermissionsToItem(SPListItem item, SPPrincipal obj, SPRoleType roleType)
                {
                    if (!item.HasUniqueRoleAssignments)
                    {
                        item.BreakRoleInheritance(false, true);
                    }
                    SPRoleAssignment roleAssignment = new SPRoleAssignment(obj);
                    SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
                    roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
                    item.RoleAssignments.Add(roleAssignment);
                }
            }
        }
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • Item Level Security in Document Libraries

    Hi all,
    I need to set up Item level Security in a Document Library in SharePoint 2007. Does this requirement have any OOTB feature in SharePoint or is customization the only road? I have researched and found that it can be done using coding. But I didn't find anything in OOTB. This feature is available OOTB for the lists, but why can't it be available for Document Libraries? Please help.
    Thanks,

    Hi Pa1 Kumar,
    Item level security is available only for list not for document library. This is the design behavior. But don't worry you don't need to write any code for this because CODEPLEX solution is available for this. 
    Here is the solution link:
    http://www.endusersharepoint.com/2009/07/07/configure-item-level-permissions-for-document-libraries/
    http://vspug.com/usecases/2009/07/07/configure-item-level-permissions-for-document-libraries/
    Hope this will help
    Cheers, Hemendra-MCTS "Yesterday is just a memory,Tomorrow we may never see"

  • Differences between SharePoint 2007 and 2013 security options?

    Hi,
    We just did a test upgrade from Sharepoint 2007 to Sharepoint 2013 by copying over the content database. One thing we are noticing is that users who had permissions to upload to a document library no longer have that option in 2013. Is there a difference between the 2007 and 2013 "contribute" permission?
    What can I do to fix this issue?
    thanks,
    Sherazad

    There is no difference between 2007 & 2013 for Contribute permission.
    Contribute has the same rights in 2007 and 2010.
    Read permissions, plus:
    Add Items
    Edit Items
    Delete Items
    Delete Versions
    Browse Directories
    Edit Personal User Information
    Manage Personal Views
    Add/Remove Personal Web Parts
    Update Personal Web Parts
    You can further check here:
    SP 2013: http://technet.microsoft.com/en-us/library/cc721640.aspx
    Moss 2007: http://technet.microsoft.com/en-us/library/cc721640(v=office.12).aspx
    Maybe you edited the Contribute permission level; make sure it is at its default.
    Please remember to mark your question as answered & vote helpful, if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • ACL - ILS (Item Level Security) for Content Server & WebCenter Spaces

    We're trying to implement Item Level Security (ILS / ACL) for Webcenter spaces. We're following the instructions from the Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1.5.0) http://docs.oracle.com/cd/E15586_01/webcenter.1111/e12405.pdf
    After making the configuration changes, we're unable to see the "Security" option from the "File" menu in the Document explorer. Has anyone else implemented this feature and ran into similar issues?
    I made the following configuration changes:
    UseEntitySecurity=1
    SpecialAuthGroups=SecurityGroups (comma separated list with no spaces and the application name is included)
    CS: Version:11gR1-11.1.1.5.0
    DB: 11.2.0.2.0 ---Oracle Database 11g Enterprise Edition
    WebCenter: 11.1.1.4.0 (in a clustered environment)
    Also, we're looking at the document properties in webcenter spaces via document explorer and do not see the "security group" or "accounts" metadata fields. We can see the "Content ID" and a whole bunch of fields and do not see "security groups" and "accounts". However, when we log into the content server and look at the folder or file "info" we can clearly see the security group and account values...not sure what is required to make these two fields show up in webcenter spaces.

    Hi ,
    Do you upload the documents from spaces or from UCM side ?
    When you say the security and account field are not displayed , is that when viewing the content or during update ?
    When the ACL features are turned off do you see the above fields ?
    Thanks
    Srinath

  • SharePoint 2010 Item level permissions nightmare...how do I escape this madness?

    We have a custom SharePoint 2010 application that helps process job req. documents from 200+ partner companies. Each company can only see its own job req. documents (done using item level permissions in one document library).
    The number of documents is getting close to 3k. I've read that once you get over 5k, you'll see a huge performance hit because of the number of unique security scopes.
    Creating 200+ libraries is out of the question. That just seems like an even bigger logistical nightmare...especially since we add partners every month almost. We have reports that run off of this data and querying that many libraries would be nuts.
    Next would be making folders for each company. A lot of recoding would need to be done, but my biggest concern will be not being able to sort and filter properly.
    I've tried writing a PowerShell script to copy everything into folders in a new library and the filtering doesn't work even after messing around with the view to not show the folders at all.
    The last thing I'm considering is just archiving older data that may no longer be relevant by year or something.
    Has anyone else run into a similar issue?
    Any suggestions?

    Hi,
    Once you have exceeded the threshold limit, certainly there will be performance issues. However, you can still iterate though lists/libraries that exceed threshold limit by workaround here:
    List Threshold
    Additionally, please refer following link which demonstrates how you can implement sorting/paging for lists exceeding threshold limit:
    https://social.msdn.microsoft.com/Forums/en-US/4f788144-773c-4e63-8c1f-1e51f1c0a82f/client-object-model-fsobjtype-and-list-view-threshold?forum=sharepointdevelopmentprevious
    Hope it helps!
    Thanks,
    Avni Bhatt
    If this helped you resolve your issue, please mark it Answered

  • Updating Administrators(built-in) with item-level targeting on an enforced policy

    I need help with this. 
    In our Computers OU, we have an enforced GPO with a computer policy that adds local admins to the computers on our network. The policy is Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies/User Rights Assignment >> Restricted Groups >> Group (BUILTIN\Administrators). For this example, we'll call this GPO #1.
    I need to add another user account as a local admin, but targeted to certain computers.
    I tried to edit GPO #1. I went into Computer Configuration >> Control Panel Settings > Local Users and Groups, and then added a Group with the settings >> Updating >> Administrators (built-in) & item-level targeting to the computers I wanted, but the setting always gets overwritten by the setting that adds local admins.
    I then tried to create a GPO with the Group update. Let's call this GPO #2. I enforced this rule, linked it to the OU, changed the order so that GPO #2 is above GPO #1, but this doesn't seem to be working.
    Is my inheritance order incorrect?
    1 is GPO #2
    2 is GPO #1
    Ideas anyone?

    > In our Computers OU, we have an enforced GPO with a computer policy that
    > adds local admins to the computers on our network. The policy is
    > Computer Configuration >> Policies >> Windows Settings >> Security
    > Settings >> Local Policies/User Rights Assignment >> Restricted Groups
    >  >> Group (BUILTIN\Administrators).
    Restricted Groups has 2 operation modes: Members and Member of. The
    first one clears out any existing members, and that's what you use right
    now. The second simply adds a group to another group and keeps all
    existing members, that's what you want to use for your additional computers.
     > I need to add another user account as a local admin, but targeted to
     > certain computers.
    To do so, you need to create a domain group that contains the related
    account(s). This domain group is "member of" local admins. And make sure
    this second GPO is linked higher (so it is processed _after_ the first
    one that clears out existing members).
    Martin
    How about reading a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Yes I know I can do this, but I can't use item-level targeting with this setup. I don't want the user account to be local admins for all computers. I only want it to be local admins for 4 of them.
    Wouldn't precedence take place in this OU if I have the GPO that adds another member as #1, and the GPO that deletes and adds as #2? It isn't working as I had thought it would.

  • Item level security for custom items in 902

    I've created several custom item types and created some items in a page
    that enables Item Level Security.
    Enabling item level security on any of these items cause
    Error 30694: Error in API - update item failed
    Steps:
    1. Create custom item type
    Extended simple text type
    added image attribute
    2. Create custom item
    3. Edit custom item just created
    Select Access / Item Level Security
    Select Define Item Level Access Privileges
    Hit Apply or OK
    -> Error 30694: Error in API - update item failed
    Same error is using a "Image" item type.
    The above steps do not cause an error if using the default types; e.g. Simple Text and Simple URL
    Also tried promoting the item type so its shared. No effect.
    Is item-level security only for base "simple" item types??? If so then this is a MAJOR restriction.
    Any help would be greatly appreciated.
    --jason mathews

    Hi Jason
    I filed a bug on this. See 2529787
    I narrowed the problem down to custom item types that have a file or image attribute and only when the item is edited by someone other than the original publisher.
