Workflow for Changing Item Level Permission in SharePoint 2013 (Office365)

Similar Messages

• Workflow not triggering when changing Item-level Permissions in Sharepoint 2013 list

  Scenario:
  We have a custom list in Sharepoint 2013 that we use for Case Management. We have a workflow that triggers on a created item generated from an email. The user then gets a reply with a link to his own case.
  I want the users only to be able to see their own cases and no one elses.  When I change this under
  Advanced Settings under List Settings and
  Item-level Permissions and set them to Read items that were created by the user
  and Create items and edit items that were created by the user
  the workflow doesn´t trigger.
  How can I resolve this? I've tried every possible out-of-the-box permissions but with no result. Help!
  Thanks in advance!
  // Browncreek

  When you're testing , remember you cant trigger declarative workflow from the System Account - you need a general user account for auto-trigger workflows.  Good luck!
  Chris McNulty MCSE/MCTS/MSA/MVTSP | blog http://www.chrismcnulty.net/blog | twitter @cmcnulty2000 Microsoft Community Contributor Award 2011
  Hi, I have the same problem. Except that I am not using an email to create a new item. The item is created by members of a SharePoint group that have Contribute access to the list. When use the same settings i.e.
  Read items that were created by the user and Create items and edit items that were created by the user,
  the workflow does not trigger. If I set it back to Real all items and Create
  and Edit all items, it triggers the workflow.
  Please help me resolve as I have rolled this out to pilot users and am having this trouble.
  Thanks,
  Vishal

• Get the item level permission in sharepoint 2013 uisng rest api

  I created the test list  and i created the 5 items in that list.
  I stopped the item level permissions.
  I shared the list item with userA.
  In the rest api response, it giving the other users also (means user who is not having permission to the item).
  I am using below rest query
  /_api/Web/GetFileByServerRelativeUrl('/site/Lists/test/1_.000')?$expand=Versions,Author,ModifiedBy,ListItemAllFields/RoleAssignments/Member/Users,ListItemAllFields/FieldValuesAsText,ListItemAllFields/ParentList

  Hi,
  Following are the steps, I performed:
  After adding the item in the list, I went into list item permissions and clicked on stop item permissions. Then I selected all the permissions which got carried over to the item and clicked on "Remove user permissions" in the ribbon. After that
  I clicked on Grant permissions in the ribbon and shared the item with one user. Note that last action can also be performed by going back into the list and selecting the item and click on Share.
  Finally, I ran the above REST query and returned the user with whom the item was selected and also the system account (which is expected, as admin will have access.
  You can try shortening your query as well
   /_api/Web/GetFileByServerRelativeUrl('/site/Lists/test/1_.000')?$expand=ListItemAllFields/RoleAssignments/Member/Users
  This will return the relevant user permissions and response will contain lesser data and hence will be easier to read. Lastly, try intercepting the traffic
  using fiddler, as again it will in reading the response.
  Thanks,
  Nadeem
  Please remember to up-vote or mark the reply as answer if you find it helpful.

• Item level permission on workflow task List using sharepoint designer 2013

  Hello All,
  I have created a custom approval workflow. Workflow create a Task in Tasks List.  Now suppose A task is assign to user1. 
  User2 should not able to edit\approve\reject the item.
  How to give item level permission using SharePoint designer in SharePoint 2013 workflow.
  SharePoint 2013 workflow doesn't have impersonation steps also.
  Please suggest how to give permission on task list based on assigned To field.

  In order to change permissions on a list item you'd need a sharepoint 2010 workflow according to http://msdn.microsoft.com/en-us/library/jj728659.aspx
  Unfortunately this functionality is not available in SharePoint 2013 workflows :-(
  The impersonation step still exists, but it is now called "App Step" in the SharePoint Designer 2013 Ribbon. This step is disabled, though, until you activate a web site feature called "Workflows can use app permissions"

• Sharepoint 2007 Setting Item level permission

  How do i set item level permission using SharePoint 2007 workflow. As I've been working on employee leave management, time sheet entry and attendance, quite similar to Orange HRM features...And also being a beginner who never had any hands on SharePoint.
  It would be really grateful if anybody comes up with all the help for me.
  Employees should not be able to see each other's personal information like contact details, email addresses, etc other than the Admin. How do i do that step by step automatically using a workflow using SharePoint 2007....?
  Thank You.

  you can use the http://spdactivities.codeplex.com/ Grant Permission on Item workflow activity from codeplex and build the workflow.
  Below are the few examples
  http://sharepointgeorge.com/2010/item-level-permissions-infopath-forms-sharepoint-designer-workflows/
  http://www.codeproject.com/Articles/18415/Custom-Activity-Workflow-for-implementing-Item-Lev
  hope this helps.
  My Blog- http://www.sharepoint-journey.com|
  If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

• Best Practice: Dynamically changing Item-Level permissions?

  Hi all,
  Can you share your opinion on the best practice for Dynamically changing item permissions?
  For example, given this scenario:
  Item Creator can create an initial item.
  After item creator creates, the item becomes read-only for him. Other users can create, but they can only see their own entries (Created by).
  At any point in time, other users can be given Read access (or any other access) by an Administrator to a specific item.
  The item is then given edit permission to a Reviewer and Approver. Reviewers can only edit, and Approvers can only approve.
  After the item has been reviewed, the item becomes read-only to everyone.
  I read that there is only a specific number of unique permissions for a List / Library before performance issues start to set in. Given the requirements above, it looks like item-level permission is unavoidable.
  Do you have certain ideas how best to go with this?
  Thank you!

  Hi,
  According to your post, my understanding is that you wanted to change item level permission.
  There is no out of the box way to accomplish this with SharePoint.               
  You can create a custom permission level using Visual Studio to allow users to add & view items, but not edit permission.   
  Then create a group with the custom permission level. The users in this group would have the permission of create & add permission, but they could no edit the item.
  In the CodePlex, there is a custom workflow activities, but by default it only have four permission level:
  Full Control , Design ,Contribute and Read.
  You should also customize some permission levels for your scenario. 
  What’s more, when use the SharePoint 2013 designer, you should only use the 2010 platform to create the workflow using this activities,
  https://spdactivities.codeplex.com/wikipage?title=Grant%20Permission%20on%20Item
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Change item level security using wwsbr_api.modify_item

  Hi.
  Im using wwsbr_api.modify_item for change item level security.
  Its code for change type access for item of my procedure
  l_masterid := portal30.wwsbr_api.modify_item(
  p_master_item_id => 7061,
  p_item_id => 7062,
  p_caid => 136,
  p_folder_id => 1,
  p_display_name => 'test',
  p_region_id => 5,
  p_access_level => portal30.wwsbr_api.item_access,
  p_text => 'test change item security',
  p_addnewversion => true, -- My content area have item versioning
  level is audit
  After execute my procedure access type = folder.
  I see in wwv_things table new record
  masterthingid = 7061,
  id = 7064,
  security = 'folder'
  How to change item level security programmatically?
  Thanks

  Jerry,
  Please forgive me for persisting with this, and thankyou for your continued patience, but let me try to explain the issue I'm having in another way...
  I have a function that calls wwsbr_api.modify_item to change, say, the description. In this case "description" is the one and only thing I want to change about the item. As you've described above, I am able to query most things associated with the item (via wwsbr_all_items, wwsec_api.grantee_list, etc) so that I can pass current values to the wwsbr_api.modify parameters. However, I haven't found a way to query the current level of access control for a given item (i.e. wether it is currently set to ITEM_ACCESS, FOLDER_ACCESS, or null). As documented, I can force the item to be ITEM_ACCESS or FOLDER_ACCESS. However, I don't want to force a value and as we have concluded, passing null will nullify the current state.
  So, in summary, an answer to this question will solve my problem:
  Is it possible to query the current access control level of an item (either directly via one of the published views or indirectly via one of the views)?
  If the answer is yes - great that solves my problem. How please?!?!?
  If the answer is no - this must be a bug is it would mean that it isn't possible to use wwsbr_api.modify_item without inadvertently altering the current access control level of the item.
  Again thanks for your patience...
  Mark

• SharePoint OOB Item level Permission under List Settings

  Users & Roles:
  Authors: User with author role can create a new item but can only edit/delete their own items and not other user items. They should not modify or view the list settings(Permission level - Contribute)
  Editor: User with Editor role can create a new item and can Edit/Delete their own items and also other user items. They should not modify or view the list settings(Permission level - Contribute)
  1. Created a new list.
  2. In advance setting enabled "Item-level
  Permissions" as follows,
  For Read
  Accesss selected "Read all items"
  For Create
  and Edit access selected "Create items and edit items that were created by the user"
  Now, User with Editor access can't able to Edit/delete other user items but can able to Edit/Delete their own items(same as user with Author role).
  Then i have changed the Editor access Permission level to
  Edit. In Edit Permission level  i have enabled Override Check-Out
  and disabled Manage Lists. But still user with Editor access doesn't satisfy the condition.
  kindly help me on this to resolve the above issue.
  For Read
  Accesss select "Read items that were created by the user"
  For Create
  and Edit access select "Create items and edit items that were created by the user"
  For Read
  Accesss select "Read items that were created by the user"
  For Create
  and Edit access select "Create items and edit items that were created by the user"
  For Read
  Accesss select "Read items that were created by the user"
  For Create
  and Edit access select "Create items and edit items that were created by the user"

  Hi Nishok,
  Agree with Paul's opinion, you can create an event receiver to set Item Level Permission. Here is the snippet:
  using System;
  using System.Diagnostics;
  using System.Threading;
  using System.Windows.Forms;
  using System.Security.Permissions;
  using Microsoft.SharePoint;
  using Microsoft.SharePoint.Utilities;
  using Microsoft.SharePoint.Workflow;
  namespace ItemLevelSecurity.ItemSecurity
  /// <summary>
  /// List Item Events
  /// </summary>
  public class ItemSecurity : SPItemEventReceiver
  /// <summary>
  /// An item was added.
  /// </summary>
  public override void ItemAdded(SPItemEventProperties properties)
  SPSecurity.RunWithElevatedPrivileges(delegate()
  try
  using (SPSite oSPSite = new SPSite(properties.SiteId))
  using (SPWeb oSPWeb = oSPSite.OpenWeb(properties.RelativeWebUrl))
  //get the list item that was created
  SPListItem item = properties.ListItem;
  //get the author user who created the item
  SPFieldUserValue valAuthor = new SPFieldUserValue(properties.Web, item["Created By"].ToString());
  SPUser oAuthor = valAuthor.User;
  //assign permissions to task author
  AssignPermissionsToItem(item,oAuthor,SPRoleType.Reader);
  //update the item
  item.Update();
  base.ItemAdded(properties);
  catch (Exception ex)
  properties.Status = SPEventReceiverStatus.CancelWithError;
  properties.ErrorMessage = ex.Message;
  properties.Cancel = true;
  public static void AssignPermissionsToItem(SPListItem item, SPPrincipal obj, SPRoleType roleType)
  if (!item.HasUniqueRoleAssignments)
  item.BreakRoleInheritance(false, true);
  SPRoleAssignment roleAssignment = new SPRoleAssignment(obj);
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
  item.RoleAssignments.Add(roleAssignment);
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Real World Item Level Permission Performance?

  I am considering implementing item level permission on a list we use. I've seen all the articles online cautioning not to do this with lists of more than 1000 items, but the articles seem to have little detailed information about the actual impact and what
  causes the performance issues. Additionally, they seem to refer to document libraries more than lists. I'd like some feedback about what might occur if we were to use item level security in our situation.
  Our situation is this: list of current ~700 items in a sharepoint list. Expected to grow around 700 items per year. The list has about 75 fields on it. We have 8 active-directory groups that have access to the list, based upon company department. Each
  item in the list can apply to one or more departments. The groups represent around 100-150 different unique users.
  We would like to use item level security to be set via workflow, to enable particular groups to access the item based upon their group membership. For example, if the list item is for the HR department, then the HR group has access. If the item is for IT,
  then the IT group has access (and HR wouldn't).
  That's it. There would be no nesting of items with multiple permission levels, no use of user-level ACLs on the items, etc.
  Thoughts about this configuration and expected performance issues?  Thanks for any feedback!

  Just an update for anyone who finds this thread:
  I converted our data into a test SharePoint list with 1500 rows. I then enabled full item-level security, with restrictions to hide data not created by the person.
  I then set individual permissions for each item that included 2-3 AD groups with different permissions--contribute, full ownership, etc, and 2-3 individuals with varying permissions. The individuals represented around 50 total people.
  After the permissions were set I then did a comparison of loading individual views and the full data set in Standard and Datasheet views, for both myself as an administrator with full list access and with several of the individuals who only had access to
  their designated items--typically 75-100 of the total list.
  The results were that I found no discernable difference in system performance from the user interface level while loading list views after the item level security was configured in this way. I understand this will vary based up
  hardware configuration and exact permission configuration, but in our situation the impact of item level security on a list of 1500 items had very little, if any, negative performance impact. Note that I didn't check performance at the database server level,
  but I'm assuming the impact there was minimal since the front-end user experience was unaffected.
  I expect we'll put this solution into place and if we do I'll update this post when we have additional real-world usage information.

• Item Level Permission does not work as designed

  Here is the problem. 
  We have a site with a site members group with created permission level called vnContributor that differs from contributor in that they cannot edit delete items or versions, or create alerts. 
  We have a site owners group who have a custom permission level called vnOwner that allows them to add, edit, delete, view, and open items and view versions.  They do not have "Manage Lists" 
  The list permission settings were set to view everyone and edit everyone.  In this setting, however members could not see or edit anything, and owners could see and edit everything, regardless of whether it was theirs or not. 
  So I changed the list permissions level to edit only their own and changed the members to the OOTB contributor permission level.  I then opened the calendar and added a new item as a user in the members  group.
  There was no change.  Members still could not edit their items.  Owners could see and edit everyone's items.
  This is not how this is advertised to work. 
  ERJ MCSD MCDBA

  On June 11, 2008 Rachel.lane entered the following request
  "I would like to hide/show the edit button on a list item's edit form based on whether the user is the item's creator.  The reason I want to do this is because SharePoint's out-of-the-box behaviour is such that when a user edits someone
  else's item, the Access Denied page pops up AFTER the user makes his/her edits and presses ok.
  " My users want the edit button to be hidden so they don't have to go through the steps of making the edits, press ok, and then find out their access is denied."
  My users want the same thing. 
  Alex Santos1 said that "One approach is to give each list item it's own permission- giving the owner (creator) full access while giving everyone else read access."
  However everything I seen about giving item level permission seems to utilize the method I've already been doing which does not hide the Edit button.  Does anyone know how to pull off what he was suggesting?
  ERJ MCSD MCDBA

• How check page level permission on SharePoint pages library using JSOM

  Hi,
  Can anyone tell me how check page level permission on SharePoint pages library using JSOM.
  Tanks in advance .
  Regards,
  Hari
  Regards, Hari

  Hi,
  According to your post, my understanding is that you want to check the page level permission on SharePoint Pages library via JSOM.
  I have made a simple code demo to check whether current user has edit permission for the pages in Pages library, it works like a charm.
  You can re-write it to fit your environment.
  <script src="http://code.jquery.com/jquery-1.10.2.min.js" type="text/javascript"></script>
  <script type="text/javascript">
  var web;
  var list;
  $(function(){
  $("#Button1").click(function()
  console.log(1);
  getListItems('Pages',success_Items,error_Items);
  console.log(2);
  function getListItems(listTitle,success,error)
  var context = SP.ClientContext.get_current();
  this.web = context.get_web();
  this.list = context.get_web().get_lists().getByTitle(listTitle);
  this.items = list.getItems(SP.CamlQuery.createAllItemsQuery());
  this._currentUser = web.get_currentUser();
  context.load(this._currentUser);
  context.load(web,'EffectiveBasePermissions');
  context.load(items);
  context.executeQueryAsync(
  function() {
  success(items);
  error
  function success_Items(items){
  var e = items.getEnumerator();
  while (e.moveNext()) {
  this.item = e.get_current();
  console.log(this.item.get_item('FileLeafRef')); //print File or Folder Name
  console.log(this.item.get_item('FileRef')); //print File or Folder Url
  if (this.web.get_effectiveBasePermissions().has(SP.PermissionKind.editListItems)) {
  console.log('Nice, edit list item permissions!');
  else {
  console.log('Boo, no edit list item permissions!');
  function error_Items(sender,args){
  console.log(args.get_message());
  </script>
  <input id="Button1" type="button" value="Check Permissions"/>
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Dont allow to change item level data in sales order.

  Hi all,
  I have a requirement in which, users should not be allowed to change  item level data or not allowed to add any new items in sales order on a certain condition. But they should be allowed to change the header level data.
  How can i achieve this.
  Can anyone help me?

  Hi,
  Check below exit.
  MV45AFZZ and in form USEREXIT_MOVE_FIELD_TO_VBAP.
  Here check for ur validation, If passes then CHECK variable SVBAP-TABIX. If it is 0 then item is created. If it is GT 0 then item is changed. Other way could be...
  select data from VBAP for each sales document and item in xvbpa internal table.
  If for any item u don't have data in VBAP table that means u r adding that item. So issue error message.
  *       FORM USEREXIT_MOVE_FIELD_TO_VBAP                              *
  *       This userexit can be used to move some fields into the sales  *
  *       dokument item workaerea VBAP                                  *
  *       SVBAP-TABIX = 0:  Create item                                 *
  *       SVBAP-TABIX > 0:  Change item                                 *
  *       This form is called at the end of form VBAP_FUELLEN.          *
  Thanks,
  Vinod.

• Item Level permission issue

  Hi,
  I have created a custom list for which I have added some users with contribute permissions(The users are not given access at site level). Each user creates  only a single item about himself. He should be restricted from accessing other list items in
  terms of editing/deleting the list items.
  Can you please help me in this regard.
  Regards,
  Chaitanya.

  Hello Chaitanya,
  You need to setup the item level permission from list settings-->advanced settings--> see below screen.
  After this user will be able to edit/view only own items.
  Hemendra:Yesterday is just a memory,Tomorrow we may never see
  Please remember to mark the replies as answers if they help and unmark them if they provide no help

• User exit to change item level data in purchase order

  Hi,
  Can anyone let me know the user exit to change item level data in purchase order . there is a badi ME_PROCESS_PO_CUST for this but the issue is its method process_item gets triggered only when the item is changed. My requirment is
  For purchase order document types u201CZSOu201D and u201CZCOu201D, where the purchase order is a u201CLimits Orderu201D only i.e. no materials or services on the purchase order, the print price indicator field should be set to u201Cblanku201D (unchecked).   now i cant use ME_PROCESS_PO_CUST  because process_item wont get triggered if there is no change in itemlevel data.
  Regards,
  Rahul

  Hi Rahul,
  Probably EXIT_SAPLMEKO_002.
  hope it helps,
  Edgar

• Help - User exit to change item level data in Purchase Order

  Hi,
  Can anyone let me know the user exit to change item level data in purchase order . there is a badi ME_PROCESS_PO_CUST for this but the issue is its method process_item gets triggered only when the item is changed. My requirement is For purchase order document types u201CZSOu201D and u201CZCOu201D, where the purchase order is a u201CLimits Orderu201D only i.e. no materials or services on the purchase order, the print price indicator field should be set to u201Cblanku201D (unchecked).   now i cant use ME_PROCESS_PO_CUST  because process_item wont get triggered if there is no change in item level data.
  Thanks,
  Rahul

  Hi Rahul,
  Probably EXIT_SAPLMEKO_002.
  hope it helps,
  Edgar