Thursday, 13 February 2014

How to filter SharePoint List based on user permission

Have you ever had a scenario where you had to create a custom list and then show each user only the items they are supposed to see, based on the user's permissions or the user group they belong to?
  
Read on if you want to find a solution for this scenario. I did a lot of research and found bits and pieces of information scattered across the net, but couldn’t find a complete article, so I thought I would blog it. I hope this will help you.

I will brief a bit more on the scenario:

I was asked to create a master custom list for users of different departments in my company; however, since there are confidential documents, these items should not be shown to each other. My initial thought was to achieve this OOB using views and permissions; however, while digging down I understood that this was not straightforward, and I couldn’t find much help on the internet. To achieve this I did the following:

Step 1.

First I created a custom list called “Contract Manager” with the necessary columns for me to store contracts (my company's teams were supposed to store contract proposals in a list). I created a column called “Departments” on the list, which is basically a “Person or Group” field.

Step 2.

I created SharePoint groups with Contribute access with the names “CTProcurement”, “CTHR” ..... (prefixed with CT as I called this site Contract Manager; you can create the groups with any logical name and then set them to Contribute permission). While creating a new item in the list, users will be able to add their group to the Department field and CAN also add any other department to the field; for me there was a business case that the “Procurement” team will create contract proposals for themselves and for other teams. In this way users can create items which are visible to other teams as well.








Step 3.

Once the above two steps are complete, create a new view or edit the default “View All” view using SharePoint Designer. We will set the view up so that it picks the group name the user belongs to and filters the “Department” column to show only items carrying that group name. In essence, users will only see the items in the list for which their department has been added to the “Department” column. The logic is simple, but you might need a moment to contemplate it.

Here are the steps to put this query into the default view, or into a new view you create:

- Open the Site in SharePoint Designer 
- Select the List and, on the right-hand side, click on the “All Items” view. Once it has opened, search for “<Query>”.
- Paste the below code. Analyse the code; it is straightforward. Make appropriate changes for your list if needed.





















You can also download the full working view code from here - Download Code

- Sometimes when you try to save the view it might throw an error; for me it said “Reference field not found”, so I had to add the “Department” reference field properly below the “<Query>” tag.
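The view code referred to in the steps above is not reproduced on this page. As an added example (not the author's original code), a CAML filter of the kind Step 3 describes could look like the following; the internal field name `Departments` and the `LinkTitle` view field are assumptions to be replaced with your list's own names.

```xml
<!-- Added example: both elements sit inside the existing <View> element of the list view.
     The comments are explanatory and can be dropped when pasting. -->
<Query>
  <Where>
    <Or>
      <!-- Matches items whose "Departments" column contains a SharePoint group
           that the current user is a member of -->
      <Membership Type="CurrentUserGroups">
        <FieldRef Name="Departments" />
      </Membership>
      <!-- Matches items where the current user was added to the column directly -->
      <Eq>
        <FieldRef Name="Departments" />
        <Value Type="Integer"><UserID /></Value>
      </Eq>
    </Or>
  </Where>
  <OrderBy>
    <FieldRef Name="ID" />
  </OrderBy>
</Query>
<!-- The filtered column is also listed as a view field, which is where the
     "Department" reference field mentioned above belongs -->
<ViewFields>
  <FieldRef Name="LinkTitle" />
  <FieldRef Name="Departments" />
</ViewFields>
```

This filter only controls which rows the view renders; it does not change the permissions on the items themselves.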


Step 4.

Once you have done this and everything is working, well done, you are almost there :). Now we need to edit the permission levels slightly so that the “Contributors” group cannot create a new view in which they can see all the items. For that, follow the step below:

Site Action > Permission Levels > Contribute > Uncheck “Manage Personal Views  -  Create, change, and delete personal views of lists”. I have also unchecked “Manage Lists  -  Create and delete lists, add or remove columns in a list, and add or remove public views of a list.” So now the Contribute users will not have permission to create a new view where they can change the filters.

For my project this was a perfect solution. I did this in SharePoint 2010; I believe the same principle can apply in SharePoint 2013, where there is also something called the “Content Search Webpart” which you can make use of. I have also created a simple reporting mechanism to display all the items for which the alert date is set, using the Content Query Webpart. I will soon write about that for you… till then, happy SharePointing :)… Hope this helps you.

Here is a screenshot of CQWP that –
http://sharepointlogics.com/2014/02/sharepoint-2010-content-query-web-part.html



11 comments:

Sarah Cunningham said...

I'm trying to do something similar with views based on permissions, but it's slightly different. Here's my situation:

1 Document Library with Target Audience as a column. How the site is set up, everyone in the company technically has read access, and then there are contributor groups set up. What I need to set up for this library is the default view for everyone outside of my department be any document without a Target Audience, then if it does have a Target Audience, that be the default view for that specific team, with a third default be all documents for the team that owns the library. Essentially, I'd need this if statement:

If Target Audience=Null, view documents without a Target Audience, else
If Target Audience=Department, view document with a Target Audience=Department, else
If Target Audience=Team, view all documents.

Thanks for your help!

Joseph Jeethu said...

Hi Sarah,

So analysing the situation, you have basically 3 audiences. If you want to implement this the way I described in this post, which is the easiest and minimal-code solution, go for creating SharePoint Groups. I would create 3 SharePoint groups and add the appropriate AD groups/users to each; e.g. for the "Target Audience=Null" I would add "All authenticated" users to the SharePoint Group, and for the others I will add any AD group, or add them as users. After that, if you add the appropriate SharePoint groups to the Target Audience column, it should filter appropriately.

Again, this is how you can do it on a list, but for document libraries it could be straightforward: if you set permissions at the folder level, it will only show those folders as appropriate to the targeted audience.

Hope this helps.

Cheers,
Joseph

Anonymous said...

Wow, this is an awesome article, thank you!!

Trung Tran

Anonymous said...

I receive an error when I save the page after editing it. Why is this happening?

Joseph Jeethu said...

Could you tell me where you are getting the error?

Anonymous said...

I like this solution and it works for me. I would like to add another functionality that is to only show certain user groups in the group picker.
I tried storing groups in a different list and adding it as a lookup in the list, but when I do that this code does not work.
Any suggestions?

Joseph Jeethu said...

If your intention is to show the items to specific SharePoint groups, you could achieve this in the XSLT itself; you could filter it for groups here. Even though you store the SharePoint groups in a different list and reference it, this should work. Maybe I am not sure of the advantage of storing it in a different list.

Anonymous said...

I am trying to allow users to choose from a limited choice of user groups by displaying the SharePoint user groups in a drop-down.

Any suggestions how to combine this with your solution?

Joseph Jeethu said...

I did try to do something similar in this solution by showing a drop-down; however, I couldn't find any client scripts to fetch all SharePoint groups in a site, so I had to do it this way. However, you can always write a custom code solution to find all the SharePoint groups and show them in a drop-down.

Anonymous said...

Q: If someone knows the URL of an item displayed in the All Items view and has this item filtered out in their view, can they just paste the filtered URL in and edit the item, or will they be denied?

Joseph Jeethu said...

Every time a user comes to the system they will be taken to the --/Lists/Site/AllItems.aspx view; the moment the user is out of a specific user group the items will be filtered and restricted. However, there might be a chance that if the user finds the item URL and goes directly to it he might be able to see it; I have not tested that yet.