Forms and security. It is a common requirement to have a form that can be filled out, and when it is submitted, it goes to a location that the form submitter does not have access to. This is tricky because the users need to have contribute access to a list or library in order to create new items in it, but then if they can do that, they can access everything else in the library. There are many variations of this requirement, but in this post, I'll show how it can be done in a pretty simple way.
General overview: This concept works with either a list or a library (I'll just use the term "list" in this overview, to get the general point across). Create a content type. Create two lists and add the content type to both. List A, "New Items", is where anyone on the site can create items, and List B, "Locked List", is locked down so that only managers have permission to access it. When a new item is created in "New Items", a SharePoint Designer workflow runs an impersonation step that copies the item over to the "Locked List" and then deletes it from the original list.
This solution can be done out of the box with SharePoint 2010 (any version), and SharePoint Online with Office 365.
Since InfoPath is the most common thing that I use to create forms, and I get asked about this a lot, I'm going to use an InfoPath form in my example here.
1. If you don't already have a document library on your site called "Form Templates", go ahead and create it.
2. When you publish your form to SharePoint, instead of publishing it directly to a form library, publish it as a content type. (If your form has been published as an administrative template, that works too; it's just less common.) Click Next.
3. Choose Create a new Content Type, and click Next.
4. Name your content type after the form. Mine is Check Request. Click Next.
5. On the screen where you specify a location for the form template, click Browse. Select the Form Templates library on your site and give your form a name. I called mine CheckRequest.xsn. Click Next.
6. Pick the fields that you want to become columns, and click Next. Click Publish, then Close.
7. Create two new form libraries: "New Check Requests" and "Locked Check Requests".
8. Go to the Library Settings screen of New Check Requests, and click Advanced Settings.
9. Change Allow Management of Content Types to Yes. Click OK.
10. On the Form Library Settings screen, click Add from existing site content types.
11. Click Check Request (or the name of your own content type from step 4) and click the Add button to move it to the right side. Click OK.
12. Click the "Form" content type, and click Delete this content type.
13. Go to the Library Settings screen of Locked Check Requests and repeat steps 8 through 12.
14. In your InfoPath form, make sure that the Submit data connection is set up to submit forms to the New Check Requests library.
15. Open your site in SharePoint Designer, and create a new workflow based on the New Check Requests library.
16. Name the workflow New Check Request, and click OK.
17. Put your cursor underneath the Step 1 box, and click the Impersonation Step button in the ribbon.
18. Delete Step 1. Put your cursor inside the Impersonation Step and add the action called Copy List Item. Then add the action Delete Item below it.
19. Set up the copy so that it copies from the current list over to Locked Check Requests, then make it delete the current item.
20. Click Workflow Settings in the ribbon. Under start options, check only Start workflow automatically when an item is created.
21. Publish the workflow.
Okay, it's done now. The key here is that the permissions are set up as follows:
- People who need to be able to fill out the form: give them Contribute permissions on the New Check Requests library. Do not give them any permissions on the Locked Check Requests library at all.
- People who need to be able to access the whole list of submitted forms: if they need to modify the forms that have been submitted, give them Contribute access to the Locked Check Requests library. If you only want them to be able to see the submitted items and not change them, just give them Read access.
- The key here is that when the workflow copies items from one list to another, it runs under the login of the person who published the workflow. The best practice for workflows with impersonation steps is to publish the workflow as the SharePoint admin account, and not someone's personal account. You know, just in case. You wouldn't want someone to leave the company and then none of the workflows function anymore, right?
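As an added example (not from the original post), the following PowerShell script applies and then verifies the library-level permission model above using the SharePoint 2010 server-side object model. The site URL and the two SharePoint group names ("Check Request Submitters", "Check Request Managers") are placeholders you would replace with your own; it assumes it runs on a SharePoint 2010 server under an account with rights on the site.

```powershell
# Added example: set library-level permissions for the two-library pattern and
# confirm that form submitters have no access at all to the locked library.
# Assumed: SharePoint 2010 server-side object model; site URL and group names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web        = Get-SPWeb "http://intranet/sites/finance"            # placeholder site URL
$newLib     = $web.Lists["New Check Requests"]
$lockedLib  = $web.Lists["Locked Check Requests"]
$submitters = $web.SiteGroups["Check Request Submitters"]          # assumed group: people who fill out the form
$managers   = $web.SiteGroups["Check Request Managers"]            # assumed group: people who review submissions

function Grant-LibraryRole($lib, $principal, $roleName) {
    # Bind one role definition (Contribute, Read, ...) to a principal on a single library.
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
    $lib.RoleAssignments.Add($ra)
}

function Test-NoAccess($lib, $principal) {
    # True when the principal has no role assignment of any kind on the library.
    $hit = $lib.RoleAssignments | Where-Object { $_.Member.ID -eq $principal.ID }
    return ($hit -eq $null)
}

# Stop both libraries from inheriting site permissions. $true copies the site's
# assignments first so the admin who publishes the workflow is not locked out.
foreach ($lib in @($newLib, $lockedLib)) {
    if (-not $lib.HasUniqueRoleAssignments) { $lib.BreakRoleInheritance($true) }
}

# Submitters: Contribute on the intake library only.
Grant-LibraryRole $newLib $submitters "Contribute"
# Managers: Contribute on the locked library (use "Read" if they should only view).
Grant-LibraryRole $lockedLib $managers "Contribute"
# Remove any submitter access that was copied over to the locked library.
$lockedLib.RoleAssignments.Remove($submitters)

# Verification: the locked library must not list the submitters at all.
if (Test-NoAccess $lockedLib $submitters) {
    Write-Output "OK: submitters have no access to '$($lockedLib.Title)'"
} else {
    Write-Warning "Submitters still hold a role assignment on '$($lockedLib.Title)'"
}
$web.Dispose()
```

Two things the script does not cover: submitters also need Read on the "Form Templates" library so the form can open, and Contribute on New Check Requests lets a submitter see and edit any item that is still there, so the window between creation and the workflow moving the item is the exposure to keep short.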
Again, to reiterate: this is just the simplest way to accomplish this goal. Of course, with impersonation steps in a workflow, you could change the permissions on each individual item in the list or library via the workflow. It just gets kind of messy and hard to manage when you start delving into individual item permissions. The method in this blog post is simple because the permissions are set at the library level.
Keep in mind that with some list types in SharePoint, such as a custom list, there is an item-level permissions setting in Advanced Settings that you can use instead. Unfortunately, this setting just doesn't exist in libraries.
Note: If people will be modifying the submitted forms after they have been moved to the Locked Check Requests library, there is one more important consideration: the submit data connection. You'll have to create another submit data connection that submits to Locked Check Requests, because you probably don't want to end up with a bunch of duplicate files. There just needs to be a condition that checks whether this is a form that has already been submitted once. So, for example, you can create a field called "FormStatus". When the submit button is clicked, add an action to set a field's value, setting FormStatus to Submitted. That way, you can create a condition so that if a form has already been submitted initially, it gets submitted to Locked Check Requests instead.