Saturday, September 26, 2009

Column Level Permissions in MOSS 2007

SharePoint 2007 supports customizing security only to the level of row /item level. If you need column level security, SharePoint 2007 does not provide support for the same.

A work around is to set the column as hidden and read-only, preventing it from being displayed in New and Edit forms. Please note that this is not 100% secure and there are ways to update the values of the hidden columns. SharePoint allows the values for such read only columns to be updated by calling the list web service or through SharePoint Designer Workflows.

The requirement for our intranet portal was that users should not be able to manipulate a particular column through the UI. The security risk was considered acceptable.

The read only property is not exposed through the UI and needs to be set using the object model or calling the UpdateList method of lists.asmx web service.

Sample Code using lists.asmx:

var listService = new ListsWebService.Lists();
listService.Url = "http://vbnbred123/_vti_bin/lists.asmx";
listService.Credentials = System.Net.CredentialCache.DefaultCredentials;
string listName = "LeaveRequest";
string columnName = "LeaveStatus";

XmlDocument xmlDoc = new XmlDocument();
XmlNode updateNode = xmlDoc.CreateNode(XmlNodeType.Element, "Fields", "");
StringBuilder innerXMLNode = new StringBuilder("<Method ID='1'><Field ReadOnly='True' ShowInEditForm = 'FALSE' ShowInDisplayForm = 'True' ShowInFileDlg = 'FALSE' ShowInListSettings = 'True' ShowInNewForm ='FALSE' ShowInVersionHistory = 'FALSE' ShowInViewForms = 'TRUE' Type='Text' Name='");

innerXMLNode.Append("' DisplayName='");
updateNode.InnerXml = innerXMLNode.ToString();

listService.UpdateList(listName, null, null, updateNode, null, null);

The read only column values can be updated through the workflow, and I created a workflow using SharePoint Designer for my requirements.

I hope SharePoint 2010 provides this out of box and this work around is not needed.