Rules based permissions

Home Forums General discussion Rules based permissions

Viewing 4 reply threads
  • Author
    Posts
    • #32198
      Mark Bassig
      Participant

        Hi Alexander. I had originally designed a database where individuals entered their own info so they can manage their own data however I was forced to compromise by prepopulating the groups data on their behalf so the group no longer have the option to manage their own data. Next, I had to open up the database to allow them to see their own data and others. To restrict users from opening not their own data in the display form, I am thinking about setting up rules based permissions. I am trying to make sense in the display form to setup 4 rules. First two rules are based on if their are a member of a sharepoint group. Third rule is based on the logged in user matching profile properties with a list item field value. Fourth rule restricts viewing based on the third rule for the logged in user profile property not matching with a list field value. Can you share with me how I go about setting up rules in such a way or if you have a better suggestion setting up permissions. Thank you in advance.

      • #32202
        Alexander Bautz
        Keymaster

          Hi,
          The first two rules (using the trigger “SharePoint group membership: Logged in user is member of group”) can be combined into one rule – just separate the names of the SharePoint groups with a | (pipe character).

          Third rule:
          I need to know what user profile property you are using and how it is stored in the form (the field it is checked against). When i get this info I’ll give you a code snippet you can use in your Custom JS to do this.

          Fourth rule:
          Not sure you need this one – the check is done in the third rule so you can do this from there.

          Not sure I understand how the first two rules interact here – should this work like if rule one OR two OR three is true the user can view the form?

          Alexander

        • #32204
          Mark Bassig
          Participant

            Hi Alexander,

            I’ll preface that I entered the user’s email (email field located in a tab only accessible by an administrator) info into a list item. In reference to the third rule, logged in user’s work email is checked to match email in the database.

            As for the first two rules relooking at the groups’ rights who are administrators, they are essentially the same so they can be combined as one rule.

            The interaction is logged in user is part of the administrators group and/or the logged in user (work email and database email match) are able to view the list item. If logged in user is not part of the administrator group and/or logged in user (work email and database email does not match) are not able to view the list item.

            I apologize ahead for introducing another element in this concerning the edit form. The same rules can be applied to access the list item in edit form.

            Thank you. Much appreciated.

          • #32214
            Alexander Bautz
            Keymaster

              I have show an example on how you can use user group and people picker rules here: https://spjsblog.com/2019/02/17/dffs-example-limit-access-to-form/

              This will however not work with checking the user profile so in your case you should use custom js like the below example (no rules are involved, only custom js).

              jQuery("#part1, #s4-ribbonrow").css("visibility", "hidden");
              var checkAccessDlg = spjs.modal.add({
                  "title": "Checking permissions...",
                  "html": "Please wait while your permissions are checked.",
                  "showClose": false,
                  "allowMaximize": false,
                  "resizable": false
              });
              
              function dffs_ready(){
                  var accessGranted = false;
                  if(spjs.dffs.verifyGroupMembership(["DFFS Admin group"])){
                      accessGranted = true;
                  }else{
                      var currentItemEmail = getFieldValue("EmailAddress");
                      var userEmail = spjs.utility.userProfile().WorkEmail;
                      if(currentItemEmail === userEmail){
                          accessGranted = true;
                      }
                  }
                  if(accessGranted){
                      spjs.modal.cancel(checkAccessDlg);
                      jQuery("#part1, #s4-ribbonrow").css("visibility", "visible");
                  }else{
                      spjs.modal.add({
                          "title": "No access",
                          "html": "You don't have permissions to view this item.",
                          "showClose": false,
                          "allowMaximize": false,
                          "resizable": false,
                          "ok": function(){
                              if(GetUrlKeyValue("IsDlg") === "1"){
                                  window.frameElement.cancelPopUp();
                              }else{
                                  window.history.back();
                              }
                          }
                      });
                  }
              }

              In this example I have a SharePoint group named DFFS Admin group – replace this with your group name or ID in the snippet. Also change the field name EmailAddress with your email address field internal name.

              Let me know how this works out.

              Alexander

            • #32249
              Mark Bassig
              Participant

                Hi Alexander,

                Thank you for this. This worked for me.

                So far, I am not seeing someone able to use a workaround to see another’s list item.

                • This reply was modified 3 years, 10 months ago by Mark Bassig.
            Viewing 4 reply threads
            • You must be logged in to reply to this topic.