Tagged: dffs security permissions
August 11, 2018 at 13:34 #21784
First, I wanted to say great job with DFFS. Talk about one heck of a powerful tool.
DFFS saves all of its settings/configurations in a list. In order for any user to be able to use a list that is configured with DFFS, they must have, at minimum, read access to the list items in the DFFS list that contains the settings/configurations for it.
- You cannot remove read permission from the DFFS list because the user needs it for DFFS to be able to read it.
- You can “hide” the list view web part using targeted audience settings but this is a rather weak control as any user with programming knowledge can use REST/SOAP to retrieve the data from the site/list.
- You can hide the entire list from the browser but you can still pull data from it using SOAP/REST.
Any other ideas/thoughts?
How can we secure the DFFS list so users cannot read data from it while still using lists that are configured with DFFS?
August 11, 2018 at 15:20 #21786
Thanks for the beer!
If you restrict the regular users so they only have read access to the configuration list, I believe you should be OK because the contents of the configuration don’t contain any list data from the forms filled in with DFFS – it’s only the field names and configuration for tabs, rules and Custom JS etc. used to build the form and nothing that can reveal the actual contents of the list items in the DFFS enabled lists.
Let me know if you have any further questions.
August 11, 2018 at 18:52 #21794
The issue is that there is a requirement to hide the configuration/settings from the user. I know there is nothing dangerous/risky but that is the requirement we have.
August 11, 2018 at 19:47 #21796
I cannot really see why this requirement would apply to DFFS as no compromising data is served from the configuration list. It would be another matter if the actual form contents were saved in this “blob” and were accessible in the list.
Just to clarify in case your super needs it: In case you, for example, set item level security on a list item in your DFFS enabled list, there is no way to get access to the form contents through the configuration list.
August 11, 2018 at 20:18 #21798
I thought I’d check with you to get your perspective on this. I appreciate your help sir.