Automating item-level permissions in SharePoint document libraries and lists


Item-level permissions come in handy for a number of situations. Here are some examples and food for thought:

  • Travel plans are submitted to a list, but only the people named in its people columns (supervisor, director, traveler) are allowed to see the plan or find it by search.
  • Allow “content owners” to edit documents, and everyone else to view only.
  • Allow non-admin individuals to set editing permissions for documents or list items by populating a people column.

Using a SharePoint Designer 2010 Workflow and an impersonation step, we can:

  • Add list item permissions
  • Inherit list item parent permissions
  • Remove list item permissions
  • Replace list item permissions

This tutorial will use the “replace list item permissions” action. Whenever you’re replacing permissions, you must remember to INCLUDE YOURSELF or admin individuals in the replacement permissions or you won’t be able to access the content or help with troubleshooting. Let’s begin!

  1. Create a new workflow on the list or library whose items’ permissions you wish to alter
  2. Set the workflow’s “Platform Type” to SharePoint 2010 Workflow
  3. Click above or below the default “Step 1” box so you see an orange line outside the box
  4. Add an impersonation step
  5. Delete Step 1 (right-click gray header bar, click “delete”)
  6. Click inside the impersonation step so you see the orange line
  7. Click Action, then “Replace list item permissions” OR begin typing “replace” and hit enter
  8. Select the hyperlink called “these permissions”
  9. Select “Add”
  10. Select “Full Control” and then “Choose”
  11. Set yourself, and any other admins to this full control level (as well as anyone who, by workflow, should be granted full control of the list item or document)
    • To set a permissions group as full control such as Admin group, double-click “People/Groups from SharePoint site…” and search for the group name
    • To set a specific individual as full control, just search for their name or e-mail address and double-click
    • If the person(s) or group(s) that should have full control are in a people column in the list, do “Workflow Lookup for a User…” then select the relevant column. Leave the “return field as” set to “As String”
  12. Click “OK”
  13. Repeat steps 9-12 for all permission levels you wish to assign.
  14. Click OK until you’re back to the workflow editing screen with just your impersonation step
  15. Click “this list”
  16. Click “OK” to accept “Current item” as the item to be gaining new permissions
  17. Click “back” or the name of the workflow in the breadcrumb to see workflow settings
  18. Check all start options, if suitable. I tend to think it never hurts to make sure your permissions are accurate.
  19. Publish your workflow

The automation piece comes in here:

  • Set up if/then statements in your workflow to do different permissions setups conditionally based on content types, file names, departments, etc. (e.g. if the list item is related to R&D, assign permissions to those directors only)
  • Use people column(s) in your list or library that other people with proper permissions can update, then reference that column or those columns in your workflow to add permissions based on the columns’ contents (e.g. using “Workflow Lookup for a User…”, add permissions for each column such as traveler, supervisor and director)
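
The same “replace list item permissions” logic, including the conditional setup and the people-column lookups described above, as an added PowerShell example that is not part of the original post: it uses the SharePoint Server object model from the SharePoint Management Shell in place of the Designer workflow, with the script’s own admin account standing in for the impersonation step. The site URL, list title, group name and the column names (Traveler, Supervisor, Director, Department) are placeholders, and the script assumes it is run by a site collection administrator.

```powershell
# Added example, not code from the original post: "replace list item permissions"
# done with the SharePoint Server object model. Run from the SharePoint Management
# Shell as a site collection administrator (this is the impersonation step here).
# Site URL, list title, group name and column names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://intranet.example.local/sites/travel"   # placeholder
$listTitle  = "Travel Plans"                                  # placeholder
$adminGroup = "Travel Plans Owners"                           # placeholder SharePoint group

# Which people column grants which permission level. SPRoleType is resolved with
# GetByType, which does not depend on the display name of the role definition.
$columnRoles = @{
    "Traveler"   = [Microsoft.SharePoint.SPRoleType]::Contributor   # placeholder column
    "Supervisor" = [Microsoft.SharePoint.SPRoleType]::Reader        # placeholder column
    "Director"   = [Microsoft.SharePoint.SPRoleType]::Reader        # placeholder column
}

function Add-ItemRole {
    param(
        [Microsoft.SharePoint.SPListItem]$Item,
        [Microsoft.SharePoint.SPPrincipal]$Principal,
        [Microsoft.SharePoint.SPRoleType]$RoleType
    )
    $roleDef    = $Item.Web.RoleDefinitions.GetByType($RoleType)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Principal)
    $assignment.RoleDefinitionBindings.Add($roleDef)
    $Item.RoleAssignments.Add($assignment)
}

function Set-ItemPermissionsFromPeopleColumns {
    param(
        [Microsoft.SharePoint.SPListItem]$Item,
        [hashtable]$ColumnRoles,
        [string]$AdminGroupName
    )
    $web    = $Item.Web
    $admins = $web.SiteGroups[$AdminGroupName]   # throws if the group does not exist

    # Break inheritance but keep the parent's assignments for a moment, grant the
    # admin group Full Control, and only THEN strip everything else. This is the
    # post's "include yourself or an admin group" rule enforced in code: the item
    # is never left in a state where nobody can manage it.
    if (-not $Item.HasUniqueRoleAssignments) {
        $Item.BreakRoleInheritance($true)
    }
    Add-ItemRole -Item $Item -Principal $admins -RoleType ([Microsoft.SharePoint.SPRoleType]::Administrator)

    # Walk downwards because removing an assignment re-indexes the collection.
    for ($i = $Item.RoleAssignments.Count - 1; $i -ge 0; $i--) {
        if ($Item.RoleAssignments[$i].Member.ID -ne $admins.ID) {
            $Item.RoleAssignments.Remove($i)
        }
    }

    # Grant each person or group named in a people column its configured level
    # (the workflow's "Workflow Lookup for a User..." step).
    foreach ($column in $ColumnRoles.Keys) {
        $raw = $Item[$column]
        if ([string]::IsNullOrEmpty($raw)) { continue }   # empty column: nothing to grant
        # Parses single- and multi-value people fields ("5;#DOMAIN\jdoe;#12;#Group")
        $values = New-Object Microsoft.SharePoint.SPFieldUserValueCollection($web, $raw)
        foreach ($value in $values) {
            if ($value.User -ne $null) {
                $principal = $value.User                                 # a user
            } else {
                $principal = $web.SiteGroups.GetByID($value.LookupId)   # a SharePoint group
            }
            Add-ItemRole -Item $Item -Principal $principal -RoleType $ColumnRoles[$column]
        }
    }
}

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$listTitle]
    foreach ($item in $list.Items) {
        # Conditional setup as the post suggests: only items tagged R&D in the
        # placeholder "Department" column get unique permissions; anything else
        # goes back to inheriting from the list ("inherit list item parent permissions").
        if ($item["Department"] -eq "R&D") {
            Set-ItemPermissionsFromPeopleColumns -Item $item -ColumnRoles $columnRoles -AdminGroupName $adminGroup
        } elseif ($item.HasUniqueRoleAssignments) {
            $item.ResetRoleInheritance()
        }
    }
} finally {
    $web.Dispose()
}
```

Run it once to bring an existing list into line, then keep the Designer workflow (or a scheduled run of the script) for new and changed items. Because the admin group is added before the inherited assignments are removed, a typo in a people column costs you at most a missing grant, never a document that nobody can open.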

That’s it! You won’t need to do permissions manually again for these sorts of things if you can write a thorough and well-planned workflow to handle it for you, in combination with a list with appropriate people columns and settings suitable for your purpose. Feel free to comment any questions specific to your scenario and I’ll be glad to assist.