Applying Item Level Permissions in SharePoint Libraries, Lists, Part 1

  • November 4, 2009
  • By Razi bin Rais
Every organization has its own policies and practices for IT security and governance, and when SharePoint comes into the picture, managing and applying those policies becomes even more important. This is mainly because rolling out a collaborative platform like SharePoint increases the organization's exposed surface area.

Many factors, both technical and non-technical, play important roles in managing and applying policies consistently. On the technical side, SharePoint Lists play a key role in persisting information, and organizational policy may require each item in a list to have unique permissions, depending on security requirements. This also means that SharePoint security should be aligned with organizational security policies, and that each and every item should follow the policy.

This article explains a scenario where a customized security model needs to be implemented while using a SharePoint List as the storage repository. The first part of the article details the scenario and the SharePoint constructs that can be used; the second part shows the implementation using the SharePoint Object Model. Let's start by looking at a business scenario and its special security needs. See Figure 1.

As shown in Figure 1, the user acts as the initial data entry operator and also selects the security group whose users will have rights to access the item. The alternative is to place the file in a folder whose name corresponds to the security group. This enables batch creation of items and saves time. There can be a couple of factors here, such as:

1. The items in the scenario refer to information that can be specialized to a specific business scenario. For example, in the case of HR, the items can be payroll entries for different departments, or maybe even files such as Excel documents.

2. Now comes the system part. As information is available to the system, it needs to maintain security for every item it stores. This affects all the operations on that item, including add, edit, and delete.

3. Lastly, the system should be able to keep up with changes and updates to the security of the item. For example, a change in a group should immediately take effect and restrict the previous group's users from performing operations (add/edit/delete) on the item.
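
One way the requirements above could be met with the SharePoint Object Model, as an added example that is not the article's own code: the item stops inheriting from the list, every existing assignment is removed, and only the selected group is granted rights. It assumes a text or choice column named `SecurityGroup` (a hypothetical name) that holds a site group name, and a caller with rights to manage permissions, such as an event receiver on the list.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not the article's code. ItemSecurity, RestrictToGroup,
// ResolveGroupName and the "SecurityGroup" column are hypothetical names.
public static class ItemSecurity
{
    // The group comes from the item's column, or from the name of the
    // folder the file was placed in (the batch alternative above).
    public static string ResolveGroupName(SPListItem item)
    {
        if (item.Fields.ContainsField("SecurityGroup"))
        {
            string selected = Convert.ToString(item["SecurityGroup"]);
            if (!String.IsNullOrEmpty(selected)) return selected;
        }
        return item.File != null ? item.File.ParentFolder.Name : null;
    }

    // Leaves exactly one group with add/edit/delete rights on the item.
    public static void RestrictToGroup(SPListItem item)
    {
        SPWeb web = item.ParentList.ParentWeb;
        string groupName = ResolveGroupName(item);
        if (String.IsNullOrEmpty(groupName))
            throw new InvalidOperationException("No security group for item " + item.ID);

        // Resolve the group first: SiteGroups[...] throws for an unknown
        // name, so a typo fails before any permission is changed.
        SPGroup group = web.SiteGroups[groupName];

        // Stop inheriting from the list without copying its assignments.
        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(false);

        // Drop whatever is still assigned (a previously selected group,
        // or anything else on the item) so old users lose access now.
        for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
            item.RoleAssignments.Remove(i);

        // Contributor covers the add, edit and delete operations.
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(
            web.RoleDefinitions.GetByType(SPRoleType.Contributor));
        item.RoleAssignments.Add(assignment);
    }
}
```

Calling `RestrictToGroup` again after the group selection changes replaces the previous group's assignment rather than adding to it.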
