I needed to meet a security requirement for an InfoPath form today. In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience are allowed to edit it. (This is new-hire on-boarding form used by Human Resources that launches a workflow).
To meet that objective, I created created two new permission levels ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create, update" user and a separate "update only" user. The mechanics all worked, but it turned out to be a little more involving than I expected. (If you feel a little shaky on SharePoint permissions, check out this blog post). The required security configuration for the permission level was not the obvious set of granular permissions. To create an update-only permission level for an InfoPath form, I did the following:
- Create a new permission level.
- Clear away all options.
- Selected only the following from "List permissions":
- Edit Items
- View Items
- View Application Pages
Selecting these options allows a user to update a form, but not create it.
The trick was to enable the "View Application Pages". There isn’t any verbage on the permission level that indicates that’s required for update-only InfoPath forms, but turns out it is.
Create-and-Update was even stranger. I followed the same steps, 1 through 3 above. I had to specifically add a "Site Permission" option: "Use client integration features". Again, the description there does not make it seem like it ought to be required for an InfoPath form, but there it is.