Minimum Security Required For InfoPath Forms

I needed to meet a security requirement for an InfoPath form today.  In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience are allowed to edit it.  (This is new-hire on-boarding form used by Human Resources that launches a workflow).

To meet that objective, I created created two new permission levels ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create, update" user and a separate "update only" user.  The mechanics all worked, but it turned out to be a little more involving than I expected.  (If you feel a little shaky on SharePoint permissions, check out this blog post).  The required security configuration for the permission level was not the obvious set of granular permissions.  To create an update-only permission level for an InfoPath form, I did the following:

  1. Create a new permission level.
  2. Clear away all options.
  3. Selected only the following from "List permissions":
    • Edit Items
    • View Items
    • View Application Pages

Selecting these options allows a user to update a form, but not create it.

The trick was to enable the "View Application Pages".  There isn’t any verbage on the permission level that indicates that’s required for update-only InfoPath forms, but turns out it is.

Create-and-Update was even stranger.  I followed the same steps, 1 through 3 above.  I had to specifically add a "Site Permission" option: "Use client integration features".   Again, the description there does not make it seem like it ought to be required for an InfoPath form, but there it is.


Technorati Tags: ,

Leave a Reply

Your email address will not be published. Required fields are marked *