Views and Columns on Lists and Document Libraries Cannot Be Secured

UPDATE (02/29/08): This new CodePlex project seems to provide a method for securing individual columns: If you have any experience working with it, please leave a comment.

Forum posters frequently ask a question like this: "I have a manager view and a staff view of a list. How do I secure the manager view so that staff cannot use it?"

They also frequently ask a related question: "I want to secure a specific metadata column so that only managers may edit that column while others may not even see it."

These answers apply to both WSS 3.0 and MOSS:

  • SharePoint does not provide out-of-the-box support for securing views.
  • SharePoint does not provide out-of-the-box support for securing columns.

There are several techniques one can follow to meet these kinds of security requirements.  Here’s what I can think of:

  • Use out-of-the-box item level security.  Views always honor item level security configuration.  Event receivers and/or workflow can automate security assignment.
  • Use personal views for "privileged" views.  These are easy enough to set up.  However, due to their "personal" nature, these need to be configured for each user.  Use standard security configuration to prevent anyone else from creating a personal view.
  • Use a data view web part and implement some kind of AJAXy security trimming solution.
  • Roll your own list display functionality and incorporate security trimming at the column level.
  • Modify the data entry forms and use JavaScript in conjunction with the security model to implement column-level security trimming.
  • Use an InfoPath form for data entry.  Implement column-level security trimming via web service calls to SharePoint and conditionally hide fields as needed.
  • Roll your own ASP.NET data entry function that implements column level security trimming.

None of those options are really that great, but there is at least a path to follow if you need to, even if it’s hard.

NOTE: If you go down any of these paths, don’t forget about "Actions -> Open with Windows Explorer".  You want to be sure that you test with that feature to make sure that it doesn’t work as a "back door" and defeat your security scheme.
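
As an added example (not from the original post or from any SharePoint sample), here is one way to implement the first option above: a WSS 3.0 item event receiver that automates item-level security. The group name "Managers" and the Yes/No column "Confidential" are assumptions made for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical receiver: when a new item has its "Confidential" column set,
// stop inheriting the list's permissions and grant access only to "Managers".
public class ConfidentialItemReceiver : SPItemEventReceiver
{
    private const string ManagersGroup = "Managers";   // assumed site group
    private const string FlagField = "Confidential";   // assumed Yes/No column

    // ItemAdded runs after the item is saved, so the item briefly carries the
    // list's inherited permissions until this handler completes.
    public override void ItemAdded(SPItemEventProperties properties)
    {
        SPListItem added = properties.ListItem;
        if (added == null || !IsFlagged(added)) return;

        Guid siteId = properties.SiteId;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;
        string webUrl = properties.RelativeWebUrl;

        // The user who added the item usually lacks Manage Permissions, so the
        // change is made under the application pool identity. Objects must be
        // re-opened inside the delegate for the elevation to take effect.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                item.BreakRoleInheritance(false);  // do not copy the parent's assignments

                SPRoleAssignment assignment =
                    new SPRoleAssignment(web.SiteGroups[ManagersGroup]);
                assignment.RoleDefinitionBindings.Add(
                    web.RoleDefinitions.GetByType(SPRoleType.Contributor));
                item.RoleAssignments.Add(assignment);
            }
        });
    }

    // True only when the list has the flag column and it is checked.
    private static bool IsFlagged(SPListItem item)
    {
        if (!item.Fields.ContainsField(FlagField)) return false;
        object value = item[FlagField];
        return value is bool && (bool)value;
    }
}
```

Because the restriction lives on the item itself, every view, including "Open with Windows Explorer", honors it.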

If you have other ideas for or experiences with securing columns or views, please email me or leave a comment and I’ll update this posting as appropriate.

