Setting Permissions on SharePoint Views
Here’s a little hack that you can do, in order to create permissions on views of any list or library. I’m not going to say this is the most pretty or perfect solution, but it’s at least a way to accomplish this. It gets asked all the time. “How can I set permissions so that only certain people can see certain views of my list?”
Maybe you have a situation that the default view of a list shows users only items that they’ve created, or only items in a certain filter like by department. That’s the only view that you want most users to see, except maybe “Managers” get an additional view with information pertaining to them. Anyway, here’s how you can do it. First, the high level:
- Create a library to put web part pages in.
- Create a new web part page in that library
- Insert a data view web part of your list on the web part page
- In the data view properties, turn on the SharePoint list toolbar and SAVE
Now, when you go to the regular default view of your list or library, you will see a new view in there with the same name as your list. Clicking on this view name will take you over to the web part page you created. This hack will allow you to change the permissions on your web part page. The resulting behavior is that users who click on that view name and don’t have access to that aspx web part page will get an access denied message. I know, it’s really disappointing that the “view” drop-down box isn’t security trimmed. Now, if you’re still interested, here are all of the steps to follow:
- Create a document library on the site called “Views”.
- Create a blank web part page, preferably using the method in my previous blog post Create a Web Part Page WITH a Quick Launch Menu and save that web part page in the doc library from step 1.
- In SharePoint Designer, open this new blank web part page. Click the Data View menu and click Insert Data View.
- Click the list or library, click Show Data, and select the fields you need and drag them into the web part zone. (If you need more help with inserting web part basics, check out my data view web part series of videos)
- Open the Data View Properties screen. On the General tab, put a check next to the SharePoint List Toolbar. Click OK.
- Click File and Save As, and save it to the document library created at step 1. Close SharePoint Designer.
- This is probably something a lot of you have noticed before. Now, your list will have a new view in the list of views, that has the same name as the list itself. You can go to the document library settings, scroll all the way down to the Views section, and click on that view and rename it.
Here’s what you can do with this weird little hack. Notice that now when you click on that view name in the regular list, it takes to over to that web part page and the data view web part you created… over in that other document library called “Views”. This gives you the ability to set permissions per view! In the Views document library, click the drop-down box on that ASPX page that you created, and click Manage Permissions. Assign permissions to only the people who should have access to this view. Note that this is not a substitute for item level permissions. Users could technically still go to any of those list items, so this solution is not feasible in a high-security situation.
The end result is that each view that you create as a web part page is listed in the View drop-down box of the list or library, and people who don’t have access to that view ASPX page will get an Access Denied page if they try and click on it.
Again, this is not a perfect solution, but it gives at least some way to accomplish “view permissions”. Try it out and see what you think.
Interesting. Very interesting. Does it matter what the page filename is? What if you wanted two of these “views”? Another way to do this would be to create a view the normal way, then replace the LVWP with a DVWP which checks the PermMask for the current user and adjusts accordingly. This would keep the user from seeing Access Denied if you handled things gracefully. M.
Great hack! It certainly gets the job done.
Marc, No, the filename doesn’t matter, and yes, you can create as many views as you want. Your suggestion… would that PermMask be just for the View drop-down box?
Another way would be to modify the view and change Target Audience on LVWP, the drop down would still show but nothing would be returned.
Marc, No, no alerts… The point of this post is that the permissions aren’t on the list items, just on the views, so PermMasks stuff and list permissions aren’t applicable.
Laura, Very nice article. First of, thank you very much for saving a lot of effort in meeting a very specific requirement. I created the page and added the DVWP and saved to the document library. I dont find the “new view” added to my list in the views menu. I dont see that in the list of views in list settings menu either. Did I miss something? Appreciate your help and guidance, thanks Srinivas
Great effort… Would I be correct to say therefore that it is DVWP views that this method controls, not the original views of the List?
I’m teariing my hair out over item permissions… would really really really apreciat your advice… I think I must resort to this ‘hack’ in order to restrict my users from being able to see other people’s vacation requests but still allow managers to see all items. so I’m using the fab 40 absences tracker – how do I set up permissions? Users should only be able to edit their own but view all? My main issue is that I allow people to enter time for other people (like if someone is sick, the manager just enters the time but I still want the users to be able to see their total days. Is that correct? Not Ideal but I’m no expert and although I’ve received expert help with event receivers and item level permissions I’m just not there yet.
I have created the page, added the data view webpart. Saved the page but it doesn’t show up in the views drop down. Did I miss something?
Ive found a bullet-proof 100% secure way to solve this that doesnt need SD. This approach first makes the list only accessible via personal views. We then customise a personal view for each user, and finally secure the list by preventing the user from changing their personal view. 1. As Site Admin user, copy a suitable permission level (eg Limited Contribute) for the list, but uncheck the ability to manage personal views (down the bottom) and name it “Limited Contribute – default view only”. 2. Modify the default “All Items” view by adding the filter “ID, is equal to, 0”. This view no longer displays anything. 3. Now set permissions for the list from List Settings – add the people (not groups) who get access to the list and initially give them “Limited Contribute” so they can all still create a personal view. 4. This is the tedious part. Login as each user one by one. Create a Personal view for the current user based on the “All Items” public view. Remove the “ID is equal to 0” filter and add the filter constraints you want to apply for this particular user. Even if all users have the same filter constraint you have to do this once for each user, as they all get independent personal views. 5. Login as site Admin and bulk change all the users permissions to the permissions set “Limited Contribute – default view only” that prevents them managing Personal views. 6. Hey presto, its done! You can mix permission sets too – just make sure you remove the ability to manage personal views for each user or the list security is lost.
Hi Laura, Was the instruction intended for Designer 2010 or for 2007? I was able to follow every step listed using Designer 2007; However, I noticed that after I checked the “SharePoint List Toolbar” and then click OK (Step#5), there’s an error “Error Rendering Control” on the Web Part. Then I went and click on the view from the View Library, but I got “An unexpected error has occurred” page and the view doesn’t get displayed. I appreciate all your help. Bora
Thanks for taking the time to document your thoughts. However I like quite a few other people here followed the instructions word for word and there was no list that appeared for me either? I am guessing you are making tiny assumptions in your instructions that we are not privy to?
Bora, Richard, and anyone else who is confused, This blog post is really pointing out a weird behavior that I found, and is not necesarily a best practice. Here’s what I do as a standard: create a document library and create a new web part page in the library for each view I’ll need. Put the web part of my list on each of these aspx pages, and set item level security on each of these pages. You can change the web part settings to put a # in the “title url” field so that people can’t click it to get to your list or library.
Wouldn’t it be easier to create a new view using standard view creation methods and then using SPD move that view out of the the list and into the Views folder that was created?
Aaron, Just like I stated at the beginning, this is not the most pretty of perfect solution. There are plenty of better ways. 😉 Oh, and of course, I’ve learned so many more different ways since back in the day when I wrote this post.