InfoPath User Roles in Browser Forms (Part 1 of 2)
This blog post applies to the Enterprise version of SharePoint, not WSS or Foundation.
There’s a concept in InfoPath called “User Roles”. You can set up these roles, and when a person opens the form, the form knows if they belong to a certain role, and you can set up certain objects to hide or show in the form based on the user’s role, or switch to a view based on a role, etc. Each role that you set up can be defined by specific user names, Active Directory groups, or a person’s name from within the form, like this:
UNFORTUNATELY, there are a couple of limitations of this functionality in InfoPath.
- User roles are NOT available when creating browser-based forms. Therefore, if your form absolutely requires these, then all users who ever fill out this form will need to have the InfoPath software installed on their computers. This is a huge limitation in a lot of cases.
- User roles cannot be created based on SharePoint Groups, only AD groups.
There’s a blog post out there, that describes a a way to get around this limitation, and emulate user roles in a browser based form. BUT this method entails manually keeping up a separate SharePoint list where you define all of the users and their roles.
Today, I’m going to tell you about another way of using the currently logged in user’s information instead of roles, and this can be used in a browser-based form. This can be used with SharePoint groups, where the built in user roles cannot. The trick is a built in SharePoint web service called the user profile service. Lori Gowin blogged a while back about how to use this web service in order to auto-populate text boxes in any SharePoint form, with information about the current logged in user. My method entails using that same web service. Clarification: This doesn’t refer to ANY SharePoint group, this is only the “members” group that exists on each SharePoint site. There is another web service that can be used, UserGroup.asmx, in order to get the info about SharePoint groups in general, on a site.
There are a couple of very useful operations in the UserProfileService.asmx web service, so I’ll show you a couple of options (2 parts to this blog). In this example, you have a change request form. Site visitors fill out the form, and after they’ve filled it out, people in the IT department will have additional fields to fill in. We don’t want non-IT staff to see these additional fields, though. We will create another view in the form. This view will contain all of the original fields that were filled in by the originator, plus the additional IT fields. When the form is opened, we want it to automatically switch to this IT view when the logged in user is an IT person. The prerequisite is that there is a SharePoint group on your site called IT Group, and you are a member of it. Also, you’ll need a form with 2 views, one of them called IT Dept.
- Create a new data connection in the InfoPath form, to receive data. The source is a web service. (In SharePoint 2010, pick SOAP web service.) Click NEXT.
- Type the URL of the userprofileservice.asmx file. This is at the root of your SharePoint site, under the _vti_bin folder. Click Next.
- For the operation, click GetUserMemberships, and click NEXT.
- On the Parameter screen, just leave the default and click NEXT.
- Leave “store a copy of the data…” unchecked, and click NEXT.
- Leave “Automatically retrieve data when form is opened CHECKED, and click FINISH.
- Now, when someone opens my form, I want the form to automatically switch to the IT view if the user is in a SharePoint group called “IT Group”.
- In InfoPath 2010, click the Data tab in the ribbon, and click the Form Load button, which will bring up the Rules pane on the right.
- In InfoPath 2007, click the Tools menu and choose Form Options. Click the Rules button on the Open and Save section.
- Define the rule as so:
The condition is: Click the first drop-down box (the field name). Click “Select Field or Group”. In the drop-down for the data source, select GetUserMemberships, which was the first data connection that you created. Expand several levels and select the DisplayName field. Click OK.
- For the value, click “type text” and type IT Group, as so. Click OK.
- Click to add the Action. The action will be just to switch views.
- The action is just to switch views, so you’re done with the form open rules now.
- Now try it out. Publish the form. If you’re a member of the IT Group (SharePoint group), the form will now automatically switch to the IT Dept view when it opens.
Stay tuned for part 2 of this blog post, for another way to go about accomplishing something similar with this same web service.
Testing: This GetUserMemberships operation returns a list of all groups that the current user is a member of, SharePoint and Active Directory. In order to see exactly what is returned from this operation, here’s how you can do this. In the data source pane on the right side of InfoPath, click the Main drop-down box at the top of it and change the data source to GetUserMemberships. This will show all the fields. Expand several levels until you get to the one called MembershipData. Drag this whole group of fields onto your form, as a repeating table. Preview your form. This will show you a list of all the groups that you are a member of. You may need to increase the width of the Display name field, so that you can see all the values. You’ll also notice that there is a field called Source that shows whether each one is a SharePoint group (“SharePointSite”) or a Distribution list.
Clayton Cobb actually blogged about this exact thing last year: http://claytoncobb.wordpress.com/2009/07/19/infopath-user-roles-in-browser-enabled-forms-using-groups/ Maybe he had the same dream as you?
Great post, Laura. I blogged on a similar topic for InfoPath 2007. Perhaps it will be helpful to someone. http://coleshiflett.wordpress.com/2010/04/26/using-the-usergroup-web-service-and-infopath-2007/
Laura, thanks for sharing this. It looks like it might help solve some of my problems with regards to protecting some of the fields depending on which groups user belongs to. However, when setting this up I ran into a problem. GetUserMemberships method returns the list of sites that the user is a member of. What I need is for the web service to return the list of SharePoint groups that the user is a member of on this Site Collection (or site). Is there a way to do that? I tried using the UserGroup.asmx, but no luck.
Does this really work with the SharePoint Security Groups in the SharePoint 2010? I have followed your steps but it doesn’t seem like working at all…
Does User Profile Sync Service needs to run to use this in SharePoint 2010? Or, should User Profile Service would be enough?
I don’t understand whta you mean by Clarification: This doesn’t refer to ANY SharePoint group, this is only the “members” group that exists on each SharePoint site. I created a group called “Legal” instead of “IT” and gave them the Contribute permission level. I also have the default “Demo Members” group that was created when the site was created. So will this process not work if I’m using both groups?
I keep getting 500 internal server error. I tried to put this in the data connection in CA but sill no luck. I have a large farm but can’t figure out why it won’t work. Works in INFO Path Client
Beth, This method will only work with that “members” group (yours is called Demo Members). Paul, Could be that your firewall doesn’t like the web service call. Not sure.
I foloowed these steps and I am not getting any returned results from the service. Any ideas why nothing is coming back?
Hey Doug, Not sure, it could be a network or firewall issue. See if you get to this URL directly on the server, and then try it on your client machine and see if there’s a difference? http://yoursiteurl/_vti_bin/userprofileservice.asmx
hi Laura I tried the above, but I am getting the error 5566.. any idea..why..
I do not get the option to change views in the drop down.
Thanks for this post–very helpful, but I do have a question: Managers are both approvers AND claimants. How will the form know which view to display? Idea: perhaps the rule should also check for the status of the workflow? If it’s waiting for approval, then show the approval view. P.S. I’m using SharePoint 2010 / InfoPath 2010
Cally, I don’t know what that error is. Joey, What step are you on, did you already create multiple views, and what version of infopath are you using? Aaron, Sure, there is an endless plethora of different ways to go about this. Good idea!
laura, Thanks for the article.In this you have mentioned that it will work only for “members” group and also you mentioned that there is a SharePoint group called IT Group.so the users have to added to both of the groups?
Hi Laura. Long time listener first time caller!!! I’ve implemented this and I get everything. It’s quite easy really but; as the SharePoint admin with membership of a number of SP groups and a rediculous number of DL’s in AD, when I drag the ‘MembershipData’ group onto my form to view the resulting memberships, I only see one. Any ideas? I did this because the girls that need the view switching to be automated see the same as everyone else and they’re the only members of the DL that I’ve used in my ‘Form Load’ condition… Thanks in advance. (You’re cool)
Hi No3L, You’re probably seeing this behavior because it’s looking to see if you’re in the “members” group in any sites. Since you’re the admin, you probably have full control of most everything, so you’re not in most “members” groups.
Hi Laura, i am trying in vain to get this to work on the site, but cant. I have an infopath form, with several views, I have a test user as a member in a SP group called “group a”. I have set up the infopath form to switch to one of the views when a person in “group a” views the form, but the view is not changing, its still showing the default view, not the view I requested and furthermore when that person opens the form they get a drop down to change to any view they want (which I dont want). can you help. I notice when i try to use your “Test” option, i dont get anything returned at all Please Help!
i want to know that how can i enable the “User Role” button on the infopath 2010 ribbon under “Data” Tab.
Can we have more than one member group in the same site collection. I have a requirement where we need to have 3 views of the same form for differenet deparments. How to create separate member groups for each of the so that the getUserMemberships web method returns the correct groups in te respective cases?
Kizzie, It has to be the members group on the site, and there is only one members group. In sp2010, there’s actually an option to “set as default group”, which will let you pick a specific group to be the members group. Himanshu, This setting is disabled in browser-based forms. Debraj, Yes, each site can have a member group. Per site, not per site collection. I recommend using the Department field that already exists in the user profile. You can use the userprofileservice.asmx and pick the get user profile by name operation. then you’ll be able to look at the department field of the currently logged in user, and not have to worry about sharepoint groups.
Hi Laura. I use the getuserprofilebyname.asmx but i obtain the sharepoint site name. I want to obtain the active directory group name from the user logged on. Any idea?? Greetings and thanks for your help
Thanks for this blog post. I want to implement it, but we have AD setup on our domain controller, and are using SP2010 on a virtualized server separate from the DC. Can this approach be used? That is, can the AD groups from the domain controller be “seen” by SP2010?
hi, i am getting error ” An error occurred accessing a data source. An entry has been added to the Windows event log of the server. Log ID:5566 ” any idea how to resolve?
Aleds, That’s an awesome idea, but I don’t know of any way to do that. WebDBApps, I don’t know as much about troubleshooting that end of it, such as the communications between servers. http://www.toddklindt.com may be a better person to ask that. Jenny, Can you access it via your: http://yoursiteurl/_vti_bin/userprofileservice.asmx ? There are many many reasons why your InfoPath may not see the ups data. One I’ve seen recently was that anonymous authentication was enabled on the web app.
How will this work with permissions? I’m pretty new to infopath, but wouldn’t the form need to run at Full-Trust for the webservice to run no matter the user opening the form? You can’t run Browser based forms, full trust can you?
Aleds & Laura… Here is a post by clayton, about leveraging AD groups in browser based forms. I haven’t tried it out, but maybe this would help. http://claytoncobb.wordpress.com/2009/07/19/infopath-user-roles-in-browser-enabled-forms-using-groups/
Beau, Thanks, that link is also in the very first comment in this blog. I’ve never gotten that method to work, though.
I have the same problem as Joey. The pull down for Add actions in the Rules is missing Switch Views option although I have created 2 views in my form. I’m using InfoPath 2010.
DaveJ, where are you trying to add the switch view action? It can only be done in Form Load rules or in a button. It can’t be done on a regular field.
Beau, it isn’t related to permissions. Full Trust is not needed. Yes, you can create Full Trust browser forms.
Btw, everyone, this method (and mine) does not work for AD Security Groups in SharePoint 2010. I have a huge thread on the MSDN forums explaining why, and I have it submitted as a change request to Microsoft, which they acknowledge and will be doing. Until then, AD SGs do not show up in the UserProfileService.asmx, though Distribution Lists do work.
I am following the above for an urgent project I am working on using SharePoint 2010. Data–>Form Load. I set rules but switching is not working. My form is a browser based form. Any help Please
For troubleshooting, go to the Fields pane, take that whole membership table from step 8 and drag it onto the form. That way you can see exactly what the data is. If your view is not switching, then most likely your condition is not being met. I recommend troubleshooting the condition itself and taking a look at the values that it is comparing to make sure they do in fact match.
Laura, I’ve followed your steps and to troubleshoot, I dragged in the MembershipData as a repeating table at the bottom of my form. The Display Name column doesn’t show the name of the membership group, instead it shows the site name. In face, logged in as someone who should have very limited access, my list still shows a long list of sites that this user does not have access to. Any ideas?
Unfortunately, this solution appears to work differently in each different client environment that I work in. I guess it’s not the most reliable solution, which is frustrating.
Has anybody discovered why this doesn’t work for in some environments? It is not working for me either in SP2010. I am testing this on a site collection called Sandbox, so I am using the Sandbox Members group. I have also made sure this is the ‘default group’.
Sometimes accessing the user profile service as a web service like this doesn’t work in some environments because of issues with a firewall or VPN. I’ve come across one or two environments where this solution simply couldn’t be used.
I am trying to use root site location (../) for submiting an infopath form to a form library but it doesn’t work
i am using a development server if i am using full url of a form library sucha as
it cause problem when it move to Production
so could you please help me to resolve the problem and prove the ../ format for the above url
have you tried converting your submit connection to be a universal data connection? Those allow you to make it relative to the site collection. Right there in your list of data connections, click the one you want, and click to convert it. Then you just need to have a data connection library for it to be automatically put in.
i have a problem with using data connecting over web soap on getuserprofilebyname. when i publish my form, everytime i receive error 7893 dataconnection time out. on internet i found many many solutions but nothing. can you help me