Mimicking Column Security
One of the most common questions I’ve ever gotten in my ten years using SharePoint is:
“How can I set a certain permission on a specific view or column (field)?”
In this blog post, I will start with a couple of very simple ways to do this, which can easily ramp up to some more fancy / tricky ways. This is actually really easy with InfoPath, but I’m not going to use it in this example. Just remember:
SECURITY DOES NOT ACTUALLY EXIST ON A VIEW OR COLUMN.
The things I’m going to show you are ways you can mimic security and obfuscate some things. This post is applicable to all versions of SharePoint and SharePoint Online in Office 365.
Here’s the example I’m going to use. We’ll do a “Computer Issues” list, using the Issue Tracking list template (App). A lot of times, people want an end user to be able to fill out a form, but they want certain fields to be unavailable in that form. Think about any form where you’ve seen “Office Use Only” at the bottom. When filling out a help desk request, we want them to be able to describe what’s wrong, and give it a category, but we don’t necessarily want them to be able to fill in the Assigned To and Due Date, and a couple of other things. Here’s what the default “New Item” form looks like. I have put red X’s on the fields that we don’t want end users to see, but we want someone else filling it out later.
- Go to your list settings, and in the advanced settings, change Allow Management of Content Types to Yes.
- Back on your list settings page, you’ll see a new section in there called Content Types. Now, this part will look a little different depending on what kind of list/library template you’re using, but since mine is an issues list, it has Issue as the only content type listed in there. Click Issue (or whatever yours is).
- Click the Assigned To field (this is the first one I want to hide). Change it to Hidden, and click OK.
- Go to each of the column names that you want to hide, and do step 3 for each one. Then, your list of columns in the content type will look something like this:
- Now, next time you are in this list and click the New Item button, this is what the form will look like:
- Pretty simple so far, right? Easy for the end users to fill forms out, but now what about those other people who need to be able to fill out other fields. THERE ARE MANY WAYS TO DO THIS. I’m just initially going to show you a pretty simple way. First of all, there are the views. We did not delete those columns, we simply hid them from the form. We want people to be able to see their own issues, but not edit (or not even see) certain columns, and we want them to still be able to know what their statuses are.
Create a view called “My Issues” if there isn’t already one, and set the filter so that they only see stuff pertinent to them. Make it the default view.(If you don’t know what a view is or how to modify it, here’s a reference.)
- Once that view has been set as the default, delete all of the other views. We want people to see a certain subset of information, and not the list of absolutely everything in the list or library. We also need to make sure that they can’t create their own personal views there as well. You can make a copy of the default permission level called Contribute, and call the new one “Contribute but no views” or something, and just remove the ability for people to be able to create their own personal views.Note: You can even remove the ability for people to create alerts for themselves on that list as well, because a SharePoint alert would send them a lot of info that you may not want them to see. (If you did this though, but still wanted them to be notified about the status of their ticket, then you’d have to create a workflow that sends them an email instead.) You can just apply that permission level to certain people just on that one list. Like, you’d want general users of the site to have this new permission level on the list, but for the people who are working tickets, you can let them have the “Contribute” level.
Here are the items that I unchecked in this permission level:
Reference: More on permission levels here.
- Next, this is where we address the concept of security on a view. At the top right of your site, click the Gear, and choose Add a Page. Name it Full Issue List, or something to that effect.
- On your new page, click the Insert tab in the ribbon, and choose Web Part. Find the name of the list or library that you’re working with in this example, click the name of it, and click the Add button. I called mine Computer Issues.
- There, now you have your list right there on this special page. You can edit this list web part to make it show any columns you want to show, and make it show all of the items with no filter.
Reference: Using the List View Web Part
- This next step is important. The way that we’re putting security on this view, is by putting security on this specific page that we just created. Save the page, then click the Page tab in the ribbon. Click the View All Pages button.
- This takes you to a library. If this is a publishing site, it will be called Pages, otherwise it will be called Site Pages. You’ll see the name of the page you just created listed here.
- Click the little ellipsis (…) next to your new page (Full Issue List), and choose Shared With.
- Click the Advanced button.
- Click Stop Inheriting Permissions at the top, and click OK.
- Here is where it will be a bit unique to your specific solution. I want the IT department to be able to see this page, but not anyone else, especially not the end users. I’m giving the IT department Read permissions on this page.
REMEMBER: This permission is on the page itself, that shows the view of the list. This is not the permissions on the list itself. So you’re probably thinking you need to give the IT department “Contribute” here, but they don’t really need it.
- Now you need to give the IT department a link to this special page. You don’t want them to have to click Site Contents –> Site Pages –> and then click on this page to open it. Here’s a quick way to get the URL (link) to this page, so you can stick it in the navigation or on the homepage or wherever. Look at the screenshot above in step 13. That little box that has the text that starts with http://… That’s the URL, so you can select it and copy it to your clipboard.
- Okay, so what about the part where we want the IT department to be able to edit certain columns that other people can’t see on the form? Here’s the super easy version. Go to your super secret page (Full Issues List). On this page, you can edit the view in this web part, add columns for all of the things users couldn’t fill out in the initial form, such as Due Date and Assigned To.
- When the IT department people go to this page, they can click on a row, and click the List tab in the ribbon. When they click Quick Edit, there’s where they can edit all of the values in those columns!
- This is what Quick Edit (datasheet view) looks like. Like a spreadsheet.
Note: If you want to default it to this Quick Edit mode, you’d have to create that as a view on the list, then pick that view from the web part settings, then go back and delete the view from the list.
So far, we’ve created a list with a simple form that users can fill out, and a separate, secret view that only certain people can get to, with the additional fields to fill in. What about having certain fields on the actual form show up according to a certain status of the item? I wrote a blog post a long time ago, called Using Content Types as Statuses, which is still applicable today, with all versions of SharePoint and Office 365. This will take you farther into the concept. There are still more advanced ways to do some of this stuff, but I thought this post would at least get you going with some ideas.
Another thing to remember is that a lot of list types have a setting in them called Item-level Permissions, which is just a setting in the list’s advanced settings. This doesn’t exist in libraries, though, and doesn’t exist in some templates like the Issue Tracking one I used in this example. This is helpful in ensuring that users can’t see stuff in the list that doesn’t pertain to them, or that they can only edit their own things and not others’
Here is the recording of the SharePoint Power Hour, where I did a demonstration of this whole thing, with lots of extra tips and tricks!