Last night we were talking about a customer scenario where we recently helped secure and control the values their users can see in a drop down list. Their users need to upload project documents to SharePoint and must choose a project name for each document from a drop down list, but some project names are considered sensitive and can only be viewed or selected by users with higher-level security clearance. It was an interesting, simple implementation that I thought I’d share.
The scenario was this (I’ve changed the example slightly to protect the innocent):
The customer has information workers who upload project documents to a SharePoint library and must select the project name associated with each document on upload. The project name is captured in a metadata field that every user is required to fill out from a predetermined list. However, some project names are considered sensitive and may only be seen by users with higher-level security clearance. So the question is: how do we enforce this kind of security within SharePoint on the values in a drop down list, and how do we manage it effectively as the list grows?
The solution we found was the following:
- We created a new SharePoint List called ‘Projects’ with 2 columns: Clearance and Project
- The Clearance column represented the minimum security clearance required by a user to access a particular project name, and the Project column represented the project names themselves
- We added all possible project names to this list along with their associated security clearance – here is an example of what this could look like:
- On the library to which users upload documents, we added a custom metadata column called ‘Project’ and configured it to retrieve its values from the Projects list above. To do this, go to Library Settings, click ‘Create column’, choose the column type ‘Lookup (information already on this site)’, select the Projects list in the ‘Get information from’ drop down, and select the list’s project name column in the ‘In this column’ drop down. Here is an example of what this would look like:
- We then configured TITUS Metadata Security on the Projects list so that permissions are applied automatically to each individual list item for specific Active Directory groups, based on the value of the Clearance column – our rules looked something like this:
1. If [Clearance] = ‘General’ then apply Read permission to AD Group : AllUsers
2. If [Clearance] = ‘Secret’ then apply Read permissions to AD Group: SecretUsers AND AD Group: TopSecretUsers
3. If [Clearance] = ‘Top Secret’ then apply Read permissions to AD Group: TopSecretUsers
The rules are cumulative because each rule names every group that should see that clearance level, not because SharePoint rolls permissions up on its own: a user with top secret clearance gets access to all project names, a user with secret clearance gets the generally available and secret names, and a user with only general clearance gets only the general names. Note that rule 1 grants the General names to AllUsers alone, so this only holds if every cleared user is also a member of AllUsers; check that group membership when you set the rules up.
The net result is that when a user uploads a document and is prompted for a project name, their Active Directory group membership and the permissions applied by TITUS Metadata Security automatically determine which project names are available to them in the drop down list.
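To make the setup concrete, here is an added PowerShell example that is not from the original post and is not TITUS code. It builds the Projects list, the lookup column on the library and the per-item Read permissions with the SharePoint Server object model, so the permission step is a scripted stand-in for the TITUS Metadata Security rules. It assumes an on-premises SharePoint Server farm, a site at the URL in $webUrl, a library called "Documents", and AD groups DOMAIN\AllUsers, DOMAIN\SecretUsers, DOMAIN\TopSecretUsers and DOMAIN\ProjectAdmins; the project names are constructed sample data.

```powershell
# Added example (not from the original post, not TITUS code): Projects list,
# lookup column and per-item Read permissions via the SharePoint Server object
# model, as a scripted stand-in for the TITUS Metadata Security rules.
# Assumed: on-premises SharePoint Server, site at $webUrl, a "Documents"
# library, AD groups DOMAIN\AllUsers, DOMAIN\SecretUsers,
# DOMAIN\TopSecretUsers and DOMAIN\ProjectAdmins.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl      = "http://intranet/sites/projects"   # assumed site URL
$libraryName = "Documents"                        # assumed library
$domain      = "DOMAIN"                           # assumed AD domain

# Clearance -> AD groups granted Read on items with that clearance.
# Higher-cleared groups are listed explicitly on every level they may see;
# SharePoint does not roll item permissions up, so "cumulative" is spelled out.
$rules = [ordered]@{
    "General"    = @("$domain\AllUsers")
    "Secret"     = @("$domain\SecretUsers", "$domain\TopSecretUsers")
    "Top Secret" = @("$domain\TopSecretUsers")
}

# Constructed sample project names for the walkthrough
$projects = @(
    @{ Title = "Intranet Refresh"; Clearance = "General" },
    @{ Title = "Project Falcon";   Clearance = "Secret" },
    @{ Title = "Project Aurora";   Clearance = "Top Secret" }
)

function Grant-ItemRole($item, $principal, $roleDefinition) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $ra.RoleDefinitionBindings.Add($roleDefinition)
    $item.RoleAssignments.Add($ra)
}

$web = Get-SPWeb $webUrl
try {
    # 1. Projects list: Title holds the project name, Clearance is a choice column
    $list = $web.Lists.TryGetList("Projects")
    if ($null -eq $list) {
        $listId = $web.Lists.Add("Projects", "Project names and required clearance",
                                 [Microsoft.SharePoint.SPListTemplateType]::GenericList)
        $list = $web.Lists[$listId]
        [void]$list.Fields.Add("Clearance", [Microsoft.SharePoint.SPFieldType]::Choice, $true)
        $clearance = [Microsoft.SharePoint.SPFieldChoice]$list.Fields["Clearance"]
        $clearance.Choices.Clear()
        foreach ($level in $rules.Keys) { $clearance.Choices.Add($level) }
        $clearance.Update()
        $list.Update()
    }

    # 2. Populate the list with the sample projects
    foreach ($p in $projects) {
        $item = $list.AddItem()
        $item["Title"]     = $p.Title
        $item["Clearance"] = $p.Clearance
        $item.Update()
    }

    # 3. Lookup column on the document library, pointing at Projects.Title
    $library = $web.Lists[$libraryName]
    if ($null -eq $library.Fields.TryGetFieldByStaticName("Project")) {
        $fieldName = $library.Fields.AddLookup("Project", $list.ID, $true)
        $lookup = [Microsoft.SharePoint.SPFieldLookup]$library.Fields[$fieldName]
        $lookup.LookupField = "Title"
        $lookup.Update()
        $library.Update()
    }

    # 4. Item-level permissions driven by the Clearance column: cleared groups
    #    get Read only; the admin group keeps Full Control to maintain the names.
    $reader = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
    $full   = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Administrator)
    $admins = $web.EnsureUser("$domain\ProjectAdmins")
    foreach ($item in $list.Items) {
        $groups = $rules[[string]$item["Clearance"]]
        if ($null -eq $groups) { throw "Unknown clearance on item $($item.ID); refusing to grant" }  # fail closed
        if ($item.HasUniqueRoleAssignments) { $item.ResetRoleInheritance() }  # idempotent on re-run
        $item.BreakRoleInheritance($false)   # drop inherited rights (the running account keeps its entry)
        Grant-ItemRole $item $admins $full
        foreach ($g in $groups) { Grant-ItemRole $item ($web.EnsureUser($g)) $reader }
    }

    # 5. Audit: print the resulting per-item ACL so it can be checked against the rules
    foreach ($item in $list.Items) {
        $acl = $item.RoleAssignments | ForEach-Object {
            "{0}={1}" -f $_.Member.LoginName, (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "+")
        }
        Write-Host ("{0,-18} [{1,-10}] {2}" -f $item["Title"], $item["Clearance"], ($acl -join "; "))
    }
}
finally {
    $web.Dispose()
}
```

Run it as an account with rights to create lists and manage permissions on the site. Unlike the TITUS rules, which the post says re-apply permissions as items are added, this script only sets permissions for the items present when it runs, so it would need re-running (or wiring into an event receiver) whenever a project name is added or its clearance changes; the audit printout at the end is what you compare against the three rules.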
The Metadata Security rules only apply Read permissions, so users can select the project names in the drop down list but cannot edit them if they happen to navigate to the Projects list itself. The SharePoint Administrator, or someone cleared to view and edit all project names, retains full control over them. One caveat: this controls which names a user can choose, but the chosen name is then stored as metadata on the document, so the permissions on the documents themselves must still prevent lower-cleared users from reading documents tagged with a sensitive project.
So, overall, this is a simple but powerful way of automatically controlling which drop down list items users are permitted to access.