How To: Adding List Item Permissions

  • This content uses the legacy Nintex K2 for SharePoint app. For more information about using the new Nintex Automation for SharePoint app, see Adding the App.

This article illustrates how to customize permissions on a SharePoint list item using steps in a workflow. The workflow steps remove existing permissions and then add different permissions for a single list item.

Configuring custom permissions for a list item
Configure List Item Permissions

Scenario

You work in Human Resources and have a SharePoint list of manager contact details. Each manager should edit their details whenever there is a change. However, managers should not view or edit another manager's details. To accomplish this, you adjust the permissions for each list item so that managers can only view and edit their own item.

Steps

In this scenario, you create a new list item for each manager. After you add a list item, a workflow starts. The workflow removes existing permissions and assigns edit rights to the manager.

Setup Steps

The following steps set up the scenario from start to finish. If you want to skip the setup steps and view the topic step, go to Add SmartObject Method Steps to Customize List Item Permissions.

  1. Create a SharePoint list called Manager Details. Use the table below as a guide for your list columns.
    Column Name | Type | Notes
    Title | Single line of text | Keep the default Title column. Change the column name to Manager Last Name.
    Manager First Name | Single line of text |
    Manager Full Name | Single line of text | You enter the manager's full name. This name must match exactly a user in your domain or environment. The workflow reads this username and assigns edit rights for the list item. This user can now edit their list item.
    Manager Department | Single line of text |
    1. Create a new list in your SharePoint environment. Name the list
      Manager Details.
      Open the list Settings.
      Open List Settings
    2. Edit the default Title column and change the column name to
      Manager Last Name
      then click OK.
      Change Title Column Name
    3. Add the remaining new columns using the table below as a guide.
      Column Name | Type | Notes
      Manager First Name | Single line of text |
      Manager Full Name | Single line of text | You enter the manager's full name. This name must match exactly a user in your domain or environment. The workflow reads this username and assigns edit rights for the list item. This user can now edit their list item.
      Manager Department | Single line of text |
    4. Your list columns should look like the image below.
      List Columns

  2. Review the inherited permissions for the list. Make a note of any groups that have edit rights. (If you are working on a K2-provided VM, you see Portal Members have edit rights.) In the image below, the MtOlympus Members group has edit rights. In a later step, you remove this group's permissions for a single list item.
    In the next step, you stop inheriting permissions from the parent site, which breaks the bond between the parent site permissions and the list permissions. It does not, however, remove permissions, but instead makes a copy of the existing permissions. The list's permissions simply become independent of the parent site.
    List Permissions
    1. Before you edit permissions in a workflow step, it is important to know what users and groups already have rights. By default, SharePoint lists inherit permissions from their parent site. In this demonstration, you break this inheritance, then add permissions at the list item level. From the List Settings page, click the Permissions for this list link.
      View List Permissions
    2. You see a list of users and groups with inherited permissions to this list. In the image below, the MtOlympus Members group has Edit rights to this list. In a later step, you remove this group and add user permissions specific to a single list item. Make a note of any users or groups that have edit rights to this list. (You must have the exact spelling of the users or groups.)
      Inherited List Permissions

    3. Click Manager Details under the Recent heading to return to your list.
      Return to List
  3. Create Data and Workflow application elements for the list. Keep the default workflow name (Manager Details Workflow) and change the workflow start rule to An item was added.

    Now that you have your SharePoint list ready, you can create application elements. Application elements include the core components: Workflow, Forms, Data, and Reports. This demonstration incorporates the Data and Workflow components.

    1. Click the List tab, then click the Application icon.
      Application Elements
    2. The Create K2 Application page opens. Select the Data (it should be selected by default) and the Workflow elements. Keep the default workflow name, Manager Details Workflow. Select When the following events occur > An item was added for how the workflow starts. Click OK.
      Create Application Elements
    3. The Workflow Designer launches. The welcome screen includes an interactive panel which you can navigate through by clicking the left and right arrows. You can also click Close to continue to the design canvas.
      Welcome Screen

Add SmartObject Method Steps to Customize List Item Permissions

The following steps illustrate how to customize permissions on a list item.

  1. Add a SmartObject step and configure the method to stop inheriting permissions on a list item by ID. This action breaks permission inheritance from the parent site. From the Context Browser, map the Manager Details > ID reference to the Input Mappings > ID. Rename the step Stop Inheritance.
    When using the stop inheriting permissions method, the system does not delete list item rights. Instead, they become independent of parent permissions. Use the remove permissions method to delete user or group rights.
    1. Expand the Toolbox, then expand the SmartObjects node.

      The Toolbox contains steps from which you build your workflow. A workflow is a sequence of steps which automates a business process when followed from start to finish.
      Expand Toolbox

    2. Navigate to your SharePoint list location. Your navigation structure is similar to: Toolbox > SmartObjects > SharePoint 2013 > [Your SharePoint Site] > Lists > Manager Details > Manager Details SmartObject.
      Navigate to SharePoint List
    3. Select the Manager Details SmartObject, then drag it into the empty placeholder on the canvas.
      Accessing the Toolbox
    4. Select the Manager Details step, then expand the Configuration Panel.
      The Configuration Panel allows you to configure and customize the steps you add to your workflow.
      Expand Configuration Panel
    5. The SmartObject value is Manager Details (the SmartObject you added to the canvas). For the method, select Stop Inheriting On List Item by ID.
      Select Method
    6. After you select the stop inheritance method, a new section appears: Input Mappings. There is a required value, ID. The workflow uses the ID to identify which list item you are configuring.
      Input Mappings
    7. Expand the Context Browser.
      The Context Browser contains variables, functions, and SmartObject properties. Variables, or references, are replaced at runtime with live data. For example, at runtime, the system replaces the ID reference with the ID of the current record.
      Expand Context Browser
    8. Expand the Manager Details reference. Drag the ID into the Input Mappings > ID box. The ID reference is the current record or list item.
      Map Reference ID
    9. Select the Properties tab. Change the name of the step to
      Stop Inheritance.
      Collapse the Configuration Panel by clicking the slider.
      Properties Tab
    10. At this point, the workflow breaks the permission inheritance for the current list item. The permissions remain in place; however, they are now independent of the parent site. The list item permissions no longer reference the parent site inheritance.
      List permissions inheriting from parent site
      List Permissions
      List item permissions independent of parent site
      List Item Permissions

  2. Add a SmartObject step and configure the method to remove permissions on a list item by ID. This action deletes a user or group from list item permissions. From the Context Browser, map the Manager Details > ID reference to the Input Mappings > ID. For the user or group, enter the name of the group with edit rights. (On a K2-provided VM, the edit group is Portal Members. The image below reflects MtOlympus Members.) Rename the step Remove Group.
    1. From the Toolbox > SmartObjects node, navigate to the Manager Details SharePoint list and drag another Manager Details SmartObject step below the Stop Inheritance step. Connect the two steps.
      To connect steps, hover over the bottom border of the first step until you see a handle appear. Click and drag the handle into the second step. Click the canvas to set the line.
      Connect Two Steps
    2. Select the Manager Details step, then expand the Configuration Panel. For the Method, select Remove User or Group Permissions From List Item By ID.
      Select Remove Method
    3. Expand the Context Browser. Drag the Manager Details reference > ID into the Input Mappings > ID box. You are referencing the current record or list item.
      Map ID Reference
    4. You want to specify the user or group to remove. In this demonstration, you remove the group with edit rights. In the next step, you add permissions for a single user. Now only the user (and users with full control) can edit the list item.

    5. Click the Add (+) icon under the Input Mappings heading. Select Specify Users and Groups.
      Specify User and Groups
    6. For the value, enter the name of the group with edit rights. (Recall that you reviewed the permissions for the list at the beginning of this demonstration.) For a K2-provided VM, this is the Portal Members group. The image below reflects a different environment where the edit group is MtOlympus Members. Your value may be different if working in another environment.
      Enter Group to Delete
    7. Click the Properties tab and rename the step
      Remove Group
      then collapse the Configuration Panel.
      Rename Step
    8. At this point, the workflow breaks permission inheritance from the parent site and removes the group with edit rights. If you find you have more than one user or group you need to remove, add additional SmartObject steps.
      List item permissions before workflow
      Permissions Before Workflow
      List item permissions after workflow
      Permissions After Workflow

  3. Add a SmartObject step and configure the method to add user or group permissions on a list item by ID. This action grants a user or group rights to the current record or list item. From the Context Browser, map the Manager Details > ID reference to the Input Mappings > ID box. Map the Manager Details > Manager Full Name reference to the Input Mappings > Specify Users and Groups box. For the Specify Permissions value, enter Edit. Rename the step Grant Permissions.

    The last action in this demonstration is to grant a single user edit rights to a list item. Keeping with the scenario, as a member of HR, you add managers to the Manager Details list. You want each manager to maintain their details. The workflow takes the value entered into the Full Name form field, then grants that user edit rights to the current record or list item.

    1. From the Toolbox > SmartObjects node, navigate to the Manager Details SharePoint list and drag another Manager Details SmartObject step below the Remove Group step. Connect the two steps.
      Add SmartObject Step
    2. Select the Manager Details step, then expand the Configuration Panel. For the Method, select Add User or Group Permissions To List Item By ID.
      Add User or Group Permissions
    3. The Input Mappings section appears. As with the previous two steps, you map the Manager Details reference ID to the Input Mappings ID. There are two other required values: Specify Users and Groups and Specify Permissions. For the user value, you map the Full Name from the Manager Details reference. When you add a new item to the list, you enter the full name of the manager. The workflow reads this name, then assigns rights to the user for the current record. For the second entry, Specify Permissions, you enter the permission level you want to grant the manager. For this demonstration, you grant Edit rights.

    4. Expand the Context Browser. Drag the Manager Details reference > ID into the Input Mappings > ID box. You are referencing the current record or list item.
    5. Drag the Manager Details reference > Manager Full Name into the Input Mappings > Specify Users and Groups box.
      Map Manager Full Name
    6. For the Specify Permissions value, enter
      Edit.
      When working with SharePoint lists and libraries, you must use known permission levels such as Full Control or Edit. Granting rights not recognized as a permission level causes errors at runtime.
      SharePoint Permissions
      Edit Permissions
    7. Rename the step
      Grant Permissions
      then collapse the Configuration Panel.
      Rename Step
    8. At this point, the workflow breaks permission inheritance from the parent site, removes the group with edit rights, then assigns edit rights to a single user.
      List item permissions after workflow
      Single User Permission

  4. Notes and considerations with this demonstration.
    • You must deploy the workflow prior to use.
    • To view permissions for a list item, navigate to the list settings page. Select the list permissions link. Select the show items link. Click a list item to view its rights.
    1. Deploying a workflow publishes it to the server and makes it available for use. Each time you make a change, you must deploy the workflow again so that the server records the change. To deploy the workflow, click File > Deploy. When you see the success dialog, click File > Close to exit the workflow designer.
      Deploy Workflow
    2. To view list item permissions, navigate to the List Settings page. Click the Permissions for this list link. Click the Show these items link in the warning box. Select a list item to view its permissions.
      View List Item Permissions

Review

SharePoint lists are convenient to use for most employees. By default, SharePoint lists inherit permissions from their parent site. At times, you may need to adjust permissions on a list. To accomplish this, use a SmartObject method in your workflow to disinherit or remove permissions, then assign specific permissions to a user or group.
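
The three workflow steps, modeled as an added Python example (not Nintex K2 or SharePoint API code) to show what is left on the item afterward: stopping inheritance copies every parent assignment, so any group other than the one you remove keeps its access. The Owners and Visitors groups, the manager name, and all function names are constructed for illustration; only MtOlympus Members comes from this article.

```python
# Added example: a model of the three workflow steps, not K2 or SharePoint API code.
KNOWN_LEVELS = {"Full Control", "Design", "Edit", "Contribute", "Read"}

def stop_inheritance(parent_acl):
    """Step 1: copy the parent's assignments; nothing is removed."""
    return {principal: set(levels) for principal, levels in parent_acl.items()}

def remove_principal(item_acl, principal):
    """Step 2: delete one user or group from the item's assignments."""
    item_acl.pop(principal, None)

def grant(item_acl, principal, level):
    """Step 3: add a permission level; unknown levels are rejected."""
    if level not in KNOWN_LEVELS:
        raise ValueError(f"unknown permission level: {level!r}")
    item_acl.setdefault(principal, set()).add(level)

def run_workflow(parent_acl, edit_group, manager):
    """Stop Inheritance, Remove Group, Grant Permissions, in that order."""
    item_acl = stop_inheritance(parent_acl)
    remove_principal(item_acl, edit_group)
    grant(item_acl, manager, "Edit")
    return item_acl

def audit_item(item_acl, manager, full_control_principals):
    """Return (principal, levels) pairs that break the scenario's intent."""
    findings = []
    for principal, levels in sorted(item_acl.items()):
        if principal == manager and levels == {"Edit"}:
            continue  # the manager may edit their own item
        if principal in full_control_principals and levels == {"Full Control"}:
            continue  # approved administrators keep full control
        findings.append((principal, sorted(levels)))
    if manager not in item_acl:
        findings.append((manager, []))  # the grant step did not take effect
    return findings

# Constructed sample: only MtOlympus Members appears in this article; the other
# groups and the manager name are assumptions for illustration.
PARENT_ACL = {
    "MtOlympus Owners": {"Full Control"},
    "MtOlympus Members": {"Edit"},
    "MtOlympus Visitors": {"Read"},
}

if __name__ == "__main__":
    acl = run_workflow(PARENT_ACL, "MtOlympus Members", "Denise Manager")
    for principal, levels in audit_item(acl, "Denise Manager", {"MtOlympus Owners"}):
        print(f"unexpected access: {principal} -> {levels}")
```

Each finding corresponds to one more Remove Group step to add to the workflow, using the exact group name from the list's permissions page.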