savic7uk

How can I create a hierarchy like this in SharePoint?

Hi everybody,
My English may not be the best you've read so far, but I'll do my best to describe this.

So the scenario goes like this:
ADMINISTRATION(Administrator)
            AREAS(AREAS_USER)
                  AREA 1 (AREA1_USER1, AREA1_USER2)
                        COMPANY 1(COMP1_USER 1, COMP1_USER 2)
                              Department 1 (DEPT1_USER 1, DEPT1_USER 2)

                        COMPANY 2(COMP2_USER 1, COMP2_USER 2)
                              Department2(DEPT2_USER 1, DEPT2_USER 2)
                  
                  AREA 2(AREA2_USER1, AREA2_USER2)
                        COMPANY 3(COMP3_USER 1, COMP3_USER 2)
                              Department 3(DEPT3_USER 1, DEPT3_USER 2)

                        COMPANY 4(COMP4_USER 1, COMP4_USER 2)
                              Department 4(DEPT4_USER 1, DEPT4_USER 2)

The Administrator has Full control permissions over all levels
The AREAS_USER has Read permissions over all the derived children
The AREA1_USER1 has READ and WRITE permissions in AREA 1  and READ permissions  over all the derived children
The AREA1_USER2 has READ and approve  permissions in AREA 1  and READ permissions  over all the derived children
The AREA2_USER1 has READ and WRITE permissions in AREA 2  and READ permissions  over all the derived children
The AREA2_USER2 has READ and approve  permissions in AREA 2  and READ permissions  over all the derived children

The COMP1_USER 1 has READ and WRITE permissions in COMPANY 1  and READ permissions  over all the derived children
The COMP1_USER 2 has READ and approve  permissions in COMPANY 1  and READ permissions  over all the derived children
The COMP2_USER 1 has READ and WRITE permissions in COMPANY 2  and READ permissions  over all the derived children
The COMP2_USER 2 has READ and approve  permissions in COMPANY 2  and READ permissions  over all the derived children

How can I create a  hierarchy like this in SharePoint?
Is it feasible in MOSS 2007?
Could this be done in AD and then used by SharePoint?

Ted Bouskill

Yes it can be done.  Inheritance of permissions can be turned on or off at any branch in the tree.  AD security groups can be used to assign permissions anywhere within SharePoint.
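
Added example, not part of the original thread and not SharePoint API code: a small Python model of the tree in the question, showing which role assignments each level ends up with when inheritance is broken there, and what changes if one level is left inheriting. The level names ("read+write", "read+approve", "full control") follow the question's wording, and AREAS_USER having read on AREAS itself is an assumption.

```python
# Constructed model of the tree in the question; plain Python, no SharePoint API.
PARENT = {
    "AREAS": "ADMINISTRATION", "AREA 1": "AREAS", "AREA 2": "AREAS",
    "COMPANY 1": "AREA 1", "COMPANY 2": "AREA 1",
    "COMPANY 3": "AREA 2", "COMPANY 4": "AREA 2",
    "Department 1": "COMPANY 1", "Department 2": "COMPANY 2",
    "Department 3": "COMPANY 3", "Department 4": "COMPANY 4",
}
# Rights each principal holds on its own node, as listed in the question.
# Assumption: AREAS_USER also has read on AREAS itself.
LOCAL = {
    "ADMINISTRATION": {"Administrator": "full control"},
    "AREAS": {"AREAS_USER": "read"},
    "AREA 1": {"AREA1_USER1": "read+write", "AREA1_USER2": "read+approve"},
    "AREA 2": {"AREA2_USER1": "read+write", "AREA2_USER2": "read+approve"},
    "COMPANY 1": {"COMP1_USER 1": "read+write", "COMP1_USER 2": "read+approve"},
    "COMPANY 2": {"COMP2_USER 1": "read+write", "COMP2_USER 2": "read+approve"},
}
ALL_UNIQUE = frozenset(PARENT)  # inheritance broken at every level below the root


def acl(node, unique=ALL_UNIQUE):
    """Role assignments in force on `node`, given the set of nodes whose
    inheritance is broken (`unique`)."""
    parent = PARENT.get(node)
    if parent is None:
        return dict(LOCAL.get(node, {}))
    inherited = acl(parent, unique)
    if node not in unique:
        return inherited  # inheritance on: identical to the parent's assignments
    # Inheritance off: principals from above drop to read (Administrator keeps
    # full control), then this node's own grants are added.
    result = {p: lvl if lvl == "full control" else "read"
              for p, lvl in inherited.items()}
    result.update(LOCAL.get(node, {}))
    return result


def can(principal, action, node, unique=ALL_UNIQUE):
    level = acl(node, unique).get(principal, "")
    return level == "full control" or action in level.split("+")


if __name__ == "__main__":
    for node in ("AREA 1", "COMPANY 1", "Department 1", "COMPANY 2"):
        print(node, acl(node))
    # Leaving inheritance on at COMPANY 1 copies AREA 1's assignments down.
    print(acl("COMPANY 1", ALL_UNIQUE - {"COMPANY 1"}))
```

With inheritance left on at COMPANY 1, the model gives AREA1_USER1 write access there and the COMPANY 1 users none, which is why each level in the question needs its own assignments.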

ASKER

Hi tedBilly,

Thanks for answering.

So do you have any suggestions on how I should start working this out?
I don't have the best knowledge of AD, so any help would be much appreciated.

Ted Bouskill

Knowledge of AD isn't a requirement.  My point is that if you have security groups in AD that already exist, you can use them to assign permissions to groups in SharePoint.  SharePoint uses its own custom permissions model so using AD security groups is convenient because you don't have to select individual names as often.  Instead of adding each person's name in a SharePoint group you have the choice of using an AD security group.

ASKER

Maybe I didn't make myself clear before, so please let me restate my problem.

I would like to set up a list in SharePoint 2007 for an extranet.

The users of the extranet would be companies with multiple user accounts.

The requirement is:
•      USERA1 and USERA2 of COMPANY_A must be able to see and edit only list items that are created by users of COMPANY_A
•      USERB1 and USERB2 of COMPANY_B must be able to see and edit only list items that are created by users of COMPANY_B
•      USERA1, USERA2, USERB1 and USERB2 cannot see or edit any of the items that are not corresponding to their company
•      ADMIN1 must be able to see all list items
•      We cannot have separate lists for each company/customer.
•      Moreover,
       o      USERA1 should be able to approve or reject entries of USERA2 and
       o      USERB1 should be able to approve or reject entries of USERB2


My problem is that SharePoint normally gives ONLY the following options:
1.      On the Settings menu of a list, List Settings.
2.      On the Customize page, in the General Settings column, Advanced settings.
3.      On the List Advanced Settings page, in the Item-level Permissions section, under Read Access, can do one of the following:
        •      Click All items to enable users to read all items in the list.
        •      Click Only their own to enable users to read only their items in the list. Users will not be able to see other users' items in the list. It will look to a user like the other users' list items don't exist.
4.      On the List Advanced Settings page, in the Item-level Permissions section, under Edit Access:
        •      Click All items to enable users to edit all items in the list.
        Or
        •      Click Only their own to enable users to edit and delete only their items in the list.
        Or
        •      Click None to prevent users from editing or deleting items in the list.

In reality I would like to be able to allow view/edit only their own, where own means company and not single user.

 
I have changed the points from 250 to 500

Ted Bouskill

Based on your additional requirements it cannot be done with SharePoint without very advanced custom programming.

ASKER

Ok,

So can you, or someone else, help me with this advanced custom programming?

Ted Bouskill

I doubt it.  I'm talking about many weeks' worth of work even for a very advanced SharePoint developer.  EE gives the impression that you will get solutions but that isn't true.  We answer questions.  Considering we are volunteers we simply don't have time to do that much work for free.  We can answer a question to point you in the right direction but something like this would take my most senior developer many weeks to do.

ASKER

Well tedbilly, I didn't ask for a free solution or something like that.
I've been a member of this community for 6 years now so I've understood the philosophy supporting it.
Also, since I've been trying to teach myself SharePoint for the past 4 months, I have seen how time-consuming it can get if you seek more than basic tasks.
By the way, as you said yourself, you are a volunteer so you don't have to help me if you don't want to or even if you don't have the time. That is why I asked if someone can help sort this out.
So no offence, but if you can't or don't want to help me, just don't. You don't have to lecture me about it.

Thanks anyway for your responses. It did reassure my fears of having to use custom code, but as you can understand I cannot give you all the points for that.

If I don't get a better answer I'll consider talking to the mods to see if I can lower the points and give you that.

 
Ted Bouskill

I hope I didn't offend.  SharePoint is an amazing product and I'm a big fan, however, there is a steep learning curve and not all business cases were thought out with the feature set.  I manage a small software development team whose full-time job is customizing SharePoint.  We've done some amazing things with it and in fact, our work is going to be presented in a case study on the Microsoft website.  (You might get to see my face if I'm not edited out)

One of the pain points we've experienced is that SharePoint's own custom permissions model isn't as versatile as AD.  You can get close but it's a lot of work and it's easy to make a mistake.

In your case the only way I could see achieving your requirements without writing a custom permissions model is to separate visualization from permissions.  Your design is mixing structure with permissions like a file system.  Now that I've thought about it, maybe you should consider separating them.  That way you could build a list that a group could edit but you could display the elements in another page with read-only access for others using the Data View Web Part.

ASKER

Hi there

Sorry for the late response. Major power failures this weekend in my area.

Good luck with that presentation of yours. (Lend me your team, will you? hehe)

Separate lists depending on permissions is actually a good idea. But would this work with the type of hierarchy I am looking for? For example, will the area manager be able to see only the companies and their departments? And will the companies be able to see their departments only?

The major issue is that there will be around 500 users (2 for each group) and 20 to 30 lists, so that way the administration will be a nightmare.

Ted Bouskill

Yes, separating presentation from permissions will meet your needs.

In regard to maintenance, how often will the structure change or will you have to implement new branches in the hierarchy?  Once they are set up, maintenance is trivial.

To give you an example of how powerful separating permissions from presentation is, take a look at some of Microsoft's sample templates.  They actually do what I am proposing.  I'd strongly recommend you install them on a sample site and play around with them.

ASKER

Basically the hierarchy will change one more time as this is going to be the first step.

There will be additions in all hierarchy levels, but to be honest if I find a way to do it correctly I won't mind doing it all over again.

The lists on the other hand might change at any time.

I'll play with the templates a little and let you know.

Hi there,

I've used the Record Center Template, which seems to have some features that I might need. Would you recommend another template?

ASKER CERTIFIED SOLUTION
Ted Bouskill

This solution is only available to members.

ASKER

I am still trying to make this work.
Anyway, thanks for your help and for your time.

Even though I would have expected more for 500 points (nothing personal to you of course)