How to manage columns permissions in a list in Sharepoint

I have a sharepoint 2013 list and would like to hide some columns from some users and visible to certain users. How can I manage columns hide and show

Thanks
bujjigaduAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Neil RussellTechnical Development LeadCommented:
You can not.

You need to use a third party solution. We use BoostSolutions one, very efective.  See Here
0
bujjigaduAuthor Commented:
My company wont invest on third party. I'm looking for any solution using JQuery or Javascript if possible?
0
Neil RussellTechnical Development LeadCommented:
All of those can be got around. ANYONE who has the ability to create their own VIEW on a list will be able to get around what you have done. Anyone who can create a page and add a web part to it can get around what you do. Anyone who can use any form of API to connect to your list.... etc.

There is absolutely no secure way without either developing a full blown sharepoint application that you can load into your farm or go buy one that already exists.

Sorry
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Neil RussellTechnical Development LeadCommented:
Those are fine if you only ever want users to VIEW data in a set view and do nothing with the data ever.  You may as well print it out for them.
0
Neil RussellTechnical Development LeadCommented:
Could you define what you mean by "Hide from some users" ?

Do you want those same users to be able to ENTER ANY data in that list OR to be able to edit ANY data in that list?

Do you intend to use that list as a lookup in any way at all on the site?

Ask yourself "What are the consequences of these columns becoming visible to the users who should not see them?"
0
Jamie McAllister MVPSharePoint ConsultantCommented:
The only effective way I know to do this is;

1. Create views for the different user groups
2. Remove the rights to create public or personal views for the users involved
3. Ensure the list in question cannot be searched for - set this in List settings
4. Open SharePoint Designer. Go to the View Pages for the library, you'll see these as aspx pages
5. Wrap the List View control on the page in a Security Trimmed Control, based on a permission the restricted users don't have

When unauthorized users try to see the view with the extra column it's blank. When they search for values, nothing shows up as the list isn't crawled.

Only downside to this approach is that the two groups of users need distinct permissions.

Aside from this the only other way I know is filtering on [Me],;

https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-me-easy-item-level-security.aspx

This can be very granular which is good, but maintaining the list of users per row is difficult without a coded solution. You can't filter per row on groups alas.
0
Neil RussellTechnical Development LeadCommented:
"Only downside to this approach is that the two groups of users need distinct permissions"

ONLY?

You have just crippled SharePoint in effect and still not achieved what was asked.  What about Datasheet view?  ALL of the suggestions so far mean you have to completely disable datasheet view as none of them offer any protect in that mode.

What about all those ribbon buttons that allow a user to export data? Set up Alerts on lists?

What if another user, with permissions, creates a new public view?

They are ALL considerations and all are security holes if your data is sensitive.  Without a third party solution that has been built specifically for this purpose, you have to "Play" at making it secure and it will cost you a lot more in the long run.

I am just trying to make sure that you are aware of what you can and cant do and just how much work would be involved in you trying to do this on your own in code.

Regards...
0
Jamie McAllister MVPSharePoint ConsultantCommented:
There was a coded solution pre-written to achieve this via a custom field control and security on a second list (explained in the article); http://www.infoq.com/articles/Dressel-Gogolowicz-wss-security

However I cannot see the code in the gallery anymore, so that's probably lost to us.

I even raises the need for a column level security solution with the SharePoint Product Group two years ago. They were not interested... :/
0
Daniel KlineSr. SharePoint DeveloperCommented:
I do this all the time.  I set up SharePoint groups (usually at the site level) with the required permissions.  In the JavaScript bond to the page, I write custom CSOM code that checks the user for membership to the groups.  I then add the users to the groups and customize the group permissions appropriately.  I find the groups work best, because you many times are trying to control access based on AD groups which can be bound to the SharePoint groups.  This avoids a nightmare when trying to manage permissions with changes in the enterprise.  AD becomes the single source of truth for authorization.

Use your IE debugger to identify the elements that need to be "hidden", and use a little jQuery to select the elements. (Don't forget the column headers).  If necessary, wrap the dynamic elements in spans or divs on the page so that you can assign an ID that can be used for selection.

Once you have you DOM selection you can either use jQuery .hide() or .remove() depending on the sensitivity of the information.

There are a few other tricks I've learned along the way.  One important one is to put the commonly used CSOM and REST functionality in the JavaScript for the master page and parameterize it so that it is available for all pages that use the master.  

Hope this helps.  For obvious reasons, I'm not going to post security based code on a public forum.
0
bujjigaduAuthor Commented:
Looks like some customization is required for sure to control columns. One thing i'm allowed to do is to have the columns that I'm trying to hide can be visible but want to restrict edit or enter details in the new form for some users but allow some users to edit and enter them. WIll this be possible with OOTB or some other means?
0
Daniel KlineSr. SharePoint DeveloperCommented:
To make fields read-only   .prop('readonly', true);  rather than .remove() for the appropriate user groups.
0
Neil RussellTechnical Development LeadCommented:
The BoostSolutions PAID solution allows you to do everything you have mentioned and more, with a few clicks and no code.  You can have as many Groups with as many different permissions on different columns AND Views as you like.

Now if your company does not value an investment of $899 (Assuming a single WFE Farm) and would rather you(?) spend days/weeks learning and tuning permissions that are by no means secure then the above mentioned methods are your only option.

If they want a robust, secure, supported, quick and simple way for you to work and improve productivity with SharePoint then Sometimes they have to put their hands in their pockets and realise that SharePoint is a development framework and that you really need all of the right tools to do the right jobs.

I work in a secure environment and to me when someone says I want to HIDE that information form a group of users it is understood that it should NOT leave the server.  Your situation may be different in that having that data travelling around the network and onto client machines and THEN hidden is acceptable.  But remember that if it arrives on the client machine it CAN be got at.
0
Daniel KlineSr. SharePoint DeveloperCommented:
If paid is not a solution and security is a concern, remove() is a reasonable solution.  The selected elements are removed from the page before it is rendered to the client browser.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SharePoint

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.