Solved

How to manage columns permissions in a list in Sharepoint

Posted on 2014-09-06
14
1,181 Views
Last Modified: 2014-09-15
I have a sharepoint 2013 list and would like to hide some columns from some users and visible to certain users. How can I manage columns hide and show

Thanks
0
Comment
Question by:bujjigadu
  • 6
  • 3
  • 2
  • +2
14 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40307623
You can not.

You need to use a third party solution. We use BoostSolutions one, very efective.  See Here
0
 

Author Comment

by:bujjigadu
ID: 40307629
My company wont invest on third party. I'm looking for any solution using JQuery or Javascript if possible?
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 100 total points
ID: 40307645
All of those can be got around. ANYONE who has the ability to create their own VIEW on a list will be able to get around what you have done. Anyone who can create a page and add a web part to it can get around what you do. Anyone who can use any form of API to connect to your list.... etc.

There is absolutely no secure way without either developing a full blown sharepoint application that you can load into your farm or go buy one that already exists.

Sorry
0
 
LVL 12

Assisted Solution

by:Ramkisan Jagtap
Ramkisan Jagtap earned 100 total points
ID: 40307664
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40307672
Those are fine if you only ever want users to VIEW data in a set view and do nothing with the data ever.  You may as well print it out for them.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40307688
Could you define what you mean by "Hide from some users" ?

Do you want those same users to be able to ENTER ANY data in that list OR to be able to edit ANY data in that list?

Do you intend to use that list as a lookup in any way at all on the site?

Ask yourself "What are the consequences of these columns becoming visible to the users who should not see them?"
0
 
LVL 31

Assisted Solution

by:Jamie McAllister MVP
Jamie McAllister MVP earned 100 total points
ID: 40307757
The only effective way I know to do this is;

1. Create views for the different user groups
2. Remove the rights to create public or personal views for the users involved
3. Ensure the list in question cannot be searched for - set this in List settings
4. Open SharePoint Designer. Go to the View Pages for the library, you'll see these as aspx pages
5. Wrap the List View control on the page in a Security Trimmed Control, based on a permission the restricted users don't have

When unauthorized users try to see the view with the extra column it's blank. When they search for values, nothing shows up as the list isn't crawled.

Only downside to this approach is that the two groups of users need distinct permissions.

Aside from this the only other way I know is filtering on [Me],;

https://www.nothingbutsharepoint.com/sites/eusp/Pages/sharepoint-me-easy-item-level-security.aspx

This can be very granular which is good, but maintaining the list of users per row is difficult without a coded solution. You can't filter per row on groups alas.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 37

Expert Comment

by:Neil Russell
ID: 40307767
"Only downside to this approach is that the two groups of users need distinct permissions"

ONLY?

You have just crippled SharePoint in effect and still not achieved what was asked.  What about Datasheet view?  ALL of the suggestions so far mean you have to completely disable datasheet view as none of them offer any protect in that mode.

What about all those ribbon buttons that allow a user to export data? Set up Alerts on lists?

What if another user, with permissions, creates a new public view?

They are ALL considerations and all are security holes if your data is sensitive.  Without a third party solution that has been built specifically for this purpose, you have to "Play" at making it secure and it will cost you a lot more in the long run.

I am just trying to make sure that you are aware of what you can and cant do and just how much work would be involved in you trying to do this on your own in code.

Regards...
0
 
LVL 31

Expert Comment

by:Jamie McAllister MVP
ID: 40307779
There was a coded solution pre-written to achieve this via a custom field control and security on a second list (explained in the article); http://www.infoq.com/articles/Dressel-Gogolowicz-wss-security

However I cannot see the code in the gallery anymore, so that's probably lost to us.

I even raises the need for a column level security solution with the SharePoint Product Group two years ago. They were not interested... :/
0
 
LVL 5

Assisted Solution

by:Daniel Kline
Daniel Kline earned 200 total points
ID: 40307784
I do this all the time.  I set up SharePoint groups (usually at the site level) with the required permissions.  In the JavaScript bond to the page, I write custom CSOM code that checks the user for membership to the groups.  I then add the users to the groups and customize the group permissions appropriately.  I find the groups work best, because you many times are trying to control access based on AD groups which can be bound to the SharePoint groups.  This avoids a nightmare when trying to manage permissions with changes in the enterprise.  AD becomes the single source of truth for authorization.

Use your IE debugger to identify the elements that need to be "hidden", and use a little jQuery to select the elements. (Don't forget the column headers).  If necessary, wrap the dynamic elements in spans or divs on the page so that you can assign an ID that can be used for selection.

Once you have you DOM selection you can either use jQuery .hide() or .remove() depending on the sensitivity of the information.

There are a few other tricks I've learned along the way.  One important one is to put the commonly used CSOM and REST functionality in the JavaScript for the master page and parameterize it so that it is available for all pages that use the master.  

Hope this helps.  For obvious reasons, I'm not going to post security based code on a public forum.
0
 

Author Comment

by:bujjigadu
ID: 40308702
Looks like some customization is required for sure to control columns. One thing i'm allowed to do is to have the columns that I'm trying to hide can be visible but want to restrict edit or enter details in the new form for some users but allow some users to edit and enter them. WIll this be possible with OOTB or some other means?
0
 
LVL 5

Expert Comment

by:Daniel Kline
ID: 40308712
To make fields read-only   .prop('readonly', true);  rather than .remove() for the appropriate user groups.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40308727
The BoostSolutions PAID solution allows you to do everything you have mentioned and more, with a few clicks and no code.  You can have as many Groups with as many different permissions on different columns AND Views as you like.

Now if your company does not value an investment of $899 (Assuming a single WFE Farm) and would rather you(?) spend days/weeks learning and tuning permissions that are by no means secure then the above mentioned methods are your only option.

If they want a robust, secure, supported, quick and simple way for you to work and improve productivity with SharePoint then Sometimes they have to put their hands in their pockets and realise that SharePoint is a development framework and that you really need all of the right tools to do the right jobs.

I work in a secure environment and to me when someone says I want to HIDE that information form a group of users it is understood that it should NOT leave the server.  Your situation may be different in that having that data travelling around the network and onto client machines and THEN hidden is acceptable.  But remember that if it arrives on the client machine it CAN be got at.
0
 
LVL 5

Assisted Solution

by:Daniel Kline
Daniel Kline earned 200 total points
ID: 40308733
If paid is not a solution and security is a concern, remove() is a reasonable solution.  The selected elements are removed from the page before it is rendered to the client browser.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This video discusses moving either the default database or any database to a new volume.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now