How to restrict user rights so they can add list items but cannot edit them once saved?

I appreciate if you can help me with this. My beloved company uses SP2010, and I got the task to solve this issue using it, though I am not a programmer (basic html is still ok).

I need a simple annual leave list with the following capabilities:

1. Group of users (~100 members) should be able to create list items in a list that contains annual leave data. Columns are: Name, Leave start date, Leave end date, Team leader, etc.

2. Once they fill in the new item form, a workflow notifies the team leader to visit the item and set a column "approval status" to approved or rejected.

3. Based on this column value, another workflow notifies the requestor about the decision.

4. After approval, users should be able to see their items in the list, but they should not be able to edit it.

Sounds so simple, but I have big issues with point 4, as SharePoint does not differentiate create and edit rights on a list item. As a result, the requestor can edit the dates of approved items.

Any hints on how to solve this? Can impersonation help with this? Or should I add a new permission level to the site?


  • Edited by Gabor A Wednesday, February 13, 2013 4:06 PM
February 13th, 2013 3:46pm

Hello

We are going to do the following things to accomplish your task

  • create a new security permission level that will allow submit only
  • create your annual leave list
  • assign everyone the submit only permission
  • add a workflow to send the email and modify the item permissions

OK, first things first: on the SharePoint server, open a PowerShell window and type the following PowerShell:

$spweb = Get-SPWeb -Identity "<site url>";
$spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition;
$spRoleDefinition.Name = "Submit only";
$spRoleDefinition.Description = "Can submit/add forms/files/items into library or list but cannot view/edit them.";
# AddListItems without ViewListItems or EditListItems: users can create, but not read back or change, items
$spRoleDefinition.BasePermissions = "AddListItems, ViewPages, ViewFormPages, Open";
$spweb.RoleDefinitions.Add($spRoleDefinition);
$spweb.Dispose();

Now in your site you will have a new permission level called 'Submit Only'.

Create your annual leave list and give all users read and submit only permissions.

Now create a workflow against this list in sharepoint designer.

Add a new step, which should be an impersonation step.

1st action

Add permission: give the user and their manager (I am presuming you are capturing this information in your list, so it will be recorded against the item) whatever control you wish, i.e. full control, contribute, etc.

2nd action

Remove list permission: remove the group you initially gave read and submit only permission to, and select the read and submit only permissions to remove from them, i.e. if you added the 'All Users' group, then when performing this action choose to remove the read and submit only permissions for the users 'All Users'.

3rd Action

Send an Email: Email Manager with notification.

February 13th, 2013 4:08pm
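The same item-level lockdown that the Designer impersonation step above performs, scripted in PowerShell so an administrator can apply it to items that were approved before the workflow existed and verify the result. This is an added example, not code from the thread or from the answer above; the site URL, the list title "Annual Leave", the group "All Users", the person columns "Requestor" and "Team Leader" and the internal column name Approval_x0020_Status are all hypothetical and must be replaced with your own.

```powershell
# Added example (not from the thread). Creates the "Submit only" level if it is
# missing, grants the group Read + Submit only on the list, then locks every
# already-approved item so the requestor can read it but no longer edit it.
# All names below are hypothetical assumptions; adjust them to your site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.example.local"   # hypothetical
$listTitle = "Annual Leave"                    # hypothetical
$groupName = "All Users"                       # hypothetical

function Get-SubmitOnlyRole {
    param([Microsoft.SharePoint.SPWeb]$web)
    # Re-runnable: only create the permission level when it does not exist yet.
    $role = $web.RoleDefinitions | Where-Object { $_.Name -eq "Submit only" }
    if ($role -eq $null) {
        $def = New-Object Microsoft.SharePoint.SPRoleDefinition
        $def.Name = "Submit only"
        $def.Description = "Can add items but cannot view or edit them."
        $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"AddListItems, ViewPages, ViewFormPages, Open"
        $web.RoleDefinitions.Add($def)
        $role = $web.RoleDefinitions["Submit only"]
    }
    return $role
}

function Grant-ListSubmitAccess {
    param([Microsoft.SharePoint.SPList]$list, [Microsoft.SharePoint.SPGroup]$group)
    # Give the whole group Read + Submit only on the list itself.
    $web = $list.ParentWeb
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader))
    $ra.RoleDefinitionBindings.Add((Get-SubmitOnlyRole $web))
    $list.RoleAssignments.Add($ra)
}

function Test-HasPermission {
    param([Microsoft.SharePoint.SPSecurableObject]$obj, [Microsoft.SharePoint.SPUser]$user,
          [Microsoft.SharePoint.SPBasePermissions]$mask)
    # Effective permissions for a named login, evaluated server-side.
    return (($obj.GetUserEffectivePermissions($user.LoginName) -band $mask) -ne 0)
}

function Lock-ApprovedItem {
    param([Microsoft.SharePoint.SPListItem]$item)
    $web = $item.Web
    # Person columns are stored as "id;#name"; resolve them to SPUser objects.
    $requestor = (New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item["Requestor"])).User
    $leader    = (New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item["Team Leader"])).User

    # $false = do not copy the list's assignments, so the group's Submit only
    # binding disappears from this item. The account running this keeps Full
    # Control on the item, so run it as the admin account, never as the requestor.
    $item.BreakRoleInheritance($false)

    $reader      = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
    $contributor = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)

    # Requestor: Read only. Team leader: Contribute, so the approval column can still be changed.
    $raRequestor = New-Object Microsoft.SharePoint.SPRoleAssignment($requestor)
    $raRequestor.RoleDefinitionBindings.Add($reader)
    $item.RoleAssignments.Add($raRequestor)

    $raLeader = New-Object Microsoft.SharePoint.SPRoleAssignment($leader)
    $raLeader.RoleDefinitionBindings.Add($contributor)
    $item.RoleAssignments.Add($raLeader)

    # Verify the outcome instead of trusting the UI: requestor can view but not edit.
    $canView = Test-HasPermission $item $requestor ([Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    $canEdit = Test-HasPermission $item $requestor ([Microsoft.SharePoint.SPBasePermissions]::EditListItems)
    if (-not $canView -or $canEdit) {
        throw "Item $($item.ID): unexpected permissions (view=$canView edit=$canEdit)"
    }
}

$web = Get-SPWeb -Identity $siteUrl
try {
    $list  = $web.Lists[$listTitle]
    $group = $web.SiteGroups[$groupName]
    Grant-ListSubmitAccess -list $list -group $group

    # Lock everything that is already approved; the workflow handles new approvals.
    $query = New-Object Microsoft.SharePoint.SPQuery
    $query.Query = "<Where><Eq><FieldRef Name='Approval_x0020_Status'/><Value Type='Choice'>Approved</Value></Eq></Where>"
    foreach ($item in $list.GetItems($query)) { Lock-ApprovedItem -item $item }
} finally {
    $web.Dispose()
}
```

The check at the end of Lock-ApprovedItem is the part worth keeping even if you only use the Designer workflow: an item-level permission change that silently fails (for example because the impersonation step runs as a user who cannot manage permissions) leaves the requestor with Contribute, and nothing in the list view tells you that. Running the script a second time is safe because the permission level is only created when absent and the role assignments on the item are re-bound, not duplicated.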

You can achieve this with a custom permission level. Check this post for a walkthrough: http://blogs.technet.com/b/mediumbusiness/archive/2011/09/23/create-custom-permissions-for-sharepoint.aspx

Basically just create the new permission level and remove the Edit items permission.

February 13th, 2013 4:08pm

Hi

The easiest way, without a special permission level:

Create a secondary list, which will contain all approved/finished requests.

When a manager approves or not (finishes his approval task), the workflow attached to your list will move the current item from the current list to that new list, where users will have only standard read rights!

February 13th, 2013 7:23pm
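The "second list" approach above, scripted in PowerShell as an added example (not code from the thread or from the answer above). It assumes a hypothetical archive list whose unique permissions give the users' group Read only, an archive list that already carries the same business columns as the request list, and a person column named "Requestor"; the function refuses to move an item into an archive that would still let the requestor edit it, which is the one check the approach depends on.

```powershell
# Added example (not from the thread): move an approved request into a
# read-only archive list, after confirming the archive really is read-only
# for the requestor. All list and column names are hypothetical assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Move-RequestToArchive {
    param([Microsoft.SharePoint.SPListItem]$item, [Microsoft.SharePoint.SPList]$archive)

    # Resolve the "Requestor" person column ("id;#name") to an SPUser.
    $requestor = (New-Object Microsoft.SharePoint.SPFieldUserValue($item.Web, [string]$item["Requestor"])).User

    # The whole point of the archive is that it grants Read only: refuse to
    # move the item if the requestor's effective rights there include edit.
    $effective = $archive.GetUserEffectivePermissions($requestor.LoginName)
    if (($effective -band [Microsoft.SharePoint.SPBasePermissions]::EditListItems) -ne 0) {
        throw "Archive list '$($archive.Title)' still grants edit rights to $($requestor.LoginName)"
    }

    $copy = $archive.AddItem()
    foreach ($field in $item.Fields) {
        # Copy user-editable business columns only; system columns such as
        # ID, Created and Modified are read-only and are set by SharePoint.
        if ($field.ReadOnlyField -or $field.Hidden) { continue }
        if ($field.InternalName -eq "ContentType" -or $field.InternalName -eq "Attachments") { continue }
        if ($archive.Fields.ContainsField($field.InternalName)) {
            $copy[$field.InternalName] = $item[$field.InternalName]
        }
    }
    $copy.Update()
    $item.Delete()   # remove it from the list the requestor can still write to
    return $copy
}

# Usage (hypothetical site, list and archive names):
$web = Get-SPWeb -Identity "http://intranet.example.local"
try {
    $source  = $web.Lists["Annual Leave"]
    $archive = $web.Lists["Annual Leave Archive"]
    $moved = Move-RequestToArchive -item $source.GetItemById(1) -archive $archive
    Write-Host "Archived as item $($moved.ID) in '$($archive.Title)'"
} finally {
    $web.Dispose()
}
```

Two things to keep in mind with this variant: the original item's history (version and audit entries) does not travel with the copied field values, and the move itself must run under an account that can delete from the request list and add to the archive, which is why in Designer it belongs inside an impersonation step rather than running as the requestor.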


Hello,

I want to add and edit, but not view items (AllItems.aspx).

In this case, these permissions do not work:

$spweb = Get-SPWeb -Identity "http://sp2013srv";
$spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition;
$spRoleDefinition.Name = "edit/add but not view items Forms Permission";
$spRoleDefinition.Description = "Can submit/add forms/files/items into library or list but cannot view/edit them.";
# AddListItems and EditListItems, but no ViewListItems in the mask
$spRoleDefinition.BasePermissions = "AddListItems, EditListItems, ViewPages, ViewFormPages, Open";
$spweb.RoleDefinitions.Add($spRoleDefinition);
$spweb.Dispose();

This does not let me go to /EditForm.aspx?ID=1. It says the item has been deleted, but the item exists and is seen by the admin.

July 24th, 2015 4:13pm

$spRoleDefinition.BasePermissions = "AddListItems, EditListItems, ViewPages, ViewFormPages, Open";

I removed ViewListItems, but then it only works for adding a new item and does not work for editing an existing item.

July 24th, 2015 5:01pm
