Hi, I have a question how to resolve the problem with user permissions. The main scenario looks in this way that we have many sharepoint workflow processes which will be fired in the system. It's ok but the problem is that this same user can be used in different workflow process and what is the problem he can play different role, so F.ex in one process he can be a Manager IT but in another one he can be a Acceptor. So I have a problem how to correctly manage this permissions in different scenarious for this same users. Could you give me some suggestion how to manage users in this scenario ? Please help. Thank you

Hi, You can programmatically set and remove the user permissions in the workflow and thereby ensuring correct permission for the same user in the corresponding workflow. SPRoleDefinition roleDefinition = null; roleDefinition = item.Web.RoleDefinitions.GetByType(SPRoleType.Contributor); SPRoleAssignment roleAssignment = null; item.BreakRoleInheritance(false); foreach (SPFieldUserValue uv in userValueCollection) { SPUser assignuser = uv.User; roleAssignment = new SPRoleAssignment(assignuser.LoginName, assignuser.Email, assignuser.Name, assignuser.Notes); roleAssignment.RoleDefinitionBindings.Add(roleDefinition); item.RoleAssignments.Add(roleAssignment); } SPGroup group = item.Web.SiteGroups["Group name"]; roleAssignment = new SPRoleAssignment(group); roleDefinition = item.Web.RoleDefinitions.GetByType(SPRoleType.Administrator); roleAssignment.RoleDefinitionBindings.Add(roleDefinition); item.RoleAssignments.Add(roleAssignment); You can refer the above piece of code to set the permissions of a user or a group in your workflow and later in the workflow you can remove the permission. So based upon your permission requirement the corresponding workflows can have the correct user permissions. Hope this helps ! Regards, Geetanjali

Hi, it looks ok but could you explain me the code below: foreach (SPFieldUserValue uv in userValueCollection) { SPUser assignuser = uv.User; roleAssignment = new SPRoleAssignment(assignuser.LoginName, assignuser.Email, assignuser.Name, assignuser.Notes); roleAssignment.RoleDefinitionBindings.Add(roleDefinition); item.RoleAssignments.Add(roleAssignment); } What is the "userValueCollection" list ? Am I right that if you'are talking about Group from the example you mean that at the beginning we have some group of users with some permissions but in our list (or item of list) they are treat as Administrator ?

userValueCollection is actually an instance of SPFieldUserValueCollection which will be used in case you have multiple users in your assigned to field and you want to display the name of each of the user in your list item instead of showing the group name in general. If that is not the case and you are simply assign permissions to a single user or a group then you dont require it. For testing the funcationality I would recommend you to test it for a single user first. In that case you can modify the code accordingly by removing the foreach loop. in the above snippet in the RoleDefinition you can set the permissions based upon your requirement. Please let me know if you need any help. Hope it helps ! Regards, Geetanjali

OK, so F.ex when I set Administrator permission for some Group from item level as in the example above only these users would have a access to this item but others will get Access Denied message ?

Exactly. In the code to the group whom you assign the relevant permissions only they will be able to make the corresponding changes. Others will get access denied. In-case you want others to have read only permission then you can do that also by making the permissions of those other set of users for read only access so as to avoid any access denied thing...

Ok great, but what if we have a group called "Manager IT" and group "Acceptors". In "Manager IT" group there are some users, but in the some workflow process we would like to have a user from this "Manager IT" group but this time this same user would be used as user with permissions from "Acceptors" group ?

Do you mean that in the same workflow you want to have two different permissions for the same user belonging to "Manager IT" group in different stage of the workflow? Or are there two different workflows and to the same group for a particular user you want to have a different set of permissions in the respective workflows?

I mean that I have a group "Manager IT" and inside of this group there is a user which for some workflow should has permission as users from "Acceptors" group. So in this scenario this user will be able to accept some changes in the list which standard user from "Manager IT" can't. So I would like to have this same user but with changed privilages in this right workflow.

Since you are assigning permission to the group inside a workflow so you can handle it in the code. What you can do is that in the workflow where you want to give it acceptor group permission explicitly set the user's permission to the Acceptor one and once the task gets completed and before completing the workflow set the user's permission back to the one that it should have as that of a Manager IT. In this manner you can handle the scenario that you mentioned.

Great, but could you show me how it should looks in the code ? Only some example. Please.

To show the exact code will require me to create the entire workflow and test it which is difficult at the moment. But I can provide you a somewhat replica of the exact code and you can modify it when you will be implementing the workflow. Implement something like this in the complete task activity in your workflow to set the permission back to what you actually want for the user. roleDefinition = item.Web.RoleDefinitions.GetByType(SPRoleType.Reader); SPUser assignuser = //User for which you want to set the permission roleAssignment = new SPRoleAssignment(assignuser.LoginName, assignuser.Email, assignuser.Name, assignuser.Notes); roleAssignment.RoleDefinitionBindings.Add(roleDefinition); item.RoleAssignments.Add(roleAssignment); } Hope this will give you some brief idea as to how you should proceed. Also refer to the following link so as to get a better picture. http://nishantrana.wordpress.com/2009/02/10/managing-tasks-permissions-programmatically-within-sharepoint-using-event-reciever-or-using-special-permissions-property/ Regards, Geetanjali

Yes, great but if I have a roledefinition as below: SPRoleDefinition roleDefinition = null; roleDefinition = item.Web.RoleDefinitions.GetByType(SPRoleType.Contributor); So I can change some group permissions only to one of these types - (Administrator, Contributor, Reader, Guest, WebDesigner) but You know "Acceptor" group can has some other settings then for example standard Contributor group but of course there is not SPRoleType as "Acceptor".

You can create a custom Role Definition. Refer to the following links http://mitsworld.wordpress.com/2009/09/03/creating-custom-role-definition-programmatically/ http://blogs.msdn.com/b/joelo/archive/2007/10/05/sharepoint-roles-assignments.aspx Hope it helps! Regards, Geetanjali

Great, It's enough for me at this time, thank you for help !

You are welcome. :)