Setting permissions based on Manager using workflow

We've got a workflow that finds the manager of an AD user (from InfoPath field), then Replaces the Current Item's permissions with Read for the manager only and strips everything else.

The problem is that during the moments a form has made its way to the database but BEFORE the permissions are set by the workflow, a user NOT in the chain can access the record.  Has anyone run into this before?

Any tips/tricks?

It seemed like such an unlikely thing to happen yet it has happened twice already in the last few weeks and is a real problem for us. We haven't tested to see how long the "moment" is for yet but that might be a good next step.

May 26th, 2015 7:47pm

Hi,

Can you elaborate a little more about the steps you are following to set the permission for the item once you get the manager name? When we work with a workflow to edit item-level permissions, we can edit the permissions using impersonation. While editing the item permissions, first we need to stop inheriting permissions for the list where the item exists. If you are following the same, can you elaborate a little bit more about your steps so we can come up with an exact resolution?

May 26th, 2015 8:41pm

Couple of options spring to mind...

Assuming you are storing the Manager in a field in the InfoPath Form (maybe hidden) and promote this field to the list so you can see and use it.

Option 1:

You could modify the default view so it only shows records where Created = [Me] OR Manager = [Me]. This way users would only see their own forms, and managers would see their forms plus the forms that were "assigned to" them.

Not foolproof, but could help to eliminate the issue.

Option 2:

Use an Event Receiver to manage the permissions on Item Created. This would ensure that the permissions would be set straight away so you wouldn't get the delay period where "other" users could access the form.

May 27th, 2015 12:51am
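
Option 2 from the reply above, sketched as a server-side event receiver (an added example, not code posted in the thread). It assumes a farm solution, a promoted Person field with the internal name `Manager`, and a receiver registered as synchronous so it runs as part of the save request; `ItemAdded` is asynchronous by default, which would leave the same kind of gap the workflow has.

```csharp
using System;
using Microsoft.SharePoint;

// Added example. Register with <Synchronization>Synchronous</Synchronization>
// in the receiver's Elements.xml; the default for ItemAdded is asynchronous.
public class ManagerOnlyPermissionsReceiver : SPItemEventReceiver
{
    // Assumption: internal name of the promoted Person field holding the manager.
    private const string ManagerField = "Manager";

    public override void ItemAdded(SPItemEventProperties properties)
    {
        Guid siteId = properties.SiteId;
        Guid webId = properties.Web.ID;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;

        // Submitters normally lack Manage Permissions, so reopen the site elevated.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                EventFiringEnabled = false; // do not re-trigger receivers on this item
                try
                {
                    // Stop inheriting without copying parent assignments, then strip whatever remains.
                    item.BreakRoleInheritance(false);
                    for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                        item.RoleAssignments.Remove(i);

                    // Fail closed: with no resolvable manager the item stays locked down.
                    string raw = Convert.ToString(item[ManagerField]);
                    if (string.IsNullOrEmpty(raw)) return;
                    SPUser manager = new SPFieldUserValue(web, raw).User;
                    if (manager == null) return;

                    var assignment = new SPRoleAssignment(manager);
                    assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(SPRoleType.Reader));
                    item.RoleAssignments.Add(assignment);
                }
                finally
                {
                    EventFiringEnabled = true;
                }
            }
        });
    }
}
```

Because inheritance is broken before the manager is looked up, a missing or unresolvable manager leaves the item with no readers instead of the list's inherited permissions.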



Assuming you are storing the Manager in a field in the InfoPath Form (maybe hidden) and promote this field to the list so you can see and use it.


That's an interesting thought.  I thought getting the Manager of a user was only possible once the record hits the List and Designer can do its thing using a Workflow.  But you're right I can probably get the manager's name through GetUserProfileByName.  Still, once armed with that info I think a workflow still needs to be in the equation in order to actually set the permissions (i.e. InfoPath can't set permissions can it?).
May 28th, 2015 5:32pm

Duh, I think I might have missed something really simple.

Setting Item-level Permissions to default to "... created by the user" in the List's Advanced Settings probably handles all cases of the above before the workflow gets to it.

May 28th, 2015 5:39pm

I didn't think you could apply Item-Level Permissions in a Forms Library?
May 28th, 2015 9:49pm

Duh, I think I might have missed something really simple.

Setting Item-level Permissions to default to "... created by the user" in the List's Advanced Settings probably handles all cases of the above before the workflow gets to it.

Actually this doesn't seem to work as it overrides all item-level permissions.

May 29th, 2015 9:09am

I didn't think you could apply Item-Level Permissions in a Forms Library?
This is InfoPath on a List.
May 29th, 2015 9:09am
