Thursday, May 31, 2012

InfoPath 2010 - Restricting control visibility based on permissions.

Introduction


One of the common functional requirements of many InfoPath based systems is to restrict button and other control elements and associated functionality available to specific groups based on group membership. There are a number of technical approaches to this, including:


http://info.akgroup.com/blog-0/bid/69277/InfoPath-Restrict-visibility-to-users-in-a-SharePoint-Group

There is however a simple way based on a list external to the list the form is bound to, and setting the permissions that way. In this example, we look at a simple Save, Submit button configuration, but this approach could be expanded to many form elements on an InfoPath form.

Our requirements are:
  1. User group one can only view “Save” button.
  2. Users in group two can only view “Submit” button.

Creating the button list and setting up permissions


The first step in setting up this functionality is to create the button list. Create a list on the same site as your InfoPath form and associated list called “Buttons”, and change the column “title” to “Button Name”. Add the two buttons as items, one as “Save” and one as “Submit”.

Next, create two groups on your site, one called “CanSave” and one called “CanSubmit”. Add all users who should be able to save the form to the “CanSave” group. Add all users who should be able to submit the form to the “CanSubmit” group.

Go back to the button list you created, and edit the permissions for the two button items. The “Save” button should have the “CanSave” group associated, the “Submit” button should have the “CanSubmit” group associated.

Once complete these two steps, validate the permissions are working as expected. Log in as a user in the “CanSave” group (but not the “CanSubmit” group) and view the button list. You should only be able to see the “Save” button item in the button list. Login as a user in the “CanSubmit” group and ensure you can only see the “Submit” button.




Adding the buttons to the form and setting up rules


This step assumes you have otherwise already created a form and have it bound through its main data connection to a list or library. This step also assumes that you know how to configure both save and submit buttons otherwise for intended actions; the only functionality covered by this step is configuring the rules to show or hide buttons based on values in the external button list.

Click on the “Data” tab on your form in InfoPath, and add a new data connection to the SharePoint button list you created earlier. Go back to home tab, and add two buttons to the form. Right click on each, name one “Save”, and one “Submit”.

Open the “Rules” pane if it isn’t open already, “Manage Rules” button on office ribbon on “Home” tab. Click the “Save” button you just created, and, in the Rules pane, click “New” and select “formatting”. Name your rule “Hide Save". Click inside the “Condition” section and set up the condition as follows:
  1. In the first drop down list, select “select a field or group”.
  2. Change “Data Source” to “Buttons”.
  3. Open the “dataFields” folder, open the connection, and select “ButtonName”. “Title” will show up in the “Select” field due to SharePoint limitations around changing the title column. This is fine, click “OK.




4. Since SharePoint InfoPath rules default to show, and are only conditional on hide, we have to isolate the hide condition rather than the show condition. Select “is not equal to” in the second rule area, and then select “Type Text” from the drop down list, and type in the value that this button should NOT be equal to to hide the value, as shown in the next figure. Click “OK”.


5. Within the rules pane, check “hide this control” under the “Formatting” section:


6. Repeat this process for each of the buttons on your form.
7. Publish your form to a SharePoint site or form library.

Troubleshooting and Conclusion


Once you have published your form, you should be able to login as a member of each group and open the form. Only the buttons items you have permissions to in the associated list should show up in the form. If all buttons show up (instead of obeying permissions), ensure the permissions are correct in the associated button list, you should only be able to view the items in the button list that your associated group has permissions to:


If this checks out, then the problem is isolated to the rules in the InfoPath form, tweak and user “Preview” until it’s working. There are some complex ways of achieving this functionality through web services and other approaches, as seen in the blog post first linked to from this blog. However, it can be much simpler, faster, and easier to user SharePoint list permissions to achieve the same functionality in an easy to maintain way.