Workflow security – options for locking down a document

I was recently asked by a customer how to set up a workflow process in which the approver does not have access to make changes to the document itself. In their words:

“The individual would complete a form with activities and time spent, then save the document which kicks off the workflow. There are three to four levels of approvers on the time report who should approve the document without being able to modify any of the time reported or other fields.

My understanding is that this would not be possible without some .NET programming or something like that due to the SharePoint security scheme having document level security as the default and requiring programming to have field level security…”

It seemed like an interesting scenario, so I thought I’d give it some thought and test a few theories. I agree with the customer’s statement that SharePoint security is set at the document level, not per column; that’s definitely true. However, I did come up with a few options that could work without custom code.

Option 1: Set unique permissions on workflow related lists in SharePoint

SharePoint workflow uses a separate task list to manage tasks, and you can set security on that list independently of the document library. I tested this by creating a user with read-only permissions on a document library. On the document library I created a simple approval workflow in which the new read-only user needed to approve the document. Then I went to the task list associated with the workflow and gave the user edit permissions. Finally, I created a document as a different user and saved it into the document library. The workflow kicked off and assigned a task to my read-only user. I logged in as the read-only user: I could open the document, but, as expected for a read-only user, I wasn’t able to change anything in it. Then I went to the document library and clicked the In Progress link for the workflow. I opened the workflow task and was able to approve it, and the workflow completed as expected. The only drawback is that the user had to approve the workflow through the SharePoint page; they weren’t able to take advantage of the Word 2007/SharePoint integration.

[screenshot: clip_image001]
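As an added example (not from the original post), here is the Option 1 setup scripted with the SharePoint server object model from a SharePoint Management Shell; it assumes a newer SharePoint than the 2007 version discussed above, and the site URL, list names and approver account are placeholders. It breaks inheritance on the task list only, grants the approver Contribute there, and then verifies the resulting effective permissions on both lists.

```powershell
# Added example: scripted version of Option 1 using the SharePoint server
# object model (run in the SharePoint Management Shell on a farm server).
# Placeholders: site URL, list names and the approver account.
$siteUrl       = "http://intranet/sites/timereports"   # placeholder
$libraryName   = "Time Reports"                        # document library (placeholder)
$taskListName  = "Workflow Tasks"                      # task list used by the workflow (placeholder)
$approverLogin = "CONTOSO\approver"                    # placeholder account

$web      = Get-SPWeb $siteUrl
$library  = $web.Lists[$libraryName]
$taskList = $web.Lists[$taskListName]
$approver = $web.EnsureUser($approverLogin)

# The library keeps inheriting from the site, where the approver only has
# Read. Only the task list gets unique permissions.
if (-not $taskList.HasUniqueRoleAssignments) {
    # $true copies the current assignments before breaking inheritance
    $taskList.BreakRoleInheritance($true)
}

# Grant Contribute on the task list so the approver can complete the task item.
# Note: Contribute on the whole list also lets the approver edit tasks assigned
# to others; the list's item-level permission settings can narrow that.
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($approver)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
$taskList.RoleAssignments.Add($assignment)
$taskList.Update()

# Verify the split: the approver must NOT be able to edit items in the
# library but MUST be able to edit items in the task list.
$edit      = [Microsoft.SharePoint.SPBasePermissions]::EditListItems
$docPerms  = $library.GetUserEffectivePermissions($approverLogin)
$taskPerms = $taskList.GetUserEffectivePermissions($approverLogin)
$canEditDocs  = (($docPerms  -band $edit) -eq $edit)
$canEditTasks = (($taskPerms -band $edit) -eq $edit)

"$approverLogin can edit documents: $canEditDocs (expected False)"
"$approverLogin can edit tasks:     $canEditTasks (expected True)"
if ($canEditDocs -or -not $canEditTasks) {
    Write-Warning "Permission split is not in place; check the library's inherited permissions."
}
$web.Dispose()
```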

Option 2: Let SharePoint invalidate the workflow when a doc has changed

This is a bit simpler. Leave the users as “contributors” so they CAN still change the document, but set up the workflow to cancel itself when a change is made. This does not stop an approver from editing; it only ensures that a changed document cannot carry an approval from a workflow run that started before the change. For example, the option to cancel the workflow when the document is changed would need to be checked:

[screenshot: clip_image003]

And this could be part of the configuration too:

[screenshot: clip_image005]

Option 3: Digital signatures

Probably the most secure way to accomplish this is to use digital signatures and InfoPath to officially sign the document. Once the document is signed, approvers cannot change the data without invalidating the signature.

Hope this benefits some of you out there who are faced with a similar requirement.