Differences in Security Between Custom Lists and Form Libraries


Some of you may notice at some point that you can have nice granularity of security settings in WSS/Portal on custom lists.   If you look you’ll see that you can you allow people to add items but not delete, not see other’s people’s postings, etc.   What may seem odd to you is that the same level of granularity is not afforded document or form libraries.   There you will see that the security is much more spartan, either you have the ability to post something to a library or you don’t.   And if you do, you have full privileges to everything there.  So that creates a level of ogida (philly word for heartburn) with people that are trying to use form libraries and InfoPath to allow people to post content but not edit it once it’s there nor view other people’s postings.   It’s no secret that we don’t have item level security on document libraries in WSS, and that creates a barrier for some solutions.   I did some research and bugging of people on the products teams and found out that custom lists got special treatment due to the need to accommodate surveys.   You’ll note it’s very easy to post a survey in WSS, and in order for surveys to make sense, you’ve got to be able to lock out people from viewing each other’s data.   The guys responsible for surveys had to fight to get this in the product, and the folks responsible for the libraries didn’t go to bat for it and didn’t get it.   Unfortunately this didn’t make the cut for v.3 of WSS either – I checked.   That’s too bad, but at least we’ll have item-level security in WSS which will provide the same effect, it’ll just be more work.   The way I’ve seen this handled is either to do some business rules or views in the forms to prevent the submit button from working or having different behaviors based on the status of the form, or dealing programmatically with form libraries and doing automatically moving of postings from one library with one set of permissions to another library with a different set of permissions using some kind of event handler.   I don’t have any code snippets on that but if there is demand maybe I’ll post something somewhere down the line.

Comments (2)

  1. mcelvogue says:


       not sure whether or not you are still buried in Infopath, but I was wondering does this scenario still persist with Infopath 2007?

    I have been trying to acheive something similary to "automatically moving of postings from one library with one set of permissions to another library with a different set of permissions using some kind of event handler" which you mentioned. I am rather perplexed however at the amount of code and technology I need to learn to get something which I hoped would be there "out of the box".

    Are there any code snippets you could point me towards or even a different approach I should be taking? The solution I am working on involves infopath-based expense claims, so security is really a high priority. I already tried the sample expense tracking workflow and sample site however my concern is that everyone seems to be able to see everything.

    All and any help appreciated!


  2. Cheena says:

    How can I make users who entered a request using infopath, not able to change the request? Thanks, Cheena.