How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved

1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval System”. Certain users will be “Editors” and they will be able to upload documents for approval. Another set of users will be “Approvers”. These users can either approve or reject the uploaded documents. The security requirement is that “Editors” should not be able to approve the documents and the “Approvers” should not be able to edit or delete the documents.

2. Create a document library where the documents will be uploaded.

In this document library, create an out-of-the-box MOSS 2007 Approval workflow. Under “Select a task list to use with this workflow”, select “New task list”.

3. In the text box for “Approvers”, add the Windows group that will contain all the “Approver” users. Also, so that an editor cannot change this “Approver” group when starting the workflow, uncheck the “Allow changes to the participant list when this workflow is started” checkbox.

4. A new task list is created for this workflow.

5. Give Contribute permissions on the site to the Windows group that will contain the “Editors”.

This group can now add, edit and delete items from lists.

6. Now log in as an “Editor” and upload a document.

Start the workflow on the uploaded document.

The approvers text box is disabled.

Once the workflow is started, a task is created in the task list specific to this workflow.

7. Let us see what happens if the “Editor” tries to approve the document herself.

Here we are trying to approve the workflow task while logged in as an “Editor”.

The “Editor” will get an error message, and an entry will be added to the workflow history.

8. Now log in as the “Administrator” and create a new permission level for the “Approver”. Give this permission level the Edit Items, View Items, Open Items, View Versions and View Application Pages permissions.

9. Create a new SharePoint group for workflow approvers. Give it Read permissions on the site.

Give the same group edit permissions on the workflow task list (the one created specifically for the approval workflow) using the “WorkflowApprovalPerm” permission level just created.

The SharePoint group “Workflow Approvers” now effectively has read-only permissions on the entire site, but “edit” permissions on the task list specific to the approval workflow.

10. Add the Windows group containing all the approvers to this “Workflow Approvers” SharePoint group.

11. Now log in as an “Approver”. Go to the document library. Note that the approver can neither edit nor delete the uploaded documents.

12. Go to the task created for approval. Try to approve it.

The “Approver” is able to approve the document.

Summary:

This “How To” shows that it is possible, using the out-of-the-box MOSS 2007 approval workflow, to create a document approval system where:

1. The “Editors” can only upload documents to be approved but cannot approve the documents themselves.

2. The “Approvers” can only approve or reject the documents but cannot edit or delete them.
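
To confirm the result of steps 8 to 10 without clicking through each permissions page, the following PowerShell audit script (an added example, not part of the original how-to) reads the role assignments through the SharePoint object model. The site URL and both list titles are placeholders, and it assumes PowerShell 2.0 or later, run on a farm server by an account that can read the site's permissions.

```powershell
# Added audit example, not from the original article. Run on a MOSS 2007 farm server.
$SiteUrl       = "http://moss.example.local/sites/approval"  # placeholder URL (assumption)
$LibraryTitle  = "Documents for Approval"                     # hypothetical library title
$TaskListTitle = "Approval Workflow Tasks"                    # hypothetical task list title
$ApproverGroup = "Workflow Approvers"                         # SharePoint group from step 9
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Names of the base permissions granted directly to $principal on $list.
# Flag names come from the enum's string form, so no 64-bit bitwise math is needed.
function Get-GrantedPermissionNames($list, [string]$principal) {
    $names = @()
    foreach ($assignment in $list.RoleAssignments) {
        if ($assignment.Member.Name -ne $principal) { continue }
        foreach ($level in $assignment.RoleDefinitionBindings) {
            foreach ($n in $level.BasePermissions.ToString().Split(',')) { $names += $n.Trim() }
        }
    }
    return @($names | Sort-Object -Unique)
}

# FullMask (Full Control) implies every individual permission.
function Test-HasPermission($names, [string]$flag) {
    return (($names -contains "FullMask") -or ($names -contains $flag))
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    $library = $web.Lists[$LibraryTitle]
    $tasks   = $web.Lists[$TaskListTitle]
    $onLibrary = @(Get-GrantedPermissionNames $library $ApproverGroup)
    $onTasks   = @(Get-GrantedPermissionNames $tasks $ApproverGroup)
    $findings  = @()
    # Requirement: approvers must not edit or delete documents.
    foreach ($flag in "EditListItems", "DeleteListItems") {
        if (Test-HasPermission $onLibrary $flag) { $findings += "$ApproverGroup holds $flag on '$LibraryTitle'" }
    }
    # Step 9: the task list needs its own assignment that lets approvers edit tasks.
    if (-not $tasks.HasUniqueRoleAssignments) { $findings += "'$TaskListTitle' inherits site permissions" }
    if (-not (Test-HasPermission $onTasks "EditListItems")) { $findings += "$ApproverGroup cannot edit items in '$TaskListTitle'" }

    if ($findings.Count -eq 0) { "PASS: approver permissions match the how-to" }
    else { $findings | ForEach-Object { "FAIL: $_" } }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

The script inspects only the grants made to the named SharePoint group; a user who also belongs to other groups receives the union of those groups' permissions, so review the approvers' other memberships separately.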