
I have a question regarding security in SharePoint. I have the following scenario:

  • Custom Lists (Department, ScoreCard, ScoreCard Data Entry)
  • User Groups/Roles (Executive, Data Entry Operator, Approver)
  • Custom Pages/Web Parts (ScoreCard Data Entry, Pending Approvals, Approval Form)
  • Custom Workflow (1 Step Approval Workflow)

My security requirements are as follows:

  • Every Department has its own users for 2 roles, i.e. Data Entry Operator and Approver.

  • Users in Executive Role can view ScoreCard Data Entry, Pending Approvals and Approval Form of all departments.

  • Data Entry Operators have the right to view the ScoreCard Data Entry Page but can only enter data for their respective Departments. E.g. if User A is Data Entry Operator for Department A and User B is Data Entry Operator for Department B, then User A can enter data only for Department A and User B can enter data only for Department B, even though both have rights to view the ScoreCard Data Entry Page.

  • Approvers have the rights to view Pending Approvals and the Approval Form. An Approver, when viewing the Pending Approvals Page, sees only their own department's Pending Approvals. E.g. if User C is Approver for Department A and User D is Approver for Department B, then User C only views the pending approval list of Department A and User D only views the pending approval list of Department B.

  • Users in the Executive role can view any page and have no restrictions based on department.

Kindly help me with this as soon as possible.

Regards

zaidshah
  • Did you start creating these roles and assigning permissions to lists? It all seems easy to model with standard SharePoint stuff. What's the question? – Mike Chaliy Oct 29 '13 at 13:25
  • You might also migrate this question to http://sharepoint.stackexchange.com/ – Mike Chaliy Oct 29 '13 at 13:26
  • The security requirement is not that straightforward, as you may notice that an entry in another list depends on an entry in the first list, i.e. if User A is Data Entry Operator of Department AA, then he can enter data only for Department AA. – zaidshah Oct 30 '13 at 09:19

1 Answer


If User A is Data Entry Operator of Department AA, then he can enter data only for Department AA

This is a great example of what I would call relationship-based access control. To achieve that you need to look at authorization frameworks that allow for relation-based access control. One such framework is XACML (wikipedia | standard page).

SharePoint doesn't accept XACML to define authorization but it is possible to convert XACML into claims which can be fed into SharePoint. The vendor I work for, Axiomatics, provides such an approach.

Do also check on attribute-based access control. NIST have a great page on that topic.

David Brossard
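As an added illustration of the answer's point (this is not code from the question, the answer, or any vendor product), the following Python policy decision point encodes the four requirements as attribute-based rules. The department restriction is not a group membership but a comparison between a subject attribute and a resource attribute, which is the "relationship" the answer refers to; the last function shows how such decisions can be flattened into plain claims for a consumer that only understands claims. Role names, the action names "view", "create" and "approve", the resource kind names and the sample users are assumptions made for the example.

```python
"""
Attribute/relationship-based access control for the department scorecard
scenario. Added example, not from the original question or answer: role
names, action names, resource kind names and sample users are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]
    # Executives are not bound to a department, so this stays None for them.
    department: Optional[str] = None


@dataclass(frozen=True)
class Resource:
    kind: str        # "ScoreCardDataEntry", "PendingApprovals" or "ApprovalForm"
    department: str  # department the page instance / list item belongs to


PERMIT, DENY = "Permit", "Deny"

# Each rule is (description, predicate). Rules are evaluated first-applicable
# and anything no rule permits is denied. Note that the department rules
# compare s.department with r.department: that relationship is what a static
# SharePoint group cannot express on its own.
RULES: List[Tuple[str, Callable[[Subject, str, Resource], bool]]] = [
    ("Executive views any page of any department",
     lambda s, a, r: "Executive" in s.roles and a == "view"),
    ("Data Entry Operator views the ScoreCard Data Entry page",
     lambda s, a, r: "DataEntryOperator" in s.roles and a == "view"
                     and r.kind == "ScoreCardDataEntry"),
    ("Data Entry Operator enters data only for their own department",
     lambda s, a, r: "DataEntryOperator" in s.roles and a == "create"
                     and r.kind == "ScoreCardDataEntry"
                     and s.department == r.department),
    ("Approver views/approves pending approvals of their own department",
     lambda s, a, r: "Approver" in s.roles and a in ("view", "approve")
                     and r.kind in ("PendingApprovals", "ApprovalForm")
                     and s.department == r.department),
]


def decide(subject: Subject, action: str, resource: Resource) -> Tuple[str, str]:
    """Policy decision point: returns (decision, reason)."""
    for description, predicate in RULES:
        if predicate(subject, action, resource):
            return PERMIT, description
    return DENY, "no rule matched (default deny)"


def visible_records(subject: Subject, records: List[Resource]) -> List[Resource]:
    """Row-level trimming for a list view such as Pending Approvals."""
    return [r for r in records if decide(subject, "view", r)[0] == PERMIT]


def entitlement_claims(subject: Subject, departments: List[str]) -> Set[str]:
    """Pre-compute policy decisions into flat claims "action:kind:department"
    for a consumer that only understands claims (assumed claim format)."""
    claims: Set[str] = set()
    for dept in departments:
        for kind in ("ScoreCardDataEntry", "PendingApprovals", "ApprovalForm"):
            for action in ("view", "create", "approve"):
                if decide(subject, action, Resource(kind, dept))[0] == PERMIT:
                    claims.add(f"{action}:{kind}:{dept}")
    return claims


if __name__ == "__main__":
    # Constructed sample users mirroring the question's User A and User C.
    user_a = Subject("User A", frozenset({"DataEntryOperator"}), "Department A")
    user_c = Subject("User C", frozenset({"Approver"}), "Department A")
    print(decide(user_a, "create", Resource("ScoreCardDataEntry", "Department B")))
    for claim in sorted(entitlement_claims(user_c, ["Department A", "Department B"])):
        print(claim)
```

The claims produced by `entitlement_claims` are only as fresh as the attributes they were computed from: if a user moves department, the claims must be re-issued, which is the usual trade-off when a dynamic policy is flattened into static claims.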