Create a secure form

Task:

  • Create a form that every employee can fill. This form will be used to register sick days.
  • After creation, only a select group of employees will be able to view/modify/delete the form.

Limitation:

  • No programming

I first tried InfoPath forms, but I couldn’t find a way to ensure the authorizations. If I create a permissionlevel and say everyone whith this permissionlevel should be able to create items, they’re automatically able to view items. All items in the library.

The perfect solution in my opinion is to create a couple of workflowactions, which make sure the authorizations get set right after the item is created. Since I’m (unfortunately) not allowed to program anything, I had to find another solution.

My Collegeau’s attended a Sharepoint Designer training. They suggested to create a list, instead of using InfoPath and manipulate the pages of the library so that the pages (AllItems.aspx, DispForm.aspx, EditForm.aspx) could only be used by the right group of employees. In my opinion I should authorize the data (listitems), instead of the interface to be really sure no evil person could view and/or manipulate the data.
However I decided to give it a thought.

I believe there are a couple of ways to view/access data in SharePoint:
– By using SharePoint Designer It’s possible to disable this by configuring permissionlevels
– By using the SDK dll’s Someone has to get access to a front
-end server, to get execute an application to access the data, so if we make sure no authorized people have access to the front-ends, we will be safe here.
– By using the SDK Webservices Webservices are accessible by all employees, however this can be disabled by configuring the permissionlevels.
– By using the webinterface of SharePoint (duh!)

This brainstorm gave me the confidence it may be possible.

I found my solution in executing the following steps:

  1. Make sure the list is invisible. This can be done in SharePoint Designer (Navigate to the list > Right-click list > Properties > Settings > Hide from browser
    This way the list won’t be found by navigating in Sharepoint.
  2. Create the audience in the Shared Service Provider. Make sure the right users are member of the audience.
  3. In SharePoint Designer edit the pages Allitems.aspx, DispForm.aspx and EditForm.aspx.
    Search in the webpart for the following tag:
    Supply the ID of the audience you,ve just created like this: ca4cd9d1-f396-4127-a4de-5237cb0255ac;;;;
  4. Disable RSS for the list.
  5. Make sure the list is not searchable
  6. Make sure the sitelevel permissions are configured to disable the use of webservices.

I believe with these steps it’s possible to create a secure form. Any thoughts on this? Let me know!

I hope I helped the community with this post.