SharePoint – Create unique permissions on document check in

If you have a metadata-oriented structure in your document libraries, you might want to use unique permissions for each document.
This is NOT a good choice if you use folders. It will create a huge permissions matrix.

I have implemented this at my customer and I haven’t noticed any noticeable performance issues.

Let’s say you create a choice field called “Security class” with 4 choices, “Base, low, medium, high” and you want this to control the permissions for the current document.

  • Base – Base permission, keep inheritance, everyone can contribute. (Default value for the field.)
  • Low – Everyone can read, members can contribute, owners and created by have full control.
  • Medium – Members can read, no contributors, owners and created by have full control.
  • High – No readers, no contributors, owners and created by have full control.

So basically, in your editform.aspx you have a drop-down with these 4 options.


Implementation

First, create a class that will handle the permissions.

Then you will have to create an Event Receiver and override ItemCheckedIn.

Let the base check in the item first or you might have a permissions conflict.

You have to elevate the privileges or you will lose your permissions when the permissions are cleared. Do not use the SPListItem from the event properties; it's not elevated. You need to get the SPListItem from the elevated SPWeb. Call the permissions handler with your elevated objects.
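A sketch of the two pieces described above, added here as an example and not the author's original code. The class names `PermissionsHandler` and `SecurityClassReceiver` are hypothetical, and mapping "everyone", "members" and "owners" to the site's associated visitor, member and owner groups is an assumption.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical helper class; names are illustrative, not the author's code.
public static class PermissionsHandler
{
    public static void Apply(SPWeb web, SPListItem item)
    {
        string level = Convert.ToString(item["Security class"]);
        // Drop any ACL left over from a previously selected class.
        if (item.HasUniqueRoleAssignments) item.ResetRoleInheritance();
        if (level != "Low" && level != "Medium" && level != "High")
            return;                                // "Base" or empty: keep inheritance
        item.BreakRoleInheritance(false);          // false: start from an empty ACL
        SPRoleDefinitionCollection roles = web.RoleDefinitions;
        SPUser author = new SPFieldUserValue(web, Convert.ToString(item[SPBuiltInFieldId.Author])).User;
        Grant(item, web.AssociatedOwnerGroup, roles.GetByType(SPRoleType.Administrator));
        Grant(item, author, roles.GetByType(SPRoleType.Administrator));
        if (level == "Low")
        {
            // Assumption: "everyone" is the site's associated visitors group.
            Grant(item, web.AssociatedVisitorGroup, roles.GetByType(SPRoleType.Reader));
            Grant(item, web.AssociatedMemberGroup, roles.GetByType(SPRoleType.Contributor));
        }
        else if (level == "Medium")
            Grant(item, web.AssociatedMemberGroup, roles.GetByType(SPRoleType.Reader));
    }

    static void Grant(SPListItem item, SPPrincipal who, SPRoleDefinition role)
    {
        if (who == null) return;                   // group not configured or user deleted
        SPRoleAssignment assignment = new SPRoleAssignment(who);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }
}

public class SecurityClassReceiver : SPItemEventReceiver
{
    public override void ItemCheckedIn(SPItemEventProperties properties)
    {
        base.ItemCheckedIn(properties);            // let the check-in finish first
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(properties.SiteId))
            using (SPWeb web = site.OpenWeb(properties.RelativeWebUrl))
            {   // re-fetch the item from the elevated web, not properties.ListItem
                SPListItem item = web.Lists[properties.ListId].GetItemById(properties.ListItemId);
                PermissionsHandler.Apply(web, item);
            }
        });
    }
}
```

Because the receiver runs elevated, the handler accepts only the four known choice values and treats anything else like Base, so a user cannot use the field to grant rights outside the defined matrix.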

By setting permissions this way you will allow users to easily change permissions in a controlled way.

About Tobias Eriksson