Thursday, May 14, 2009

Restricting Users from Seeing Other Users' Information

Scenario:

Any user (or role) with Read permissions can view other users' details. Many organizations and their users need to protect their identities and details, so wanting to restrict this is quite common.

The requirements can vary. Some organizations block everyone from the User Information List, including their own entry, so that no one can view even their own details. To achieve this, please view the blog post here.

You might ask why we can't just alter the layout pages and security trim them. There are two things to keep in mind:
1. What if you don't have access to the layouts pages?
2. When a new service pack arrives, it will overwrite the layout pages and your changes are gone. Alternatively, you can keep copies of the layout pages you modify and put them back afterwards, but that is a big maintenance nightmare.

Recently we had a similar situation, except that our hands were tied even further. The site was hosted on a hosting server where we had no control beyond modifying the UI using SPD 2007 (point 1 above). The users needed to see their own details but not others', and this was mandatory.

One of the solutions (I don't claim it's very good, but a temporary hack) is below.

Step 1: As an Admin go to _layouts/people.aspx
Step 2: Click on Settings > List Settings
Step 3: Click on Default view (at the end of the settings)
Step 4: Go to Filter Section
Step 5: Filter column by ID 'is equal to' 0 (ZERO)
Step 6: Click OK

Repeat this for the 'List View' as well.

With this filter in place, the view displays nothing. Note that this is only a view filter; it does not change permissions on the list.

Now create another view, but this time choose 'Personal View' instead of 'Public View'; a personal view is available only to the person who created it.

Hope this helps.

2 comments:

Anonymous said...

Good post... but I can't find the List Settings in the "People and Groups" list. I have only these four options (below) even when I logged in as the system account.

Group Settings
View Group Permissions
Edit Group Quick Launch
Set up Groups

Thanks in advance
Ram

Srini Sistla said...

If you use SPD, create a hyperlink to http://yourdomainname/_layouts/ViewType.aspx?List='listid', embed it in SPSecurityTrimmedControl tags, and give it the proper permission string to secure the link.
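
The markup suggested in the last comment could look like the following. This is an added example, not part of the original post or its comments; the list ID is a placeholder, and `ManageLists` is an assumed permission string that should be replaced with whichever `SPBasePermissions` value matches the audience meant to see the link.

```aspx
<%-- Added example (not from the original post). Registers the SharePoint
     web controls for a WSS 3.0 / MOSS 2007 page edited in SPD 2007.
     Skip this directive if the page already registers the prefix. --%>
<%@ Register Tagprefix="SharePoint"
    Namespace="Microsoft.SharePoint.WebControls"
    Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

<%-- The inner markup is rendered only for users who hold the permission
     named in PermissionsString. "ManageLists" is an assumption here.
     LISTID_PLACEHOLDER stands for the ID of the User Information List. --%>
<SharePoint:SPSecurityTrimmedControl runat="server"
    PermissionsString="ManageLists">
  <a href="http://yourdomainname/_layouts/ViewType.aspx?List=LISTID_PLACEHOLDER">
    Create a view of the user list
  </a>
</SharePoint:SPSecurityTrimmedControl>

<%-- The control trims what is rendered on this page only. Access to the
     target page is still decided by the permissions on the list itself,
     so those must be set correctly as well. --%>
```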