Secure Custom Views for Everyone

This came up in the newsgroups and is a common thing that people want so I thought I would share it here (as the newsgroupie was happy with my solution).

Since the dawn of the SharePoint 2003 man, views have been ways to filter information. Of course they're public views for everyone to see. But what if you want to have views just to show data filtered by a user (for security reasons)? The first answer would be "Well Bil" (as I often refer to myself in the third person) "you could just have everyone in the company create personal views and they would be, well, personal". Uh yeah. Okay, two problems with this. First, while they are "personal" they're also "public" if you know the URL to get to them. There's no security on them whatsoever and security through obscurity just doesn't cut it. Second, having everyone in a company create their own views (unless you're a company of 10) isn't really feasible. We need a better way.

Enter the [Me] filter. Yup, plain old silly little [Me] that we see in the help files for creating views. Let's say you have a list of Sales results and for whatever reason (yes, I've seen this in organizations before) the powers that be don't want Sales Guy #1 (Joe) to see Sales Guy #327's (Ricardo's) information. We have a list with various Sales figures but we have a cool thing called "Created By". This is the built-in field that tags the item in the list with the name of the person who created it (makes sense, doesn't it?). So now we can go into the default view and add a filter. Select the "Created By" field as the filter and enter [Me] as the value it has to equal. Voila, Abracadabra, and Presto Chango. The view now only shows Joe's sales figures to Joe and Ricardo's to Ricardo. Magic huh?

If you need an "admin" view then you can just create a personal view that doesn't have the filter and do something like group by the "Created By" field. Okay, so you're looking at your browser and saying "But Bil, you just told me that the personal view isn't personal and anyone can see it". Yes, well this is SharePoint and doesn't always provide the best solutions for everyone.

There is an alternative, though, that really hides this info (hide as in your security guys won't be beating you upside the head if you create a personal view). Create a new document library and give access to it to whomever you want. These would be the important people with Armani suits that want to see all of the sales figures just because it's part of their performance expectations for the year. Now create a new Web Part Page and put it in this library. Drag the Sales list onto this Web Part Page. Crack the page open in FrontPage 2003 and convert the list to a DataView Web Part (oh yeah, you're getting it now right?). Now apply whatever filters you want to the list and save it. Since the Web Part Page is in a Document Library, the security is applied to the library so Ricardo and Joe won't be able to see it but the big, powerful execs will. Problem solved (I hope).
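
A small Python model of the two approaches above, added here as an illustration and not code from the original post or from SharePoint: a view filter only changes what a page renders, while a page stored in a document library is gated by the library's permissions. The class names, sample rows and page name are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: a Sales list where "Created By" records the author.
SALES = [
    {"ID": 1, "Created By": "joe", "Amount": 1200},
    {"ID": 2, "Created By": "ricardo", "Amount": 5400},
    {"ID": 3, "Created By": "joe", "Amount": 800},
]

@dataclass
class View:
    """A list view: a name plus an optional filter. It has no ACL of its own."""
    name: str
    created_by_me: bool = False  # models the filter "Created By" equals [Me]

    def render(self, user, items):
        if self.created_by_me:
            return [i for i in items if i["Created By"] == user]
        return list(items)  # no filter: every row is rendered for any caller

@dataclass
class Library:
    """A document library: pages stored in it are gated by its reader list."""
    readers: set
    pages: dict = field(default_factory=dict)  # page name -> View

    def open_page(self, user, page, items):
        if user not in self.readers:  # access check happens before rendering
            raise PermissionError(f"{user} cannot read this library")
        return self.pages[page].render(user, items)

def ids(rows):
    return sorted(r["ID"] for r in rows)

default_view = View("default", created_by_me=True)
admin_personal_view = View("admin personal view")  # unfiltered, reachable by URL
exec_library = Library(readers={"exec"})
exec_library.pages["AllSales"] = View("AllSales")  # hypothetical page name

def joe_can_open_exec_page():
    try:
        exec_library.open_page("joe", "AllSales", SALES)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print("Joe, default view:       ", ids(default_view.render("joe", SALES)))
    print("Joe, admin personal view:", ids(admin_personal_view.render("joe", SALES)))
    print("Joe, exec library page:  ", joe_can_open_exec_page())
    print("Exec, library page:      ", ids(exec_library.open_page("exec", "AllSales", SALES)))
```

The unfiltered personal view returns every row to Joe because nothing checks who is asking; only the library-hosted page refuses him.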

7 Comments

  • Bil, great tip. I have seen a lot of chatter about calculated values and lists lately and would like to look into building some more powerful lists. Do you know of a reference source that provides the syntax for this type of formula? I've seen [Me] and [today] used, but do not know where to go to find out other values. Thanks.

  • Great tip Bil, I'll translate this post for Italian readers... What do you think about it?



    Good Work,

    - Romeo

  • Creative and simple, just how we like it :) Nice job!

  • Hey Bill, it's your ol' buddy from the Vancouver airport! Anyway, nice tips - this is exactly the problem I'm facing with a client. I'm trying to wrap my head around your ideas, and if I understand them correctly I may have found a few holes. If you change the default view to filter by [Me], couldn't Joe for example create a personal view that doesn't filter on [Me], and thus be able to see Ricardo's list items? Also, for Document Libraries, wouldn't they be able to see all items by using a Web Folder to view the docs?

  • Correct, unless you take away 'manage personal views' permission on the list -- then they have to just work with the views you have given them.

  • What if Joe notices that since his items have IDs, Ricardo's do too, and has a quick look at dispform.aspx?ID=[Someone else's item]?



    I still think this is security by obscurity.

  • That's true Linda, so in the case of a list you can set the list's security so only people can read their own items. Document libraries don't have this feature and yes, it still is security through obscurity so it's not 100%. We won't have that until we have item level security with the next release of SharePoint so we do what we can for now.
