Security Trimming SharePoint 2010 InfoPath Form Fields

UPDATED for SharePoint 2013

Sources:
Security Trimming InfoPath fields with SharePoint 2010 InfoPath Forms Services Based on SharePoint User Groups & Claims-Based Authentication
Infopath List Form – hide/disable fields based on SharePoint group membership
InfoPath: Displaying SharePoint Group List Using “GetGroupCollectionFromUser” method

Additional info required for 2013:
SharePoint 2013, InfoPath and Claims – GetUserProfileByName
http://blogs.technet.com/b/rajbugga/archive/2013/08/07/infopath-over-claims-authentication-sharepoint-2010-amp-2013.aspx

All of the above sources had most of details, but some steps seemed to be missing when I attempted to follow them. However, I would not have been able to figure it out without them.

For 2013, you’ll need to create a Secure Store Service connection. See the information listed under “Additional info required for 2013” on how to do this.

Create the Data Connection

On a form that has been created and published back to SharePoint, create the data connection. Create a new connection to receive data from a SOAP Web Service.

Connect to https://WEBAPP/sites/SITECOLLECTION/_vti_bin/usergroup.asmx.

The operation we need is GetGroupCollectionFromUser.

Set the sample value for the user login name; this is an actual login – probably yours. The web application in my example has Claims Based Authentication, so instead of just domain\username, I needed to enter “i:0#.w|domain\username”.

Save and publish the form.

Modify the Schema

The schema, as it is now, can’t be used. We need to modify it to add in the data fields.

Export the source files.

It’s helpful to make a new folder for just this form (we’ll delete it later).

CLOSE INFOPATH AND OPEN THE FOLDER JUST CREATED. The file we need to modify should be called GetGroupCollectionFromUser1.xsd. Open it with notepad.

After the line:

<s:import namespace="http://www.w3.org/2001/XMLSchema"></s:import> 

Add the following:

<s:complexType name="GetGroupCollectionFromUserType">
  <s:sequence>
    <s:element minOccurs="0" maxOccurs="1" name="userLoginName" type="s:string"/>
    <s:element minOccurs="0" maxOccurs="1" name="Groups">
      <s:complexType>
        <s:sequence>
          <s:element maxOccurs="unbounded" name="Group">
            <s:complexType>
              <s:attribute name="ID" type="s:unsignedShort"></s:attribute>
              <s:attribute name="Name" type="s:string"></s:attribute>
              <s:attribute name="Description" type="s:string"></s:attribute>
              <s:attribute name="OwnerID" type="s:unsignedByte"></s:attribute>
              <s:attribute name="OwnerIsUser" type="s:string"></s:attribute>
            </s:complexType>
          </s:element>
        </s:sequence>
      </s:complexType>
    </s:element>
  </s:sequence>
</s:complexType>

Find this:

<s:element name="GetGroupCollectionFromUser">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="userLoginName" type="s:string">
      </s:element>
    </s:sequence>
  </s:complexType>
</s:element>

And replace it with this:

<s:element name="GetGroupCollectionFromUser" type="tns:GetGroupCollectionFromUserType">
</s:element>

Save and close the xsd file.

Finish the form design

In the folder with the modified schema, right-click manifest.xsf and design.

*If you don’t use a data connection library, you can skip this step. The file name in the data connection library would be GetGroupCollectionFromUser.udcx.

** UPDATE for 2013 – You’ll HAVE to use a data connection file and update the file to use the Secure Store Service: <udc:Authentication><udc:SSO AppId='InfoPathWebService' CredentialType='NTLM' /></udc:Authentication>

Be sure to change the approval status of the connection file to approved.

Form Load Rule

Create a new rule to execute on Form Load.

Add the action “Set a field’s value”. Set the field userLoginName in GetGroupCollectionFromUser to userName().

** UPDATE for 2013 – Contrary to the above articles, setting the query field to substring-after(userName(), "0#.w|") did NOT work for me. I had to set it back to userName() – but you may have to try it either way.

Add the action “Query for data”.

Data connection will be GetGroupCollectionFromUser.

Field Rule

Select the field to be secured. Add a new formatting rule.

The condition is: All occurrences of Name (these are the groups the user interacting with the form belongs to) are not equal to the name of the SharePoint group that has permissions.

Save and publish the form.

Update: I had a scenario where we were showing a field (warning you don’t have rights to do this) only if the user was not a member of the Contributors group. In that case the condition was where “Any occurrence of Name” is equal to “SharePoint Group”, then hide the control.
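To make the two rule conditions concrete, here is an added example (not code from the original post) that parses a constructed GetGroupCollectionFromUser SOAP response and evaluates both the “All occurrences of Name are not equal” rule and the “Any occurrence of Name is equal” variant from the update; the function names and the sample group names are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a usergroup.asmx GetGroupCollectionFromUser response.
# Group names and IDs are made up; matching below ignores the XML namespace.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetGroupCollectionFromUserResponse
        xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
      <GetGroupCollectionFromUserResult>
        <Groups>
          <Group ID="5" Name="Site Visitors" Description="Read only"
                 OwnerID="1" OwnerIsUser="False" />
          <Group ID="8" Name="Form Approvers" Description="Can approve"
                 OwnerID="1" OwnerIsUser="False" />
        </Groups>
      </GetGroupCollectionFromUserResult>
    </GetGroupCollectionFromUserResponse>
  </soap:Body>
</soap:Envelope>"""


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified tags.
    return tag.rsplit("}", 1)[-1]


def group_names(soap_xml):
    """Return the Name attribute of every Group element; this is the repeating
    'Name' field the form rule tests after the Query for data action."""
    root = ET.fromstring(soap_xml)
    return [el.get("Name") for el in root.iter() if _local(el.tag) == "Group"]


def hide_unless_member(names, required_group):
    """Field Rule: hide when ALL occurrences of Name differ from the group.
    An empty result (e.g. the query failed) also hides, which is the safe
    direction for a field that should only appear to privileged users."""
    return all(n != required_group for n in names)


def hide_if_member(names, excluded_group):
    """Update scenario: hide when ANY occurrence of Name equals the group."""
    return any(n == excluded_group for n in names)


def claims_login_name(domain, user):
    """Windows-claims encoding of the login name used as the query value."""
    return "i:0#.w|%s\\%s" % (domain, user)
```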
