

Limiting Document Access During Workflows

Applies to: SharePoint Foundation 2010

In some situations, you might want to limit or even deny users access to a document while a workflow is running on that document. Locking down a document in such a way guarantees that the document is not changed by users during the course of the workflow.

Setting Document ACLs During Workflows

The most powerful and flexible way of scoping access to a document is by setting the access control list (ACL) rights of users to the document. You can include code in your workflow that alters the document ACLs at the start of the workflow, and then restores those ACLs after the workflow finishes. However, setting per-item ACLs is costly to performance, and should be used carefully to prevent data loss.

A typical approach to locking down a document for the duration of the workflow using ACLs might contain the following steps:

  1. Determine the ACLs that are set for the document.

    If you intend to restore the existing document ACLs, you must first include code in your workflow that determines what those document ACLs are.

  2. Persist those ACLs, so that they can be retrieved at a later date.

    After you determine the existing document ACLs, you must persist them to restore them at the end of the workflow.

    If they are unique to the item, these ACLs should be persisted in the list item itself. This helps ensure that if the workflow terminates before it restores the previous ACLs, you are able to recover access to the document. For example, you can serialize the permissions and store them as a hidden string on the item.

    You might also want to store whether or not the item was inheriting its ACLs, so that you can restore this inheritance, rather than add parallel unique permissions.

  3. Set the ACLs on the document as appropriate for the workflow duration.

    For example, you could include code in the workflow that removes all access to the document except for the workflow itself. Or you might want to set ACL permissions for only those users assigned workflow tasks. You might also want to give appropriate permissions to a trusted list administrator who can change ACLs manually if necessary.

  4. Retrieve the document's original ACL settings, and reapply them to the document.

    As the workflow finishes, you will likely want to include code that restores the document's original ACL settings.

    If the document inherits its ACLs from the library in which it resides, then you might not need to persist the document ACLs. Instead, you could set the document to reinherit the document library ACLs after the workflow concludes.
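
The four steps above, sketched against the SharePoint server object model. This is an added example, not code from the original page: the class name, the hidden multi-line text column "WfSavedAcl", and the trustedAdmin parameter are assumptions. It records whether the item was inheriting, so that inheritance is restored rather than replaced with parallel unique permissions.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class WorkflowAclLock   // hypothetical helper, called from workflow code
{
    const string SavedAclField = "WfSavedAcl";   // hypothetical hidden text column

    // Steps 1-3: record the current ACLs on the item itself, then restrict access.
    public static void Lock(SPListItem item, SPPrincipal trustedAdmin)
    {
        bool inherited = !item.HasUniqueRoleAssignments;
        var parts = new List<string> { inherited ? "inherit" : "unique" };
        if (!inherited)
            foreach (SPRoleAssignment ra in item.RoleAssignments)
            {
                var ids = new List<string>();
                foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                    if (rd.Type != SPRoleType.Guest)   // Limited Access cannot be re-granted directly
                        ids.Add(rd.Id.ToString());
                if (ids.Count > 0) parts.Add(ra.Member.ID + ":" + string.Join(",", ids.ToArray()));
            }
        item[SavedAclField] = string.Join(";", parts.ToArray());
        item.SystemUpdate(false);                      // persist before touching permissions
        if (inherited) item.BreakRoleInheritance(false);
        while (item.RoleAssignments.Count > 0) item.RoleAssignments.Remove(0);
        SPWeb web = item.ParentList.ParentWeb;
        Assign(item, trustedAdmin, new[] { web.RoleDefinitions.GetByType(SPRoleType.Administrator) });
    }

    // Step 4: re-inherit from the library, or reapply the saved unique ACLs.
    public static void Unlock(SPListItem item)
    {
        string saved = item[SavedAclField] as string;
        if (string.IsNullOrEmpty(saved)) return;       // nothing recorded: leave ACLs alone
        string[] parts = saved.Split(';');
        SPWeb web = item.ParentList.ParentWeb;
        if (parts[0] == "inherit") item.ResetRoleInheritance();
        else
        {
            while (item.RoleAssignments.Count > 0) item.RoleAssignments.Remove(0);
            for (int i = 1; i < parts.Length; i++)
            {
                string[] kv = parts[i].Split(':');     // "principalId:roleId,roleId"
                var roles = new List<SPRoleDefinition>();
                foreach (string id in kv[1].Split(',')) roles.Add(web.RoleDefinitions.GetById(int.Parse(id)));
                Assign(item, FindPrincipal(web, int.Parse(kv[0])), roles);
            }
        }
        item[SavedAclField] = null;                    // clear only after the restore succeeded
        item.SystemUpdate(false);
    }

    static void Assign(SPListItem item, SPPrincipal member, IEnumerable<SPRoleDefinition> roles)
    {
        var ra = new SPRoleAssignment(member);
        foreach (SPRoleDefinition rd in roles) ra.RoleDefinitionBindings.Add(rd);
        item.RoleAssignments.Add(ra);
    }

    static SPPrincipal FindPrincipal(SPWeb web, int id)
    {
        foreach (SPGroup g in web.SiteGroups) if (g.ID == id) return g;
        return web.SiteUsers.GetByID(id);
    }
}
```

Because the saved string lives on the item, an administrator can still read it and repair permissions by hand if the workflow terminates before Unlock runs.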

Checking Out Documents for the Workflow Duration

Another approach to limiting access to a document for the duration of a workflow is to include code that specifies that the workflow check out the document at the beginning, and then check the document back in, unchanged, as the workflow concludes.

To do this, use the CheckOutListItem, CheckInListItem, and UndoCheckOutListItem channel methods in IListItemService.

If the workflow is associated with a document library that has content approval enabled, you must also consider the following:

  • Checking the item in may trigger the workflow to start again, if the workflow is set to run whenever a new version of the item is published.

  • You cannot set the Approval Status field on items that are checked out.

See Also

Concepts

Workflow Development in Visual Studio