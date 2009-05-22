This week, we had a situation where the client had a sign-up sheet for a volunteer activity that she wanted to post to her SharePoint intranet site. Participants needed to edit the document to indicate the tools that they would bring to the service activity. She posted the document to a site where most users had read-only access and then, to ensure that the users could update the sign-up list, she added her entire audience to the Members group on the site without realizing that this didn’t just give them permission to edit the sign-up sheet, but to edit any document or list on the site! Oops. Here are a few other ways she could have achieved her desired outcome without compromising security on the site.

I think the best option for this scenario would have been to create a custom list with three fields: Name, Tool, and Quantity. She could have enabled the entire Visitors group with Contribute access to just this list and then each person could have entered their name (selected from the “people picker”), the tool, selected from a controlled drop down list that allowed for fill-in values, and the quantity that they could bring. In addition to creating a convenient way to track and measure contributions by type, which was much harder in the Word document she started with, the existing Visitors group could be re-used to create limited permissions to just the new list, which could be removed from the site after the community service day ended. Storing the information in a list instead of a document library would have made it easier to create totals by type of tool to get a better sense of what people could bring and what they would still need.

Another option would have been to use the original Word document as she did but to have used the “manage permissions” function for the document to “break” permissions on just the one document, giving the Visitors group Contribute permissions to the document but not the entire site or library. I’m not a big fan of item level permissions as a general practice because you can’t easily tell by looking at a document library where permissions have been broken, which makes “unpacking” security on the site very complicated. However, since the sign-up process was for a one-day event and the document could be deleted once the event ended, this would have been a good use of that feature.

A third possible scenario might have been to create a document workspace for the community service event to isolate the documents for the one-off event in that workspace. The entire group could have “contribute” permissions to the workspace without impacting or compromising security on the rest of the intranet solution.

There is no single right way to answer this particular business problem, though there was clearly a wrong way – which unfortunately is what my client chose. Hope this helps you avoid a similar situation.