Wednesday, February 16, 2011

InfoPath Form Security Checklist / Flowchart

The following graphic should help most of you prevent many security issues with your InfoPath forms.  To be fair, one particular piece of functionality requires a codeplex addon called "SPDActivities" that you may have to convince your SharePoint manager to implement (if he/she hasn't already) or else you would be in SP 2010 and use the impersonation step.  These are the pre-requisites to this chart:
  1. Create the following permission levels -
    • Audit - Copy read and add the ability to "View Usage Data", "Manage Personal Views", and "Enumerate Permissions"...this permission is used for directors and auditors to see everything and do some reporting.
    • Restricted Contribute - Copy contribute and remove the ability to "Delete Items" and "Delete Versions" and "Manage Personal Views"...this is used for users who have to edit an infopath form and, with versioning turned on for the library, they can't delete the original version of the form.
    • Add Only - Copy Read and add the ability to "Add Items"...this is used for users who have to submit a form and need no subsequent access to it (or you want to secure it at that point)
  2. Anonymous Users = users who don't login
  3. Always remember that those with Contribute permissions can easily switch to Explorer view or the Merge/Repair pages to view every form in your library...so, try not to ever give anyone contribute.
  4. A couple of these things will appear redundant - it's to doubly make sure you do them :)