The situation

You have a list or library. You want all authenticated users to be able to add items to the list. But, once the item is created, you need to limit permissions to a certain subset of users, based on a column in the list or library. In my example, I have an event registration list. When an item is added to the list, permissions should be restricted to a county security group based on the county chosen in the event registration.

The Solution

    1. Set up your county list. It should have two columns: Title and Group. Group is a Person or Group column set to the county's security group.
      [Figure: Look-up list – title and group columns]
    2. Set up your event registration list. Include a County column that is a lookup to the list you created in step 1. I based my list on a content type so that I could build a reusable workflow; a list workflow works too.
      [Figure: The main list – including the lookup column]
    3. In SharePoint Designer, create a workflow and add an impersonation step. (This must be placed outside Step 1 of the workflow. It is also best practice to create a dedicated workflow user that has the appropriate permissions and to log in to SPD as that user to author the workflow, because impersonation steps run as the workflow author.)
    4. Inside the Impersonation Step, click Action -> Set a Workflow Variable.
      1. Name your variable "County" to match your lookup list.
      2. Click on "value" to set the value. Click the "fx" button.
      3. In the "Find Data To Retrieve" section, set the Data source field to your lookup list. Set the Field from Source field to the security group column in your lookup list. Set the Return field as to "As String."
      4. In the "Lookup for Single Line of text" section, set the Data source to "Current Item." Set the Field from source field to your lookup column in the current item list (county in my case). Set the Return field as field to "Lookup Value (as Text)."
      [Figure: Using the lookup field to set the security group variable]
    5. Select Action -> Replace List Item Permissions. Click "these permissions," then "Add." Click the permission level you want to replace (in my case, "Contribute"). Click "Choose," then "Workflow lookup for a user." In the "Field Data to Retrieve" section, set the Data source to your lookup list, set the Field from source to your "Group" column, and set Return field as to "String." In the "Find the List Item" section, set the field to your "Group" field and click the "fx" button. In the "Lookup for Person or Group" dialog, set the Data source to "Workflow Variables and Parameters," set the Field from source to the variable you set in step 4, and set Return field as to "As String." Click "OK" on all dialog boxes. Click "this list" and select "Current Item." Repeat these steps for each permission level you want to replace.
      [Figure: Return the security group matched to the local variable]
    6. Your complete workflow should look something like this. (Note: I added a couple of log messages that are not defined in the steps above. Feel free to add them or leave them out.)
      [Figure: Complete workflow]
    7. Publish and test your workflow. I set mine to run automatically whenever a new item is created. Test your permissions.
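As an added example for steps 5 and 7 (this is my own script, not code from the original post or from SharePoint Designer), the following PowerShell uses the SharePoint Server farm object model to do two things: reproduce what the "Replace List Item Permissions" action does to an item, and audit every item in the registration list to confirm that only the expected county group holds Contribute. The site URL, list names, column names and permission level are assumptions chosen to match the walkthrough; adjust them to your lists. It must run on a SharePoint server under an account with rights to the site.

```powershell
# Added example, not part of the original post. Uses the SharePoint Server
# (farm) object model, so run it on a SharePoint server as a farm-privileged
# account. All names below are assumptions matching the walkthrough.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl      = "http://intranet.example.local/events"   # assumed site URL
$CountyList   = "County"                                 # lookup list from step 1
$MainList     = "Event Registration"                     # main list from step 2
$LookupColumn = "County"                                 # lookup column in main list
$GroupColumn  = "Group"                                  # Person or Group column in lookup list
$RoleName     = "Contribute"                             # permission level the workflow replaces

function Get-ExpectedGroup($web, $item) {
    # A lookup value is stored as "ID;#Title"; resolve it to the county item,
    # read its Person or Group column ("ID;#Name"), and find that site group.
    $lookup = New-Object Microsoft.SharePoint.SPFieldLookupValue($item[$LookupColumn])
    $county = $web.Lists[$CountyList].GetItemById($lookup.LookupId)
    $user   = New-Object Microsoft.SharePoint.SPFieldUserValue($web, $county[$GroupColumn])
    return $web.SiteGroups[$user.LookupValue]
}

function Set-CountyItemPermissions($web, $item) {
    # Equivalent of the workflow's "Replace List Item Permissions" action:
    # break inheritance WITHOUT copying the parent's assignments (the account
    # running this script keeps its own assignment, as the workflow author
    # does when the impersonation step runs), then grant Contribute to the group.
    $group = Get-ExpectedGroup $web $item
    if (-not $item.HasUniqueRoleAssignments) { $item.BreakRoleInheritance($false) }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$RoleName])
    $item.RoleAssignments.Add($assignment)
}

function Test-CountyItemPermissions($web, $item) {
    # Audit one item: does it have unique permissions, and does any principal
    # other than the expected county group still hold the replaced level?
    $group = Get-ExpectedGroup $web $item
    $unexpected = @()
    foreach ($ra in $item.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "/"
        if ($ra.Member.Name -ne $group.Name -and $levels -match $RoleName) {
            $unexpected += "$($ra.Member.Name) ($levels)"
        }
    }
    [pscustomobject]@{
        Item                 = $item.Title
        ExpectedGroup        = $group.Name
        UniquePermissions    = $item.HasUniqueRoleAssignments
        UnexpectedContribute = ($unexpected -join "; ")
    }
}

$web = Get-SPWeb $SiteUrl
try {
    $list = $web.Lists[$MainList]
    # Audit every registration; rows with UniquePermissions = False or a
    # non-empty UnexpectedContribute column are items the workflow did not fix.
    foreach ($item in $list.Items) { Test-CountyItemPermissions $web $item }

    # To repair a single item the workflow missed, uncomment:
    # Set-CountyItemPermissions $web $list.GetItemById(1)
} finally {
    $web.Dispose()
}
```

The audit only looks at the permission level the workflow replaces; principals that hold a higher level through the parent (for example site owners with Full Control on an item that still inherits) show up as UniquePermissions = False rather than in the UnexpectedContribute column, which is the case to look for first when testing step 7.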
