Forum Discussion

johnjohn-Peter
Iron Contributor
Mar 01, 2025

Only allow the creator of the item and the user's direct manager to view the submitted item

I am facing this challenge, where we want to create a custom list with the following logic:

1) A user submits a request, asking for example for a salary increase, mentioning the amount.
2) The request needs to be approved by the user's direct manager.
3) Then the manager of the user's direct manager needs to do a second approval.

Now we need to enforce these permissions:

1) Once the form is submitted, other users should not view this item, even for 1 minute.
2) So the item, once submitted, should only be viewed by the creator, without the ability to edit it.
3) Only the direct manager, and later the manager of the direct manager, can view it.

Here is what I tried and what I faced:

1) I created a custom list and defined all the columns.
2) I created a Power Apps form to submit the form.
3) I created a custom permission level to allow the user to create but without edit/delete, which is mainly a copy of Contribute without those checkboxes:

4) Then I defined a Power Automate flow so that once the item is submitted, it sends an approval email to the direct manager and grants the approving manager and the submitter Read on the item. I am storing the approval status inside another list that can only be edited by the service account.

This worked partially, as the item will still be visible to all users until the workflow runs. Also, in case the workflow fails to run, the item will stay visible forever.

So I tried this second approach, benefiting from Item-Level Permissions:

This will always force the item to be visible to the creator only, without the need for a workflow. But we faced an issue when we want the submitter's direct manager to view this item, to be able to approve or reject it: even if we grant the direct manager Full Control on the item, the item will not be visible to the direct manager, since we defined the above item-level permission. The only way to fix this is to grant the direct manager Full Control on the list, but in this case the direct manager will be able to view all items, not just the ones submitted by his team!

Can we do this, for example:

1) Create a custom permission level to only allow the user to submit, without the ability to edit, delete or view?
2) Then use a workflow to force the item permissions as we go.
3) In this case the item from the beginning will not be visible to anyone, then the workflow will do the permission modification. So if the workflow fails, at least the item will not be exposed to anyone.

So I am not sure what we need to do, and whether SharePoint supports a way to create a custom permission level that allows the user to create without the ability to edit, delete and even view? Any advice?

11 Replies

  •
    DJ_Jamba
    Copper Contributor

    johnjohn-Peter 

    No - it is you that's misunderstanding, but I'll explain with images so it's clearer for you.

    1. Create a custom permission level in Permission Levels

     - Click on the Contribute permission level, then scroll down and click on the Copy Permission Level button
     - Give it a name, e.g. Create and View only, uncheck Edit Items and Delete Items, then click on the Create button at the bottom
     - Now you will see a new permission level listed

    2. Go to your list settings and select Permissions for this list

    • You need to make sure there are two permission groups. One for admins (1 or 2 people with Full Control permission), the other for everyone or specific people, it doesn't matter which. Your flow needs to run under one of the users in the Owners group.
    • For the everyone/specific people group, you need to modify the permissions as shown below and grant that group your new custom permission level:

      In my example, the Owners group contains the admins (people like you or your SP admin).

      I've changed the Visitors group permission level to the custom permission level that was set up in Step 1.

    3. Go to List Settings > Advanced Settings and configure the settings as below:

    So as of now, with this setup, NOBODY can see any list item unless they created the list item, no matter how long your flow takes to trigger.
    Furthermore, the creator of the list item can only view it. They cannot delete it or edit it because of the restricted permission level.

    4. Now you can use a flow that is running under someone in the Owners group or a service account, exactly as described by grant_jenkins, with a trigger of When an item is created, to add item-level permissions by breaking permission inheritance (I also remove all permissions except the Owners group), and then:
     - Granting READ permission back to the original creator
     - Granting APPROVER permission to the approver
     - Notifying the approver of a pending approval request

    Approver 1 will only be able to view the item and approve/reject it.
    When Approver 1 has approved, set the permission for Approver 1 to Read. Approver 1 will then only be able to view that item (or you can remove their permission if required).
    Repeat the process for Approver 2.

    I have used this technique for years and I hear this question come up many times and advise the same solution.

    If you are not sure how to do the flow part, shout.
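The same four steps done with PnP PowerShell, as an added example rather than the poster's own flow: the cloned permission level, the two item-level settings from Advanced Settings, and what the per-item flow does (break inheritance, keep only Owners, re-add Read for the creator and approver). The site URL, the list name "Requests", the item id and the approver UPN are placeholders and assumptions; run it as an account in the list's Owners group.

```powershell
# Added example, not the thread's flow. Requires the PnP.PowerShell module.
param(
    [string]$SiteUrl   = "https://<tenant>.sharepoint.com/sites/<site>",   # placeholder
    [string]$ListName  = "Requests",                                       # assumed list name
    [int]   $ItemId    = 1,                                                # item the flow is handling
    [string]$Approver1 = "manager@<tenant>.onmicrosoft.com"                # constructed sample UPN
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Step 1: "Create and View only" = Contribute minus Edit Items and Delete Items.
if (-not (Get-PnPRoleDefinition -Identity "Create and View only" -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName "Create and View only" -Clone "Contribute" `
        -Exclude EditListItems, DeleteListItems `
        -Description "Add items and read only the items you created"
}

# Step 3: Advanced Settings > Item-level permissions.
# ReadSecurity 2  = "Read items that were created by the user"
# WriteSecurity 2 = "Create items and edit items that were created by the user"
$list = Get-PnPList -Identity $ListName
$list.ReadSecurity  = 2
$list.WriteSecurity = 2
$list.Update()
Invoke-PnPQuery

# Step 4: what the "When an item is created" flow does for one item.
$item    = Get-PnPListItem -List $ListName -Id $ItemId
$creator = $item.FieldValues["Author"].Email          # the submitter
$owners  = Get-PnPGroup -AssociatedOwnerGroup         # the admins group

# -ClearExisting breaks inheritance and removes every inherited assignment,
# so after this line only the Owners group can reach the item.
Set-PnPListItemPermission -List $ListName -Identity $ItemId -Group $owners `
    -AddRole "Full Control" -ClearExisting

# Re-add exactly the two principals that should see it right now.
Set-PnPListItemPermission -List $ListName -Identity $ItemId -User $creator   -AddRole "Read"
Set-PnPListItemPermission -List $ListName -Identity $ItemId -User $Approver1 -AddRole "Read"

# Check: the item should now list only the Owners group, the creator and approver 1.
Get-PnPListItemPermission -List $ListName -Identity $ItemId
```

Before relying on it, sign in to a test tenant as the approver account and confirm the item is actually visible to them with the two item-level settings in place, since that is exactly the point disputed later in this thread.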

    •
      johnjohn-Peter
      Iron Contributor

      DJ_Jamba Are you sure this will work? As if you have these settings:

      and you grant the Approver Approve permission, then Read permission, then the Approver user will not be able to see the item... The above settings for the Item-Level Permissions will only allow the creator of the item + the user with Full Control ON THE LIST to see the items. So how come an Approver user (who did not create the item) will be able to see the item??? Are you sure this is working for you?

      •
        DJ_Jamba
        Copper Contributor

        johnjohn-Peter 
        100% positive - this is how I know that you are misunderstanding.
        Why?
        Because item-level permissions supersede any default permissions/settings in SharePoint.
        As previously stated, I have used/advised this technique for many years.

  •
    DJ_Jamba
    Copper Contributor

    I don't think you need anything except:
    - A permission group with a custom permission level that allows you to Create & View only. You can add specific people to that group or everyone, it really doesn't matter.

    - Configure the list as you have (Users can only see items they create)

    - The flow can take care of permissions when a new item is added and during the approval process in the same way as described by grant_jenkins and by assigning Item level permissions

    •
      johnjohn-Peter
      Iron Contributor

      DJ_Jamba I think you are referring to the same approach I am talking about, which does not work for me. Now if we depend on the workflow to set the permissions, then this means the item will be exposed until the workflow runs, which can take up to 1-2 minutes.

      Also, if we set that the user can only view their items, then how will the manager be able to see this item, to be able to approve/reject it? In this case, if we want the manager to view the user's items, then we will need to grant the manager Full Control on the list, which we do not want. Can you re-read my question, and you will see that what you proposed is exactly what did not work for me, and that is why I asked this question. Thanks.

  •
    DJ_Jamba
    Copper Contributor

    You already have a flow that is triggered when the form is initially submitted and you have the creator, approver 1 and approver 2 details.

    So in your flow, remove all permissions on the item and set Read permission for the creator, approver 1 and approver 2.

    (Typically you would use a service account or an account that has full control permission to the list)

  •
    grant_jenkins
    Steel Contributor

    I think the new List Form will get what you're after.

    You can have the list set up so only admins have access to it. Then you can create a List Form that allows users to submit items to the list - note that when using the new List Form the user doesn't need access to the list to submit items. The user just needs the link to the List Form, so you could add this as a Quick link on a SharePoint page.

    Then, once the item has been added (only admins have access at this point) you can run your Flow to add permissions (read) to the user that submitted the item, and permissions (approve - or similar) to the user's leader. Then, if the leader approves it, reset their permissions to read, and add the next leader with the appropriate permissions, etc.

    This should provide everything you're after based on the requirements you listed in this post.

    Collect information like a pro: New Microsoft Lists forms experience in Microsoft 365

    •
      johnjohn-Peter
      Iron Contributor

      grant_jenkins I am not sure how this is supposed to work. If you do not have permission to add items inside the list, then you will not be able to add the item even using the list forms, keeping in mind that the workflow will only run after the item is physically added inside SharePoint! Can you elaborate more?
