Implementing Hierarchical Security in SharePoint Lists for Departmental Collaboration

Hi All,

I'm working on optimizing a SharePoint list intended for collaborative use among various department managers. The list contains sensitive staff information. My goal is to set up a security model that meets the following requirements:

Departmental Privacy: Each manager should have access to their respective department's list. However, they should not be able to view or edit the lists of other departments.

Staff Restrictions: Staff members (non-managers) should not have the capability to view or edit any part of the list.

Upper Management Oversight: There's an overarching manager who needs to be able to view all the information across different departments. I'm also considering whether this main manager should have the ability to edit the list, but that's not decided yet.

I'm not entirely sure if SharePoint lists can accommodate this kind of hierarchical security structure. Does anyone have experience with setting up a similar permission model in SharePoint? Any advice or insights on how to effectively implement this while maintaining strict access control would be greatly appreciated.

Thanks in advance.

2 Replies

Hello @HamidBee

You have all the items in one list, right? Then, when you use Lists, you need to implement item-level permissions with a flow. Here is the documentation: https://learn.microsoft.com/en-us/sharepoint/dev/business-apps/power-automate/guidance/manage-list-i...

The simplest way is to set the persons or groups directly on the list element; on this basis, you can set the correct permissions on the list item.

Departmental Privacy: Based on the groups or person in the item, whether they can see it

Staff Restrictions: no permissions to the list

Upper Management Oversight: Based on an admin group on each element

Best, Dave

Hi Dave,

Thank you for your reply. Yes, all of the items are in one list. So let's assume that the list has a column which says the department name e.g. HR, IT. Now I'm guessing the flow is there to restrict users from editing items that don't belong to their department. Here is what I think the flow looks like:

1. Trigger - "When an item or a file is modified": Initiates the flow whenever a SharePoint list item or file is created or modified.
2. Action - "Get item": Retrieves the details of the SharePoint item that triggered the flow.
3. Condition: Evaluates a specified criterion related to the item's properties.
4. Action - "Grant access to an item or a folder": Assigns specific access permissions to the item based on the outcome of the condition check.

Is this correct? Also, how can I have the managers only view the items from their department? I thought about using views, but they can be changed, and even if I prevent users from changing the views, I believe a view cannot be locked to a specific group.

Any help would be greatly appreciated. Thank you in advance.
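The permission model the thread converges on (no list-level access for staff, one manager group per department with edit rights on only that department's items, and an oversight group that can see every item) can be applied to the items that already exist before the flow is switched on. The script below is an added example written for this thread, not code from either poster or from the Microsoft documentation linked above. It uses PnP PowerShell (`Install-Module PnP.PowerShell`) and assumes a list called "Staff Directory" with a "Department" column, SharePoint groups named "<Department> Managers" (for example "HR Managers") and "Upper Management", and that it is run by a site collection administrator; the site URL is a placeholder.

```powershell
# Added example (not from the thread). Assumptions: list "Staff Directory" with a
# "Department" column; SharePoint groups "<Department> Managers" and "Upper Management";
# run as a site collection administrator so the account keeps access after inheritance
# is broken. Site URL is a placeholder.
param(
    [string]$SiteUrl        = "https://contoso.sharepoint.com/sites/Managers",  # placeholder
    [string]$ListName       = "Staff Directory",
    [string]$DeptField      = "Department",
    [string]$OversightGroup = "Upper Management",
    [string]$OversightRole  = "Read"   # use "Contribute" if the senior manager should also edit
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Staff Restrictions: stop the list inheriting from the site and do not copy the
# site's role assignments, so ordinary site Members/Visitors get nothing on this list.
Set-PnPList -Identity $ListName -BreakRoleInheritance -CopyRoleAssignments:$false

# The oversight group must be able to open the list itself, otherwise the
# item-level grants below are unreachable through the UI.
Set-PnPListPermission -Identity $ListName -Group $OversightGroup -AddRole $OversightRole

foreach ($item in (Get-PnPListItem -List $ListName -PageSize 500)) {
    $dept = $item[$DeptField]
    if ([string]::IsNullOrWhiteSpace($dept)) {
        # An item with no department would otherwise end up visible to nobody or,
        # worse, keep whatever it inherited; flag it for a human to fix.
        Write-Warning "Item $($item.Id) has no '$DeptField' value; skipped"
        continue
    }
    $deptGroup = "$dept Managers"

    # Departmental Privacy: give the item unique permissions, drop everything it
    # inherited, and let only that department's manager group edit it.
    Set-PnPListItemPermission -List $ListName -Identity $item.Id `
        -Group $deptGroup -AddRole "Contribute" -ClearExisting

    # Upper Management Oversight: the overarching manager's group on every item.
    Set-PnPListItemPermission -List $ListName -Identity $item.Id `
        -Group $OversightGroup -AddRole $OversightRole
}
```

Because SharePoint security-trims list views, a manager who only holds permissions on HR items sees only HR items in every view, so views do not have to be locked to act as a boundary; the per-item role assignments are the boundary. The flow described in the thread performs the same two `Grant access` steps (department group, then oversight group) for each item as it is created or modified, and this script covers the items that predate the flow. One caveat to plan for: SharePoint limits a list to 50,000 unique permission scopes, so a list that breaks inheritance on every item needs to stay well under that size, or be split per department.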