Granting SharePoint permissions with WEBCON BPS



WEBCON BPS actions can be used to grant permissions to SharePoint site users. Permissions can be granted for:

  • an entire SharePoint site,
  • a SharePoint list,
  • an element or object of a SharePoint list.

SharePoint permissions can be divided into the following permission levels:

  • Full Control – this permission level contains all permissions. By default, it is assigned to the SiteOwners SharePoint group. This permission level cannot be customized or deleted.
  • Design – allows creating lists and document libraries, editing pages, and applying themes, borders, and style sheets on the site. By default, it is not assigned to any SharePoint group.
  • Contribute – allows adding, editing, and deleting items in existing lists and document libraries. By default, it is assigned to the Site name Members SharePoint group.
  • Read – read-only access to the SharePoint site. Users and SharePoint groups with this permission level can view items and pages, and open items and documents. By default, it is assigned to the Site name Visitors SharePoint group.
  • Limited Access – designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent site and read shared data such as the theme and navigation bars of the site. The Limited Access permission level cannot be customized or deleted.

Granted permissions are always the sum of all permissions granted to a user. For example:

A user is granted the permissions Read_Object_A, Read/Edit_Object_B, Edit_Object_A and Full_Control_Object_B. As a result, the user will have the Read/Edit_Object_A and Full_Control_Object_B permissions.

There are three ways to choose the user to whom permissions will be granted:

  • Static – simply typing a user name that exists in AD
  • Form field – entering the user name on a document, in a form field of type „Person or group”
  • Dynamic – using the tag editor, e.g. {I:CURRENTUSER}

Granting permissions statically comes down to manually providing the user’s name and verifying it („Check names” button) or searching for the user in the Active Directory list („Browse” button).

With the „Form Field” option, the user is chosen by entering him/her on a document, in an attribute of type „Person or group”.

Choosing the user dynamically requires using the tag editor to specify the intended user.

Only one user can be granted permissions per execution of the action.

Configuration window

Main configuration window of the action, in its default size.



Choosing user



Static choice allows entering the user manually or browsing for him/her in the Active Directory search list.


Choosing the „Browse” option opens a new window, where it is possible to search for an existing user.


In the „Browse” window it is possible to search for users that are defined in our Active Directory services.


Form field

Choosing the user by form field requires entering the user’s name on a document, in a „Person or group” form field. It is also possible to use an „Items list” as the form field and specify a column of type „Person or group”.



Dynamic user choice is essentially about using the tag editor to target the user to whom new or additional permissions are given.




Granting permissions to a user who enters a selected step on a document is a basic example of this functionality. By configuring the action in this manner, we grant the appropriate site permissions to each user who enters the selected step on a document.

We add the appropriate tag from the editor by double-clicking or using drag&drop.



In the permissions field, the necessary permission levels must be added. The provided selector should contain all default permission levels that can be given on a SharePoint site. The „Add” and „Delete” buttons control which permission levels are granted.

Object – URL address


The URL address field points at the object to which permissions should be given. It is possible to target an entire SharePoint site, a SharePoint list, or a single element/object of a SharePoint list.

Action execution

The action can be executed in one of two ways:

  • As a part of a transaction,
  • Outside a transaction

Executing the action inside a transaction risks significantly prolonging the transaction. However, the action will be carried out only if the entire transaction completes without any errors.

Execution outside a transaction means the action is carried out regardless of the success or failure of the transaction. If an error or exception is thrown while a document is being processed, the action executes anyway, which can sometimes be undesirable.

By default, the action is set to execute outside a transaction.
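
The additive permission model and the two execution modes described above determine together what access a series of action executions actually leaves behind. The following is an added example, not WEBCON BPS code or output: the record format, the field names `in_transaction` and `workflow_ok`, the user names, URLs and per-object baseline are all constructed assumptions.

```python
from collections import defaultdict

# Default SharePoint levels named on this page, weakest to strongest.
# The ordering is used only to report the highest level a user holds.
LEVELS = ["Limited Access", "Read", "Contribute", "Design", "Full Control"]

def g(user, url, levels, in_tx, ok):
    """Build one constructed grant record (hypothetical format)."""
    return {"user": user, "url": url, "levels": set(levels),
            "in_transaction": in_tx, "workflow_ok": ok}

SITE = "https://sp.example.test/sites/hr"   # constructed URLs
LIST = SITE + "/Lists/Contracts"
GRANTS = [                                   # one record per action execution
    g("test.account", SITE, ["Read"], True, True),
    g("test.account", LIST, ["Contribute"], True, True),
    g("test.account", SITE, ["Contribute", "Design"], False, True),
    g("test.account", LIST, ["Full Control"], False, False),  # workflow errored
    g("j.doe", SITE, ["Design"], True, False),                # never applied
]

def applied(grant):
    # Inside a transaction: applied only if the whole transaction succeeded.
    # Outside a transaction: applied regardless of the outcome.
    return grant["workflow_ok"] or not grant["in_transaction"]

def effective(grants):
    """Union of all applied levels per (user, object URL)."""
    acc = defaultdict(set)
    for gr in grants:
        if applied(gr):
            acc[(gr["user"], gr["url"])] |= gr["levels"]
    return dict(acc)

def highest(levels):
    return max(levels, key=LEVELS.index)

def orphaned(grants):
    """Grants that took effect although document processing failed."""
    return [gr for gr in grants
            if not gr["in_transaction"] and not gr["workflow_ok"]]

def over_baseline(grants, baseline):
    """(user, url, highest level) where access exceeds the allowed level."""
    return sorted((u, url, highest(lv))
                  for (u, url), lv in effective(grants).items()
                  if LEVELS.index(highest(lv)) > LEVELS.index(baseline.get(url, "Read")))

if __name__ == "__main__":
    for row in over_baseline(GRANTS, {SITE: "Contribute", LIST: "Contribute"}):
        print("exceeds baseline:", row)
    print("applied despite failure:", len(orphaned(GRANTS)))
```

The grants returned by `orphaned` are the ones to review first: they exist only because the action ran outside a transaction.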


Attributes editor

The editor allows system attributes, form fields, context variables and objects’ identifiers to be inserted into the fields of a configuration form (by double-clicking or drag&drop).




Action usage example

Permissions of the „Test Account” user for the entire SharePoint site, as seen in the permissions settings.


Sample workflow created to test this action:


Adding the action in WEBCON BPS Designer Studio on the „Realization” step. The action will be available from a button in the toolbar (after opening a document in a browser).


Action configuration in WEBCON BPS Designer Studio. The user is provided statically, with two permission levels, „Contribute” and „Design”. Permissions are given to the entire SharePoint site.


The first step as seen after starting a process on a SharePoint site. We supply some test information and proceed to the next step on the path.

On the „Realization” step we gain access to the action button we configured („Grant permissions to site” on the toolbar). After clicking this button we check the status of our test user’s site permissions.


After the action is executed, permissions are changed according to the configuration in Studio and are visible in the site’s permissions settings.

One thought to “Granting SharePoint permissions with WEBCON BPS”

  1. You can also use BPS to manage Active Directory.

    Creating users and managing groups is quite easy (comes in the form of several actions). Using the workflow engine underneath allows streamlining processes like:
    * create new AD account, automatically generating a password and sending an email to the end user (‘here’s your password’)
    * assign the user to specific AD groups
    * once created – activate it on specific date
    * ask if the account should remain active or be deactivated ‘some_time_before_the_deactivation_date’
    * deactivate or keep activated on ‘active to date’
