Many of the same features for securing information at the site level apply to the list level, too. The following sections focus on those aspects of list security that are not redundant to managing security at the site level.
1. Content Approval
Content Approval is an advanced setting that prevents a new item in a list from appearing until the item has been approved by a user with approval rights. This setting must be enabled if you plan to use approval workflows that can be initiated with the publication of a minor version to a major version. Even in lists or libraries in which versioning is turned off, new items will still need to be approved before users with Read-Only permissions can view the content item. Figure 1 illustrates a document in a Pending state that has been uploaded to a library with Content Approval enabled.
When the Content Approval feature is enabled, existing content items will be approved automatically. If Major/Minor versioning is also enabled, then the last major version will automatically be approved. Any existing documents that are checked out will automatically show as being Approved, but when they are checked in, they will go into a Pending state until the check-in action is approved.
The easiest way to approve a document is to click the drop-down arrow for the document and select the Approve/Reject menu item, then select the Approved option (Figure 2). Another way you can approve a document is to highlight it in the library and then click the Approve/Reject Ribbon icon in the Workflows section. If you need to see a list of all the documents or list items that need approval, click the Library tab in the Ribbon (for document libraries; for lists, click the List tab) and then, under Current View, select the drop-down arrow and select the Approve/Reject Items menu option. Figure 3 illustrates what the content approval list looks like when there are one or more items in the list.
Note:
Items that are in the Pending state can still be viewed by users who have permissions if they have the exact URL to the content item. The Content Approval feature is not a security feature by itself. Instead, like audiences, it is a view-crafting feature, but unlike audiences, it helps support approval workflows and the publishing of content items.
2. Versioning Settings
There are three types of version settings in SharePoint 2010: None, Major Only, and Major/Minor. When no versioning is selected, each time a content item is updated or uploaded into the list, it is immediately available for viewing by everyone who has at least View permissions to the list. Moreover, no version history is saved, so the only version of the content item is the current version. Because past versions are not saved, they cannot be retrieved.
Major Only versioning creates published versions each time a content item is updated or uploaded to a list or library. The main difference between no versioning and Major Only is that past versions of the content item are retained in their full-text form. But new versions are still immediately viewable and consumable by those with proper permissions.
Major/Minor versioning was first introduced in Microsoft SharePoint Portal Server 2001. It was taken out of Microsoft SharePoint 2003 and was put back into the SharePoint Server 2007 product; it has been retained in SharePoint 2010. Major/Minor versioning (M/M) allows for the development of a document or list item by a small team of content developers who then periodically publish updated versions of the document for a wider audience to consume. The version numbers tell you which version of the document you are working with. M/M versioning works with a two-numeral decimal system in which the number to the right of the decimal is the minor version and the number to the left of the decimal is the major version. For example, the version designation 0.2 means that you are on the second draft or minor version but have yet to publish a major version. The version designation 1.0 means that you have published your first major version of the document. The version designation 3.3 means that you have published three major versions, the third version is the current “public” version, and you are currently working on the third minor version, which you are using to create the fourth major version, which will be published for public consumption as 4.0.
Each time a document is published, the major versioning number will increment by one (1) and the minor version number will be reset to zero (0). Each time a minor version is checked in, the minor version number will increment by one (1), and the major version number will not increment or decrement.
The reason that M/M versioning can be viewed as a security feature is that currently published documents can continue to be viewed while updates to those documents are created in a secure, private way. You will want to use M/M versioning for documents that have public content that is updated periodically, such as a human resource policy manual, but for which you also want to hide the draft updates of those documents from public consumption.
3. Draft Item Security
Draft item security is only relevant when you have Major/Minor versioning enabled. Draft items are the same thing as minor versions and apply to all new documents created or uploaded into the library. Changing draft item security settings will not apply to those documents that already exist in the library.
The three settings for draft item security are:
Any User Who Can Read Items
Only Users Who Can Read Items
Only Users Who Can Approve Items (and the authors of those items)
The default setting is Any User Who Can Read Items, which represents a problem if you want to hide minor versions from those who would consume documents from the library with Read permissions. The entire point of Major/Minor versioning is to create publicly or widely consumed documents that can continue to be consumed from the same location in which they are also being updated. Leaving draft item security at the default setting makes the Major/Minor versioning feature somewhat useless. However, if the published document is consumed from another location, then those with Read permissions on the source location where the document is created and updated may be only those who can edit the document, too. In that scenario, the draft item security setting isn’t that important, as long as the site owner controls who has Read permissions to the site and list.
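To find libraries that are still at the default draft item security, the following audit script can be run in the SharePoint 2010 Management Shell. It is an added example, not part of the original text; it reads the server object model properties `EnableModeration`, `EnableMinorVersions` and `DraftVersionVisibility`, and the site collection URL is a placeholder.

```powershell
# Added example: inventory Content Approval, Major/Minor versioning and draft
# item security for every visible list in one site collection, and flag the
# libraries whose drafts are readable by anyone with Read permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder URL (assumption); replace with the site collection to audit.
$siteUrl = "http://intranet.example.local"

$readerVisibility = [Microsoft.SharePoint.DraftVisibilityType]::Reader
$findings = @()

$site = Get-SPSite -Identity $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }   # skip system lists

                # Draft item security only matters with Major/Minor versioning.
                $exposed = $list.EnableMinorVersions -and
                           ($list.DraftVersionVisibility -eq $readerVisibility)

                $findings += New-Object PSObject -Property @{
                    Web             = $web.Url
                    List            = $list.Title
                    ContentApproval = $list.EnableModeration
                    MinorVersions   = $list.EnableMinorVersions
                    DraftVisibility = $list.DraftVersionVisibility
                    DraftsExposed   = $exposed
                }
            }
        }
        finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }
}
finally {
    $site.Dispose()
}

# Exposed libraries first, then the rest of the inventory.
$findings |
    Sort-Object DraftsExposed -Descending |
    Select-Object Web, List, ContentApproval, MinorVersions, DraftVisibility, DraftsExposed |
    Format-Table -AutoSize
```

Rows with `DraftsExposed` set to True are libraries where minor versions can be read by the same audience that consumes the published major versions.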