Enterprise software development and consulting for various organizations, industries and domains.

Saturday, January 29, 2011

Managing Security in SharePoint 2010 Based on Metadata

The most robust way of keeping your SharePoint manageable is to keep its structure clean and clear, though business often introduces complex rules and convoluted workflows. The complexity increases further when it comes to governance and security.

One such task that business demands is securing documents based on their metadata values. In SharePoint 2007 this usually leads to custom development or purchasing one of the 3rd party products (like one from the Titus Labs); luckily, SharePoint 2010 came to help. Let's say we were asked to assign a custom permission level to a document based on its category and, to make it harder, assume that a document can have multiple categories.

The following picture shows the security matrix to be implemented:

Here are the steps to achieve this using the out-of-the-box Content Organizer feature, a folder-based security structure and Metadata Navigation.

1. Create the "MD Document" content type.
2. Add the Managed Metadata column "Document Category" to the content type with the following Taxonomy
3. Add the MD Document content type to the "Documents" document library.
4. Create three folders in the document library: "Public", "Confidential", "Top Secret". Break permission inheritance on these folders and assign the desired permissions in accordance with the security matrix.
5. Go to Site Settings and activate the Content Organizer feature.
6. Add a Content Organizer rule to route documents having the Accounting category to the Top Secret folder.
7. Create rules for all category types. A less privileged category should have a higher rule priority.

From that point on, all documents that a user uploads to the Documents library will be processed by the Content Organizer and placed in a secured folder based on the document category, i.e. secured based on the metadata.
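The routing only protects a document if the target folder really has its own permissions, so step 4 is worth verifying. The following script is an added example, not part of the original post: it reports, for each secured folder, whether inheritance is broken and which principals hold which permission levels. The function name `Test-SecuredFolders` and the site URL are hypothetical placeholders; the library and folder names are taken from the steps above and should be adjusted to match your library.

```powershell
# Added example: audit the secured folders created in step 4.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SecuredFolders {
    param(
        [string]$WebUrl,                       # placeholder, supply your own site URL
        [string]$LibraryName = "Documents",
        [string[]]$FolderNames = @("Public", "Confidential", "Top Secret")
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists.TryGetList($LibraryName)
        if (-not $list) { throw "Library '$LibraryName' not found in $WebUrl" }

        foreach ($name in $FolderNames) {
            # Top-level folders sit directly under the library root folder
            $folder = $web.GetFolder($list.RootFolder.ServerRelativeUrl + "/" + $name)
            if (-not $folder.Exists) {
                Write-Warning "Folder '$name' does not exist; routing to it will fail"
                continue
            }
            $item = $folder.Item
            if (-not $item.HasUniqueRoleAssignments) {
                # Still inheriting from the library: routed documents get library permissions
                Write-Warning "Folder '$name' still inherits permissions from the library"
                continue
            }
            # Emit one row per principal so the result can be compared with the security matrix
            foreach ($ra in $item.RoleAssignments) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                New-Object PSObject -Property @{
                    Folder           = $name
                    Principal        = $ra.Member.Name
                    PermissionLevels = $levels
                }
            }
        }
    }
    finally {
        $web.Dispose()   # SPWeb objects must be disposed explicitly
    }
}

# Constructed URL for illustration only
Test-SecuredFolders -WebUrl "http://sharepoint.example.com/sites/docs" |
    Format-Table Folder, Principal, PermissionLevels -AutoSize
```

A warning for any folder means documents routed there are governed by the library's permissions rather than the security matrix.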

A user will be informed by the following message in the upload document dialog:

And when the category field is set, the document will be automatically routed:

Also, I like to use the Metadata Navigation and Filtering feature in order to make navigation over categories more convenient. Activate this feature in Site Settings, go to the document library settings, then Metadata Navigation Settings, and add the Document Category column to the Selected Hierarchy fields. That will add a nice-looking category tree to the documents list.

3 comments:

  1. This method doesn't work for me. When I search by filters, I can view all the documents inside the folders that I wasn't supposed to view.
    Only works when I navigate with folders!

  2. Hello,

    I have tried to do this now in multiple SharePoint environments. When I go to create the Content Organizer rule and select the category, the field is then grayed out and I cannot set the rule to any specific category. Do you have any idea why this would be?

  3. Soso, make sure you did break permissions inheritance on the folders.
