Lotus Notes to SharePoint Blog

Blog about Dell's Notes Migrator to SharePoint tool and other things related to Lotus Notes migration projects

Migrating Notes workflows that implement “dynamic” document security

We have discussed various issues about workflow in the past [link].  To make a long story short, there is no way to press a button and magically translate Notes code-based workflows to SharePoint declarative workflows, but Notes Migrator for SharePoint does an excellent job at migrating your workflow state. 

Recently we have been getting a few questions about how people should handle workflows that automatically change the security of the document as it moves through various workflow stages.  For example, imagine a Notes application that lets an “Author” add or update travel requests until they are ready to submit it.  Once the request is submitted, however, the Author can no longer make changes and it us up to her “Manager” to approve it, reject it, or make further changes.  Real-world Notes applications can easily have many such dynamic access rules.

The way Notes developers typically implemented this type of workflow was was to have buttons, formulas and agents that implemented the right steps.  The actual security rules were usually implemented using reader / writer fields that listed specific people (or groups) that were currently allowed to update the document.  So when the Author pressed the “Submit to Manager” button, some code would run which looked up the manager and updated the reader / writer fields on that document so that now only the manager could edit it.

(Side note, there are also some cases where people did the security enforcement in the user interface.  That is to say, they tried to hide the parts people were not allowed to see in the UI.  But most Notes developers understood that this was not true security.)

So when we migrate this document, we have the option to map those reader / writer fields over to the equivalent document-level permissions in SharePoint.  Notes Migrator for SharePoint makes this trivial.  But it is important to remember that the security on this document is really just a snapshot of its current workflow state.  A workflow process on the SharePoint side is going to need to pick up the document from there. 

In the SharePoint world, you will really have two choices.   If you are using something like InfoPath to design complex forms, it will be possible (though not necessarily a good idea) to implement the workflow the old way:  with code on your form buttons and other form events.  It is possible that you could write code that set the appropriate document level permissions as described above. 

It is more likely however that you will want to switch to declarative workflow instead.  Declarative workflow means that you have a workflow engine interpreting a set up rules that someone (not necessarily a developer) has configured.  This could be a built-in SharePoint workflow, something designed in SharePoint Designer, or something designed in Visual Studio.  Another great choice is to implement the workflow with an add-in tool such as Nintex.  Regardless, your workflow definition will include rules to update the document level permissions according to your business rules.

The workflow capabilities in SharePoint Designer get stronger with each new release.  For example, SharePoint 2010 now has explicit actions for Adding, Removing, or Replacing the permissions on a list/library Item.  This is one more example of something powerful you can do in SharePoint 2010 without writing code!


Note that you will not see these particular actions in the standard drop-down action list; you will only see them if you are inserting actions into an “Impersonation Step”.

2 responses to “Migrating Notes workflows that implement “dynamic” document security

  1. Deb December 16, 2011 at 7:52 pm

    Actually, if the developer is worth his/her salt, document security will be role-based and will be administered at the Access Control level using access controlled sections within the Notes document template itself. So, for example, if the status of the document is BA Review, only those users assigned the role of ‘BA’ in the Access Control List (ACL) would be able to unlock and edit the BA Review fields in the document. All other roles would, perhaps be able to read the document but wouldn’t be able to edit it until it was their role’s ‘turn’ in the workflow.

    • swalch December 17, 2011 at 1:31 pm

      We see a lot of that too. Our feature for migrating Notes Roles to SharePoint Groups (plus mapping the readers / authors permissions on individual documents accordingly) is indeed very popular. Thanks for pointing that out.