Clayton's SharePoint Madness

All About SharePoint, InfoPath, and SharePoint Designer!

User Roles in Browser-Enabled InfoPath Forms Using Contacts List

Posted by Clayton Cobb on June 14, 2009

MAJOR REVISION that uses the GetCommonMemberships web method to determine group memberships for users without needing to use contact lists or any other manual data source!

InfoPath – User Roles in Browser-Enabled Forms Using Groups

So, you need to restrict certain controls in your InfoPath form, but it’s browser-enabled, and you just found out that User Roles are not supported, huh?  You also see that SharePoint permissions do not help restrict specific areas within your form, so what do you do?  There are probably several methods, but here is the one I have come up with that uses all built-in functions of InfoPath and MOSS 2007 without any code.

Here is an outline of the steps with the assumption that you already have a working, browser-enabled form:

  1. Contacts List
  2. Add GetUserProfileByName data connection to your form template if not already using it
  3. Add necessary fields to form template and configure them
  4. Add conditional formatting to applicable controls

Contacts List

In this solution, the Contacts list will provide the groupings of users for your “roles” within the form..  Here are the steps:

  • Create a new Contacts List
  • Click Actions > Connect to Outlook (this step only for Office 2007/IE 6-8 users) – Fig 1
  • Populate users from Global Address Book (or manually) – Fig 2 and 3
  • Add any extra columns for sub-grouping of users (i.e. Department) 

Fig 1 – Connecting to Outlook

Fig 2 – Add Contact from Global Address Book in Outlook

Fig 3 – Copy local Contacts to Synchronized SharePoint Contact List

 Fig 4 – Final View of Contacts List Synchronized with Outlook

What we have done is used Outlook 2007’s two-way  integration with SharePoint to ensure that our contact information in the SP Contacts List is exactly the same as what is in Active Directory, and since our profile import in this scenario is pulling from Active Directory, then our user information should all be synchronized.  Notice that I’ve added a Department column to the Contacts list, because this info is in AD, the GAL, and in the SP profile database. Note: other data has been removed but would usually be seen here (email address, phone #, etc).

User Profile Service – GetUserProfileByName method

Now we must add this superb web service to our form template as a data connection.  Please use the first 8 steps of Itay’s writeup to get this done as I can only give him credit for my extensive knowledge of this web service.  Once you’ve added it successfully, we need to do a few things with it using the later steps in Itay’s blog.

Add Necessary Fields to Form Template and Configure Them

First, create two basic text fields in your main data source: strCurrentUserEmail and strCurrentUserDepartment.  Next, drag two section controls to your canvas, and drag both text fields from above (Fig 5).

 Fig 5 – Sample Form Template

Next, we need to get those fields populated with the proper information for only the current user, which means each subsequent user who opens the form will make the data in these fields change accordingly.

strCurrentUserEmail – Tools > Form Options > Open and Save > Rules.  Add an action that sets the strCurrentUserEmail field to the WorkEmail value of the GetUserProfileByName data connection using the later steps from Itay’s writeup.  It should look like this (Fig 6).


Fig 6 – Setting field to WorkEmail value

What this does is pull the WorkEmail value from the profile database for the user who just opened the form and puts that email address in our designated field.  We could get this same value using the Default value function button on that field, but this would set the value once for the initial submitter and never change.  I leverage this notion in another field named strSubmitterEmail so that I can also check to see if the current user is the original submitter.

strCurrentUserDepartment – Tools > Form Options > Open and Save > Rules.  Add an action that sets the strCurrentUserDepartment field to the Department value of the GetUserProfileByName data connection the same way you did the previous step for WorkEmail. Note: You can add this action to the existing rule for email.

What this does is automatically pull the department of the current user and put it in the designated field.

Add Conditional Formatting to Applicable Controls

grpIT – Double-click this control on the canvas to get to its properties.  Click Display > Conditional Formatting.  Add a condition with two caveats.  The first will check the contact list against the current user.  The 2nd will check the contact list against the current user’s department.

  • After clicking Add, click “Select a field or group” in the first dropdown.  Change the data source to your Contact List, drill down to the data elements, click on E-mail_Address, and select “All occurrences of E-mail_Address” in the bottom dropdown (most people never notice this – Fig 7).


Fig 7 – Choosing All occurrences of a data connection field

For the operand, choose “are not equal to”, and for the last box, choose “Select a field or Group” again.  From your main data source, select strCurrentUserEmail

  • Click the “And” button on the right to add another caveat to the condition.  In this one, select strCurrentUserDepartment from your main data source in the first dropdown, “is not equal to” for the operand, and the text “IT” in the last dropdown.  Be sure to change the “and” on the right to an “or,” and lastly check the box for “Hide this control.”  It should look just like Figure 8.  

Fig 8 – Conditional formatting to hide sections from unintended users

What we are essentially doing is checking to see if the current user is in the overall list of approved users, and then we are breaking it down further to see what department that person is in.  If the current user is not in that list, then the section is hidden.  If the person is in the list but not in the specified department, then the section is hidden.  An alternative way to do the department filter is to make separate contact lists for each sub-group.  If you do it that way, it requires more lists and more maintenance, but it allows you to assign a regular user as the owner of his/her respective list in order to maintain it (removes the burden from us).  If you use one list with sub-categories, then you can’t as easily hand the maintenance over to regular users.

grpFinance – Do the same steps for this section as you did for grpIT except change the text “IT” to “Finance.”  Note: Be sure that the text you type in situations like this is EXACTLY the same as what Active Directory shows.  IT is not the same as it and Finance is not the same as finance.

Here is the final result.  If you reference Figure 4 above, you will see that my department is shown as Finance… 

Fig 9 – Finance user only sees the Finance section

Fig 10 – Manually changed Department to IT (demonstration purposes only)

Fig 11 – IT user only sees the IT section


Fig 12 – Log in as SharePoint Tester account

Fig 13 – SharePoint Tester not in Contacts list and sees nothing

**After it is all working, be sure to remove the text boxes from your form for strCurrentUserEmail and strCurrentUserDepartment, because they are only in this example for testing purposes.  You want to make sure you can see the data that is being put in there during testing.  Once it works, remove those text boxes, or if you want to show them, then make them read-only.

This is my first attempt at any blog post, so please feel free to critique and comment on any errors, bugs, typos, mistakes, fixes, questions, or confusions you may think of…

21 Responses to “User Roles in Browser-Enabled InfoPath Forms Using Contacts List”

  1. This is a rockin post. Nice job defusing User Roles for browser forms.

  2. Mark said

    At what level is the Contact list being created? in the infopath document library?

    or the actual parent site for the infopath forms?

    i guess this cant manage the situation where my view is dependant on a selected value in the form? ie a view is set up for the user role of the person selected in a dropdown…

    • Clayton Cobb said

      1) You can’t create a list inside of a document library. The contact list in this case is located in the same web (site) as the form library, but it can be anywhere else in the site collection, because it’s simply a data connection.

      2) What are you trying to do in this 2nd part? You want a separate view for every person? To do that, you’d have to know how many people there are, create a view for each one, and then configure the dropdown to have a rule that switches to the respective view when a person is selected, but I don’t understand that situation at all. Are you saying that when a different person selects someone in the dropdown, then when that selected person later opens the form, it switches them to a specific view? You can do that simply with Form Load rules as shown in the blog. I really just need to know what you’re trying to do, and then we can figure it out or determine that it can’t be done.

      • Mark said

        Hi Clayton,

        1) I created a custom list within the site but i dont see the option to ‘connect to outlook’ under ‘actions’ which your example shows should be there…

        2) I have a form that allows the person submitting to choose a contact from each of 2 dropdowns who will receibe an email requesting “sign-off” of the form request.

        currently within form options > rules i cater for them seeing a view that includes the sign off checkbox by choosing ‘Users current role’ = value in dropdown…

        persumably making this form browser compatible will no longer make ‘users curent role’ available to me… so was wondering how i might get this form value using your approach…

      • Clayton Cobb said

        1) Mark, my list is a Contacts list, not a custom list. You will need to use a Contacts list and modify it if you want it to be able to Connect to Outlook.

        2) You shouldn’t use dropdowns for choosing people unless you have a very small list of static people, because that is something you’ll have to maintain manually. If you use the Contact Selector, then you can choose from all people without any maintenance, and the value saved in the form can be used to send dynamic emails. The 2nd part I don’t understand, because first said that the form submitter chooses a contact from 2 dropdowns, but then you said you have rules that switch views based on the user’s current role. Are you referring to people OTHER than the submitter? You didn’t give that piece of detail. Anyway, what “value in dropdown” do you have for matching user roles? You said that names were in the 2 dropdowns, but you didn’t mention another dropdown have a defined role, so I’m not sure what the scenario is.

        Regardless, to get user roles working in browser forms, you just use the methods shown in my blog. You see right here how to use a Contacts list, but you can also use AD security groups if you check my other blog on the topic. Which part of using the contacts list isn’t working for you?


  3. Olga said

    Thank you for the post. I tried to use this solution but am stuck on this. I do not see a dropdown “All occurrences of E-mail_Address” when selecting the email field. Any idea where it could be hiding? Thanks in advance!

    • Clayton Cobb said

      Olga, when you select the node of your repeating group within the secondary data connection, you don’t see a dropdown at the bottom with multiple options? Does your screenshot look EXACTLY like mine in Figure 7? It has to be a field within a repeating group, and this should be coming from a secondary data connection.


  4. Phebe said

    I have a custom list with a Person field populated with a few people who will be acting as Reviewers for the form. Is there a way i can populate the drop down in infopath form with the list of people from the custom list?
    If No, is there an alternate approach.


    • Clayton Cobb said

      When using a list as a data source for InfoPath, the rows of that list are the repeating rows of the table in InfoPath. When you have multiple items in one field of one row, then it becomes a repeating value within a repeating value, which makes it tough to deal with. You would want your Reviewers to be separate line items in the list as opposed to multiple items within one list item. It may be possible to use multiple names from ONE list item, but I haven’t attempted it. What does the data from that People Picker field look like when you retrieve it and put it in InfoPath?

  5. Beth said

    Hi Clayton,
    Would this same process work for a form that is not browser-enabled? We created a form for our Sales Team to use, but we don’t have MOSS Enterprise so users will be filling out the form from the InfoPath client.

    Also, for my test purposes I don’t have access to Outlook. I’m wondering if this needs to be created using “Connect to outlook” or if I can create a small Contact list directly on the site and add the information myself. It’s a small group of users so the Contact lists wouldn’t take much to maintain.

    • Clayton Cobb said

      1) Yes, this works in any type of InfoPath form. It’s just that you only need it in browser forms, because rich client forms can use the built-in User Roles feature. I recommend using that before using my methods. I only made these articles due to the limitation of browser forms.

      2) You definitely do NOT need Outlook. I just show that as a more efficient means of maintaining the Contact List and to show one way that Office Integration works. You can maintain the Contact List manually – I do it quite often with different solutions I build.

  6. Robin said

    I’m wanting to use getuserprofilebyname web service in a FBA claims authenticated SharePoint 2010 site. The users who will be benefiting from the prepopulation of form data, are extranet external customers. I have successfully used this functionality in windows authenticated domain environments but FBA is throwing me for a loop.

    Any suggestions appreciated!


    • Clayton Cobb said

      What part is throwing you for a loop? You didn’t explain the problem yet.

      A few things to be aware of: 1) If using FBA, then you User Profile Sync must have a connection to import data from the FBA membership provider 2) If using FBA in a Claims Mode web app, it must be the only authentication method allowed on that web app (can’t have multiple methods allowed, else InfoPath can’t authenticate)

      • Robin said

        I have been wanting username() function, and other functions to work with FBA authenticated users. What I have discovered is that .me filter with createdby does work in this context, and I can make that work for my requirements at the moment.

        I guess my mistake was assuming that everything (SharePoint environment)that worked for Classic authenticated users would just work for Claims users when the trasition was made, and that is not the case.

      • Clayton Cobb said

        Definitely not the case.

        Filtering on [Me] only works if the person actually created the item, and even then, it’s obscurity and not security. That also only works in the SharePoint view and not inside the form itself.

  7. […] Clayton Cobb’s Contact List Method – […]

  8. Jett said

    Hi Clayton,

    Great post! I applied your method and it works perfect! I created a form which opens up different views (admin/user) depending on the user’s presence in the custom list I created in SharePoint. The custom list contains the admins for the form and not connected to Outlook. However, I connected a workflow to the form document which should notify the admins in the custom list via email whenever a new form is created. Currently, I manually added the admin’s email addresses in the email’s “To” field. Is there a way I can automatically pull the users listed in the custom list and use it in the workflow email?



    • Clayton Cobb said

      You already have a data connection to the contact list, so you have the email addresses. You need to use the double eval trick from alec pojidaev’s blog to concatenate those email addresses into a single field delimited by semicolons. The article is codeless programming #1.

  9. Himanshu said

    I want to know how the user roles under data tab can be enabled in infopath 2010

    • Clayton Cobb said

      Himanshu, you don’t “enable” it. It is only available in Filler forms and is automatically available.

  10. Kev Houston said

    Hi Clayton,

    I’m falling at the first hurdle.

    I created a MOSS Contacts List and syncronised with Outlook 2007.

    I cannot copy contacts within Outlook from My Contacts to the Contact List (create as per instruction) visible under Other Contacts. The message states “Cannot move the item. You cannot make changes to contents of this read-only folder.” I cannot see a reason why it is being deemed read only. Trying at add a new contact to the list directly I get ‘You cannot make changes to content of this read-only folder’.


    Any ideas?

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: