Clayton's SharePoint Madness

All About SharePoint, InfoPath, and SharePoint Designer!

InfoPath – User Roles in Browser-Enabled Forms Using AD Groups

Posted by Clayton Cobb on July 19, 2009

MAJOR REVISION – Now using GetCommonMemberships web method to determine group memberships for users without needing to use contact lists or any other manual data source!

So, you need to restrict certain controls in your InfoPath form, but it’s browser-enabled, and you just found out that User Roles are not supported, huh?  You also see that SharePoint permissions do not help restrict specific areas within your form, so what do you do?  There are probably several methods, but here is the one I have come up with that uses all built-in functions of InfoPath and MOSS 2007 without any code and leverages Active Directory Security Groups.

Special thanks to a co-worker of mine – Irene Clark – who I taught to use the UserProfileService and subsequently figured out on her own that GetCommonMemberships could help with User Roles.  She showed it to me, and I immediately jumped on it to come up with what you see here.   Thank you very much, Irene!

Here is an outline of the steps with the assumption that you already have a working, browser-enabled form.  If anyone needs me to write up the basic steps of creating a browser-enabled form from scratch, let me know via the Blog Request Log:

  1. Add GetCommonMemberships data connection
  2. Add necessary fields to form template and configure them
  3. Add conditional formatting to applicable controls

User Profile Service – GetCommonMemberships Method

We must add this superb web service to our form template as a data connection.  Please use the first 8 steps of Itay’s writeup to get this done, since he deserves the credit for most of what I know about this web service.  Once you’ve added it successfully, we need to do a few things with it using the later steps in Itay’s blog.  Here are the steps.  They are text only with no screenshots, so I will just paste them here.  Remember that we are leveraging a different web method than Itay, but it’s the same web service:

  • With InfoPath opened go to Tools > Data Connections, and click ‘add…’ to add a new data connection to the form. This opens up the Data Connection Wizard.
  • We want to receive data from the WS about the current user, so choose ‘Receive data’ and click next.
  • Our data source is a WS so choose ‘Web Service’ and next.
  • Now you will have to point the wizard to the WS. Type an address similar to this: http://ServerName/_vti_bin/UserProfileService.asmx  and click next.
  • Here you get a list of all methods for that WS, choose GetCommonMemberships and click next.
  • In this screen you can specify what parameters are sent to the method, we are relying on the method’s ability to return the current user name if no value is passed to it, so we will leave this as is (no value is passed to the method) and click next.
  • Click next and make sure ‘Automatically retrieve data when form is opened’ is checked.
  • Finish the wizard.

In this solution, the GetCommonMemberships (GCM) method of the UserProfileService will provide the values we need to check a user’s Active Directory (AD) Security Group (SG) and Distribution List (DL) membership.  This method also provides SharePoint (SP) Site membership, but that is not as useful as SP group membership would be, and SP group membership is something it does not provide.  I will be focusing only on the AD group memberships for this write-up.  Here are some steps showing how to use and see what this method provides:

  • View this method’s node structure
  • Drag the whole repeating group to the canvas and preview to see the result
  • Reduce the table to the most useful fields and decide which ones you want to leverage
  • Filter to show only the AD groups
  • Create a dropdown control bound to an element in your main data source that will show a selectable list of groups for a given user
  • Use this information to apply conditional formatting on other controls

Notice that the node structure in the GCM method (Fig 1) is much more friendly than GetUserProfileByName.  You can clearly see the information that is available, and the nodes are self-explanatory for the most part.


Fig 1 – GCM Node Structure

Grab the MembershipData repeating group onto the canvas and choose Repeating Table when prompted.  This lays out the entire node structure nicely, although you will need to expand the table and the columns in order to clearly see the data (Fig 2).


Fig 2 – Full GCM Repeating Table Structure with Sample Data

In my opinion, certain fields are not useful to us due to either not having data or not having data that is useful for determining User Roles.  I will delete the columns named Group Type, Privacy, ID, Member Group ID, and Group (Fig 3).  Notice that Member Group ID does have some unique info, but I am not yet sure how to leverage that data.  You may also want to remove the SourceInternal field from the MemberGroup section, because it shows the same GUID each time (at least in my system).  As for the remaining fields, here are my notes so far:

  • Source: This shows whether the record is an AD group (noted as “DistributionList”) or a SharePoint site membership (noted as “SharePointSite”).  Note that these are not SharePoint groups, but rather site memberships, and only where the user has been specifically added to that site with permissions as opposed to inheriting permissions through AD SG membership.  The AD groups include both SGs and DLs, which is important to know.
  • Member Group – Source Reference: This shows the Organizational Unit path in Active Directory of the DistributionLists and shows a GUID for SharePointSites.
  • Display name: This is the Display Name of the group as defined in AD.  In Outlook, this name can typically be used as an addressee for an email, and the name will resolve to the email address.  This name SHOULD be unique and will be what we use for our User Role matching later.  For SharePointSites, this is just the site name.
  • Mail NickName: This is the alias for that group in AD, and it also will resolve to the email address when used in Outlook.  However, I found in my system that there were _two_ separate contacts in the GAL with the same alias.  That should not happen, and I will be notifying the AD admins, but the fact that it did happen with a common SG I use means it is not a guarantee, so be wary of that.  The same could potentially happen for Display Name, but that is a much longer and more specific name while aliases are sometimes just a few letters.  There is no nickname for SharePointSites.
  • URL: This is the direct email address for the group in the form of  This also could be a very good source for matching groups and/or for sending emails.  Again, the email address SHOULD be unique, but that all depends on how well your AD is maintained.  For SharePointSites, it shows the URL to the site.


Fig 3 – Partial GCM Table with Relevant Columns Only

If you ever plan to use this method for displaying a user’s list of group memberships, you may want to only show the DistributionList records.  To do so, simply right click on the repeating table itself and create a conditional formatting rule that hides the control if the Source node is equal to “SharePointSite” in it (Fig 4).  Interestingly, when going through the wizard to set this condition, the wizard automatically detected the available options for that node.  I am used to seeing that with my main data source, but it does not always happen when referencing a secondary data source node.  In this case, it helps to quickly choose the right selection without the potential for a syntax error.  The result will be that you only see DistributionList records in the repeating table, which is the information that would be useful.


 Fig 4 – Set Filter on GCM Table to Only Show AD groups

You may also at some point wish to show a user’s group memberships in a pulldown and then use a particular selection to trigger a rule or match some other condition elsewhere in the form.  You may even use it to see another user’s memberships (other than the current user) and then select a group to then invoke the UserGroup web service (or possibly other available web services/methods similar to this) to enumerate the users in the group.  That is outside the scope of this write-up, but it’s something to consider.  To set up the dropdown, follow these steps:

  • Create a text data element in your main data source with whatever name you prefer
  • Drag that field to the canvas, which makes a text box
  • Right-click that box and change it to a Drop-down List Box
  • Double-click the dropdown to get to its properties (Fig 5)
    • Select the radio button that says, “Look up values from an external data source”
    • For the Data Source, choose GetCommonMemberships
    • For Entries, click the button, drill down through the groups, and select the MembershipData repeating group
    • For Value, choose whatever node you prefer as your primary key (unique value).  DisplayName, Nickname, and URL are all suitable.
    • For Display Name, choose the DisplayName node
  • Click OK until done and preview the form.  You should see the friendly names of your groups all listed in the dropdown.  Since this is a browser form, we cannot filter the dropdown (at least until we get SharePoint 2010!), so you will see the SharePointSites, too. 


Fig 5 – Dropdown Bound to Main Data Source and Showing GCM Group Data

Add Necessary Fields to Form Template, Create Layout, and Configure Default Values

First, manually create all the fields and groups you see below (Fig 6).  Notice that strAdmin and strFinance have default values.  Do not mimic these in your real form, because they will depend on your group names, which we’ll get to shortly.


Fig 6 – Data Structure

Next, we need to create our layout on the canvas (Fig 7).  For this example, I simply have two sections that are bound to grpAdmin and grpFinance (do not include their child fields), respectively, along with some text and a color for differentiation.  I also have a repeating table bound to the MembershipData repeating group of the GetCommonMemberships method that is only showing the DisplayName element.  This is only on the form for now to show what is happening, but it would not be on the form when using this concept unless you have some reason for showing the current user’s groups.  You get this on the canvas by following the steps shown in Figures 2-4.


Fig 7 – Form Layout

After that, we need to assign our initial values that will play a part in the security of our form.  For this exercise, we will use two Group Check Fields. This part is important, because this is what defines the group memberships in your form that will be leveraged for User Roles.  I am using “Sharepoint Admins” and “Finance,” because those are the _exact_ words that show up in the DisplayName field of GetCommonMemberships (refer to Fig 2).  In your case, you’ll want to add a field for each group that you want to define for your User Roles and set its default value accordingly:

  • strAdmin – Set the default value to the text “Sharepoint Admins” (no function used)
  • strFinance – Set the default value to the text “Finance”
  • Remember, please use proper values for your environment based off what you see in your equivalent of Figure 2 above

Add Conditional Formatting to Sections

  • Administrators Section – We are going to set conditional formatting on this control (Fig 8) so that if the user is not in the Sharepoint Admins security group, then this control will be hidden:
    • Double-click the Administrators section on the canvas to get to its Properties, click the Display tab, then click Conditional Formatting and click Add
    • In the first field, click Select a field or group
      • In the Data Source pulldown, select the GetCommonMemberships secondary data source
      • Drill down the dataFields path until you get to DisplayName, which you should single-click
      • At the bottom of this box where it says Select, choose the phrase All occurrences of DisplayName, then click OK
    • For the operator, choose “are not equal to”
    • In the last box, click the pulldown and choose Select a field or group, then choose strAdmin from the main data source
    • Lastly, in the Formatting area, check the box for Hide this control


Fig 8 – Conditional formatting to hide sections from unintended users

  • Finance Section – Do the same thing as with the Administrators Section except in the last box of the conditional formatting setup, choose strFinance.  This will compare the current user’s list of group memberships with the exact name of the Finance security group, which is what we set the value of strFinance to be.
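To see what these two rules actually compare, here is an added example (my code, written for this page; it is not Clayton’s form and not anything InfoPath generates) that reproduces in Python what the GetCommonMemberships connection posts and what comes back, the Fig 4 filter on Source, and the Fig 8 decision “hide the section unless some DisplayName equals the Group Check Field.”  Everything beyond the field names shown in Figures 1–3 is an assumption: the SOAP namespace and SOAPAction, the spelling of the MailNickname element, and both responses, which are constructed by hand (one user matching SharePoint Tester, and a second user who belongs to two groups sharing the alias “hr” and to a site titled “Finance”, placed there to exercise the two caveats from the field notes above).  It runs offline against those constructed responses.

```python
"""Added example (not from the original post): reproduce outside InfoPath what the
GetCommonMemberships data connection sends and returns, and what the Fig 8 rule
("all occurrences of DisplayName are not equal to strAdmin" -> hide) decides.
Assumed, not taken from the page: the SOAP namespace/SOAPAction, the MailNickname
element spelling, and every record in the constructed responses below."""
from collections import Counter
from dataclasses import dataclass
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UPS_NS = "http://microsoft.com/webservices/SharePointPortalServer/UserProfileService"
SOAP_ACTION = UPS_NS + "/GetCommonMemberships"  # assumed ASMX convention: namespace + "/" + method
GUID = "{00000000-0000-0000-0000-000000000000}"  # placeholder for SourceInternal / site references

def build_request(account_name=""):
    """Body InfoPath posts to /_vti_bin/UserProfileService.asmx. An empty accountName
    means "the authenticated caller", which is what the form relies on at load."""
    body = f"<accountName>{escape(account_name)}</accountName>" if account_name else "<accountName/>"
    return (f'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="{SOAP_NS}">'
            f'<soap:Body><GetCommonMemberships xmlns="{UPS_NS}">{body}</GetCommonMemberships>'
            f"</soap:Body></soap:Envelope>")

@dataclass(frozen=True)
class Membership:
    source: str            # "DistributionList" (AD SG or DL) or "SharePointSite"
    display_name: str      # AD display name, or the site title for SharePointSite records
    mail_nickname: str     # AD alias; empty for sites
    url: str               # group e-mail address, or the site URL
    source_reference: str  # OU path in AD, or a GUID for sites

def parse_memberships(xml_text):
    """Flatten every MembershipData node of a GetCommonMembershipsResponse (Fig 1 layout)."""
    q = lambda name: "{%s}%s" % (UPS_NS, name)
    root = ET.fromstring(xml_text)
    return [Membership(md.findtext(q("Source"), ""), md.findtext(q("DisplayName"), ""),
                       md.findtext(q("MailNickname"), ""), md.findtext(q("Url"), ""),
                       md.findtext(q("MemberGroup") + "/" + q("SourceReference"), ""))
            for md in root.iter(q("MembershipData"))]

def ad_groups(memberships):
    """The Fig 4 filter: keep AD records, drop SharePointSite memberships."""
    return [m for m in memberships if m.source == "DistributionList"]

def section_hidden(memberships, group_check, ad_only=False):
    """The Fig 8 rule: hidden unless some DisplayName equals the Group Check Field value.
    XPath string comparison is exact and case-sensitive, hence the post's insistence on
    the exact text. The post's rule looks at every record, so with ad_only=False a
    SharePoint site whose title equals a group name also satisfies it."""
    pool = ad_groups(memberships) if ad_only else memberships
    return not any(m.display_name == group_check for m in pool)

def visible_sections(memberships, role_map, ad_only=False):
    """role_map mirrors the strAdmin/strFinance defaults: section name -> group display name."""
    return sorted(name for name, check in role_map.items()
                  if not section_hidden(memberships, check, ad_only))

def duplicate_keys(memberships, attr):
    """Candidate match keys that are not unique among the user's AD groups (the
    duplicate-alias situation the post warns about)."""
    counts = Counter(getattr(m, attr) for m in ad_groups(memberships))
    return sorted(k for k, n in counts.items() if n > 1)

def constructed_response(records):
    """Build a response envelope from (source, display, nickname, url, reference) tuples.
    Constructed for this example; not a capture from a real farm."""
    items = "".join(
        f"<MembershipData><Source>{escape(s)}</Source><MemberGroup><SourceInternal>{GUID}"
        f"</SourceInternal><SourceReference>{escape(r)}</SourceReference></MemberGroup>"
        f"<DisplayName>{escape(d)}</DisplayName><MailNickname>{escape(n)}</MailNickname>"
        f"<Url>{escape(u)}</Url></MembershipData>" for s, d, n, u, r in records)
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><GetCommonMembershipsResponse '
            f'xmlns="{UPS_NS}"><GetCommonMembershipsResult>{items}</GetCommonMembershipsResult>'
            f"</GetCommonMembershipsResponse></soap:Body></soap:Envelope>")

ROLE_MAP = {"Administrators": "Sharepoint Admins", "Finance": "Finance"}
OU = "OU=Groups,DC=example,DC=com"
# SharePoint Tester: in Finance only, plus one site membership.
TESTER_RESPONSE = constructed_response([
    ("DistributionList", "Finance", "finance", "finance@example.com", "CN=Finance," + OU),
    ("SharePointSite", "Team Site", "", "http://sp.example.com/sites/team", GUID),
])
# Second user: in Sharepoint Admins, in two groups that share the alias "hr", and a
# member of a site whose title happens to be "Finance".
ADMIN_RESPONSE = constructed_response([
    ("DistributionList", "Sharepoint Admins", "spadmins", "spadmins@example.com", "CN=Sharepoint Admins," + OU),
    ("DistributionList", "HR", "hr", "hr@example.com", "CN=HR," + OU),
    ("DistributionList", "HR Benefits", "hr", "hr-benefits@example.com", "CN=HR Benefits," + OU),
    ("SharePointSite", "Finance", "", "http://sp.example.com/sites/finance", GUID),
])
```

Calling visible_sections(parse_memberships(TESTER_RESPONSE), ROLE_MAP) gives only Finance, which is the Fig 10 result.  For the second user the ad_only switch is the point: the conditional formatting compares every DisplayName the method returns, so a site titled “Finance” satisfies the Finance rule unless the comparison is restricted to Source = DistributionList, and section_hidden(…, "SharePoint Admins") stays True because the comparison is exact and case-sensitive.  duplicate_keys shows why DisplayName or URL is a safer match key than the alias when the GAL is not clean.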

Now, it’s time to show it in action.  In my scenario, I have two user accounts:

  • Clayton Cobb – I am in the Sharepoint Admins SG but not in Finance
  • SharePoint Tester – He is in the Finance SG but not in SharePoint Admins

I’ll start with SharePoint Tester being logged in (Fig 9) who will open a new browser form (Fig 10).


Fig 9 – SharePoint Tester logged in


Fig 10 – SharePoint Tester only sees the Finance section

After saving the file as the SharePoint Tester, I will now log in as myself (Fig 11) and open the existing form (Fig 12). 


Fig 11 – Clayton Cobb logged in


Fig 12 – My account only sees the Administrators section

**After it is all working, be sure to remove the repeating table from your form, or, if you decide to show it for some reason, make it read-only so that users can’t manually change it.  Keep in mind that conditional formatting only hides controls in the rendered form; it is not a permission on the underlying form data, so the SharePoint permissions on the library remain your real access boundary.

That’s all there is to it!  You can now leverage Active Directory distribution lists and security groups for providing a mock User Roles functionality in Browser Forms without writing any code and while maintaining Domain Trust. The key here is that when looking at the same form, two separate users will see different information based on their group memberships in Active Directory.  Imagine the other ways you could leverage this by restricting individual controls, whole sections, or even entire views, which is very powerful!


187 Responses to “InfoPath – User Roles in Browser-Enabled Forms Using AD Groups”

  1. Great stuff. That method will be a big help for developers.

  2. Alana said

    Ah, Clayton… what a legend!!

  3. John said

    Is there any reason anyone can think of where this wouldn’t return groups for the current user? I’m logged in to my local machine, but VPN’d into a site that allows me to use “GetUserProfileByName” and it returns my domain information (based on who I’m logged in as through the VPN; testing with an InfoPath form in ‘client’ mode).

    I even tried making a list box that was populated from the data connection where accountName=DOMAIN\Administrator, and still nothing.

    • Clayton Cobb said

      Are you certain that your expected username is being sent to the web service? You mentioned that something works in client mode, but that is not indicative of what will happen in browser mode. As a test, put a new text field on your form canvas and set the default value to the function userName(). See what that says – it should default to the username of the account you’re logged into your MACHINE with, which may not be the one you prefer, and be sure to only test in browser mode.

      If you see the proper username in browser mode, and there are no data access errors, then make sure that user account actually resides within AD Security Groups or Distribution Lists that have been imported to the profile database via your SSP.

  4. John said

    My form won’t work in browser mode, and I’m not going to go into why here. Suffice it to say, InfoPath client.

    Therefore, when I run my form, userName() is simply ‘fred’ (with no machine name; I’m not logged into a domain).

    Having said that, I can use the old GetUserProfileByName service just fine, and it returns ‘PreferredName’ or anything else I throw at it.

    As a test, I hard-coded a filter where accountName = DOMAIN\fred as a test, and it still doesn’t enumerate any groups.

    Seems like none of these things end up working for me.

    Please note: GetUserProfileByName works just fine. If that works, I’m not clear as to why GetCommonMemberships would not work.

  5. John said

    I finally got this working. Turns out the problem was two-fold.

    1) Our SharePoint server wasn’t set up to do AD imports on a scheduled basis, so it only had a few imported users from when we set it up, therefore no groups we created after the fact in AD.

    2) I found this ( which says for the groups to show up, they must have email addresses.

    Now that I have that working (at least using the repeating table test just to see the groups come back for the current user), what I’d like to get working is to be able to pass a parameter as a filter to myFields\queryFields\s0:GetCommonMemberships\accountName and have it return the groups for that user.

    I tried passing currentUser as well as passing it the string DOMAIN\me (obviously replacing DOMAIN and me), and it doesn’t work.

    Is there a security limitation to not being able to query on that for someone other than the current user? Do I need to pass a formulated LDAP name for that to work, vs a name like DOMAIN\me?

    Any help would be appreciated. Almost there!

    • Clayton Cobb said

      John, you’re in luck. I explain exactly how to do that in my other blog post named “InfoPath – Get user information without writing code (extended)” at this URL: Use that technique to send a different username to the GetCommonMemberships web method so that you can get that user’s group memberships in AD. The value you want to pass is the username and not the domain name, such as “ccobb,” but not “domain\ccobb.”

      To be clear, yes, you can always send a new query value to get data. The fact that it works on form load is just a bonus that is built in, but it’s no different than sending another username as long as it has the correct syntax AND as long as it exists in the profile database.

      • John said

        That was perfect, thank you!

        One final piece to the puzzle (well two actually).

        Background on how I’m implementing this: I’m using a ‘Contact Selector’ control to let them pick a person, and because I can’t hang ‘rules’ off the Contact Selector control, I gave them a ‘Get Groups’ button. When you click it, it follows your example, and it sets values (AccountId and DisplayName) under ‘another’ Contact Selector control. The values being the groups of the person in the first Contact Selector control.

        1) It seems like the groups come back as ‘group’ and not ‘DOMAIN\group’, which I’d like to store in AccountId in the second CS control. Not a ‘huge’ problem, as the target audience is all in one domain, and I can put that in a configurable business keyword that they could change later, and concatenate it together with the ‘flat’ group names that are returned (if I have to go that way), but I figured I’d list the issue.

        2) This one is a bit more of a problem, and makes me think I’ll need to take this to some C# code-behind, which wouldn’t be the worst thing in the world. I put myself in multiple groups (that have email addresses), forced a profile import to sharepoint, verified the new group came across and the existing group was still there, as an added bonus, I put ‘another’ user solely in the new group, just to verify the group exists, and ran the button.

        If I pick the new user (who is only in the new group), it returns the new group. If I pick myself, it pulls back the first group only, and not the new group. I’m assuming this might be a limitation with it only pulling back the ‘first’ item from the data source? Doing the repeating table trick is nice to visually ‘see’ everything, but is it possible to take the repeating values from a data source result and set them as repeating values in another field?

        If that’s not possible, let me know. I’m pretty confident I can lift this up and take it to code behind.

        Thank you very much for the help thus far. Slowly but surely I’m learning.

      • Clayton Cobb said

        For #2, what is it you are trying to do with the repeating list of groups for a given user? You say you are able to display them in a repeating table the way I showed but that you can’t do something else with those values. What is that “something else” you are trying to do? Why do you need to set the group values elsewhere? Are you trying to resolve these groups into a contact selector that shows each group a user belongs to? Let me know the purpose and goal of this so that I can help you achieve it without code. Just in case it’s relevant to your goal, review my Copy SharePoint List Data to Main Data Source:

      • John said

        Thanks, I’ll take a look at that when some of the dust settles.

        As it turned out, I went with a programmatic solution, using AppendChild to add all the groups returned by the GCM call into each of the things under my contact selector (GroupGroup). That seemed to work out good. Now they pick a name in the first Contact Selector from the AD, and click a button next to it called ‘Get Groups’, which populates a list of all the groups they belong to.

        The reason for the two controls is you first use a CS to pick a person to retrieve groups from, and then use the second CS (which now has the groups for that person in it) to either add to those groups or remove from them, using the AD picker.

        Thanks again for all the help!

        Note: If there is a non-programmatic way to get multiple values returned by GCM into multiple entries under a Contact Selector, I’d still love to see it. Using the simple Set Field under Rules seemed to bark when I picked anything other than an end, non-repeating data value, which only ever would return the first group.

      • Clayton Cobb said

        Your code makes the form require full trust, right? That’s not a best practice and is something you want to avoid always if you can. I think you will find that copy table may work, but I may need to do some of my own testing to be sure.

      • John said

        Actually, I published it this morning still set to ‘Default’ and it’s working like a champ.

        Keep in mind, these forms all run inside the InfoPath client (as making these things web only, at least with 2007, is far too limiting at this point … but I see they are fixing some of that with 2010, which will be nice).

      • Clayton Cobb said

        Surprising. You usually can’t get away with domain trust with code as it won’t run on the client machine otherwise. Depends on the code itself, though.

      • John said

        Well, the code isn’t much of a change from what you presented here, just doing the same thing, but in code (using the same data source). The reason I needed code was to step through the items returned and AppendChild:

        public void GetCloneGroups()
        DataSource dsGCM = this.DataSources["GetCommonMemberships"];
        string clone = xnDoc.SelectSingleNode("/my:myFields/my:ExchangeSection/my:LotusNotesClone/my:Person/my:AccountId", ns).Value;
        clone = clone.Substring(clone.IndexOf("\\") + 1);
        XPathNavigator xnGCM = dsGCM.CreateNavigator();
        xnGCM.SelectSingleNode("/dfs:myFields/dfs:queryFields/s0:GetCommonMemberships/s0:accountName", ns).SetValue(clone);
        XPathNavigator xnGCMGroups = xnGCM.SelectSingleNode("/dfs:myFields/dfs:dataFields/s0:GetCommonMembershipsResponse/s0:GetCommonMembershipsResult", ns);
        XPathNavigator xnGroups = xnDoc.SelectSingleNode("/my:myFields/my:ExchangeSection/my:LNGroups", ns);
        string displayName = "";

        displayName = xnGCMGroups.SelectSingleNode("s0:DisplayName", ns).Value;
        "" +
        "" + displayName + "" +
        "" + displayName + "" +
        while (xnGCMGroups.MoveToNext());

      • John said

        Ok the embedded xml characters messed that up 🙂

        XML tags in ‘brackets’. See if this works…

        using System.Xml;
        using System.Xml.XPath;
        using Microsoft.Office.InfoPath;

        public void GetCloneGroups()
        {
            // Navigator over the main data source, and the form's namespace manager (my:, dfs:, s0:)
            XPathNavigator xnDoc = this.MainDataSource.CreateNavigator();
            XmlNamespaceManager ns = this.NamespaceManager;
            DataSource dsGCM = this.DataSources["GetCommonMemberships"];
            string clone = xnDoc.SelectSingleNode("/my:myFields/my:ExchangeSection/my:LotusNotesClone/my:Person/my:AccountId", ns).Value;
            clone = clone.Substring(clone.IndexOf("\\") + 1); // GCM wants "user", not "DOMAIN\user"
            XPathNavigator xnGCM = dsGCM.CreateNavigator();
            xnGCM.SelectSingleNode("/dfs:myFields/dfs:queryFields/s0:GetCommonMemberships/s0:accountName", ns).SetValue(clone);
            dsGCM.QueryConnection.Execute(); // re-run the query for the selected user
            // Iterate the repeating MembershipData group, not the Result wrapper, so MoveToNext walks the records
            XPathNavigator xnGCMGroups = xnGCM.SelectSingleNode("/dfs:myFields/dfs:dataFields/s0:GetCommonMembershipsResponse/s0:GetCommonMembershipsResult/s0:MembershipData", ns);
            XPathNavigator xnGroups = xnDoc.SelectSingleNode("/my:myFields/my:ExchangeSection/my:LNGroups", ns);
            if (xnGCMGroups == null) return; // no memberships came back
            string myNs = ns.LookupNamespace("my");
            do
            {
                // Escape the value so a group name containing & or < cannot break the appended fragment
                string displayName = System.Security.SecurityElement.Escape(xnGCMGroups.SelectSingleNode("s0:DisplayName", ns).Value);
                xnGroups.AppendChild(
                    "<my:Person xmlns:my=\"" + myNs + "\">" +
                    "<my:DisplayName>" + displayName + "</my:DisplayName>" +
                    "<my:AccountId>" + displayName + "</my:AccountId>" +
                    "</my:Person>");
            } while (xnGCMGroups.MoveToNext());
        }

      • John said

        Nope, it hates me, oh well, I tried.

      • Clayton Cobb said

        To be clear, the CopyTable qRule does inject code into the form, so it’s not even a no-code solution itself. You just don’t have to write or test the code yourself, and it allows InfoPath form designers to incorporate the feature into every form without writing any code. Definitely not a “no-code” solution, though.

  6. Amuro Ray said

    A problem that I’m having with this is that it’s not showing me my AD groups. Would this happen because of the way I imported the user profiles into Sharepoint? I did not do the automatic import of users from AD because it’s a mess and I didn’t want to bring the mess into Sharepoint.

    • Clayton Cobb said

      How did you import them then? In order for anything to show up with any of the built-in MOSS web services, the data has to be in the SharePoint profile database. We have found several reasons for groups not to show up in the comments above, but it seems to always come back to the data not being in the profile database, but that can have several causes. You need to make sure those groups in AD have email addresses, and then you need to be sure they are in the profile database by doing a proper profile import. After that, the information will show up when calling the web service.

      • Amuro Ray said

        The way we have been importing the user accounts is by clicking on “New Profile” button and then typing in the username for “Account Name.” After that, we would press the “Check Names” button and it would know who we are looking for through AD. Then we would hit “Save and Close.” After we press that button, we can go back into the account and see that it automatically pulled in the other fields.

        When I try the process above, I am able to see my Sharepoint Site Memberships. It’s just the AD groups I can’t see.

      • Clayton Cobb said

        I’m not sure that method will pull in the groups automatically. I think the fact that it shows your other data and the SharePoint Sites is a pretty good indicator that it’s not bringing in all the necessary AD info, specifically the group memberships.

  7. dan said

    Just wondering if the process changes much for using SP groups ?

    I have a form that has an area that should only be seen by people in a particular SP group. We use Nintex workflows, and what we do is in the form the user can select a group of users and then these users are populated into a group created just for this form. Once the form is closed, the group is deleted. Whilst the form is in a status of “open” the users in the group all have rights to edit the hidden field (it is a stakeholder discussion area).

  8. Joe said

    Hi Clayton, I got up to the part where I create the repeating table from the data source created. I publish the form to SharePoint and then open a new form in the browser. When I do I get the error:

    An error occurred accessing a data source.
    An entry has been added to the Windows event log of the server.
    Log ID:6932

    First I can’t find any error on my server with that log id. Second, I googled the error and ran across a few people with the same problem that said that this was a full trust issue.

    Did you ever come across this?

    • Clayton Cobb said

      It’s a pretty common error when working with data connections, especially web services. That error likely means that the account you’re using cannot authenticate to the web service. Take the URL of the web service and paste it into a browser. Do you see results? Are you using Firefox or IE when opening the form? Are you on the SharePoint server or a client? Does the UserProfileService work in any of your browser forms?


  9. Lee said

    Thank you for the article.

    When I use a domain administrator account, things seem to work ok.

    Whenever I use my standard domain user account, I get an authentication error (5566).

    Given that the form is intended for users rather than admins, how can I get around this?

    Thanks again.

    • Clayton Cobb said

      Then you have to figure out what permission restriction you have in place so that your users can utilize it. It’s only restricted like that due to settings in your particular farm. By default, this web service is readable by all authenticated users. There are a few places to check: 1) Make sure that in the SSP for this site, all authenticated users have Read permissions on the Personal Features within the Personalization Service Permissions. 2) Make sure that the IIS site does not have Anonymous access enabled. 3) If it’s a multi-WFE farm, convert the data connection to UDC. First create a data connection library in your site collection root (top-level site), then convert the data connection to UDC and specify that DCL library for saving it. After doing this, go to the DCL to publish and approve, because content mgmt is enabled on DCLs by default.

      #1 should be the first thing you check, because it’s easy and is usually the issue.


      • Lee said

        Thanks for the swift response Clayton – you rock.

        I haven’t had a chance to make and test any changes yet but looking at your suggestions I know immediately that I removed all personalization permissions to get rid of that pesky My Site option I didn’t want users clicking.

        There are other ways of achieving that, so I can give personalization permissions back and go through your tutorial again.

        Thanks again. Great blog.

      • Clayton Cobb said

        Actually, you get rid of the MySite link by removing “Create Personal Sites,” but you can leave “Personal Features” turned on. That way, they have no MySite link but can still use the profile services.

        Why do you refer to MySites as pesky? They are one of the most valuable parts of SharePoint in my opinion. They are great for user adoption, spontaneous collaboration, for giving users a place to play around and test without messing up production sites, etc.


      • Lee said

        That’s what I did and my permission problems are over. I’ve read over the page a few times just to be sure I am not missing anything, and as far as I can see I have followed your steps properly – but I am only getting SharePoint memberships, no AD SGs or DLs.

        I did a ‘full import’ from the SharePoint User Profiles and Properties just in case that might help but it made no difference.

        Just to check that the username being sent back is not an issue, I made a username field and also created a separate connection for GetUserProfileByName – both worked as expected, so no issues there.

        Any suggestions would be appreciated.

        (As an aside, I will consider your points on MySite – to be honest, we did not really look at it before switching it off, just made a kneejerk reaction at adoption. I have created a MySite for myself and will spend some time with it.)

      • Clayton Cobb said

        I’m glad you will consider the value of MySites. I have heard of people having that same knee-jerk reaction and thinking MySites are a bad thing, but to the contrary, they are an awesome feature of SharePoint. You really have nothing to lose with giving people the OPTION of using them. What you could do is run a pilot by creating a new AD Security Group with only a limited # of people in there, and then give that group the Create Personal Site permission in the SSP so that only those folks even see the My Site link for piloting purposes.

        For you not to see groups, they either are not in the profile database, or that particular user does not have any groups associated.

      • John Stream said

        3) If it’s a multi-WFE farm, convert the data connection to UDC. First create a data connection library in your site collection root (top-level site), then convert the data connection to UDC and specify that DCL library for saving it. After doing this, go to the DCL to publish and approve, because content mgmt is enabled on DCLs by default.

        This is money! I’ve been trying to figure out why my forms were intermittently working in my two-WFE farm, and this not only made it work 100% but also increased the form load speed. Two days to get this figured out. Well done Clayton.

        Reference Links: (This showed me how to create the reference DCL under the site) (GetCommonMemberships is what drove me to the DCL and UDCX pages)

      • Clayton Cobb said

        John, glad that helped. However, you may want to test your forms in multiple browsers (IE/FireFox/Safari/Chrome) to be sure you don’t have any double-hop authentication issues with multiple WFEs. I need to blog all about that, but blogging is pretty low on the priority list these days. =D

      • John Stream said

        I also wanted to link back to this site which ultimately 100% fixed my issues.

        On each WFE, I edited the hosts file to point our main VIP name to Once I made this change, any random 5566 errors went away.

  10. Katherine said

    Is there a way to make a forms library so the form submitter can only see their own form? I need to make a request-for-leave form, but we want the employees to only be able to see their own forms. They want to use an InfoPath form in SharePoint, but I can’t figure out how to secure it. I can make the rest of the workflow do what I want, but everybody that can submit can open any form.

    • Clayton Cobb said

      Katherine, yes, this can be done. I have 2 codeless options for you – one that uses obscurity, and one that uses actual security. You can see my video showcasing this exact scenario on the front page of my blog. Here is the direct link to the vid: In this vid, I’m showing off 2010 features, and the dynamic permissions on the forms are OOTB functionality of SPD2010. However, for 2007, you will need to install a set of custom SPD workflow activities in order to get this same functionality. Anyway, here are the two methods:

      Obscurity: Simply add a view to your form that has no data and says “Unauthorized Access.” Use Form Load rules to check the identity of the current user, and then if that user is neither the creator nor the manager (or whoever else is allowed to see all forms), switch to the unauthorized view. Using this method, people can still ‘see’ all the forms, but when opening in InfoPath, they see no data. This method does not obscure, hide, nor protect any data that has been PROMOTED to the SharePoint form library, which means the promoted fields will show up in the library as columns even if the form isn’t opened. Also, if someone chooses to save the XML file locally and open it with Notepad, then they’d see all the raw XML data.

      Security: Use SharePoint Designer 2007 custom workflow activities. Go to Codeplex and get the package: When the form is submitted initially, make sure your first step is to Delete List Item Permissions (in this action, remove the group that contains all users who are allowed to submit a request), then the 2nd action is to Grant Item Permissions back to the person who created the form. For admin/HR/managers, simply give them permissions via different groups at the list level and don’t change their permissions at the item level unless necessary.
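The “Security” option above, as an added PowerShell example that is not code from the original post or its SPD workflow activities: it performs the same two steps (remove the all-submitters group from the item, then grant the creator back) through the SharePoint 2010 server object model, and finishes with the check a practitioner wants, a listing of who can still reach the item. The web URL, library name, item ID and the “Leave Submitters” group name are assumptions for illustration; MOSS 2007 has no SharePoint PowerShell snap-in, so there the equivalent stays in the workflow actions Clayton describes.

```powershell
# Added example (not from the original post): item-level permissions on a
# submitted form, mirroring the two SPD workflow actions described above:
#   1. remove the group that holds every submitter from this item
#   2. grant the form's creator permission on this item only
# Requires the SharePoint 2010 object model on a farm server.
# URL, library name, item ID and group name are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl      = "http://intranet/sites/hr"   # assumed site
$libraryName = "Leave Requests"              # assumed form library
$itemId      = 42                            # assumed submitted form item
$submitters  = "Leave Submitters"            # assumed group that may submit

$web = Get-SPWeb $webUrl
try {
    $item = $web.Lists[$libraryName].GetItemById($itemId)

    # Break inheritance but copy the parent's assignments first, so the
    # HR/manager groups granted at the list level keep their access.
    if (-not $item.HasUniqueRoleAssignments) {
        $item.BreakRoleInheritance($true)
    }

    # Step 1: take the all-submitters group off this item.
    $group = $web.SiteGroups[$submitters]
    if ($group -ne $null) {
        $item.RoleAssignments.Remove($group)
    }

    # Step 2: give the creator (the Author / "Created By" field) Contribute
    # on this item. The field value is "ID;#Name", which SPFieldUserValue parses.
    $authorValue = New-Object Microsoft.SharePoint.SPFieldUserValue($web, [string]$item["Author"])
    $assignment  = New-Object Microsoft.SharePoint.SPRoleAssignment($authorValue.User)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
    $item.RoleAssignments.Add($assignment)

    # The check: list every principal that can now reach the item and with
    # which role. The submitters group must be gone; only the creator and the
    # list-level admin/HR groups should remain.
    foreach ($ra in $item.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-40} {1}" -f $ra.Member.Name, $roles
    }
}
finally {
    $web.Dispose()
}
```

Because the item no longer grants the submitters group anything, users in that group do not see the item in the library view at all, so the promoted columns that defeat the obscurity method are covered as well. Copying the parent assignments before pruning is what keeps the admin/HR groups working without touching each item for them.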


  11. pl7626 said

    Hi Clayton,

    I’m trying to follow your instructions step by step to get some practice. When I put the “Membership” into the canvas as a repeating table, it displays the membership of the sharepoint sites for me. I don’t see any of the AD group that I’m a member of. In the source, there’s a “Distribution List” entry, but when I select that, the data in other columns don’t change. Have I missed any steps?


    • Clayton Cobb said

      It means there are no DLs or SGs in the Profile Database for that user, which either means the user has no groups in AD, or they haven’t been imported to the profile database.


      • pl7626 said

        Thanks a lot Clay for the quick reply.

        I know the user account is definitely a member of a lot of AD groups. They are probably not imported into Sharepoint profile. And you mentioned this approach doesn’t give you the list of sharepoint groups that the user might be a member of. So, I guess, I won’t be able to implement user role unless I give up browser based form, which I don’t prefer.

        Let me know if you have any other ideas. I can probably create separate sharepoint lists and then retrieve information from it for users, but I don’t want to manage those lists manually. I think it’d be perfect if I could query AD directly without going through SP web services. Not sure if it’s doable, but I’ll try to do some research on this.

      • Clayton Cobb said

        Why can’t you just make sure that you import profiles fully? The groups get imported automatically unless the profile import is set to only read from a certain container, and the groups aren’t in that container. It’s definitely not perfect to query AD directly, because that is a major security risk. There is a way to do it with web services, but you either have to create your own or purchase the ADWS from Qdabra – it’s cheap – but it doesn’t make sense to do that when SharePoint exposes that info to you at no cost and no risk. Why are you not keen on just making sure you get the groups to come through the profile import? That should be happening anyway, and if it’s not, the farm is not built correctly (the SSP actually).


      • pl7626 said

        Thanks for explaining the issues with querying AD directly.

        I’m not sure why the groups are/were not set to be imported into profile. I don’t have the authority to adjust what data are imported from AD to Sharepoint. I’ll probably suggest it, but it’ll have to go through different areas and get approved by management before being implemented.

      • Clayton Cobb said

        I’m pretty sure that getting the profile import fixed – definitely not something that should have anything to do with management, but rather should be part of the daily operations of your SharePoint Administrator – will be much easier to accomplish than creating and installing a web service that directly touches a back-end business system (AD).


      • pl7626 said

        I will discuss with our SP Administrator and see if those info can be imported. That will definitely be a good starting point for me.

        Thanks for all the help so far.

  12. Scott Napolitan said

    Is it possible to use InfoPath 2010 with User Roles at all anymore? I can’t seem to get the user Roles button to light up no matter what I do! Working with views and user roles seemed so much easier and more straightforward before. 😦

    • Clayton Cobb said


      Are you working in a rich client (Filler) form? User Roles are not available in Browser Forms just like in 2007, and the templates at the top of the New page when creating a new form are all Browser forms. Go to File (Backstage) > Info > Advanced Form Options > Compatibility > Change to InfoPath Filler. Then, User Roles will work.

      Why are Views less straightforward for you? For my environment, I add my favorite buttons to the Quick Access Toolbar so that I have everything in one place without clicking around. The ones I put in the QAT are the Manage Rules cluster, Controls cluster, Views cluster, Data Connections, Preview, Quick-Publish, Save, etc.

      • Scott Napolitan said

        Thanks Clayton! This is what I was missing. I needed to change the form compatibility to be a Filler Form.

  13. Bil Simser said

    Clayton, any thoughts or suggestions around getting membership from a SharePoint group instead of AD? The web services are there to get users so we should be able to get groups. I think SharePoint groups are just as important (if not more) for security just because most organizations have a lot of hurdles to get through to add users to an AD group vs. just adding a user to a SharePoint group. Thanks!

    • Clayton Cobb said

      Bil, yes, you can use the UserGroup.asmx web service that is just like the UserProfileService.asmx in that they are both in the _vti_bin folder and both can pull from profile and group data. Using the UserGroup service is more complicated, but I’m sure you can take advantage of it. There are some good step-by-step blog posts out there that show how to get the members of a SharePoint group and the SharePoint groups of a user, both of which can be very useful.

  14. Pathebest15 said

    i tried the post but no success at this time. i just want to infopath just populate by himself a user display name group that he belongs to in Active directory

    Is there a specific tutorial for that or can you explain to me how to do it

    Thank you again for your help it’s much appreciated

    • Clayton Cobb said

      I don’t know what you’re asking. What does this mean:

      “i just want to infopath just populate by himself a user display name group that he belongs to in Active directory”

      That sentence doesn’t make sense to me. What I think you’re saying is already shown in the blog article I mentioned, so you must be asking about something else.

      • PATHEBEST15 said

        I know you posted it. It sounds clear to you, but I wasn’t able to do it. Again, I have a project like an inventory of users’ access and everything in a form, but I just want to have the groups from Active Directory without adding them manually … your tutorial is amazing, maybe too amazing. I just want to have the display name of my group for each user from Active Directory. I don’t know if it is clearer to you now or not.

        Let me know please

  15. Rahul said

    Hi Clayton,
    Any ideas on checking if the Current User is part of an AD User Group or not, on the form itself? (without any code behind)

    Appreciate your help.


  16. CLUELESS said

    Hey Clay, I tried the tutorial with InfoPath 2003 and InfoPath 2010, but it’s not returning anything. I did exactly the same till fig 5. I’m completely lost; I need your help.

    Thank you verymuch !!!

    • Clayton Cobb said

      I’m not sure it can work in 2003, but I know for sure it doesn’t work yet in 2010. The web service connects and all, but no data is returned. I don’t think it’s even related to InfoPath, because other methods of the same web service DO work. I think that groups just aren’t getting populated into the user profile database during the profile import, which would make it a SharePoint 2010 issue, not InfoPath. I’ve submitted this issue to the InfoPath team, who hasn’t resolved it yet, and when I asked Microsoft on the forums, they came back and said it was a deep enough problem that it required me calling paid support. I was not willing to do that, because I think it’s a bug, so I’m waiting on the InfoPath team to get back with me.

      In your case, when you say it isn’t working with InfoPath 2010, what version of SharePoint were you using?

      • CLUELESS said

        I’m using MOSS 2007 … I tried with InfoPath 2003, which doesn’t have external sources, and I tried with InfoPath 2010 as well, and it did not work. Do you have any idea of an alternative solution, even using coding, to get the Active Directory groups a user can be a member of?

      • Clayton Cobb said

        Why can’t you use InfoPath 2007? If you’re using MOSS 2007, you should be using InfoPath 2007. It should work even if you use InfoPath 2010 to make a 2007 form. It only isn’t working for me in SharePoint 2010.

  17. CLUELESS said

    Hey dude, I must really be doing something wrong, because I tried now with InfoPath 2003, 2007 and 2010 and I don’t get any results; it’s just blank … Dude, do you have another solution, even with coding?

    • Clayton Cobb said

      I don’t write any code, but even if I did, it wouldn’t make sense to write code when this is built-in functionality. Have you made sure that the profile import is running and populating the user profile database with groups?

  18. CLUELESS said

    It might be my problem. How do I verify that? I’m quite a newbie at that, and I really, really appreciate your help right now. I have no doubt your tutorial is excellent.

    • Clayton Cobb said

      That’s a ShareePoint Administrator task. If you aren’t the architect or administrator for this farm, then this part is a bit tough. It’s an architectural/infrastructure piece that has to be configured on the SSP admin site.

  19. CLUELESS said

    I have admin rights on the admin page, so where do I configure that?

    • Clayton Cobb said

      You have admin rights but don’t know how to do this? Is this just a development environment? It is dangerous to have farm admin rights without having any SharePoint administrator knowledge.

      On the SSP admin site, you go to User Profiles and Properties, then you configure the profile import, and then you run the profile import. After it completes, you go configure search and do a full crawl followed by a scope update.

  20. CLUELESS said

    It’s a test environment, not a development environment. I will take courses for SharePoint. Where do I find a good tutorial website to learn, because my training…

    • Clayton Cobb said

      SharePoint is gigantic. It is not something you just go to a website and get a tutorial. If you do not own the test environment, I recommend not touching Central Admin. If you do own it and are the only one using it, then give it a shot, but I recommend getting some professional training and lots of support from your company’s SharePoint architect.

  21. CLUELESS said

    Extraordinary, it’s working! Thank you very much for the GREAT help; it means a lot to me! I really appreciate it. I will consider the advice for the training, but it’s a test environment and I will play around with it and see how to set up things …


  22. CLUELESS said

    Hey Clay, how ya doing … thanks again for your help. Now it works perfectly, but now I want to know if there is way to autopopulate group according to Contact selector directly, not looking at the current credentials … And besides that, thank you for the advice; my company is going to pay for my SharePoint training …

    • Clayton Cobb said

      I don’t understand the question. Please clarify what you mean by ” if there is way to autopopulate group according to Contact selector.” Auto-populate what group?

  23. CLUELESS said

    The Active Directory group.

    I have a form where I enter the name through the Contact Selector … now I want to have the correct Active Directory group membership for the user I choose via the Contact Selector, because the tutorial you posted gives you back the current user’s Active Directory groups.

    • Clayton Cobb said

      My tutorial shows how to retrieve ALL groups, but I don’t understand what you want to do exactly. How would you know the “correct” group out of all these groups? People have more than one group. My tutorials also show how to get this information for other users – the one that talks about getting user information without code.

      • Clueless said

        OK, I will try to keep it simple this time…

        1. I have a Contact Selector

        So from the user I can have his name, phone, AccountId …. It is working fine.

        The thing that I want is that when I choose the user from the Contact Selector, it gives me back the groups of which the user is a member … I’m aware there are several groups a user can be a member of in Active Directory.

      • Clayton Cobb said

        Ok, I understand that, but that is exactly what my blog shows how to do, which is why I’ve been confused. You’re asking me how to do what I show you in my blogs. Take the technique in my blog named “InfoPath – Get user information without writing code (extended)” and apply it to this one that shows how to get AD groups. You just take the AccountId value from the Contact Selector and use it to query the GetUserMemberships method of the UserProfileService.

  24. CLUELESS said

    Hi Clay, it’s me again. I worked all day long on the InfoPath form. I did your tutorials for the Contact Selector, and everything is working fine except the groups. It keeps giving me the current user’s groups; it doesn’t look at the Contact Selector. How can I modify it for the specific Active Directory group? Help, I’m completely lost right now.


    • Clayton Cobb said

      You just have to follow my blog that I mentioned. If you keep getting only the groups of the current user, then you are not setting the query field of the User Profile Service data connection to the user in the AccountId field of the Contact Selector. My blog shows exactly how to do this except that with a Contact Selector, you can’t fire rules off the data fields. You have to create the rule on the non-repeating group that contains the Contact Selector fields. When a user is chosen in the Contact Selector, the rule will fire, which will set the accountName query field of the User Profile Service (GetUserMemberships), and then it will query (you set these actions). The query will retrieve the groups of the user specified in the AccountId field of the Contact Selector if you set it up to do so.

  25. CLUELESS said

    Hey, it’s me again; I might change my name to “annoying one”! I tried the whole “Get user information (extended)” tutorial and it’s working fine. Then I tried to redo it with my form: I created a rule named Rule1, and the rule is applied from the gpContactSelector group, referring to one of the 3 tutorials you recommended. I also tried to retrieve the right Department, but it returns blank.

    I have Main page

    ….gpContactSelector // Non-repeating group (Rule1 triggering here)

    …………………..Person // repeating group (here I have 4 fields:


    Then for the Active Directory groups there is no rule; I just kept the
    Display Name and the URL.

    I’m taking it from GetUserMemberships; I didn’t apply any rule for that.

    Set a field’s value (fx): AccountName = AccountId
    Query using a data connection: GetUserProfileByName
    Set a field’s value: AccountName = substring-after(value[Name=AccountId], "\")
    Query using a data connection: GetUserMemberships

    Can you please help me to set up the rule properly? I’m not very good at it, even though I spent a lot of time on this.

    Thank you a lot for your patience and help; it’s much appreciated.

  26. Katy said

    Hi Clayton,

    Can you think of anyway to make a browser enabled form via InfoPath 2010 w/ User Roles that can be used on SharePoint 2010?


    • Clayton Cobb said

      Yes, I have two blog articles on this topic, including the one where you wrote this comment. The actual User Roles functionality is not available in browser forms, so I have given some workaround techniques.

      • Katy said

        Thanks for your fast response, Clayton! I attempted the workaround… and applied it to an AD group and a SharePoint group… but the fields that I’ve locked down are still available to users who should not have permissions to them. I conditionally formatted it to say DisplayName does not contain “FB InfoPath Admins” and to “hide this control”, but it doesn’t work 😦 How should I go about debugging this issue? I’m working on InfoPath 2010 and SharePoint 2010… Thanks so much for your help!

      • Clayton Cobb said

        By showing the values that you’re comparing on the form canvas while testing. If value1 does not match value2, then the conditional formatting should be applied. What you need to do is ensure you know what values are being compared by making them visible. A few notes: 1) My method doesn’t work with SharePoint Groups, only AD groups 2) You must have the User Profile Sync Service operational and have a full profile import that includes groups in the import

      • Katy said

        Hi Clayton,

        Thanks for the super fast replies! (I’m hoping to fix this asap as I have a deadline to meet!) I apologize but I’m kind of new when it comes to SharePoint and InfoPath… Where can I go to confirm that my User Profile Sync Service is operational.. and have a full profile import that includes groups in the import? o.0

      • Clayton Cobb said

        Katy, this area is advanced architecture in SharePoint. If you aren’t the one building/administering the farm, then you’ll need to work with whoever is doing that. I am a SharePoint architect first who happens to specialize in InfoPath, but that means I do all of the architecture and building of the SharePoint farm before I ever get to the InfoPath pieces. I have spent a year learning and playing with SP2010, so it may depend on how experienced your folks are. SP2010 expertise is very rare, but it appears your company has already made the plunge, yah?

      • Katy said

        Hi Clayton,

        Thanks for getting back to me! I’ll reach out to my SharePoint support team and see what they can do… *crosses fingers* I hope they can get this resolved soon. And yes– we’ve already made the plunge! And I absolutely love SP2010! (Other than this issue I’m having with it, of course). Kudos to you on being such an expert! 🙂 Have a terrific weekend and Happy Friday the 13th!

  27. Indra said


    This is a great article, and it’s very informative and helpful, but I am facing a weird problem: I cannot see all security groups from multiple domains. We have cross-domain authentication, and the SP web service cannot get users from another domain’s AD security groups (only a few of them; every security group has the same permissions). I can see the full import can look at the security group, and I see a message that “spsimport: Crawled (The directory property cannot be found in the cache.)”. I am stuck; I need to switch views on AD groups.

    Another one is that I can use usergroups.asmx and get the SP groups, but I think you mentioned somewhere about these problems, but I am able to get that..

    When I use sample data to get the data connection added, every time I load the form it hard-codes the sample data user no matter what I do. If you can help me with that, I can solve my problem.

    • Clayton Cobb said

      Indra, to get groups from multiple domains, you’ll have to make sure all of those groups are being imported through the profile import, and you’ll have to configure the farm to accept users and groups into the profile import from multiple domains.

      I don’t have a farm where I have to do that so I don’t have personal experience with doing it.

      I also don’t use the UserGroup.asmx service.

  28. clueLE$$ said

    Hey Clay, it is me again. How are you? I was wondering if there is a way, without writing code in InfoPath 2007, to retrieve all active groups into the form by querying the server? Thanks

  29. clueLE$$ said

    ok thanks

  30. Debi said

    OK – I am trying to get this to work, and I have successfully made the data connection to GetCommonMemberships and pulled the repeating table onto a form – looks very similar to yours 🙂
    In preview I get the Source dropdown, but it only includes DistributionList and SharePointSite. I was hoping for group membership from AD.
    What am I missing here?
    I do have synchronization of profiles successfully syncing to SharePoint.

    • Clayton Cobb said

      Debi, is it 2010 or 2007?

      Distribution Lists _are_ group memberships from AD. That’s exactly where they come from, and if they are showing up, then so would the AD Security Groups, unless the user either doesn’t have any associated or the profile import isn’t getting them.

  31. Debi said

    When I “preview” in Infopath 2010 – the source dropdown defaults to “SharepointSite” and I do see the name of a site that I am a member of – nice but not what I want. If I change the Source to “DistributionList” is something supposed to change (cause it does not)

  32. Debi said

    I followed your directions and now I have a form with all the fields showing – the “source” field on the form is a dropdown.

    It is good to know that no one is getting this to work. I can quit trying things and getting frustrated.
    Thanks for your quick response and your continued support of these products, you help me a great deal.

  33. Nik Patel said

    Hi Clayton,

    can you use this with sharepoint security groups in the browser enabled form?


  34. Nik Patel said

    Thanks Clayton for this thread. I had to chuckle when they asked you for the paid service. LOL..

    Anyway, I will look out for a possible resolution on this thread. Please update this blog if MS ever fixes this issue in future patches. User Profile Services and FIM have many issues. I really wish MS had given us two profile sync options like the two authentications (classic and claims) – one profile sync could be the classic way like MOSS 2007 where you import only, and the other one with FIM to support both import/export. In that case, we wouldn’t have this issue at all..

    Thanks again,


  36. Hi Clayton,
    Thanks in advance for helping me.
    I am getting stuck in this article at the point I am going to copy below.
    In my InfoPath form, once a form has been submitted and we open that form again, there is a user field; when the current user is the same as that form’s user, only then should the form open in submission mode, otherwise it should open in read-only mode.

    I am stuck at this part of your document:

    * View this method’s node structure
    * Drag the whole repeating group to the canvas and preview to see the result
    * Reduce the table to the most useful fields and decide which ones you want to leverage
    * Filter to show only the AD groups
    * Create a drop down control bound to an element in your main data source that will show a selectable list of groups for a given user
    * Use this information to apply conditional formatting on other controls

    • Clayton Cobb said

      If you just need to compare the current user against a known user, then you would not use this article. This article is for determining if a user is part of an Active Directory group. All you need to do is create a field for storing the username of the person you want to compare, and then when the form loads, use a Form Load rule to compare the value in the field with the userName() function. If they are NOT equal, then switch the view to a Read-Only view. IF they ARE equal, then do nothing – let it open in edit mode. The key is determining who you want to put in “a field of user,” which is what you called it. I have some examples of this in my other blog regarding the User Profile Service.

  37. Hi Clayton,

    I don’t know where to get this information; please help me get out of this.

    Member Group – Source Reference: This shows the Organizational Unit path in Active Directory of the DistributionLists and shows a GUID for SharePointSites.
    Display name: This is the Display Name of the group as defined in AD. In Outlook, this name can typically be used as an addressee for an email, and the name will resolve to the email address. This name SHOULD be unique and will be what we use for our User Role matching later. For SharePointSites, this is just the site name.

    • Clayton Cobb said

      Those values come from the GetUserMemberships/GetCommonMemberships web method of the User Profile Service. When you add that as a data connection, you will see those fields.

  38. Hi,

    I want to ask a simple question. I have an InfoPath form in which there is a field called DO, which contains the name of the user the report is referred to.

    So we want that only the user whose name is in the DO field is able to see the form in submission mode; other users will be in read-only mode.

    Can we do that with the above example?

    Do you have any example for that?

    How can it be done?
    Please tell me; I have to submit that task.

    • Clayton Cobb said

      Ok, so when the form loads, compare the current user with the DO field – simple as that. In 2007, Form Load rules are in Tools > Form Options > Open & Save > Rules. In 2010, they are in File (Backstage) > Info> Advanced Form Options > Open & Save > Rules. You add a rule to switch the view ON THE CONDITION that DO is not equal to userName().

  39. Hi Mr.Clayton,

    Thanks for all the help you given me and for the further help you are going to provide me.

    I don’t want to compare with the SharePoint user groups, but to check whether the logged-in user has “Full Control”, “Design”, “Contribute” or “Read only” rights.

    • Clayton Cobb said

      Oh, ok. Unfortunately, there is no feature or method I know of that can provide that information to InfoPath. If anything, it would require custom code.

      • Thanks Mr.Clayton
        For the nice piece of advice.

      • Hi Mr.Clayton,
        Any solution for this problem which I have mention above.Please let me know.

      • Clayton Cobb said

        I replied above. There is no built-in method or feature that can tell InfoPath what someone’s permission level is for a given form. It can probably be done with code, but I wouldn’t know how.

      • Hi Mr Clayton,
        Sorry to disturb you again
        You understand my problem. I need a solution for that.
        Please suggest me some option to do that.

        I am again describing my problem.

        I have an InfoPath form in which we have a field called DO, which refers to some user name. So we fill in that name.

        We want that when that DO user opens that form, only he is able to see the form in submission mode; any other user will see the form in read-only mode.

        But we want this condition to be follow as

        I don’t want to compare with the SharePoint user groups, but to check whether the logged-in user has “Full Control”, “Design”, “Contribute” or “Read only” rights.

        Please let me know if we can do this by some other method.

      • Clayton Cobb said

        Ankit, I already told you how to do this for the DO user, but that has nothing to do with user permissions. I also already told you twice that there is nothing in InfoPath that can detect a user’s permissions. Why did you ask 4 times?

  40. Srikanth said

    after submitting the form it is not showing the fields. it is showing the entire form in the email. any clues?

    • Clayton Cobb said

      Srikanth, can you clarify what you mean? You said “after submitting the form it is not showing the fields.” What is “it”? What is the thing that is not showing the fields, and how/why/where do you expect to see these fields? When publishing the form template, did you promote your fields so that they could be seen?

      You also said, “It is showing the entire form in the email, any clues?” Ok, again, what is “it.” You can’t use pronouns without first saying what the pronoun is referring to. As for email, are you saying that you are only submitting to email? If so, why do you not expect the entire form? What did you expect? What clues do you need?

  41. Anita said

    Hi Clayton,
    Here you have shown how you can apply security to certain sections in an InfoPath form.
    But what if I have to apply this kind of user role based security to filter out values in a dropdown?
    Is that possible?

    • Clayton Cobb said

      If the dropdown is populated with items from SharePoint, then security trimming already applies. Users will only see items that they have permissions to in SharePoint. If the items come from somewhere else, then each row of data needs to have some way to associate itself with a given user. How do you know which users are allowed to see which items? What determines this?

      • Anita said

        OK Clayton, yes the dropdown options are coming from a SharePoint list.
        So for each item in the SP list, I have to apply security for each user?

      • Clayton Cobb said

        That’s one way to do it that is guaranteed, but how are you currently deciding who can see what? If you don’t already have granular permissions on those items, then how are you doing it, or how did you plan to restrict data from certain users (before even thinking about InfoPath)? The other way would be to add a metadata field to that source list that stores group names, and then only show items to people who are in the groups associated with the items. This would require filtering on the data connection, though, which can only be done in Filler forms for 2007, but it can be done in browser forms for 2010.

  42. Cliff F said

    In InfoPath 2010, data connection wizard, I get to the point of entering the URL that points to the web service – I enter http://spintappsrv01/_vti_bin/UserProfileService.asmx

    I receive the Internet address http://spintappsrv01/_vti_bin/UserProfileService.asmx?WSDL is not valid.

    spintappsrv01 is a test Windows 2008 R2 server and also has SharePoint 2010 Central Administration running on it.

    Perhaps something is not configured, e.g. user profile service?

    Not sure, any ideas?

    • Clayton Cobb said

      Cliff, is that the URL to your content web application? If not, then you need to give it the right URL. You don’t give the machine name – you give the full URL to wherever your content site is. That may still be at the machine name path, but it doesn’t sound like you have a site there, and I’m not referring to Central Admin. You need to create a web application, then create a site collection, then browse to that site collection. Whatever the URL is you use to browse to that site is what you should put in for the UserProfileService data connection.

  43. Karla Langhus said

    Thank you for taking the time to read this and helping people out. I too am a novice when it comes to InfoPath.. at least I think I am. I hope that you or others reading this might be able to help me out. I have an InfoPath 2007 web based form that has 6 views and has several data connections to include the GetUserProfile data connection. I would like to have one of the views only be available to the “Manager” but not the user. The problem is that when the manager opens up the form, the form thinks that the current user is the manager. I saw that you posted a reply to another person that you can use “obscurity” by using Form Load rules that check the identity of the current user and if it’s not the current user, they don’t have access. I was thinking about using the same principle, as to see who the creator of the form was; if they were their supervisor (via GetUserProfile) then they would only see a view, and if they were not, then they would get an “unauthorized user” view. My problem is that I have no idea how to check the identity without code or with code …. I hope this made sense.. any help would be greatly appreciated.

    • Clayton Cobb said

      Well, it depends on how you define your users. The first thing you should do is create a group of Submitter fields where you store the submitter’s username, account name, email address, and full name using userName(), AccountName (from UserProfileService), WorkEmail (from UserProfileService), and PreferredName (from UserProfileService). You do this by setting the default values of those fields and setting those fields NOT to recalculate the formula – this causes them to be set initially when the form is first opened (this is the Submitter) and never set again. You will need this data later. Next, you create a set of CurrentUser fields just like the Submitter fields except these will get set using a Form Load rule with several actions to set those fields to the values of the current user. Store the same values as the Submitter. The reason you use a Form Load rule is so that it fires every time the form is opened so that you know who the current user is.

      Once you have the above pieces setup, you can then add another Form Load (must come after the previous rule) that has a condition to compare the Submitter username with the CurrentUser username. If equal, then do nothing. If not equal, then switch views to the “Unauthorized User” view. In your case, you want to take it one step further with supervisor. This can be done dynamically AS LONG AS you know who each user’s supervisor is. If this value is set for everyone in Active Directory, and profile imports are being done regularly, then you can use this value in your forms. The field in AD is named “Manager,” and it’s the same property name in the User Profile Service. If you aren’t populating this value in AD, then you would need an external database or SharePoint list that defines the supervisor for every user – hopefully, you can’t rely on AD. So, you would add a Supervisor field to your group of Submitter fields for storing the Manager value of the Submitter when the form is first opened. Then, instead of comparing the CurrentUser with the Submitter, you would compare the CurrentUser to the Submitter Supervisor. Make sense?

      • Karla Langhus said

        Hi Clayton

        THANK YOU SOOO much for the quick reply! Normally I would be very quick in figuring this out.. however I am 4 months pregnant and my brain isn’t working like it should be 🙂 All the blood that normally goes to my brain…well it’s making a life 😉 At least that is what I think the reason is I have gone absent minded 🙂

        I totally understand what you are proposing.. and I want to see if it will work for my form. As it turns out in my form I do have a field for supervisor.. so we are good to go in that aspect.

        Just to give you some background on the form, I do have a “Welcome” view that describes what the form is and how to go about it. I figured I’d create a section called “Submitter information”; in there I have the fields for the submitter information (username, account name, e-mail address, full name) all being pulled from the “GetUserProfile” data connection and they are not being recalculated.

        The next step was to create a set of Current User fields, but the information we would get from the form load rule.

        This is where my brain just said “does not compute”.. for some reason I just can’t get my brain around it.

        From what I gather is that I would create another section, below the submitter section in the welcome screen called “Current User”, there I would have the current user fields (Username, Account Name, E-mail Address, Full Name), so instead of clicking on the field itself, I would go to “Form Options”, “Open and Save”, “Rules”, and add my first rule, I called it “Current User”, there is no condition? (Right???), and the “Action” would be “Set a field’s value”, select the field (Current User Account) and the value would be “CurrentUser”???

        I just don’t know what the fields are for the currentuser?

        I hope this made sense 🙂

        Thanks again for your help!


      • Clayton Cobb said

        Karla, you have to make the fields for CurrentUser. They will be a new group of fields in your main data source, and you will set them just like your Submitter fields except within the Form Load. Yes, there will be a condition, and the condition is that the form is not new. I always determine “new” by using the strFilename field from my Auto-Generating Filenames blog. If that field is not blank, then I know the form is not new.

      • Karla Langhus said

        Thank You!

        So far this seems to be working as it should 🙂

        I did exactly as you showed under the Auto Generating Filenames blog.. and at first it didn’t work due to the fact that I had another submit connection. Once I deleted it, it worked great.

        Which brings me to my next question: is it possible to have two submit connections, or is it better to just have one?

        The other submit button that I had was to send an e-mail to the supervisor if the user had a question about the form.

        Thanks again,

      • Clayton Cobb said

        Karla, you can have multiple submit data connections…it’s no problem. However, I don’t recommend submitting to email for that purpose, because it sends the form. What you mentioned would be done with a simple workflow.

      • Karla Langhus said

        Thanks again 🙂

        I really appreciate everything.. and I think this is my last question.. just curious for the Form Rules.. is there a limit? I really like the idea of having a view that has “unauthorized access”; however, each time I create that rule , as the last rule, each time I open any form , or a new one, I get that view “unauthorized access”?

        For the Form Rules I have:

        1. Current User (strFilename is not blank)
        2. Compare users (submitter username = current Username)
        3. Compare to Supervisor (currUserName = Manager)
        4. Compare to Unauthorized (submitter username doesn’t equal Current User Name or Manager does not equal Current User)

        If I take the last rule out everything works so far.. (still need to check on the supervisor view).. but the last rule just supersedes the rest.

        Again, I really appreciate this 🙂

      • Clayton Cobb said

        Karla, rules always run in order top to bottom, so if that’s your last rule, then you would expect it to be the last thing that happens. This does not indicate a limit – it’s just logic. If you don’t want to be sent to that view, then make sure you don’t tell it to send you to that view. If you don’t want your rules to be evaluated if a previous condition was met, then you need to check the box that tells InfoPath to stop processing rules. Or, maybe your logic is wrong. It should be AND instead of OR.
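        The rule-ordering point in the reply above can be seen by modelling Form Load rules as a short list evaluated top to bottom. The Python below is an added example, not part of the original thread or of InfoPath itself: it is a constructed stand-in for the main data source (field names such as submitterUserName, submitterManager, strFilename and opener are assumptions), with the four rules from the comment written once with OR and once with AND in the last rule. As Clayton notes elsewhere in the thread, switching views this way is obscurity inside the form; the SharePoint permissions on the library still decide who can open the XML at all.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed stand-in for an InfoPath main data source (names are assumed):
# the Submitter fields were captured when the form was first created (default
# values that do not recalculate), strFilename is non-blank once the form has
# been saved, and "opener" is whoever is loading the form right now.
Form = Dict[str, str]


@dataclass
class Rule:
    name: str
    condition: Callable[[Form], bool]
    action: Callable[[Form], None]
    stop_processing: bool = False   # the "Stop processing rules" checkbox


def run_form_load(form: Form, rules: List[Rule]) -> List[str]:
    """Evaluate Form Load rules strictly top to bottom, as InfoPath does.
    A later rule whose condition is met overrides whatever an earlier rule did,
    unless an earlier rule that fired had stop_processing set.
    Returns the names of the rules whose conditions were met."""
    fired = []
    for rule in rules:
        if rule.condition(form):
            rule.action(form)
            fired.append(rule.name)
            if rule.stop_processing:
                break
    return fired


def set_field(name: str, source: str) -> Callable[[Form], None]:
    """Action: copy one field into another (the 'Set a field's value' action)."""
    return lambda f: f.__setitem__(name, f[source])


def switch_view(view: str) -> Callable[[Form], None]:
    """Action: the 'Switch views' action."""
    return lambda f: f.__setitem__("view", view)


def build_rules(use_and: bool) -> List[Rule]:
    """The four rules from the thread. Rule 4 is written with OR (the version
    that sent every user to the Unauthorized view) or with AND (the fix)."""
    if use_and:
        unauthorized = lambda f: (f["submitterUserName"] != f["currentUserName"]
                                  and f["submitterManager"] != f["currentUserName"])
    else:
        unauthorized = lambda f: (f["submitterUserName"] != f["currentUserName"]
                                  or f["submitterManager"] != f["currentUserName"])
    return [
        Rule("Current User", lambda f: f["strFilename"] != "",
             set_field("currentUserName", "opener")),
        Rule("Compare users",
             lambda f: f["submitterUserName"] == f["currentUserName"],
             switch_view("Submitter")),
        Rule("Compare to Supervisor",
             lambda f: f["submitterManager"] == f["currentUserName"],
             switch_view("Supervisor")),
        Rule("Compare to Unauthorized", unauthorized, switch_view("Unauthorized")),
    ]


def open_form(opener: str, use_and: bool) -> str:
    """Simulate 'opener' loading a saved form submitted by alice, whose AD
    Manager property is bob (constructed sample data). Returns the view shown."""
    form: Form = {
        "submitterUserName": "alice",
        "submitterManager": "bob",
        "strFilename": "alice-2009-07-19.xml",   # non-blank: form is not new
        "currentUserName": "",
        "opener": opener,
        "view": "Welcome",
    }
    run_form_load(form, build_rules(use_and))
    return form["view"]


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(f"{who:6} OR -> {open_form(who, False):12} AND -> {open_form(who, True)}")
```

With OR, the submitter alice fails the second half of rule 4 (bob is not alice), so the last rule fires and overrides the Submitter view chosen by rule 2; with AND, only a user who is neither the submitter nor the submitter’s manager reaches the Unauthorized view. Setting stop_processing on rules 2 and 3 would be the other way to keep rule 4 from running once a match has been found.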

  44. Shaune Vetter said

    This is a great tutorial. I’ve used it a few times but haven’t responded until now. Thanks for all the great help in getting infopath and SharePoint playing nicely!

  45. Hamid said

    Hi Clayton,

    I have a question that I would be grateful if you can give me any clue to solve it. I have a browser-enabled InfoPath form that has a section. This section needs to be hidden if the form is viewed by users who are not in a specific SP group. I have had a look at your post regarding the same problem, however it was checking if the user is a member of an AD Group.

    Is there any way that I can check what SP group the user belongs to when he/she opens up the form without any coding?

    Thanks for your kind help.

  46. […] published a good article showing how to interact with SharePoint users. and John has summarised 10 tips for InfoPath […]

  47. Heather Z. said

    Hi Clayton,
    Thank you for this very helpful information on integrating the AD groups with the InfoPath forms, very useful! Quick question for you…..have you found any issues with integrating this into Optional Sections in a form? I had some optional sections and for some reason the user roles didn’t work for those….they really didn’t work until I removed the optional sections and then added them as sections instead. Just curious why I might have had this issue and if you knew why it might happen.

    As always, thank you for sharing your knowledge!

    • Clayton Cobb said

      Why use optional sections? Are they “optional” based on the user’s identity, or are you saying they have two sets of logic – one determined by the user’s identity and one determined by the user’s decision to add the section? I don’t ever use optional sections, because I make them shown/hidden based on logic in the form or in the workflow status, so there may be an issue I’m not aware of.

  48. Heather Z. said

    Thanks Clayton. When I first started working on these forms months ago, I always used optional sections because I didn’t understand the difference between option and just regular sections. I am now going through and updating my forms so the optional sections are now just normal sections so I can get this to work for every section of the form. If that makes sense. 🙂 Thanks again!

  49. Karen said

    Clayton, is it possible to use this concept outside of InfoPath? In other words, is it possible to apply this concept in a SharePoint (2007) list form (e.g. EditForm.aspx, etc.) using SharePoint Designer 2007? Thanks in advance!

    • Clayton Cobb said

      It’s definitely not easily available in a regular list form. SPD does let you create DFWPs where you can do heavier customization, but it’s not like using InfoPath. You’ll need to create data sources first and then reference them in your custom list forms. I personally haven’t gotten the UserProfileService.asmx to work in an SPD data source the way it does in InfoPath.

  50. Tracy said

    Hi Clayton – great post. I am a novice to InfoPath; we have had to resort to the Qdabra solution as we were unable to retrieve from Active Directory. I am trying to create a form that loads certain views depending on whether the current user is in a certain “group”. My question is, I have set up 2 “load” action rules:

    set a field’s value – which looks at the logged in user name
    Query using data connections to “getGroupsforUsers”

    I am now not sure how or where to set the Load rule as these 2 rules have to run first to determine the user and the group, then I want it to open a certain view depending on whether the user is in a certain “group”. How/where do I achieve this?

    • Clayton Cobb said

      You set these rules in the Form Load rules area. It’s a section in the Data ribbon. I use that exact Qdabra ADWS and that exact web method, so I know it works and works very well. You switch the view based on the same Form Load rule. You first retrieve the user’s groups using the getGroupsforUsers, and then you switch the view ON THE CONDITION that “any occurrence of Group is equal to .” I have this concept on my blog…the one you commented on. It’s the same concept but using a different web service.

  51. Hi Clayton,

    Is there any way to overcome error 5566 in InfoPath 2010 on browser enabled forms? If I open up my form with the InfoPath client the Content Selector works with usernames, but Job Title and Department are not accessible on browser enabled forms if I am using secondary data sources (UserProfileService.asmx).
    We have MOSS2007 and I save my forms as IP 2007 Web Browser Form Template to be able to publish to MOSS2007.
    I guess it is a security issue on SharePoint, but what and where needs to be checked?
    Appreciate your help!

    • Clayton Cobb said

      Sandor, it’s not just a random error. It is caused by very specific authentication issues or blockages in your environment. You have to find the actual issue by digging into the ULS logs. This always happens with browser forms, because browser forms are invoked by the web front end itself on your behalf, so it introduces authentication issues if your farm is not set up correctly.

  52. devia said

    I was wondering if restricting access to views/controls in InfoPath 2010 is possible without using a web service. If so, how do I go about doing it?

    • Clayton Cobb said

      Devia, you don’t need a web service to put conditional formatting on controls nor to switch views. You just have to decide what sort of data you want to use to make your logic decisions. You can base the decisions off data in a list, data in a database, data in an XML file, data in the form, or you can use the User Roles feature if you’re building Filler (client) forms.

      • devia said

        Hi once again 🙂

        The issue is, I am actually trying to restrict access to a view based on an SP group. We are not making use of InfoPath 2010 Filler; instead we are using Designer. Is there any other way besides the web service?

      • Clayton Cobb said

        What do you mean using Designer and not Filler? The Designer is always used to design forms, but it isn’t used to fill in forms by the user. It’s either a Filler form (uses the InfoPath client) or a browser form (only used in the browser).

        You can’t leverage SharePoint groups without using the UserGroup.asmx web service or using User Roles (requires Filler form; cannot be used in Browser forms). My article does not talk about SharePoint Groups though; it only talks about AD Security Groups. How are you expecting to leverage SharePoint Groups without touching a web service, and why can’t you use that web service?

      • devia said

        The web service which I am using is GetCommonMemberships as mentioned in your article. However, when logging in as an “IT Support” user in SP, he/she is allowed to only view the “IT Support View”. What is happening now is that if a user is not part of the “IT Support” SP group, an error is prompted and upon clicking “OK” the IT Support view is still visible despite the user not being in the IT Support SP group.

        And yes, I am using browser forms and not Filler forms.

      • Clayton Cobb said

        Devia, you should have mentioned this information in your original comment, because asking if this can be done without the web service is not the root of your problem. Your problem is that your form logic just isn’t correct yet, and you need to track down the error. The error is telling you something, but maybe you didn’t read it? You should not just hit “ok” and continue. If an error occurs, then that means something is wrong. The rule is not firing to switch the view, and you need to fix that rule. Don’t just blow away everything without trying to fix the error first.

        Also, these are NOT SharePoint Groups you’re working with. I clearly explain that in the article that these are Active Directory Security Groups. You have said multiple times now that you’re working with SP groups, but you’re not. These groups come from AD and are synced into the SharePoint profile database. The only other way to get AD group memberships is to build your own custom web service to retrieve them directly from AD.

      • devia said

        I have no idea as to why this is happening, and is there any other alternative for access control to an InfoPath view based on SP group besides making use of the web service?

      • devia said

        Hi Clayton,

        Is there any web service which caters for SP groups?

      • Clayton Cobb said

        Devia, I gave you that information in my earlier reply. I’m giving you my free time here, so you can at least pay close attention to my responses.

      • devia said

        To be specific, the error I encountered was “unable to connect to the web service”, and the only web service which I am having is GetCommonMemberships.

      • Clayton Cobb said

        Ok, then you have a problem connecting to the web service. You need to figure out why. This should have been the only thing discussed so far – it has taken far too long to get to the root of the real problem. You need to have whoever runs this farm troubleshoot it with you by reviewing the logs and finding the issue. If it only fails for certain people, then it’s specific to permissions for those people.

      • devia said

        Thank you very much, Clayton!

  53. Danny said

    Hi Clayton,

    This article is excellent, but I’m unable to actually see all the memberships of other users.

    When I query the web service with another username it just returns the membership I have in common with them. Obviously this is quite a pain for testing purposes.

    Is there a reason that I wouldn’t be able to see the memberships of other users? I’ve also tried this with the GetUserMemberships method but that returns nothing for other users. Is this a security restriction?

    • Clayton Cobb said

      GetCommon does exactly that…it gets groups you have in common with the specified user. GetUser is better, because it gets all memberships of the specified user. If you can see the common ones, then you shouldn’t get an empty data set for GetUser. Are you on 2007 or 2010? This doesn’t actually work in 2010 due to a bug that I have submitted and that is supposed to get fixed by this summer.

      • Danny said

        Thanks for your quick reply. I’m using MOSS 2007.

        I want to be able to see all the memberships for another user. So when I query GetCommonMemberships using somebody else’s username the data returned is the memberships I share with them (which is expected).

        When I query using GetUserMemberships using somebody else’s username it returns nothing, which leads me to suspect that I do not have access to see other people’s memberships. I did not think this was an issue though, but I obviously may be mistaken.

      • Clayton Cobb said

        Can you see that person’s memberships if you go to his/her profile page in the MySites area? You shouldn’t be able to see common memberships if you can’t see their regular list of memberships. The list of common memberships would have the same restrictions. All of this does get driven by the Personalization Services Permissions in the SSP administration area. You have to make sure all users have rights to “Personal Features.”

        Clayton Cobb 202-413-3036

      • Danny said

        I can see a list of memberships on their mysite page. Thanks for this idea, I didn’t even think to use mysite as this is something that isn’t really used at this organisation.

        So just to clarify, are the memberships listed on a user’s mysite what the GetUserMemberships WS would return? If that’s the case I can just check on mysite to make sure the correct membership is present.

        Thanks again for taking the time to help me out! I really appreciate it.

      • Danny said

        Hi again Clayton,

        Sorry to bother you with this. Just wanted to say that I never got this to work.

        In the Personalization Services Permissions users had access to ‘Personal Features’ and ‘Personal Site’ but the GetUserMemberships service would still not run for other users. After a little testing I found that giving ‘Manage Audiences’ access allowed it.

        Is this not how it’s meant to work? I am a bit hesitant to give this access in our prod environment because I don’t really know what else it does.

        Do you have any thoughts/advice to share on this?

  54. Irhad Babic said

    Hello Clayton.

    I know this may sound dumb, but I’m unable to create any custom groups in my main data connection. So I’m stuck here: “First, manually create all the fields and groups you see below (Fig 6)…” I’m using SharePoint 2010 so I’m aware that I will have more problems with this as there are some changes in SP2010 that prevent using UserProfileService.

    Is it still doable with SP2010 though?

    Thanks a bunch

    • Irhad, are you trying to customize an InfoPath 2010 list form? If so, then you can’t create groups in the data structure and are bound by the normal list fields. If that’s not what you mean, then I need more clarification.

      As for changes in SP2010, I’m not aware of any that prevent using the UserProfileService unless you’re referring to the issue where AD Security Groups no longer show up in the results of the GetUserMemberships method due to how they are stored in the profile database (this is being fixed in a CU, btw).

      • Irhad Babic said

        Yes, this is list form. I have a really big form (dozens of views) implemented in a wizard like manner. Client needs to prevent non-Manager persons from filling out some of the views (actually they need the wizard to skip these views in that case). First I wanted to do this by using sharepoint groups, but I failed. Luckily, they have similar user groups on their domain controller so I wanted to try following this awesome article…

        Yes, that’s what I thought. Sorry for my silly questions (I’m new in SP development, as you can see :)), but what’s CU?

      • Ok, so you won’t be able to use this method in 2010 for AD Security Groups, but you _CAN_ use it with AD Distribution Lists if they have a Managers DL already (or if they are willing to create one). You would then be able to reference that DL using my article to hide/avoid/skip certain views for non-Managers. A CU is a Cumulative Update, and it’s how Microsoft provides major updates every 2 months for SharePoint. This fix is supposed to be in the October CU and would cause AD Security Groups to start showing up when using my method.

      • Irhad Babic said

        Thanks for clarification on CUs and thank you for your precise and clear answers.

        Can you tell me which service should I use in case they’re willing to create distribution lists? And of course, as this is a list form, how can I follow your article for creating groups in my main data connection?

      • It’s the same for DLs as SGs – they show up when using this technique and this exact web method. You don’t have to do anything different. The reason I use SGs instead of DLs is because SGs can be used for permissions in SharePoint while DLs cannot, so DLs are not as efficient. However, they can still be used to meet the needs you’ve stated in this thread. I thought you said a Manager group already existed on the domain controller (Active Directory really). You can’t create groups in an InfoPath list form, but you shouldn’t need to. You can use sections, and the sections have to be bound to the existing group (the SharePointList_RW group) that holds all of your data elements. List forms are very restricted in terms of data structure. My technique in the article is intended for full library forms, but the concept in general can still be leveraged.

      • Irhad Babic said

        Well great, I did not realize I can use SGs. That’s one thing we already told them to create, but I was afraid it was gonna be in vain.

        I will try with sections then

        Yeah, they told us they’ve created several manager groups on AD, but I’d rather use SharePoint Groups, as SGs will be used for some custom workflows as well. ATM I’m waiting for them to send me URLs of their AD web services.

        I’m gonna try this once more. Hope you don’t mind me bothering you again if I get stuck

        Thanks a bunch.

      • I think you meant you didn’t realize you could use DLs? Anyway, you may be confusing some items here, so I want to clarify a few items:

        SharePoint Groups are not related to this at all. You can’t use SharePoint Groups at all in this scenario. The method for using SharePoint Groups to determine group membership is a completely different technique and different web service. It requires exploding the template and making internal modifications, and I haven’t tried that with list forms to make sure it works.

        Unless your IT team has actually CREATED custom AD web services, then you would not be asking them for URLs. You’re already using the UserProfileService.asmx web service to retrieve group membership from AD via the SharePoint User Profile Service. That is the web service you should be using if you’re using my article, and you already have the URL – it doesn’t come from IT.

        If you requested AD groups, then the key is whether they are SGs or DLs. The difference is simply a radio button, so one can be converted to the other easily with a button click. Just be sure the SGs are email-enabled, which is a key factor.

  55. William Pincumbe said

    I am attempting to utilize the GetUserMemberships service and when placed into a browser form I receive a Microsoft SharePoint error: #5566. Any ideas on this?

    • William, it is common to get the 5566 error, and there are many things that can cause it. Your organization is an existing client of ours in case you want to dig into it more directly.

  56. Robin Thakur said

    Hi Clayton, I’m an avid reader 🙂 I’m doing this on SharePoint 2010 with a customised infopath 2010 form and am looking to lock down the view based on whether a user is a member of an AD Security Group. When I drag the repeating table onto the form for MembershipData it only shows one group (A Sharepoint group) but on other users it shows more groups. What’s causing that? The account I’m using is detected properly and is a SharePoint Admin but is a member of loads of AD Security groups which are not shown. I am fairly sure that Groups are being synced by the UPS (the option is ticked in sync options to do both) and the containers for the groups are ticked in the Import Connection. Any assistance you can offer would be much appreciated.

    • Robin, this hasn’t worked in 2010 from the beginning. AD security groups do not show up in 2010 when using this method. I’ve been fighting to get it fixed since 2010. It’s an open ticket that Microsoft is working on directly in order to fix it.

      • Robin Thakur said

        Thanks Clayton, pretty unbelievable behaviour from MS…I found that DLs don’t seem to show up reliably either!

    • Robin Thakur said

      Hey Clayton. Sorry, I did some more searching and came across the fact that this is a bug with SharePoint 2010/InfoPath 2010. Did you ever manage to get this resolved with MS? I guess we could use DLs at a pinch but I’d really rather not, and we don’t have budget for Qdabra sadly.
