I'm having difficulty with the automatic permissions of document classes that are getting automatic permissions from an object called Case.
Scenario
- I have a Case Object that tracks
- reviewers,
- uploaders, and
- supervisors.
- A given case can have many "Case Documents" and "Reporting Documents" associated to it. (Case is a property definition picklist of the case object on each document class with automatic permissions enabled)
- Case Documents and Reporting Documents take on the permissions of the Case, as expected, due to automatic permissions being enabled on the property definition related to a case.
- Uploaders have read access to the case throughout the lifecycle of the case.
My Problem:
I need to remove read rights on the Reporting Documents from the uploader while still allowing the uploader to see the Case object in the picklist in the event that they need to provide additional "Case Documents".
My question is the following:
How do hide Reporting Documents from the Uploaders while still allowing uploaders to see the original case object? When I attempt to use automatic permissions on the "Reporting Document Class" it "overwrites" the Case Permissions and is only performing the deny.
Another layer of complexity is that the permissions of the case fluctuate as the workflow progresses. It looks like I cannot dynamically set a deny for the Reporting Document class while maintaining the allow provided by the "Case". I thought about setting up a workflow on the Reporting Document to automatically switch between Locked and Unlocked but seems that I cannot setup an automatic transition between two statuses due to the issue of possible infinite loop.
My only thought is to control permissions through vbscript in the case workflow steps but trying to avoid that for now.
Thanks in advance!