I have a requirement to lock down access to a SharePoint library: Only users that belong to all the groups associated with the library should have read access; others should not be allowed to read.
Let's say I have a document library that concerns three projects:
12345
13579
24680
I have users that belong to one or more projects:
Joe: 12345, 24680
Jane: 13579, 24680
Jim: 24680
Harry: 12345, 13579, 24680
I need to restrict access to this library to only users who belong to ALL projects. I.e., only Harry should have access; the others should be denied. We'd use SharePoint groups named after each project to represent the 'belongs' relationship.
Edited with more detail:
We plan to create the doc lib and set up the initial security via a workflow. However, more projects may be associated with the doclib after it's created, based on info entered in a form, and people can get moved in and out of project groups by admins (e.g. for promotions, new hires....)
For now, if a form submission adds a new project after inital setup, an admin will probably create a new group if necessary, and assign it access to the doclib. Eventually, we'd do this in a workflow.
Currently, we're writing code to assign the initial security state for the site:
We scan a list of projects entered by a user into a form, create new project groups if necessary, create a site and a couple of doclibs, break role inheritance and assign our groups read access to the doclib. We add some users to each project group.
At this point, any of those users have read access. What we don't know how to do is restrict access to only users who are members of all the groups.