I am using MOSS 2007 and InfoPath 2007 on a government network. I have created a form that allows a user to enter a request for TDY (trip) and submit it to his/her supervisor for approval. The form must be approved/digitally signed at several levels in a chain of command. I use views in InfoPath to manage the process.

My challenge is limiting access to submitted forms so that only the requestor and his/her supervisory chain of command can view it. Since all potential requestors (everybody in the organization) need contribute access to the form library to submit a new request, they can also go to the form library and view other users' request forms. I need to prevent this.

At each stage of the process, the requestor or approver must manually type the e-mail address of the next approver in the chain (because there are too many possible supervisors to provide a set list to choose from, and they change frequently). My first attempt at security was to capture the account name before the '@' symbol in the e-mail address (entered by the requestor or previous approver) and compare that with the account alias of the person attempting to open the form. The account alias is taken from Active Directory. The problem with this method is that the account alias is not always the same as the first part of the e-mail address. For example, [email protected] might be the e-mail address while christopher.jones is the account alias.

Has anybody dealt with this issue? Is there another way to limit access to specific users when those users are not known until the previous stage of the process?
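
The mismatch described in the question, as an added example that is not part of the original post: it compares the local-part check with a lookup of the typed address against the directory's mail attribute. The directory entries, addresses and function names are constructed for illustration, and the in-memory list stands in for an Active Directory query.

```python
# Constructed sample directory: one record per account (alias + mail attribute).
DIRECTORY = [
    {"alias": "christopher.jones", "mail": "chris.jones@example.test"},
    {"alias": "pat.lee", "mail": "pat.lee@example.test"},
    # A different person whose alias happens to equal someone else's local part.
    {"alias": "chris.jones", "mail": "c.jones2@example.test"},
]


def local_part_check(approver_email, opener_alias):
    """First attempt from the post: text before '@' compared with the alias."""
    local = approver_email.split("@", 1)[0]
    return local.strip().lower() == opener_alias.strip().lower()


def resolve_alias(approver_email, directory=DIRECTORY):
    """Look the typed address up by mail attribute.

    Returns the account alias, or None when the address matches no account
    or more than one (an ambiguous address must not grant access).
    """
    wanted = approver_email.strip().lower()
    matches = [e["alias"] for e in directory if e["mail"].lower() == wanted]
    return matches[0] if len(matches) == 1 else None


def may_open(opener_alias, requestor_alias, approver_emails, directory=DIRECTORY):
    """Allow the requestor, plus any approver whose typed address resolves
    to the alias of the person opening the form."""
    opener = opener_alias.strip().lower()
    if opener == requestor_alias.strip().lower():
        return True
    allowed = set()
    for email in approver_emails:
        alias = resolve_alias(email, directory)
        if alias is not None:  # unresolved address contributes nothing
            allowed.add(alias.lower())
    return opener in allowed
```

With this sample data the local-part check fails in both directions: it rejects the intended approver and accepts an unrelated account whose alias equals the local part.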