Pages

Friday, June 8, 2012

Nintex Workflows: Good to know(2) - User Context

If you want to get your permissions right, you have to know under which user context a workflow runs.
Basically that user is always the one who started the workflow. Not the one who designed the workflow or who last interacted with the workflow (e.g. the approver)!
As you may have noticed, this post is longer than 3 lines, so there are exceptions to this rule.

Exception 1 - The designer selects custom credentials for an activity
While designing your workflow you have to select custom credentials for some activities to use. For example a web service call.
Of course we don't want to allow every user who starts the workflow to have access to every LOB system.


Other actions e.g. "Create List" run in the workflow initiators context by default, but you can optionally choose different credentials. This is a great feature and helps a lot to limit your users permissions.



Exception 2 - Some activities run with higher privileges by default
What?!? Please, explain:
One of SharePoints default group is the member group, which allows users to start workflows and to edit items. But they are not allowed to manage permissions - we don't want every editor to mess up our security concept.
Unfortunately that is often a requirement.
Think of a workflow that starts with a form to be filled out by any user and is submitted for approval. (Could be any form in your company). After the manager approval we don't want the document to be modified anymore.
So we build this workflow, initiate it as a normal user and it works! No access denied happened!
Why?
Manage Permissions is a Nintex activity (in Nintex there are SharePoint Designer and Nintex activities) and it is designed to run with elevated privileges by default.
Unfortunately I don't have a complete list of all those activities. If anybody got a list of those activities please mail them!

Exception 3 - Run with designer credentials.
Some activities allow you to select the workflow designer as the executing user. This is also a SharePoint Designer feature. I have to say, that I am not a big fan of this, because it might easily get you in trouble.
It is exposed to the UI through a checkbox, which can be found in many actions. It might be of special interest in the "Action set" activity.



What about scheduled workflows?
They run as the user who last created/modified the schedule.

Attention: Please note that we are talking about Nintex Workflows 2010. Please refer to this document for differences between NW2007 and NW2010.

No comments:

Post a Comment