With the new 2013 workflows there are a few scenarios that can cause issues which may not be obvious to those coming from 2010. One such scenario is configuring list items to have Create and Edit access set to Create items and edit items that were created by the user and have a user who did not create the item initiate a 2013 workflow. By default, this will result in the workflow failing due to unauthorised access exceptions.
Lets walk through the scenario in more detail.
Start with creating a new custom list and then in SharePoint Designer, publish a simple List workflow to it.
As you can see, a very simple workflow 🙂
Configure the list to allow users to only edit items that they created.
For testing this scenario, configure the workflow to Allow this workflow to be manually started by an authenticated user with Edit Item permissions
Create a new item and initiate the workflow. Assuming no errors in the workflow itself and it completes with no user interaction, i.e. no tasks, etc. the workflow will successfully run and finish.
As a different user, initiate the same workflow against the same list item.
This time, with the item being created by me and not SPDev Member, the workflow fails and is cancelled. Looking through the ULS logs, there are a few items that will help to indicate why. These include:
- SPRequest.AddOrUpdateItem: UserPrincipalName=
- Exception occured in scope Microsoft.SharePoint.SPListItem.UpdateWithFieldValues. Exception=System.UnauthorizedAccessException:
- Original error: System.UnauthorizedAccessException:
All point to an unauthorised exception adding or updating the item, which makes sense considering we set the edit settings to only allow the user who created the item to edit it. To resolve this we need to tell SharePoint to run the workflow with elevated permissions. This is done by doing the following:
Activate the web scoped feature Workflows can use app permissions.
From the Site Settings page, click Site App Permissions.
Find the app titled Workflow and copy the first Guid in the App Identifier column, highlighted in the following screenshot.
Basically everything between the first pipe character | and the first ampersand @
Navigate to ~/_layouts/15/appinv.aspx, there’s no link to this page so you’ll need to manually enter it into the address bar.
Paste the Guid you copied earlier into the
Next, paste the following XML into the Permission Request XML text box and click the Create button.
<AppPermissionRequests> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /> </AppPermissionRequests>
Lastly, confirm that you want to trust all workflows for the current site by clicking the Trust It button.
Now try initiating the same workflow that failed previously, running as a user who did not create the item. This time the workflow will run and complete without error.
This really helped me, thanks a ton!