Workflow App Permissions

With the new 2013 workflows there are a few scenarios that can cause issues which may not be obvious to those coming from 2010. One such scenario is setting a list's Create and Edit access to "Create items and edit items that were created by the user" and then having a user who did not create an item start a 2013 workflow on it. By default this will result in the workflow failing with an unauthorised access exception.

Let's walk through the scenario in more detail.

Start with creating a new custom list and then in SharePoint Designer, publish a simple List workflow to it.

Publish SPD Workflow

As you can see, a very simple workflow 🙂

Configure the list to allow users to only edit items that they created.

List Permissions

For testing this scenario, configure the workflow to "Allow this workflow to be manually started by an authenticated user with Edit Item permissions".

Workflow Start Settings

Create a new item and initiate the workflow. Assuming no errors in the workflow itself and it completes with no user interaction, i.e. no tasks, etc. the workflow will successfully run and finish.

Successful Workflow

As a different user, initiate the same workflow against the same list item.

Failed Workflow

This time, with the item having been created by me and not by SPDev Member, the workflow fails and is cancelled. Looking through the ULS logs, there are a few entries that help to indicate why. These include:

  • SPRequest.AddOrUpdateItem: UserPrincipalName=
  • Exception occured in scope Microsoft.SharePoint.SPListItem.UpdateWithFieldValues. Exception=System.UnauthorizedAccessException:
  • Original error: System.UnauthorizedAccessException: 0x80070005

All point to an unauthorised access exception while adding or updating the item, which makes sense considering we set the edit settings to only allow the user who created the item to edit it. To resolve this we need to tell SharePoint to run the workflow with elevated permissions. This is done by doing the following:

Activate the web scoped feature Workflows can use app permissions.

Web Feature

From the Site Settings page, click Site App Permissions.

Site App Permissions

Find the app titled Workflow and copy the first Guid in the App Identifier column, highlighted in the following screenshot.

Workflow app permission

Basically, everything between the first pipe character (|) and the first at sign (@).

Navigate to ~/_layouts/15/appinv.aspx. There is no link to this page, so you'll need to enter it manually into the address bar.

appinv page

Paste the Guid you copied earlier into the text box and click the Lookup button. This will automatically populate the Title, App Domain and Redirect URL text boxes.

App Id Lookup

Next, paste the following XML into the Permission Request XML text box and click the Create button.

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

Permission Request XML

Lastly, confirm that you want to trust all workflows for the current site by clicking the Trust It button. Note that this grant applies to every workflow on the web, not just the one that failed.

Trust Workflow

Now try initiating the same workflow that failed previously, running as a user who did not create the item. This time the workflow will run and complete without error.

Successful Elevated Workflow
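To confirm the fix took, and to spot this failure mode quickly when it recurs on another list, it helps to triage the ULS entries listed earlier by correlation ID rather than grepping for them one at a time. The following script is an added example, not part of the original post; it parses constructed ULS-style lines (tab-separated, with the message in the eighth column and the correlation ID in the ninth) and reports only those correlation IDs where all three indicators appear together.

```python
import re
from collections import defaultdict

# Constructed ULS-style sample lines (not real log data). Columns are tab-separated:
# Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation.
# The first three lines form one failed workflow start; the last is a normal update.
SAMPLE_ULS = """\
10/02/2014 09:15:01.12\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tGeneral\t0000\tHigh\tSPRequest.AddOrUpdateItem: UserPrincipalName=i:0#.w|spdev\\member\t11111111-aaaa-bbbb-cccc-000000000001
10/02/2014 09:15:01.15\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tGeneral\t0000\tHigh\tException occured in scope Microsoft.SharePoint.SPListItem.UpdateWithFieldValues. Exception=System.UnauthorizedAccessException: Access denied.\t11111111-aaaa-bbbb-cccc-000000000001
10/02/2014 09:15:01.20\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tGeneral\t0000\tHigh\tOriginal error: System.UnauthorizedAccessException: 0x80070005\t11111111-aaaa-bbbb-cccc-000000000001
10/02/2014 09:16:44.03\tw3wp.exe (0x1A2B)\t0x0C3D\tSharePoint Foundation\tGeneral\t0000\tHigh\tSPRequest.AddOrUpdateItem: UserPrincipalName=i:0#.w|spdev\\owner\t22222222-aaaa-bbbb-cccc-000000000002
"""

# The three indicators from the failed run, as regexes over the message column.
INDICATORS = {
    "add_or_update": re.compile(r"SPRequest\.AddOrUpdateItem: UserPrincipalName="),
    "update_denied": re.compile(r"UpdateWithFieldValues\. Exception=System\.UnauthorizedAccessException"),
    "hresult_80070005": re.compile(r"System\.UnauthorizedAccessException: 0x80070005"),
}


def parse_uls(text):
    """Yield one dict per well-formed ULS line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 9:
            continue
        yield {"timestamp": fields[0], "level": fields[6],
               "message": fields[7], "correlation": fields[8].strip()}


def find_workflow_permission_failures(text):
    """Return correlation IDs where all three indicators occur, with the acting user."""
    hits = defaultdict(dict)   # correlation -> {indicator: timestamp}
    users = {}                 # correlation -> UserPrincipalName seen on the update
    for entry in parse_uls(text):
        for name, pattern in INDICATORS.items():
            if pattern.search(entry["message"]):
                hits[entry["correlation"]][name] = entry["timestamp"]
        m = re.search(r"UserPrincipalName=(\S+)", entry["message"])
        if m:
            users[entry["correlation"]] = m.group(1)
    # Only a correlation carrying all three messages matches the failure pattern.
    return [{"correlation": c, "user": users.get(c), "first_seen": min(found.values())}
            for c, found in hits.items() if set(found) == set(INDICATORS)]


if __name__ == "__main__":
    for failure in find_workflow_permission_failures(SAMPLE_ULS):
        print(f"{failure['first_seen']} workflow denied for {failure['user']} "
              f"(correlation {failure['correlation']})")
```

Against live logs, feed the output of Get-SPLogEvent (or the raw .log files from the LOGS folder) into find_workflow_permission_failures instead of SAMPLE_ULS; a run that still returns matches after the permission grant means the grant did not apply to that web.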
