I have set up a form where when someone presses the "Submit" button it initiates a site workflow to create a list item. It all works well when I (full control permissions) do it, but if someone with contribute permissions tries, it fails. I tried adding an impersonation step, but that doesn't seem to be working either. Also, I am trying to record the person who created the list item, and the impersonation step uses my name (workflow author) for "Created By."
Any suggestions as to what I could've possible done wrong, or what I should try to do/add? Thanks in advance...
Simple answer is No.
As you can see the checkboxes in workflow property, you can set the trigger to be
trigger itself when item added or modified.
manually start by users.
For the read-only user, they are not able to click the "start a workflow" button. Also, these users do not have permission to add or modify list item.
You can configure your workflow with "impersonation step". In this way, the workflow will be running under the account of "workflow creator" instead of the user trigger the workflow. However, even you applied "impersonation step", the read-only user still not able to trigger a workflow
Related
I authorized the group of a user to the cockpit-application. I gave the group full access to the Process Definition and Process Instance authorizations. (so pretty much as described in the documentation)
When I try to log the user in, I see the Welcome screen and in the application overview the option to navigate to the cockpit-application.
However, when I click this, I get the Login screen again.
For a fraction of a second I see the cockpit application, but then it immidiatly redirects to the login page. When I try to log in again, it keeps redirecting me to this login screen.
I configured another group to use the Tasklist application and that is working as expected.
I tried to give the authorization on user-level instead of group-level but the same problems occurs.
(n.b.: I am using the Spring-Camunda-Starter for this application.)
I found the problem, I accidentally removed one of the authorizations the system automatically creates when the user is created. I think I might have removed this, as I thought it was not necessary.
It is in the User Authorizations, every user has an authorization from it's own user to that user. When I added this, it fixed the problem.
I found the solution when another user logged in and had no problems. And the found this to be the only difference between the two accounts.
Hopefully this will help someone in the future!
Being in a view and you know the area-name, controller-name and action-name of a destination to which you want the user to provide a link to, how can I figure out if the area/controller/action is authorized for the authenticated user.
Imaginary Use-case:
I have a table with a list of books (the result of bookscontroller.index). To the far right are some icons to edit or delete a specific book. The edit link refers to bookscontroller.edit and the delete link to bookscontroller.delete.
On the actions there are custom authorizationattributes and this works perfect. If a user want to access books/edit/1 and the user is not allowed to edit books, the user gets redirected to the logon page.
It is a bit stupid to have that edit-icon there if the user is not allowed to edit books. So at view level I would like to be able to figure out if the user is allowed to use the edit action of the bookscontroller. If he is, show the icon if not, do not show the action.
Goal: use that knowledge to create a custom tag-helper.
The go-to method is reactive, i.e. you check if a user can do action when the user tries to do. Since you do not want to go that way, here is how. (yet, this is anti-pattern)
Have the authentication token of the user send back to backend. The backend should have an API end point for each button on the page user can click. With the authentication token, the back-end resolve whether to dim or enable the buttons.
Now, what the backend does to resolve this is not very efficient. The backend needs to literally attempt certain actions and aborts the transaction. For create and retrieve, it is trivial (you can pre-resolve them) but for edit and delete, this requires a lot of resources.
The standard way of controlling such actions on UI is to use role based authorization.
For the buttons or other such UI elements, setup role tags, e.g. "admin:edit", "viewer:readonly" etc.
When you are authenticating a user, send the applicable roles from the backend server, store them in a way that is globally accessible to your UI and use them for filtering UI elements across your application.
I have been struggling over this for some time now.
What do I need:
I need to open calendar item of a user who has shared his/her calendar with me.
What I have done so far:
So I have a userA who wants to access to UserB's calendar event and edit it.
To access the item, first thing I did is, make UserB share its calendar with User A and give edit permission like below
Now this userA (test1 on pic) have full access. I go ahead and create a new meeting on User B's calendar. Then I open fiddler and grad the event ID from Response:
I am running an add-in on UserA mailbox that has 1 button and onclick it calls
Office.context.mailbox.displayAppointmentForm(itemId)
When I click it, as you may expect I get the event details like below:
Everything is smooth so far. Now I go ahead and click Edit. Since I gave the edit permission , I am expecting to be able to edit it. I go ahead and click edit and this is what I get:
The action could not be completed. Access denied error.
I thought may be it is permission issue, may be giving it edit does not really let it to edit. So I tried giving User A full permission over user B's Mailbox - Not just calendar, whole mailbox- but that did not solve it either.
I have been in contact with Microsoft Dev Chat but unfortunately they could not reproduce my situation, and it seemed to work for them smoothly.
Love to hear some insights and hopefully a solution.
Currently, Outlook add-ins are not fully supported in shared calendars/mailboxes. However, this is a feature that we are currently investigating.
We would like to update workflow, where Time Tracking module should only be visible to Assignee of the Issue.
We've tried assert, required but that only allows restriction on main field but Time tracking entries still gets generated.
In general you can't do that via workflow, because you can't limit visibility of anything from workflows.
FYI: there is a permission 'Update Work Item' which allows users to add work items. If a user doesn't have this permission, he can't add work items in the Time Tracking tab. There is a permission 'Read Work Item' which allows to view work items. In some cases you can configure your permissions so that only some users can view/edit work items.
We're working on a publishing site with sharepoint 2010. It allows anonymous access, and these anonymous users can fill out certain forms. The form submission works fine as the anonymous user has permission to insert to the lists.
There is a simple workflow attached to each form that emails the contents of the form to an internal user. This works fine if you add the list item manually (ie logged in as a certain user), but the workflow can't be initiated by an anonymous user. It hangs in progress, then eventually fails.
I tried this:
http://blog.furuknap.net/enabling-declarative-workflows-for-anonymous-users-in-sp20102007
But it didn't seem to work either. Some comments from users refer to this same issue - and no one stated a resolution.
I'm worried that the only solution is the run with elevated privileges on each form as a custom web part.
Any solutions out there?
thanks.
The steps described in the mentioned post only work for items added to the list by email. So any items added (new form, new document, new event) added using the sharepoint UI will NOT trigger the workflows. (see the related MS KB article).
There are 2 things I can think of you could try:
Use an ItemEventReceiver bound to the list to send the email in the ItemAdded event.
If all the workflow does is send an email to a user, just have that user subscribe to the list using an alert