Create a workflow with elevated permissions by using the SharePoint Workflow platform


Hello,

There are several reasons a list or site workflow may need elevated privileges. The most common case is a workflow that has to read or write data in another list or library, at the site collection or sub-site level, that the user starting the workflow cannot access.

SharePoint App-Only is the older, but still very relevant, model for setting up app principals. It works for both SharePoint Online and SharePoint 2013/2016 on-premises, which makes it a good way to prepare applications for a migration from on-premises to SharePoint Online. The steps below grant the workflow app principal Full Control; the same approach can also grant narrower rights such as Read.

Applies To
  • SharePoint 2013/2016
  • SharePoint Online

This post also covers the following errors, which are symptoms of the missing permission:

The Workflow was Suspended with Unauthorized HTTP

OR

Unauthorized HTTP to /_vti_bin/client.svc/web/lists

Issue:

By default, a SharePoint 2013 workflow runs with the permissions of the user who started it, so it cannot reach lists that user has no access to. The App Step approach described here requires a Full Control permission grant to the workflow app principal.

Some important points before enabling App Step:

  • To allow the workflow to use app permissions, you must be a Site Owner or Site Collection Administrator.
  • App Step can be used at tenant, site collection or web level.
  • The Workflow Manager platform must be configured correctly before the “Workflows can use app permissions” feature can be activated.
  • The App Management Service must be configured before Full Control can be granted to a workflow.
  • Inside an App Step the workflow is authorized with its own identity as Full Control and the current user's permissions are ignored. Anyone who can start the workflow therefore gets the effect of whatever the App Step does, so keep the actions inside it to the minimum needed.
  • App Step is not available for SharePoint 2010 workflows.
  • If you do not elevate the workflow's permissions first, App Step stays disabled in SharePoint Designer.

Solution:

To begin the elevation process, follow these three steps:

  1. Allow workflow to use app permissions
  2. Grant full control permission to a workflow
  3. Develop the workflow actions inside an App Step using SharePoint Designer

Let's look at each of the three steps in detail.

I. Allow workflow to use app permissions: 

The Workflow Manager platform must be configured correctly before the “Workflows can use app permissions” feature can be activated. The feature is web-scoped, so it appears under Manage site features of the web (including the root web of a site collection) and must be activated on each web where the workflow runs.

  • Open the SharePoint Site > Site Settings.
  • Below Site Actions > Select Manage site features.
  • Activate Workflows can use app permissions feature.

Activating this feature lets the workflow use the app permission that is granted in the next step.

II.  Grant full control permission to a workflow

  • Open the SharePoint site > Site Settings > Users and Permissions > Site App Permissions.

  • Copy the client section of the App Identifier for the Workflow app. The identifier has the form i:0i.t|ms.sp.int|<client id GUID>@<realm>; the client section is the GUID between the last “|” and the “@” sign.

  • Navigate to the grant-permission page by browsing to appinv.aspx on the web:

http://siteurl/_layouts/15/appinv.aspx.

  • Paste the client section of the App Identifier into the App Id field.
  • Click Lookup to fetch the app details.
  • The App Management Service must be configured for Lookup to resolve the identifier. If the App Management Service application is not installed, Lookup fails with an error at this point.

  • Paste the following permission request XML to grant Full Control. Tag and attribute names are case-sensitive; lower-case names are not recognized. The Scope shown ends in /web, so the right is granted on this web only; http://sharepoint/content/sitecollection would grant it across the whole site collection, which is wider than most workflows need. AllowAppOnlyPolicy="true" is what lets the App Step act under the app identity rather than the starting user.

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl">
</AppPermissionRequest></AppPermissionRequests>
  • You will then be asked to trust the Workflow app. Click Trust It.
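For SharePoint 2013/2016 on-premises, steps I and II can also be scripted from the SharePoint Management Shell. The script below is an added example, not code from the original post; it assumes $webUrl and $clientId are placeholders you replace with your web URL and the GUID copied from Site App Permissions, and that the “Workflows can use app permissions” feature is installed under the folder name WorkflowAppOnlyPolicyManager (confirm with Get-SPFeature before relying on it). It grants Full Control at web scope (Scope Site), matching the /web scope of the XML above, and enables the app-only policy the App Step needs. SharePoint Online has no equivalent cmdlets; use the appinv.aspx steps above there.

```powershell
# Added example: automate "Allow workflow to use app permissions" and
# "Grant full control permission to a workflow" on SharePoint 2013/2016 on-prem.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl   = "http://siteurl"                         # assumption: web where the workflow runs
$clientId = "00000000-0000-0000-0000-000000000000"    # assumption: GUID between the last "|" and "@" on Site App Permissions

$web = Get-SPWeb $webUrl
try {
    # Step I: activate the web-scoped feature "Workflows can use app permissions".
    # Feature folder name assumed to be WorkflowAppOnlyPolicyManager; verify with Get-SPFeature.
    $feature = Get-SPFeature | Where-Object { $_.Scope -eq "Web" -and $_.DisplayName -eq "WorkflowAppOnlyPolicyManager" }
    if (-not $feature) {
        throw "Feature not installed on this farm; check that Workflow Manager is registered with it."
    }
    $alreadyActive = Get-SPFeature -Web $web | Where-Object { $_.Id -eq $feature.Id }
    if (-not $alreadyActive) {
        Enable-SPFeature -Identity $feature.Id -Url $web.Url
    }

    # Step II: grant the Workflow app principal Full Control at WEB scope only
    # (-Scope Site == http://sharepoint/content/sitecollection/web in the XML),
    # with the app-only policy so the App Step runs under the app identity.
    $realm     = Get-SPAuthenticationRealm -ServiceContext $web.Site
    $principal = Get-SPAppPrincipal -NameIdentifier "$clientId@$realm" -Site $web
    if (-not $principal) {
        throw "No app principal found for $clientId@$realm; the App Management Service may not be configured."
    }
    Set-SPAppPrincipalPermission -Site $web -AppPrincipal $principal -Scope Site -Right FullControl -EnableAppOnlyPolicy

    # Check: the grant now shows on Site App Permissions for this web. Remember that
    # everyone who can start the workflow acts with Full Control inside the App Step.
    Write-Host "Granted web-scoped FullControl (app-only) to $($principal.DisplayName) on $($web.Url)"
}
finally {
    $web.Dispose()
}
```

Choosing -Scope Site rather than SiteCollection keeps the blast radius of the app-only grant to the one web the workflow actually runs on; widen it only if the workflow genuinely has to reach other webs.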

III. Develop the workflow actions inside an App Step using SharePoint Designer

App Step is disabled in SharePoint Designer unless the steps above have been completed. Actions placed inside an App Step are authorized with the workflow's own identity as Full Control and the current user's permissions are ignored, so the workflow completes even when the current user has no permissions on the target list.

Good to go! Once the App Step is added to the workflow, any action can be placed under it.

NOTE: If App Step is still disabled, close SharePoint Designer and reopen it. If it is still disabled, confirm that the steps above were done on the correct site collection or web.

NOTE: Under Workflow Settings, uncheck “Automatic updates to workflow status to the current stage name”, then click Publish.

If this option stays checked, the current user needs Edit permission on the list; otherwise the workflow cannot update the workflow status column.

Happy SharePointing !!


Reassign a workflow task – Task update was not accepted. To edit a task associated with a workflow task process, you must be the person to whom the task is currently assigned.


Hi guys,

Recently one of my clients ran into this issue while reassigning a task in the default Approval workflow.

SharePoint by default only allows the assignee to re-assign the task. If you try to re-assign a task that is not assigned to you, you get the following message:

Task update was not accepted. To edit a task associated with a workflow task process, you must be the person to whom the task is currently assigned.

Solution

To override this behaviour:

  1. Open SharePoint Designer
  2. Open the Workflow you wish to modify.
  3. In the step that starts the task process (“Start <workflow task name> process on Current Item with…”), right-click the task name.
  4. Select Properties and look for the TaskProcessOwner attribute.
  5. Use the picker button to select a group or a specific user.
  6. Consider creating a SharePoint group specifically for this purpose. Every member of that group can reassign tasks assigned to other people, so keep its membership small.

Hope this post helps you fix this error.

Happy SharePointing.

SharePoint : Custom Task Email with Outlook ribbon control “Open this Task”


Hi Guys,

It was really interesting to work with my latest client. They had an interesting and innovative idea to automate their manual file approval process. The requirement was a multistage state machine workflow in which users can approve or reject documents with comments. Working with the end client was interesting in its own right, as they themselves did not quite know what they wanted.

I will not go deep into the workflow here, but will come back with another post explaining it. This post is about one requirement I faced during its development.

Requirement: As a user, I should receive an email from the workflow with a custom subject that embeds the document name, from which I can directly approve, reject or comment on the document. The email should show an “Open this task” button that takes me to the page where I can take those actions.

It looks easy but has hidden challenges. Most of us know that when a task item is created, either directly in the task list or through a workflow, an alert email is sent saying a task has been assigned to you (provided alerts are enabled). When you view that email in Outlook, an additional ribbon control “Open this Task” appears under the “Open” group. Let me rephrase the requirements:

  1. We have to customize the body and subject as requested.
  2. The ribbon button “Open this Task” should be present when the email is sent.

These two points are two sides of the same coin: with the built-in options, getting one of them means losing the other. The final solution therefore needs a trick to achieve both.

Solution: 

One thing is clear: the default workflow email feature cannot be used; we have to use “SmtpClient” or “SPUtility” to build an email with a custom body and subject. The question is how to get the ribbon button when sending the email with SPUtility.

  • I first used the “SPWorkflowTaskProperties” class in the Task Created event and set two properties, “SPWorkflowTaskProperties.HasCustomEmailBody = true” and “SPWorkflowTaskProperties.EmailBody = <My Custom HTML Email Body>”. This satisfies both requirements, but only from inside the workflow; if a task is created some other way and the email is sent from an event receiver on item creation, this class is not available. So it does not fit the generic case.
  • Next I considered modifying the alert template, but that would affect every task list, which is not recommended.
  • So I decided to disable alerts for that task list and use the “SmtpClient” or “SPUtility” class to send the email, which works equally from event receivers, workflows or anywhere else. With this class we control every aspect: From, To, Subject, Email Body and so on. The only problem is requirement 2 (the ribbon control in Outlook). I always wondered how Outlook recognizes that an email is for a task and activates the ribbon control as soon as it sees one.

I believed that the alert email carries headers that mark it as a task, which Outlook understands and uses to display the controls. So the question was which headers. After some research I found the mail message headers. Below is the code for sending the email including those headers; it satisfies both requirements (1 & 2).

// Namespaces the method relies on (not shown in the original post)
using System;
using System.Collections.Specialized;
using System.Text;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

/// <summary>
/// Sends the task-created email in place of the default SP workflow notification,
/// adding the headers that make Outlook show the "Open this Task" ribbon control.
/// </summary>
/// <param name="web">Web that hosts the task list</param>
/// <param name="htmlBody">Custom HTML body of the email</param>
/// <param name="toEmailId">Recipient email address</param>
/// <param name="taskList">Task list that contains the task item</param>
/// <param name="itemId">ID of the task item</param>
/// <param name="emailSubject">Custom subject</param>
/// <returns>true if the email was handed to SPUtility.SendEmail, false on error</returns>
public bool SendTaskMail(SPWeb web, string htmlBody, string toEmailId, SPList taskList, string itemId, string emailSubject)
{
    try
    {
        // Keep the "@domain" part of the outbound sender so the Message-Id is unique to this farm
        string sender = web.Site.WebApplication.OutboundMailSenderAddress;
        string domain = sender.Substring(sender.LastIndexOf('@'));

        var messageHeaders = new StringDictionary();
        messageHeaders.Add("to", toEmailId);
        messageHeaders.Add("subject", emailSubject);
        messageHeaders.Add("content-type", "text/html");

        // Headers Outlook uses to recognise a SharePoint workflow task notification
        messageHeaders.Add("Message-Id", "<3BD50098E401463AA228377848493927" + Guid.NewGuid().ToString("D") + domain + ">");
        messageHeaders.Add("X-Sharing-Title", ConvertToBase64String("Body"));
        messageHeaders.Add("X-AlertTitle", ConvertToBase64String("System"));
        messageHeaders.Add("Content-Class", "MSWorkflowTask");
        messageHeaders.Add("X-AlertWebUrl", ConvertToBase64String(web.Url));
        messageHeaders.Add("X-AlertServerType", "STS");
        messageHeaders.Add("X-AlertWebSoap", ConvertToBase64String(web.Url + "/_vti_bin/alerts.asmx"));
        // stssync URL that lets Outlook connect the task list; every part is URL-escaped
        messageHeaders.Add("X-Sharing-Config-Url", "stssync://sts/?ver=1.1&type=tasks&cmd=add-folder&base-url=" + Uri.EscapeDataString(web.Url) + "&list-url=" + Uri.EscapeDataString(taskList.RootFolder.ServerRelativeUrl) + "&guid=" + Uri.EscapeDataString(taskList.ID.ToString("D")));
        messageHeaders.Add("X-Sharing-Remote-Uid", taskList.ID.ToString("D"));
        messageHeaders.Add("X-Sharing-WssBaseUrl", ConvertToBase64String(web.Url));
        messageHeaders.Add("X-Sharing-ItemId", ConvertToBase64String(itemId));

        SPUtility.SendEmail(web, messageHeaders, htmlBody);

        return true;
    }
    catch (Exception ex)
    {
        // Utilities.UpdateLogErr is the project's own logging helper, not a SharePoint API
        Utilities.UpdateLogErr(ex, "Error while sending email. Please find details in audit logs");
        return false;
    }
}

/// <summary>
/// Base64-encodes a header value. The original post did not show this helper;
/// it is assumed here to encode the string as UTF-8 before base64.
/// </summary>
private static string ConvertToBase64String(string value)
{
    return Convert.ToBase64String(Encoding.UTF8.GetBytes(value ?? string.Empty));
}

Hope this helps!

Thank you for your time.

Happy SharePointing 🙂 !!