Giving Correct Permissions to Workflow on Sharepoint

August 19, 2016

I am in the process of moving a self-hosted SharePoint to SharePoint Online, and as part of this exercise we are starting to use Project Online. I used Project Portfolio many years ago and loved how it brought different MS Project plans together in one portal; sadly that product is obsolete, and its newest iteration is Project Online. Back then we created a project starting from a proposal, which triggered an approval workflow that added the project to the portfolio once it was approved. Sounds easy? Well, it is not that straightforward, and there are definitely some issues that need to be addressed.

With the workflows on our SharePoint Foundation instance this is quite easy, but online it is a different ball game. Creating the whole thing, from forms to workflows, is not the issue; how it behaves inside SharePoint in terms of permissions is quite different. So on the first run, when I approved an item and triggered the workflow, I got this error:

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP Forbidden to https://xxxxxxxxxxxxxx/sites/pwa/_api/ProjectServer/WorkflowActivities/CreateProjectFromListItem(webId='{some web id guid}', listId='a352ed9d-3b99-4405-b2a3-2fc3c2678335', itemId='2', eptId='09fa52b4-059b-4527-926e-99f9be96437a')
Correlation Id: f9d2736f-8a66-4425-a5cc-cb30adf980ff
Instance Id: 3e7695ad-5913-4bb0-b6c8-cbf29e4e877a

PJClientCallableException: GeneralSecurityAccessDenied
GeneralSecurityAccessDenied

[Screenshot: Workflow Status, 2016-08-19 09:25]

Well, that gives me an idea that either the user or the workflow does not have access to create an item; to add to that complication, you cannot find the details that relate to the correlation ID anymore apart from contacting Support. I had a very bad experience here: the third-party company that does the support for Microsoft is not on par with others and somehow technically challenged, the accent was bad and it was just frustrating. Trust me, Stack Overflow and even the MS communities are faster and you will get different opinions. Anyway, enough of that rant and let's get to the issue.

With a bit of guidance from Stack Overflow I had hope and was pointed in the right direction. So how did I solve this problem?

Well, it looks like the workflow needs elevated permissions to do its job, and there are several places to configure for this to happen.

First, let's allow the workflow to use app permissions.

Go to Settings -> Site Settings.

[Screenshot: Sharepoint Online 01]

Open Manage Site Features

[Screenshot: Sharepoint Online 02]

and go to the very bottom and activate “Workflows can use app permissions”.

[Screenshot: Sharepoint Online 03]

Now that the workflow can use app permissions, let's grant it full access.

Back in Site Settings, go to Site App Permissions

[Screenshot: Sharepoint Online 04]

and get the GUID of the Workflow Service user; the GUID is the hexadecimal string between the | and the @, as highlighted below.

[Screenshot: Sharepoint Online 05]

Copy that GUID and keep it for the next step.

Now let's add the principal information for that workflow in SharePoint.

Go to http://<SharePointWebsite>/<Sites>/<SiteName>/_layouts/15/AppInv.aspx if you are doing this on a sub site collection, or http://<SharePointWebsite>/_layouts/15/AppInv.aspx if you are doing it on the root site.

Paste the GUID into App Id and click Lookup; it will populate the Title, App Domain and Redirect URL. All you need to do now is paste the following XML, exactly as it is, into Permission Request XML:

<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

It should look like this:

[Screenshot: Sharepoint Online 06]

Then click Create, then Trust It.

[Screenshot: Sharepoint Online 07]

Now that part is done, let's do the next step.

Let's wrap the actions inside an App Step.

So what is this App Step? Basically it is a mechanism provided so that you can elevate permissions for a workflow. Anything encapsulated inside the App Step is run by the app, in our case the workflow. In short, it will use the application credentials and have the permissions we assigned above.

Doing this is easy: just click App Step so it is placed in your workflow, then put inside it any actions you want the app to run, in our instance the creation of the project.

[Screenshot: Sharepoint Online 08]

Save it, then let's publish it; but before doing so, untick “Automatically update the workflow status to the current stage name”.

[Screenshot: Sharepoint Online 09]

Now let's see if the workflow works.

Well, still not!

[Screenshot: Workflow Status, 2016-08-19 09:23]

I am now encountering a different issue: instead of “GeneralSecurityAccessDenied” I now get “Access denied. You do not have permission to perform this action or access this resource”.

Upon further investigation it looks like we are out of scope for the permission, so let's go back to the URL http://<SharePointWebsite>/<Sites>/<SiteName>/_layouts/15/AppInv.aspx and add a different scope, which tells the app principal what it can do within that scope.

So if we did this before:

<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

we add another one like this:

<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
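As an added example (not code from the post), here is a small Python helper for two of the manual steps above: it pulls the GUID out of the Workflow Service user identifier (the hex string between the | and the @) and parses the AppPermissionRequests XML to flag grants that are FullControl at site collection scope or wider, which is exactly what the fix above ends up requiring and is worth recording when you review site app permissions. The ordering of scopes and rights is my assumption based on the standard SharePoint add-in permission scopes; the sample identifier in the comments is constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# The two permission requests from the post, kept verbatim.
WEB_XML = """<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>"""
SITE_COLLECTION_XML = """<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>"""

# Assumed ordering: scopes from narrowest to broadest, rights from weakest to strongest.
SCOPE_RANK = {
    "http://sharepoint/content/sitecollection/web/list": 0,
    "http://sharepoint/content/sitecollection/web": 1,
    "http://sharepoint/content/sitecollection": 2,
    "http://sharepoint/content/tenant": 3,
}
RIGHT_RANK = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}

# A 36-character GUID sitting between a '|' and an '@', as the post describes.
APP_ID_RE = re.compile(r"\|([0-9a-fA-F-]{36})@")


def extract_app_id(identifier: str) -> Optional[str]:
    """Return the app principal GUID from a Site App Permissions identifier, or None.
    Constructed sample: 'i:0i.t|ms.sp.ext|<guid>@<realm>' (placeholder values)."""
    match = APP_ID_RE.search(identifier)
    return match.group(1).lower() if match else None


def audit_permission_requests(xml_text: str) -> List[dict]:
    """Parse an AppPermissionRequests document and flag broad grants."""
    root = ET.fromstring(xml_text)
    findings = []
    for req in root.iter("AppPermissionRequest"):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        scope_rank, right_rank = SCOPE_RANK.get(scope, -1), RIGHT_RANK.get(right, -1)
        # FullControl at site collection or tenant scope deserves a second look.
        findings.append({"scope": scope, "right": right,
                         "broad": scope_rank >= 2 and right_rank >= 3})
    return findings


def report(xml_text: str) -> List[str]:
    """One human-readable line per request, marking broad grants."""
    return [f"{f['right']} @ {f['scope']} -> {'BROAD' if f['broad'] else 'ok'}"
            for f in audit_permission_requests(xml_text)]
```

Run `report(SITE_COLLECTION_XML)` to see the second grant from the post flagged as BROAD, while the first (web scope) passes as ok.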

Now your workflows will run as normal.

But wait: if your workflow is creating an item in something that needs a license, you will get another error like this:

PJClientCallableException: GeneralNotLicensed
 GeneralNotLicensed
 method = CSOM.CreateProjectFromListItem
 user = i:0i.t||app@sharepoint
 resuid =

[Screenshot: Workflow Status, 2016-08-19 09:46]

If not, you are all good and the workflows should run as normal.
