none
Approver Rights

    Question

  • I am looking at a 2-step Approval process, using SharePoint 2010 Approval workflows in SharePoint 2013, using SPD.

    So, we want an item to go to Group 1 first, and then to Group 2 if Group 1 Approves it; and Group 2 does the final Approval.

    Now, while the Workflow creates and allocates Approval tasks, Group 1 and Group 2 both need Approve rights on that List.

    So, members of either of those groups can completely ignore the Workflow, and just click Approve against the actual file itself, completely breaking any real control of the flow of Approval that the Workflow was meant to provide.

    My question is; is there any way to allow a user to Only have Approve rights on items they have been allocated to Approve, at that specific stage of the Workflow? (for example, If sent to Group 1 for initial Approval, Group 2 users at that stage shouldn't have Approve rights on that document yet, as Group 1 has not yet done their Approval)?

    Thanks

    David


    • Edited by Jude_44 Friday, February 03, 2017 12:49 PM Typo
    Friday, February 03, 2017 12:48 PM

All replies

  • The approval function is permission based. Users must have the approval permission to make approvals. There is a specific group created by default for approvers, but full control users will have this permission as well. Create a group for this specific list and set the permission such that those users can approve.

    Thanks, Danny Hickman IT Support Specialist

    Friday, February 03, 2017 1:07 PM
  • Hi Danny

    Thanks for that - but my issue is the all-or-nothing approach for Approval. I don't want a means to completely work around an Approval workflow by just selecting Approved against the item itself; instead of allowing the Approval process in the Workflow to progress.

    Assume you have an Expenses workflow. It goes to the Manager, then once they approve it in the worklow, it goes on to the CEO for example.

    Manager and CEO both need Approve rights on the list to do approvals.

    Now, user submits an Expense form - it goes to the Manager via the workflow for their initial approval within the workflow and the related generated Task.

    BUT the Manager can just go to the top of the item and select Approve (nothing to do with the Workflow - this is Approve/Reject for the item itself) - so the item gets fully Approved, and the CEO didn't even get to see it.

    What am I missing here? Is there no way to do a fully reliable, multi-stage secured Approval workflow in SharePoint, where Approval is limited to each Group depending on the Stage of the Approval Workflow?

    Friday, February 03, 2017 2:40 PM
  • I think you may have content approval enabled on this list... is that correct? There is a difference between approving and item for content approval and approving an item in the workflow.

    Question: Does the CEO still get an email saying that there is an item that needs his approval after the manager approves the "workflow" task?

    Thanks, Danny Hickman IT Support Specialist

    Friday, February 03, 2017 7:47 PM
  • Hi Danny

    Correct, I need Content Approval enabled, and then I have as part of the Approval Workflow, in the final approval, it sets the Approval status to Approved at that point.

    I need this to ensure that only after Approval can this item be viewed by other users.

    This all works fine, the whole flow is fine - my problem is twofold:

    1) Full Approval can be done at any point by any user with Approve rights, outside of the Workflow

    2) While task access is limited to the users allocated the task; Approval can still be done by Any of the users who have Approve rights, regardless of which stage the Workflow is at

    This should really be bread-and-butter functionality for anything calling itself a Workflow system. X item passed from A to B to C to D for Approval; but no way to stop C person for example from approving while still at Stage A

    Many thanks

    David

    Monday, February 06, 2017 8:11 AM
  • Hi David,

    You could create an approval workflow in SharePoint Designer and assign the approval tasks to approvers one by one. It means if the first approver (Group 1) rejects the task, the second approver (Group 2) will not be assigned the task; if the first approver (Group 1) approves the task, the second approver (Group2) will be assigned the approval task.

    To achieve it, we need to customize “Start Approval  Process” action:

    1. Create a list workflow with SharePoint 2010 Workflow platform type for the list.

    2. Add a “Start Approval  Process” action.

    3. Select the process participants and select Serial to assign approval tasks one by one.

    Note: Pay attention to the order of participants, the first approver must before the second approver.

    4. Click on the Approval process to edit the approval task process.

    5. Change the behavior of a single task.

    6. In the “Before a Task is Assigned” step, add “Set Workflow Variable” action to set Variable: CancelonRejection to yes. Then if one user reject it, the task is completed.

    For example, if the first approver rejects the task, the second approver will not be assigned the task. Otherwise, the second approver will be assigned the approval task if the first approver approves the task.


    Best Regards,

    Linda Zhang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, February 08, 2017 9:22 AM
    Moderator
  • Hi Linda

    Thanks for your response.

    My issue is that it seems that EACH of those Approval groups needs to have full Approval rights, from the start.

    So, there is nothing stopping someone in Any of those groups manually Approving the full item, OUTSIDE of the workflow - so regardless of whether Tasks get created or not, or the Workflow process defined - someone in ANY of the Approval groups (as they all have Approve rights) can at Any point (regardless of where the Workflow is at) just set the Approval status of the whole item to Approved.

    Is there any neater way to deal with this?

    Thanks

    David

    Wednesday, February 08, 2017 9:30 AM
  • Hi David,

    I think your scenario is you only want to give CEO permissions to approve/reject the Content Approval, not for mangers.

    Manger approve the Approval Workflow > Then, CEO approve the Content Approval.

    As Stark365 mentioned, Content Approval is different with the Approval Workflow. User with Contribute permission or above on the Workflow Task list can approve/reject the Approval Workflow. But if the user wants to approve the Content Approval, he must have “Approve Items” permission.


    You should only give CEO the “Approve Items” permission.

    Best regards,

    Linda Zhang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 16, 2017 1:53 AM
    Moderator
  • Hi Linda

    Thanks for your response. Do I understand correctly then that only the very last person in a Workflow Approval process should have Approver rights; and then for all other approvers in the flow up to that point, if they are granted Read rights where the items are stored, and Contribute rights on the Workflow Task list, that will be enough for them to view and approve their steps in the workflow?

    And related to that - would granting then Contribute rights on the Workflow Tasks list not enable those users to Approve any tasks they want in that list, and to delete some if they chose to?

    Thanks again

    David

    Thursday, February 16, 2017 5:42 AM
  • Hi there

    This actually only helps assuming you have only one single final Approver - if you have say two workflows, for two Content Types, for items in a in a single list, and each Content Type had its own completely different workflow - the final Approver of the final step in each case would need list "Approval" rights - which means that an Approver for an item of Content Type A (with Workflow A and Final Approver A) cant be prevented from Approving an item of Content Type B (with Workflow B and Final Approver B) at any point regardless of the status of whichever Workflow is running - as if I understand it correctly, Approval rights are provided at List level, and there is no way for a Workflow's Approval rights to limit Approval to only specific people at a time.Thanks

    David

    Tuesday, February 28, 2017 12:08 PM
  • The only way I see this being able to work for you is if you drill down permissions for the site and you'll really have to restrict access at either site or list level.

    So go to list A and break permissions from the site. Then create a group for "Approvers" add the CEO into that group. This will allow only the CEO and anyone with Site Collection Admin rights to approve.

    There is no way to really to just allow the CEO to approve. You can only fine tune it enough to limit the access of everyone else who you don't want to approve. Mainly because your Site Admins and Site Collection Admins... but breaking inheritance for the list will get you closer to your goal.  

    Tuesday, February 28, 2017 1:17 PM