workflow edit permission in SharePoint 2013

  • Question

  • I have created a SharePoint 2013 workflow on a custom list using a custom workflow task. My list is related to a leave form wherein the assigned person has to approve the leave, but the problem is that anyone with edit rights can edit the Workflow Tasks list, no matter to whom the task is assigned, and complete their task. I want the task completed by the assigned user only. I want to achieve this functionality in SharePoint Online 2013.
    I searched on this; the answers I got:
    - Activating workflow to use app permissions
    - Grant full control permission to workflow
    - Develop the workflow to wrap actions inside an App Step
    - And also to remove list item permissions action under Impersonation step, which is available only in SharePoint 2010
    So is there any way to do this? I need only the assigned person to approve or edit the task.
    • Edited by Navyashree Wednesday, February 10, 2016 6:00 AM
    Tuesday, February 9, 2016 1:38 PM

All replies

  • Hi Navyashree,

    According to your description, you want to create a workflow on the Task List to replace the default permissions on the task list item.

    Here are the steps to do this:

    1. Allowing a workflow to use app permissions in a SharePoint Server 2013 site.

    Go to Site settings > Manage site features > Activate "Workflows can use app permissions".

    Go to Site settings > Site app permissions > Copy the client section of the App Identifier. The client section is in between "|" and "@".

    Grant permission to the app by going to http://{hostname}/{catalog site}/_layouts/15/appinv.aspx. Paste the client id in the App Id field, and click Lookup. Then enter the following Permissions Request XML to grant full control permission.

    <AppPermissionRequests>
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
    </AppPermissionRequests>

    Click Create, then click Trust It.

    For more details, refer to: https://msdn.microsoft.com/en-us/library/office/jj822159.aspx

    2. Restrict a workflow task to its assigned users.

    Create a workflow with SharePoint 2010 workflow platform type on the Task List to replace the default permissions on the task list item.

    Add an Impersonation Step, then insert a “Replace List Item Permissions” action to allow only assigned users to have access to edit the task list items.

    An article about how to restrict a task to its assigned users for your reference:

    https://community.spiceworks.com/how_to/66248-restrict-a-sharepoint-task-to-its-assigned-user-group

    Best Regards,

    Linda Zhang


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, February 10, 2016 3:41 AM
    Moderator
  • Hi,

    Thanks for the reply 

    I have followed step 1 and have successfully activated "Workflows can use app permissions" and granted full control permission.

    But for step 2, there is a problem! As I am using a SharePoint Online 2013 workflow, I am not able to find the Impersonation Step, but instead an App Step, which does not have actions like "Replace list item permission".

    So can you suggest to me how to break down the permission in workflow 2013?

    Regards,

    NavyaShree


    • Edited by Navyashree Wednesday, February 10, 2016 5:59 AM
    Wednesday, February 10, 2016 4:44 AM
  • Hi NavyaShree,

    For SharePoint 2013 workflow, we can use the endpoint below to break inheritance on the specific item:

    <sitepath>/_api/web/lists/getbytitle('LIST TITLE')/items('ITEM ID')/breakroleinheritance(true)

    Or use the endpoint below to break inheritance on the item on which you start the workflow:

    [%Workflow Context:Current Site URL%]/_api/lists/getbytitle('[%Workflow Context:List Name%]')/items([%Current Item:ID%])/breakroleinheritance(true)

    A detailed article about how to set unique permissions on item level:

    http://spsite.pro/Blog/Post/3/SharePoint-2013-REST-API-%E2%80%93-How-to-set-Unique-Permissions-%28Item-Level-Permissions%29

    And an article about how to break inheritance and assign permissions for items step by step for your reference:

    http://blog.bullseyeconsulting.com/archive/2014/08/31/conditionally-set-permissions-on-new-documents-in-sharepoint-2013-workflow.aspx

    Best Regards,

    Linda Zhang

    Thursday, February 11, 2016 4:50 AM
    Moderator
  • Hi,

    Thanks for the reply 

    I have followed the above steps and have successfully broken the inheritance and removed all the permissions, but while setting the role, how can I set permission to the assigned person only, and what should the "targetGroupID" and "roleDefId" be?

    I want to assign full control permission to the user to whom I have assigned the task and the current user. How do I achieve this in the set role step?

    If I set the "targetGroupID" to the Created By user ID, other users can still edit and approve the task! Does that mean it is still inheriting the permissions?

    Also, can I set permission for two or more selected users in this step?

    Regards,

    NavyaShree

    Friday, February 12, 2016 4:18 AM
  • Hi NavyaShree,

    To check if the workflow task list has stopped inheriting permissions successfully, you should select one item > click Tasks on the ribbon > click “Shared With” > click “Advanced”. If “This list item has unique permissions” shows on the page, this item has stopped inheriting permissions successfully. Then use Check Permissions to check whether all users’ permissions have been removed successfully.

    The “targetGroupID” is the principalid; it is the ID of a user or group within the current site collection. The “roleDefId” is the internal ID of the Role Definition. By default, the roleDefId of Full Control is 1073741829, the roleDefId of Contribute is 1073741827, and the roleDefId of Read is 1073741826.

    To assign full control permission to the user who has been assigned the task, you should add a lookup for the “Assigned To” field, with the return field as “User Ids”.

    Then copy this action and look up the “Created by” field to assign full control permissions to the “Created by” user.

    If there are multiple users in the “Assigned To” field, please add these users into a group. Then assign the task to the group instead of multiple users, because principalid can only be set to one value.

    Best Regards,

    Linda Zhang


    TechNet Community Support

    Monday, February 15, 2016 4:14 AM
    Moderator
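
A scripted version of the "unique permissions" check from the last reply, as an added example that is not part of the original thread: it audits a task item's role assignments and reports every principal other than the expected ones that still holds more than Read. This matters because the first argument of `breakroleinheritance` is `copyRoleAssignments`, so `breakroleinheritance(true)` starts the item off with a copy of the list's assignments. The input shape follows SharePoint's verbose OData responses; the function name, principal IDs and sample data are constructed for illustration.

```javascript
// Added example: audit who can still edit a workflow task item.
// Role definition IDs as quoted in the thread.
const ROLE = { 1073741829: "Full Control", 1073741827: "Contribute", 1073741826: "Read" };
const READ_ONLY = 1073741826;

// item:        parsed response of .../items(ID)?$select=HasUniqueRoleAssignments
// assignments: parsed response of .../items(ID)/roleassignments?$expand=Member,RoleDefinitionBindings
// allowedIds:  principal IDs expected to hold rights (assignee, creator) -- hypothetical values
function auditTaskItem(item, assignments, allowedIds) {
  const findings = [];
  if (!item.d.HasUniqueRoleAssignments) {
    findings.push("item still inherits permissions from the list");
  }
  const allowed = new Set(allowedIds);
  const seen = new Set();
  for (const ra of assignments.d.results) {
    seen.add(ra.PrincipalId);
    if (allowed.has(ra.PrincipalId)) continue;
    for (const rd of ra.RoleDefinitionBindings.results) {
      if (rd.Id === READ_ONLY) continue; // Read cannot edit the task item
      // Unknown role IDs are reported too (fail closed).
      const name = ROLE[rd.Id] || `unknown role ${rd.Id}`;
      findings.push(`${ra.Member.Title} (principal ${ra.PrincipalId}) has ${name}`);
    }
  }
  for (const id of allowed) {
    if (!seen.has(id)) findings.push(`expected principal ${id} has no role assignment`);
  }
  return findings;
}

// Constructed sample responses: inheritance is broken, but a copied
// "Site Members" assignment was never removed and the creator (15) was never added.
const sampleItem = { d: { HasUniqueRoleAssignments: true } };
const sampleAssignments = { d: { results: [
  { PrincipalId: 12, Member: { Title: "Assignee A" },
    RoleDefinitionBindings: { results: [{ Id: 1073741829 }] } },
  { PrincipalId: 7, Member: { Title: "Site Members" },
    RoleDefinitionBindings: { results: [{ Id: 1073741827 }] } },
  { PrincipalId: 9, Member: { Title: "Site Visitors" },
    RoleDefinitionBindings: { results: [{ Id: 1073741826 }] } },
] } };

console.log(auditTaskItem(sampleItem, sampleAssignments, [12, 15]));
```

An empty result means only the expected principals hold rights above Read on the item.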