How can I prevent workflow users from being added to permissions?

  • Question

  • We have a subsite that has unique permissions. The members group of the site has the "Everyone except external users" in it with Contribute rights - so everyone has access to the subsite.  

    On a forms library, we run a 2010 workflow to get the manager for the person who created, and then set the permissions on the item to be the manager, the person who created, and the Approvers group. What is happening is that a "Workflow Users" group is being added to the permissions with "Limited Access". The individuals being added to that group are the names being set as unique permissions. So what is happening is that everyone can see all the entries, when SOX compliance is that you can only see your own entries or whoever works for you if the manager.

    I delete the group, and then the next entry that is created populates it. I can live with the group getting populated, but not with it being added to the permissions in ANY capacity. I don't even see why the group is created as the users HAVE access to the site. I have even tried adding individuals to the Members group, but that "Workflow Users" keeps getting created and populated.

    I didn't see this when doing a Proof of Concept on a top level site. A group was created, but the group wasn't added to the permissions. 

    I just want that group to NOT be added to the permissions of the item where I am setting unique permissions. While the library has unique permissions, that same group is in the permissions. On my POC site, the library had unique permissions but we still didn't see this behavior. 

    Any suggestions? I am considering a PNP job to run every hour to delete the group if it exists but it shouldn't be added to these entries when the people HAVE access. This is a form library so I can't set permissions to only edit your own entry in the library settings. 


    Monday, August 12, 2019 6:44 PM

All replies

  • Hi Robyn,

    It’s the default behavior.

    In the workflow, the “add permissions” action creates this Workflow Users group and grants the group Limited Access permission automatically. This group is being used by workflows to grant Limited Access to people who do not have access to the SharePoint site.

    "Limited Access" permission doesn't actually give the user the ability to see those items but is instead used under the covers to make things work.

    Best regards,

    Grace Wang


    Tuesday, August 13, 2019 8:34 AM
    Moderator
  • Grace,

    The problem is this: 1) the group keeps adding members and 2) this group is added to each entry. So that means that it goes against the SOX compliance for everyone to be able to see all entries. So contrary to your statement, in this case "Limited Access" is allowing them to see the items. 

    We didn't see this behavior on the other site - the group was created, but not added to the entries. So what permissions need to be in place for the limited access to not be needed? I have added individuals to the members group but each time they create another entry they are added to the group and the group is added to the entry.

    At this point, I delete the group regularly. It gets re-created, but it is removed from all entries where it was at the time.



    Tuesday, August 13, 2019 1:09 PM
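
The two posts above disagree about what the "Workflow Users" assignment actually lets people see. The following audit script is an added example, not part of any post in this thread: it lists every principal on each uniquely permissioned item and whether any role bound to it includes the right to view list items. It assumes the PnP.PowerShell module and a session already connected to the subsite with `Connect-PnPOnline`; the library name is a placeholder.

```powershell
# Added example (not from the thread). Assumes PnP.PowerShell is installed and
# Connect-PnPOnline has already been run against the subsite.
param(
    [string]$Library = 'Forms Library'   # placeholder: title of the forms library
)

# The permission bit that decides whether a principal can see an item at all.
$view = [Microsoft.SharePoint.Client.PermissionKind]::ViewListItems

$report = foreach ($item in Get-PnPListItem -List $Library -PageSize 500) {
    # Skip items that still inherit from the library; the workflow breaks
    # inheritance on the ones it processes.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }

    foreach ($ra in Get-PnPProperty -ClientObject $item -Property RoleAssignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings

        [pscustomobject]@{
            ItemId    = $item.Id
            Principal = $member.Title
            Type      = $member.PrincipalType          # User, SharePointGroup, ...
            Roles     = ($roles | ForEach-Object Name) -join ', '
            # True when at least one bound role carries ViewListItems
            CanView   = [bool]($roles | Where-Object { $_.BasePermissions.Has($view) })
        }
    }
}

# Everyone who can really read each item: compare this with the intended set
# (creator, manager, Approvers).
$report | Where-Object CanView | Sort-Object ItemId, Principal |
    Format-Table ItemId, Principal, Type, Roles -AutoSize

# Assignments that carry no view right (e.g. a Limited Access only entry).
$report | Where-Object { -not $_.CanView } | Sort-Object ItemId |
    Format-Table ItemId, Principal, Roles -AutoSize
```

If the first table shows principals beyond the three the workflow sets, the role listed beside them identifies which assignment is granting the read access, which is the evidence an auditor would ask for.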