Providing authenticated site Visitor w/contribute permission on list and associated workflow but they are unable to start the workflow. Getting Access denied.

  • Question

  • The initial challenge was that I needed to allow users (employees on our intranet) to submit a form anonymously on a site (Office365 Enterprise version of SharePoint) they are authenticated on. They needed to fill out info, hit submit, and have that info be emailed to another individual in our company. 

    The solution I found and thought would work entailed:

    Step 1: creating a custom list

    • Disinheriting permissions for list from parent
    • Adding Contribute permissions for the Visitors group.
    • Adding a single item to the list.  

    Step 2: creating an associated list workflow in SharePoint Designer 2013.

    • Chose to Manually Start workflow
    • Adding my form fields via the Initialization Form Parameters.
    • Chose Send as Email Action /formatted with fields from Initialization
    • Disinherited permissions from parent and then changed permissions for Visitors on the actual initialization form (WFInitForm.aspx)
    • Disinherited permissions from parent and then changed permissions for Visitors on the associated Task List
    • Disinherited permissions from parent and then changed permissions for Visitors on the associated History List
    • Some other miscellaneous tweaking for usability that aren't really related like hiding the custom list from the browser, changing Start to Submit on the WFInitForm, modifying where the cancel button directed user, and a couple others.

    Step 3: Copied the Start workflow URL from the list item ribbon and added it to a link on the Home page of site.

    Step 4: Published

    During the course of troubleshooting I turned "Limited-access user permission lockdown mode" off in the parent collection features.

    I'm not sure if this would affect anything but Publishing is turned On for the site collection but was left OFF for this sub-site.

    Anyway, when I enter the site as a Visitor and click on the link to start the workflow I get an Access Denied message right away and am given the option of requesting permissions.  If I add Contribute to the Visitors group for the site, then the workflow starts. But Visitors can't have Contribute on the entire site. They need to have Read for most things and Contribute on just a couple. 

    I feel like I've missed an item that I need to change the permissions on but don't know what item. Any ideas? 



    Thursday, August 20, 2015 7:03 PM

Answers

  • Hi,

    If setting the workflow to be started manually, users will have to access the “/_layouts/15/Workflow.aspx” page which they don’t have permission to access and start the workflow.

    As a workaround, I suggest you set the workflow to be started when a new item is created; then users will not have to access the “/_layouts/15/Workflow.aspx” page to start the workflow.

    If there might be a need to let users decide whether to trigger the workflow for sending email, a suggestion is that you can set up an extra column (such as a Yes/No column) in the same list to indicate whether to send email, and compose the logic inside the workflow to execute the send email action accordingly.

    Thanks                 

    Patrick Liang


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, August 26, 2015 2:38 AM
    Moderator

All replies

  • Hi,

    Per my understanding, you might want visitors to be able to submit data and start a workflow to send the data via email.

    By default, it would require “Contribute” permission to start a workflow, as well as to submit data to a SharePoint site.

    To avoid users having “Contribute” access to the entire site, a suggestion is that you can set unique permissions on a list only and attach the workflow to this list. Then when visitors come to this list, they can add items and trigger the workflow to send an email. Meanwhile, they won’t have “Contribute” access to other resources of the current site.

    About how to grant unique permissions to only one list/library:

    http://social.technet.microsoft.com/wiki/contents/articles/18203.sharepoint-2013-break-document-library-permissions-inheritance.aspx

    More information about Edit permissions for a list:

    https://support.office.com/en-us/article/Edit-permissions-for-a-list-library-or-individual-item-02d770f3-59eb-4910-a608-5f84cc297782#__toc254960351

    Thanks                 

    Patrick Liang



    Monday, August 24, 2015 5:36 AM
    Moderator
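
The list-scoped grant suggested in the reply above, followed by a check that the Visitors group ends up with write access on that list only. This is an added example, not part of the original thread; it assumes the PnP.PowerShell module, English permission-level names, and a placeholder site URL and hypothetical list title.

```powershell
# Added example (not from the thread). Requires the PnP.PowerShell module.
$SiteUrl   = 'https://contoso.sharepoint.com/sites/intranet/forms'  # placeholder URL
$ListTitle = 'Feedback Submissions'                                 # hypothetical list title

Connect-PnPOnline -Url $SiteUrl -Interactive

$visitors = Get-PnPGroup -AssociatedVisitorGroup
$list     = Get-PnPList -Identity $ListTitle
if (-not $list) { throw "List '$ListTitle' not found on $SiteUrl" }

# Break inheritance on this list only, copying current assignments as the baseline.
Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments | Out-Null
if (-not $list.HasUniqueRoleAssignments) {
    Set-PnPList -Identity $list -BreakRoleInheritance -CopyRoleAssignments | Out-Null
}

# Add Contribute for Visitors on the list; the site-level assignment is not touched.
Set-PnPListPermission -Identity $list -Group $visitors.Title -AddRole 'Contribute'

# Return the permission level names a principal holds on a web or list.
function Get-RoleNames {
    param($SecurableObject, [int]$PrincipalId)
    Get-PnPProperty -ClientObject $SecurableObject -Property RoleAssignments | Out-Null
    foreach ($ra in $SecurableObject.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($ra.Member.Id -eq $PrincipalId) {
            $ra.RoleDefinitionBindings | ForEach-Object { $_.Name }
        }
    }
}

$siteRoles = @(Get-RoleNames -SecurableObject (Get-PnPWeb) -PrincipalId $visitors.Id)
$listRoles = @(Get-RoleNames -SecurableObject $list -PrincipalId $visitors.Id)

[pscustomobject]@{
    Group     = $visitors.Title
    SiteRoles = $siteRoles -join ', '
    ListRoles = $listRoles -join ', '
}

# Least-privilege check: Visitors should hold write access on the list only.
$writeRoles = 'Contribute', 'Edit', 'Design', 'Full Control'
$excess = $siteRoles | Where-Object { $_ -in $writeRoles }
if ($excess) { Write-Warning "Visitors hold write roles at site level: $($excess -join ', ')" }
if ('Contribute' -notin $listRoles) { Write-Warning "Contribute missing on '$ListTitle'" }
```

The script only scopes and verifies the list permission; it does not change access to the manual start page discussed elsewhere in the thread.
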
  • Hi Patrick, Thanks for the response. What you suggest is actually what I did. Let me reiterate but with the language you use.

    • I created a custom list and granted the Visitors group unique permissions to it - "Contribute" in addition to "Read"
    • I created a workflow associated with that custom list and thought that the workflow would inherit the permissions from that associated list. That wasn't the case. I found that the Initialization Form associated with the workflow that's named WFInitForm.aspx hadn't inherited the custom list's permissions. So I then granted the Visitors group unique permissions for the workflow initialization form WFInitForm.aspx - "Contribute" in addition to "Read"
    • I also checked the Task List and History List associated with the workflow and found that they did not reflect the permissions set on the custom list so I had to grant the Visitors group unique permissions for these lists as well - "Contribute" in addition to "Read"

    I can add items to the lists using the test user account that's a member of the Visitors group. So I know that the Contribute permission level is active on the custom list.

    However I'm not sure why the workflow is not reflecting the list's permission settings. I thought it might have something to do with the collection feature called "Limited-access user permission lockdown mode" and so turned this OFF... and then redid everything. Same result.

    Monday, August 24, 2015 7:14 PM