I am sure most of us are familiar with App Step: it is the mechanism provided to developers of SharePoint 2013-platform workflows (SharePoint Designer workflows or Visual Studio workflows) to elevate the permissions under which the workflow runs. I just wanted to share this post to make it clear what we need to do when we grant permissions to the workflow app (which is needed for App Step to work).
I recently helped on a support case where the customer had a scenario that I think is very common in business-process-oriented solutions, which is exactly where we would leverage workflows. They had a list created with the out-of-the-box item-level security settings. Here are the steps to set that up.
1. Create a list (use the Custom List template).
2. Go to the list's Advanced Settings.
3. Under the Item-level Permissions section, choose the radio buttons as shown below.
4. Hit OK.
This will ensure that the item-level permissions are such that only the user who created an item in the list will be able to view and edit it.
Now create a SharePoint 2013-platform list workflow using SharePoint Designer 2013 that has a simple Log to History List action (as shown below), associated with the list created above.
Publish this workflow to the list that has item-level permissions. Now log in to the site as a user who has Contribute rights and create an item in that list. Then log in to the site as a user with site owner (or site collection administrator) permissions. Go to the list; this user should be able to view the item created by the user with Contribute permissions. Now start an instance of the workflow on this list item.
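The same list setup can be scripted and, more usefully, verified from the SharePoint 2013 Management Shell. This is an added example, not part of the original post: the site URL and list name are placeholders, and it assumes you are running on a farm server with the SharePoint snap-in available. It sets the two item-level permission values that the radio buttons above map to and then reads them back so you can confirm the list really is in the "only their own" mode before you test the workflow.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2013
# Management Shell on a farm server; the URL and list name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = "http://intranet/sites/wf"   # placeholder site URL
$listName = "Requests"                   # placeholder list title

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists.TryGetList($listName)
    if ($null -eq $list) {
        # GenericList is the "Custom List" template from step 1 above.
        $listId = $web.Lists.Add($listName, "", [Microsoft.SharePoint.SPListTemplateType]::GenericList)
        $list   = $web.Lists[$listId]
    }

    # Item-level permissions (the radio buttons under Advanced Settings):
    #   ReadSecurity  1 = read all items,            2 = read items created by the user
    #   WriteSecurity 1 = create and edit all items, 2 = create items and edit own, 4 = none
    $list.ReadSecurity  = 2
    $list.WriteSecurity = 2
    $list.Update()

    # Read the values back. With both set to 2, a workflow started by an account
    # that did not create the item will fail with "list item not found" unless
    # the action runs inside an App Step.
    [pscustomobject]@{
        List          = $list.Title
        ReadSecurity  = $list.ReadSecurity
        WriteSecurity = $list.WriteSecurity
        OnlyOwnItems  = ($list.ReadSecurity -eq 2 -and $list.WriteSecurity -eq 2)
    }
}
finally {
    $web.Dispose()
}
```

Note that users holding Manage Lists on the web (site owners and site collection administrators) still see every item regardless of these values, which is exactly why the owner can open the item in the steps below while the workflow, running as the initiating user without App Step, cannot find it.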
You’ll see that the workflow fails with the following error, indicating that the list item was not found!
And on a subsequent retry:
And in the ULS logs you will see the following entries:
Clearly this is one of the many scenarios where you’ll use an App Step.
So I first enabled workflows to use app permissions by following the steps outlined in the article referenced above (for convenience, I’ve replicated them here: Create a workflow with elevated permissions by using the SharePoint 2013 Workflow platform) and then granted Full Control permission to the workflow (the steps are also provided in the same article).
And then comes the part where I had to grant permissions to the app. The referenced MSDN article suggested changing the Scope attribute to the actual SharePoint 2013 site URL, but that did not work. If I provide the permission request XML with the Scope attribute set to my site URL, like this:
I still see the same error telling me that the workflow cannot find the list item to execute on.
It looks like the permission request XML should simply be what’s shown in the screenshot below for the App Step to work correctly.
If you have developed SharePoint apps, you’ll notice that this permission request XML is the same as the app permissions we specify in the app’s AppManifest.xml file.
Once that is done, I hit the Create button on the /_layouts/15/appinv.aspx page and I am asked whether I trust the workflow.
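To make the difference between the two permission requests concrete, here is an added PowerShell snippet (not part of the original post, and not Microsoft's tooling) that holds both variants side by side and flags the one with a site URL in Scope before you paste anything into appinv.aspx. The site URL is a placeholder, and the `http://sharepoint/content/sitecollection/web` Scope with `Right="FullControl"` is the form Microsoft documents for the workflow app; I am assuming that is what the screenshot shows, so confirm it against the article referenced above.

```powershell
# Added example (not from the original post). The site URL is a placeholder; the
# content-URI Scope is assumed to match the working XML shown in the screenshot.
$siteUrl = "http://intranet/sites/wf"   # placeholder, only used for the failing variant

# The form that works: Scope is the abstract content URI, not the site's own URL.
$goodXml = @"
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>
"@

# The form that did not work: Scope set to the actual site URL.
$badXml = @"
<AppPermissionRequests>
  <AppPermissionRequest Scope="$siteUrl" Right="FullControl" />
</AppPermissionRequests>
"@

function Test-WorkflowAppPermissionXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc      = [xml]$Xml
    $problems = @()

    foreach ($req in $doc.AppPermissionRequests.AppPermissionRequest) {
        # appinv.aspx expects the http://sharepoint/content/... URI; a real site URL
        # is accepted by the page but leaves the App Step unable to see the item.
        if ($req.Scope -notlike "http://sharepoint/content/*") {
            $problems += "Scope '$($req.Scope)' is a site URL; use the http://sharepoint/content/... form"
        }
        if ([string]::IsNullOrEmpty($req.Right)) {
            $problems += "AppPermissionRequest is missing the Right attribute"
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Rights   = @($doc.AppPermissionRequests.AppPermissionRequest | ForEach-Object { "$($_.Scope) => $($_.Right)" })
        Problems = $problems
    }
}

Test-WorkflowAppPermissionXml -Xml $goodXml   # Valid = True
Test-WorkflowAppPermissionXml -Xml $badXml    # Valid = False, Problems lists the site-URL Scope
```

Keep in mind what the working request grants: Full Control at web scope means every App Step in every workflow published to that web runs with full control over it, so anyone who can publish a Designer workflow there can act with those rights. That is the risk behind the publish warning later in the post.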
I “Trust It”.
I then changed my SharePoint Designer 2013 workflow design as shown below and published it. When publishing, I am shown this warning; since I am fully aware of what this workflow is going to do, I hit the OK button.
After this, when I invoke the workflow as a site owner (or site collection administrator) on a list item created by another user in the list with item-level permissions enabled, the workflow completes without problems.