Symptoms
Getting an "Access denied: You do not have permission to perform this action or access this resource" error message when trying to run the Appit registration wizard in the QA(DEV) SP site collection. See attached screenshot for details of the error.
This was working last week so I'm not sure what changed.
My account has global admin rights as well as site collection admin rights on the site. Also tried removing the app principal permission by deleting the K2 Appit for SharePoint permission, and re-adding it to re-trust the K2 Appit application, no luck - same error still gets surfaced.
I will be requesting the ULS logs for the correlating correlation ID surfaced in the error exception, and provide that once I have it.
Please note this is a QA(DEV) SP site collection that points to our Prod Appit instance. However, I'm not seeing this issue in the Prod SP site on the same SP tenant.
Diagnosis
There was some confusion around who actually owned the admin token on the site collection in question. The account that owns the admin token needs to have site collection admin rights on the SharePoint site where the Appit application is installed.
This is also true for all SharePoint sites where the Appit application is installed.
Resolution
As noted in the "Diagnosis" section, this all came down to which account currently owned the K2 Appit app admin token. This is crucial information because that account NEEDS to be a Site Collection Admin on the site collection where K2 Appit is installed.
A new feature request for the ability to surface the current “owner” of the admin token in the Management page has been logged.