
Hey guys,

I was wondering, from a security point-of-view, is there a way to modify a FlexiTask's assigned username from the Database?

Is the username stored as plain text inside a DB table? And if yes, which one?

Come on guys, no one has tried to do this??


First rule of the SharePoint: You do not execute write operations on your SharePoint Databases.

Second rule of the SharePoint: You do not execute write operations on your SharePoint Databases!

Same applies for Nintex as (afaik) write operations aren't supported either. If you break something you won't get any support. I inspected the Nintex DB to see if I can find a table storing the tasks but without success.

Can you describe your actual use-case? There may be a workaround available.

Cheers

Philipp


Hey Philipp,

I'm trying to determine the security of day-to-day operations regarding Nintex Workflow Tasks, and if possible, find ways to make it secure-er!

Here are the 2 use-cases I had in mind:

  • gain access to the DB and change the internal reference ID of the Task's assigned SP user?
  • execute a SOAP request that would modify the Task metadata, without affecting any related workflows and not showing up in any logs?

I haven't found any table that stores the ID of the Task's assigned user yet. But if you have a lot of time, feel free to investigate the DB completely. I'd love to hear about your findings!

Regarding the SOAP request, you can use the Nintex Webservice <http://help.nintex.com/en-US/sdks/SDK2013/#Reference/SOAP/NW_REF_SOAP_DelegateTask.htm%3FTocPath%3DNintex%2520Software%2%E2%80%A6>. For example, you can delegate a task to change the assignee. This shouldn't affect any related workflows, but I'm not sure if you can see the delegation in the history. I only know there is a table called "DelegationHistory" that stores information about delegated tasks. Additionally, there is the nwadmin tool <https://community.nintex.com/docs/DOC-1026-nwadmin-operations-nintex-workflow-2013>, which can be used to delegate tasks.

Hope this helps.

(First time I reply directly via email because the hotel WLAN won't let me reply on the website, let's see how that works)

Best Regards

Philipp

From: themos

Sent: Wednesday, 13 September 2017 08:31

To: Lucas, Philipp <Philipp.Lucas@adesso.de>

Subject: Re: - Re: Change FlexiTask username from Database



I was aware of the DelegateTask SOAP call but didn't remember the DelegationHistory table!

So it seems plausible that someone could manually clear the DelegationHistory entry after the Task has been delegated and nobody would find out!

Maybe an SQL Profiler trace would be helpful in identifying the table storing the Task User IDs. Now all I need to do is find the time to investigate it.

