

 

Symptoms


This article covers what happens when new users or groups are added to SharePoint after a workflow has been deployed, and whether that affects the security of subsites the workflow creates afterwards.

Consider a workflow that creates a new subsite, removes user permissions and adds new ones. If new users or groups are added to the SharePoint environment after the workflow has been deployed, and you then open the workflow, you will notice that these users and groups appear in the events used to remove and add user rights, but they are not configured to have their rights removed or added. At face value, this means that whenever a new subsite is created, these users' rights will not be removed and they will have access to the new subsite by default.

 

Diagnoses


This can be easily reproduced by doing the following:

1. Create a new list.
2. Appify the list, adding Forms, Workflow and Reports to the list of artifacts to be created.
3. After the workflow designer opens, drag the "Create Subsite" workflow event into the first empty workflow step.
4. Configure this event to create the new subsite.
5. Create a new workflow step from the Create Subsite step.
6. In the new workflow step drag in the "Stop Inheriting Site Permissions" event.
7. Create another new workflow step.
8. In this empty workflow step drag in "Remove Site Permissions". Configure this event to remove the necessary users from the subsite's permissions list.
9. Create another new workflow step.
10. Drag the "Add Site Permissions" workflow event into the empty step.
11. Configure this event to add the necessary user permissions to the site.
12. Deploy the workflow.
13. In SharePoint create a new user group to test this issue. Make sure this is an easily remembered name.
14. After creating this new group, access the workflow in question.

After opening the workflow's site permission events, the newly created SharePoint group is shown in the list of available users to configure. This is where the security question arises.
 

Resolution

While it is true that new users and groups are added to the list of available users to be configured in these events, there is one thing to keep in mind. When a workflow is first configured and deployed, it is configured using the settings that were available to it at that time. This means that when you look at the permissions events later, the new users will show, but the currently deployed workflow has no context of these users yet. The only time this would become a security issue is if the workflow is deployed again without configuring the new users or groups.




 