Skip to main content

Hello,


I've given a SharePoint group Start, and View Participate permission for a process, however users still can't submit the InfoPath form to start the process. This group's only member is NT AUTHORITYAuthenticated Users. This includes all users currently validated in AD. We use this group for every other site on our SharePoint farm.


If I give the user permission directly they can submit the form. If I add users individually to this group, they appear to able to submit this form as well.(Though something strange did happen, the first time a user tried under this setup, they got an error message in InfoPath saying the form couldn't be submitted, but they also immedieatly received the email that is sent at the start of the process. Subsequent tries to submit the form worked.) Adding users individually obviously won't work if I need to all all staff to start a process.


What's extra odd is this: I removed all user rights except my own admin rights and when logged in as my test user I was still able to submit the InfoPath form to start the process!


So my questions are these:



  2. Why can't users submit forms when permission is granted to a SharePoint group containing NT AUTHORITYAuthenticated Users?
  3. Why can my test user still submit the form even though all his permissions have been removed.

I think the issue is because authenticated users are not an actual group but rather an AD object like everyone. What is the behavior when using Domain Users group? What version are you running? The fact that the user can still submit after removing his rights, I think is the caching that comes into play. The user’s rights are read form cache and the cache was not refreshed (yet) after removing the user.


Restarting the K2 Service should refresh the cache. This is if you don’t want to wait for the cache refresh interval which is by default 10 min if I remember correctly.


If you are running KB1370 – identity service will handle the cache. The K2 docs will have some more info on how to configure different refresh intervals etc. you can also refer to this article


http://www.k2underground.com/blogs/johnny/archive/2011/10/03/working-with-the-identity-service-caching-mechanism.aspx


If you have pre KB1370, you can set the refresh intervals in the K2HostServer.config file. Changing the GroupCachePollingInterval and GroupCacheInterval.


 


Note changing these settings can have performance impact. The shorter the refresh interval the more likely to hit performance issues.


HTH


Vernon

Unfortunately those controls for cacheing aren't available in the blackpoint management console. I've bounced the K2 service a few times to get around this for now.


But cacheing issues aside, I think I've found part of my problem. I had my security set as follows:




  • SharePoint All Staff Group

    • AD All Staff Group

      • Head Office

        • Head office 3rd Floor








I had a test user in the 'AD All Staff Group'. That account was able to start workflows. But my manager and CTO are in the Head Office 3rd Floor group and they couldn't submit the infopath form to start the process. I moved my test user to Head office 3rd Floor and now it's unable to start the process. How can I make K2 dig recursively through the AD groups?


 

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings