andrew.beals@nintex.com

ApproveReject.aspx page permissions - "You are not authorized to respond to this task."

Blog Post created by andrew.beals@nintex.com Support on May 23, 2016

Since this behavior continues to be a hot issue I have explained this behavior further.

 

As it was mentioned previously in the thread ("You are not authorized to respond to this task." message ), in order to view tasks assigned to other users, a user must have at least "Manage Hierarchy" permission levels at the site level which is *technically* correct as that permission level includes permissions applied when "Full Control" is given to a user. To be more specific I have provided the exact permission levels needed to access a Flexi-task not assigned to you.

 

Here are the exact minimum permission level requirements at the site level to view tasks assigned to users other than you:

(This assumes you already have the required "Edit permissions" aka contribute)

 

List Permissions:

View Items  -  View items in lists and documents in document libraries.

Open Items  -  View the source of documents with server-side file handlers.

View Versions  -  View past versions of a list item or document.

Site Permissions:

Manage Permissions  -  Create and change permission levels on the Web site and assign permissions to users and groups.

Manage Web Site  -  Grants the ability to perform all administration tasks for the Web site as well as manage content.

Add and Customize Pages  -  Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Microsoft SharePoint Foundation - compatible editor.

Browse Directories  -  Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.

View Pages  -  View pages in a Web site.

Enumerate Permissions  -  Enumerate permissions on the Web site, list, folder, document, or list item.

Browse User Information  -  View information about users of the Web site.

Open  -  Allows users to open a Web site, list, or folder in order to access items inside that container.

Now with that being said, these permissions are required due to how the NintexWorkflow/ApproveReject.aspx page checks if you are qualified to view the task. There are a number of checks that happen onpageload.

 

The first check this pages does is to see if the user has at least "EditListItems" permissions. (This is the "Edit items" permission level which is included in contribute). This is to confirm if you have permission to edit the ask item.

 

Next, the page will attempt to check if the user viewing the task matches the HumanWorkflowID of the user assigned to the task. This ID is stored within the Nintex Workflow database. This is to confirm if the task is assigned to the person requesting this item.

 

If the user does not match the HumanWorkflowID the page then checks if the user has elevated permissions via a custom "isadmin" check. The permission levels required by this "isadmin" check are the following:

Manage Permissions

Manage Web Site

View Pages

Open

Add and Customize Pages

As you can see these permission levels are the same as those included in the list above. The only difference being my list includes the dependent permission levels.

 

If you pass either the HumanworkflowID check or the "isadmin" check the page will display the task page successfully. All of the aforementioned permissions checks are done onpageload.

 

For reference those permissions are listed in full detail here: https://technet.microsoft.com/en-us/library/cc721640.aspx

 

Cheers,

Andrew Beals

Outcomes