This topic is about finding the best practices to fulfill the customer's needs regarding security and permissions.
We have decided to use a cloud-only user to design and publish Nintex Workflows for Office 365.
A small team of workflow designers will create workflows with this user when requested by departments.
If we create a new workflow, for example on /sites/sales, we add this user to the site collection admins on this particular site.
Up to here, everything is fine.
We want to have the ability to call SharePoint REST services via the "Web Request" action, for example to create a new team site with /_api/GroupSiteManager/CreateGroupEx, and therefore we also need the request digest by calling /_api/ContextInfo.
For this site provisioning process, we have a list with Nintex Forms and a related Nintex Workflow (2-stage approval). When we call /_api/ContextInfo to determine the request digest, we get status code 403 Forbidden.
Do we need an App Registration with AllSites.FullControl and then get the bearer token in the Workflow Web Request from https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token to get it done?
And if so, do we need to assign a username and password with tenant admin credentials in the latter request?
This would be a problem for us because we have Privileged Identity Management (PIM) and nobody has a permanent admin role. Every role has to be requested.
What could be a possible solution? - Thanks in advance...
We are now able to get the digest from _api/ContextInfo with a "Call HTTP Web Service" action instead of using the "Web Request" action.
The key point was to use this action together with the "Get Item from Dictionary" action to get the digest value from the response dictionary variable and assign the output to a text variable. The path had to be defined like this: d/GetContextWebInformation/FormDigestValue
So, the game changer was to use the "Call HTTP Web Service" action.
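As an added illustration (not the poster's workflow and not Nintex code), the following Python mirrors what the answer's dictionary lookup does: it walks the path d/GetContextWebInformation/FormDigestValue through the verbose-OData JSON that _api/contextinfo returns, and builds the headers for the follow-up POST while refusing a digest that has outlived FormDigestTimeoutSeconds. The response body is a constructed sample; the digest value and URLs in it are made up.

```python
import json
import time

# Constructed sample of the verbose-OData JSON body returned by POST /_api/contextinfo.
# Only the shape matters; the digest string and URLs are placeholders, not real values.
CONTEXTINFO_RESPONSE = json.dumps({
    "d": {
        "GetContextWebInformation": {
            "__metadata": {"type": "SP.ContextWebInformation"},
            "FormDigestTimeoutSeconds": 1800,
            "FormDigestValue": "0xPLACEHOLDERDIGEST,01 Jan 2024 10:00:00 -0000",
            "LibraryVersion": "16.0.0.0",
            "SiteFullUrl": "https://contoso.sharepoint.com/sites/sales",
            "WebFullUrl": "https://contoso.sharepoint.com/sites/sales",
        }
    }
})


def get_item_from_dictionary(dictionary, path):
    """Resolve a slash-separated path (e.g. d/GetContextWebInformation/FormDigestValue),
    the same way the Nintex "Get Item from Dictionary" action addresses a nested value."""
    node = dictionary
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"element {key!r} not found while resolving {path!r}")
        node = node[key]
    return node


def parse_context_info(response_body, now=None):
    """Extract the form digest and compute its expiry (epoch seconds) from the contextinfo body."""
    data = json.loads(response_body)
    digest = get_item_from_dictionary(data, "d/GetContextWebInformation/FormDigestValue")
    timeout = get_item_from_dictionary(data, "d/GetContextWebInformation/FormDigestTimeoutSeconds")
    issued = time.time() if now is None else now
    return {"digest": digest, "expires_at": issued + int(timeout)}


def digest_headers(digest_info, now=None):
    """Headers for the follow-up POST (e.g. /_api/GroupSiteManager/CreateGroupEx).
    A stale digest is rejected up front instead of letting SharePoint answer 403."""
    now = time.time() if now is None else now
    if now >= digest_info["expires_at"]:
        raise ValueError("form digest expired; call /_api/contextinfo again before posting")
    return {
        "Accept": "application/json;odata=verbose",
        "Content-Type": "application/json;odata=verbose",
        "X-RequestDigest": digest_info["digest"],
    }
```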