Our O365-based travel request workflow contains permissions we can't quite nail down. It was initially built by a vendor, and we were not provided technical documentation, so we're troubleshooting in-house.
Permissions we need:
Permissions set by vendor:
We understand that Grant Site Owners disinherits permissions affecting Grant Submitter/Traveler ability to assign permissions to this group of users. Nintex Support says “Since you are breaking inheritance and removing existing permissions you are removing any permissions assigned to the item for the workflow initiator”, which we understand, but they haven’t provided direction toward a solution.
Here’s what does not work (test users all have Contribute permissions via SP settings):
In addition, we’ve tried publishing the workflow as the service account (Site Collection Admin permissions) and placed Grant Site Owner and Grant Submitter/Traveler actions within an App Step, neither of which appeared to have any effect on results.
We need to understand which action(s) will 1) prevent everyone from having access to all travel requests while 2) enabling Initiator/Traveler/Approvers to view items that pertain to them 3) allowing Site Owners access to all items while items submitted by Site Owners are not visible to all users.
Any feedback/direction would be greatly appreciated!
Screen shot of Grant Site Owners workflow permission:
Screen shot of Grant Submitter/Traveler workflow permission (and all Grant Permissions actions in State Machine):
Wowowow! This is quite complex to go through only by reading. Naturally the best option would be to log in and to click-test the workflow.
From what I understood, your vendor made you a workflow but had not tested it deeply, and now major use cases are not working properly? And by "not working properly" I understand that the actions setting permissions should set them the way you expect, so that access to the items is limited as you need, but for some reason it is not working, right?
When I was working with the action to set O365 permissions, I realized that no matter how I declare the set of groups/users directly in the "User or group name" field, whether as a string or as a set of semicolon-delimited variables, it just doesn't work; the permissions are not set.
However, when I declare the list of users and group names as a variable, where the variable holds semicolon-delimited values, and then I put only the variable in the "User or group name" field, it works smoothly.
Maybe this is your case too?
If not, we can do a deeper analysis of the issue together.
Hi Tomasz. It is a lot, I know. Thank you for taking the time to review our issue and respond. I understand your suggestion and have put it on the list of recommendations. Other members of the team have received suggestions as well; we're going to put them all to the test and see what we come up with.
Thanks again for your input!
I need a screen shot of the workflow error (if it does error), but in saying that, I've dealt with this many times and torn most of my hair out over the past few months. These custom Nintex actions are very temperamental in the Office 365 environment.
Things to try to resolve
Thank you, Tomasz and Warwick, for your responses. We've found a solution that gives us the level of view privacy we need and corrects the flaw in the original workflow. We knew that the workflow permission step that disinherited parent permissions was causing us the most grief; with Nintex Support's input, we determined that we needed to swap the order of workflow permissions to give the action Grant Submitter and Traveler something to 'attach' to.
Nintex recommended swapping the two original actions. We tested without Grant Permissions to Site Owner and found that everything works the way we want it to. We opted not to add an unnecessary action to an already leggy workflow.
Again, many thanks to those who replied. As always, your support is greatly appreciated!