cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

Access Denied when publishing workflow on a subsite with Full Control

My user's are experiencing the following error:

Access Denied. Exception: Attempted to perform an unauthorized operation., StackTrace: 

at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)   

at Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask)   

at Microsoft.SharePoint.SPFieldCollection.AddFieldToWeb(String strXml, Boolean checkDisplayName, Boolean isMigration, Boolean ignoreExistsError, Guid featureId, Guid solutionId)   

at Microsoft.SharePoint.SPFieldCollection.AddFieldAsXmlInternal(String schemaXml, Boolean addToDefaultView, SPAddFieldOptions op, Boolean isMigration, Boolean fResetCTCol)   

at Microsoft.SharePoint.SPFieldCollection.AddFieldAsXmlInternal(String schemaXml, Boolean addToDefaultView, SPAddFieldOptions op)   

at Nintex.Workflow.Common.NWSharePointObjects.UpgradeWorkflowContentType(SPWeb web)   

at Nintex.Workflow.WorkflowRepository.UpgradeForUpdatedContentType()   

at Nintex.Workflow.WorkflowType.GetWorkflowRepository(SPWeb web)   

at Nintex.Workflow.ApplicationPages.WorkflowGallery.Page_Load(Object sender, EventArgs e)   

at System.EventHandler.Invoke(Object sender, EventArgs e)   

at Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase.OnLoad(EventArgs e)   

at Microsoft.SharePoint.WebControls.LayoutsPageBase.OnLoad(EventArgs e)   

at Nintex.Workflow.ServerControls.NintexLayoutsBase.OnLoad(EventArgs e)   

at System.Web.UI.Control.LoadRecursive()   

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   

at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   

at System.Web.UI.Page.ProcessRequest()   

at System.Web.UI.Page.ProcessRequest(HttpContext context)   

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)   

at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)   

at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)   

at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)   

at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   

at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   

at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)   

at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)   

at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   

at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  .

As well:

Permission check failed. asking for 0x800, have 0xb008431061

Redirected to the access denied page:

Name=Request (GET:http://teamsites:80/sites/training/Nintex/_layouts/15/AccessDenied.aspx?Source=http%3A%2F%2Fteamsite...)

The nintex interface displays:

401: Unauthorized

The user has Full Control on the http://teamsites/sites/training/Nintex site but only has visitor at http://teamsites/sites/training.

http://teamsites/sites/training  is a site collection

This is a pretty straight forward out of the box setup.

We have also disabled the "Limited-access user permission lockdown mode" feature.

Labels: (1)
0 Kudos
Reply
11 Replies
Automation Master
Automation Master

Re: Access Denied when publishing workflow on a subsite with Full Control

It looks like in one of your actions in the workflow you need it to create/modify a content type or fields in a content type. Maybe you have a task action with specified fields or a flexi task with additional outcomes?

In which case you are affecting Site Collection data and require the permissions on the site collection to make those changes. If you are granted permissions on the site collection level (you stated you have visitor rights) then you should be able to publish the workflow then. Or a site admin on the site collection could publish a saved workflow for you.

0 Kudos
Reply
Not applicable

Re: Access Denied when publishing workflow on a subsite with Full Control

Unfortunately, I get the error when I have a super simple workflow, just a notification task.

0 Kudos
Reply
Automation Master
Automation Master

Re: Access Denied when publishing workflow on a subsite with Full Control

Ok, but it is probably the same issue being a task. If you cannot change the permissions in the site collection then you can test by creating a workflow that only has log to history list. If you cannot publish that then it is another issue, but if it publishes then it would most likely be a permission issue on the site collection.

0 Kudos
Reply
Not applicable

Re: Access Denied when publishing workflow on a subsite with Full Control

The problem was caused by the Site level Minimal Download Strategy feature. Deactivate the Minimal Download Strategy feature and suddenly the full control site owner can access the manage workflows, and publish workflows properly.

0 Kudos
Reply
Automation Master
Automation Master

Re: Access Denied when publishing workflow on a subsite with Full Control

Wow, glad that helped. But I would suggest that there is an underlying issue that is not yet resolved. I have about 30 farms for 2013 that are running Minimal Download Strategy and workflows without issue.

It may be that the caching accounts/setup is not proper.

0 Kudos
Reply
Not applicable

Re: Access Denied when publishing workflow on a subsite with Full Control

I’ll investigate, thanks!

0 Kudos
Reply
aaron_labiosa
Nintex Newbie

Re: Access Denied when publishing workflow on a subsite with Full Control

Hi Kevin,

Were you ever able to find anything with your investigation or does it still look like it was just the Minimal Download Strategy Feature?

Cheers!

0 Kudos
Reply
Not applicable

Re: Access Denied when publishing workflow on a subsite with Full Control

The Portal Reader and Portal User cache accounts are configured correctly under user policy, and the property entries are on the web app object as well.

Doesn’t seem to be a problem related to the cache accounts.

When this happened in dev, we had to disable “Limited-access user permission lockdown mode” site collection level feature as well. This was disabled before the Minimal Download Strategy Feature, and it was still a problem until we disabled the minimal download strategy feature.

It may have been possible that having both of the features enabled could cause the problem.

Here’s the specific reproduction scenario:

1. Create a site collection with minimal permissions (Read access to test user)

2. Create a sub site with Full Control permissions (Test user added to Owners Group)

3. Have both “Limited-access user permission lockdown mode” and “Minimal Download Strategy” features active.

4. Activate nintex related features.

5. Have the Test user try and publish a minimal workflow (just a regular notification task added).

a. Should receive a 401 access denied / multiple prompts for authentication.

6. Deactivate “Limited-access user permission lockdown mode”

7. Close browser, then open again and attempt to publish again, should still have the problem.

8. Deactivate “Minimal Download Strategy”

9. Close browser, then open again and attempt to publish again, problem should be resolved.

0 Kudos
Reply
Automation Master
Automation Master

Re: Access Denied when publishing workflow on a subsite with Full Control

Could you check that the following lists are inheriting permissions to the sub site:

  • List that the workflow is being added to
  • Workflows library at site/Workflows
  • NintexWorkflows library at site/NintexWorkflows

This is also checked when you go to site settings and click on Managed Allowed Designers.

the limited access lockdown mode issue is making me think there is a permission issue within the site.

thanks,

Andrew

0 Kudos
Reply