missymae6
Nintex Newbie

Add User to Group Workflow is overriding Group Settings/Owner

I have a successful workflow that adds a user to a SharePoint Group. It is so successful that it does not error even if the user initiating the workflow is not in the group that owns the group that the workflow is adding them to.

 

How do I restrict the workflow so that it complies with the Group settings and errors if the user initiating the workflow is not an owner of the group the user is being added to?

(Screenshots are helpful in my case #noob)

Automation Master

Re: Add User to Group Workflow is overriding Group Settings/Owner

@missymae6 ... I'm guessing you're using a web service to add the user into the SP group; if so, then it means that action is running under some credentials (Nintex Constant) which will have a higher privilege like SCA.

 

You need to first check if the user is in the SP group; if it is, only then run the actions, otherwise not.

 

Now coming back to your description, on one end you're trying to add the user into the SP group but you don't want the initiator of the workflow to do so. May I ask what exactly is the process?
missymae6
Nintex Newbie

Re: Add User to Group Workflow is overriding Group Settings/Owner

@kunalpatel Yes! You are correct - I am using "Call a web Service" to use the usergroup webservice that will allow me to use the AddUsertoGroup WebMethod. (It is all right here - https://www.c-sharpcorner.com/uploadfile/anavijai/how-to-add-user-to-sharepoint-group-using-nintex-w...)

 

The issue is that I have to enter my credentials to call the webservice, which is then used for any user who initiates the workflow. I was hoping for a solution that would allow me to use the credentials of the initiator vs those of the Workflow designer (as a side note I did check the Control settings under the workflow to make sure it was not impersonating - that box however is not checked).

 

In the scenario that I followed to build my workflow, they have you build a choice field to choose the SharePoint Group, which in my case is not ideal because some sites that this Application will be implemented on have over 400 user groups. I would like to instead use a people/groups picker to allow the user to find the group they want, however this would allow users outside of the Owner Group to be able to add users to resulting groups.

 

This application's purpose is the backend of an Access Request process. The user will request Access to sites using a Nintex form (well, Infopath at the moment). Currently my Admins have to process those forms and then go to 2 or 3 sites and manually add users to one of 400 possible groups. This solution will add them to the Groups more efficiently, however I need to remain within the settings of the Group itself and only allow the Group Owners to be the users adding or removing group members.

 

In the meantime I have implemented a Run If and am using a password. Not ideal but it works like a charm - and I actually like the idea of password protecting some of these workflows. But ideally, for this one, I would like to use the credentials of the initiator in lieu of a password/column.

 

Any help with this would be great!

Automation Master

Re: Add User to Group Workflow is overriding Group Settings/Owner

@missymae6 ... First of all, it's not the best approach to use your own credentials to run a web service or any other actions which need credentials. You need to create a service account, add it as a Nintex Constant and use that for credentials. If you published the workflow with your credentials and you left the company, then those workflows will have a lot of issues unless you're running each and every workflow of yours using the impersonation concept, which will allow the initiator to run the workflow as the workflow owner. For this you need to use an action set.

 

Now coming back to your requirements, correct me if I'm wrong....

 

  • You want your users to fill out the form, and they know which group they need to be added to or someone else needs to be added to
  • You don't want to add users into those SP groups automatically

 

If this is your requirement then how about the approach below?

 

  • Create a SP group called Admin group. I'll use this group as the group who can manage users in your SP groups.
  • Now let your users submit their requirement. Once they submit, your workflow will be triggered.
  • Now you can assign a task to the Admin SP group; I'll also enable lazy approval for this and will provide all the item details in the task notification e-mail. This will help your Admins to see details in the email and approve/reject/RMI from the email itself
  • If they approve then you can call the web service to add the user into the SP group.

 

If you don't want to assign a task to the Admin SP group then you can see who is the owner of the SP group and assign the task to them instead.
missymae6
Nintex Newbie

Re: Add User to Group Workflow is overriding Group Settings/Owner

Thanks - that approach won't work. In one instance I have 7 sites all with their own Admin groups already built (the group that owns the groups we would be adding users to).

 

Do you know of a way to query the Owner group and if the user is in that group then set the run if statement on their membership to the group that owns the group chosen to add/remove the user?

missymae6
Nintex Newbie

Re: Add User to Group Workflow is overriding Group Settings/Owner

I do not have any way to set up a service account

Automation Master

Re: Add User to Group Workflow is overriding Group Settings/Owner

@missymae6 

  • Using web service "/_vti_bin/UserGroup.asmx", get "GetUserCollectionFromGroupResult" XML
  • Using Query XML and above XML as a source, you can get:
    • XPath for Name -  /defaultNS:GetUserCollectionFromGroup/defaultNS:Users/defaultNS:User/@Name
    • XPath for UserID - /defaultNS:GetUserCollectionFromGroup/defaultNS:Users/defaultNS:User/@LoginName
  • Now you can check if your user is in above collection(s) or not and build your logic accordingly
    • If it is then add the requested user into the group
    • If not then assign task to the users in collection to approve it (you can use lazy approval too)
      • If they approve then add the requested user into the group

 

Nintex Constant:

  • A regular credential's password keeps getting changed at a regular interval. This can cause your workflow to fail if the password is incorrect.
  • Also, it will show your name if you're doing some operation with your credentials. It's best practice to do updates using either a service account or the users who should actually do so.
  • I'll still suggest working with your IT (AD team/IT security) to request a service account and with SP Admins to grant appropriate permission at web app policy levels and in Nintex configuration
  • Also, the service account's password will never change unless it has to be changed by IT

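The membership check described in the reply above, as an added example that is not part of the original thread and not Nintex or SharePoint code: it parses a `GetUserCollectionFromGroupResult` returned for the group that owns the target group and lets the add proceed only when the workflow initiator's login appears in it. The sample XML, logins, function names and the claims-prefix normalization are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the SharePoint UserGroup.asmx (directory) web service.
NS = {"d": "http://schemas.microsoft.com/sharepoint/soap/directory/"}

# Constructed sample result for a hypothetical owner group; all values are made up.
SAMPLE_OWNER_GROUP_XML = r"""<GetUserCollectionFromGroup
    xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
  <Users>
    <User ID="11" Name="Alex Owner" LoginName="CONTOSO\aowner" Email="" />
    <User ID="12" Name="Sam Admin" LoginName="i:0#.w|contoso\sadmin" Email="" />
  </Users>
</GetUserCollectionFromGroup>"""


def normalize(login):
    # Assumption: drop a claims prefix such as "i:0#.w|" and compare case-insensitively.
    return login.rsplit("|", 1)[-1].strip().lower()


def owner_logins(result_xml):
    """Return normalized LoginName values; an empty set if the XML is unusable."""
    try:
        root = ET.fromstring(result_xml)
    except ET.ParseError:
        return set()
    if root.tag != "{%s}GetUserCollectionFromGroup" % NS["d"]:
        return set()
    # Same path as the thread's XPath: .../Users/User/@LoginName
    users = root.findall("d:Users/d:User", NS)
    return {normalize(u.get("LoginName", "")) for u in users} - {""}


def decide(initiator_login, owner_group_xml):
    """'add' only if the initiator is in the owner group, else route to approval."""
    if normalize(initiator_login) in owner_logins(owner_group_xml):
        return "add"
    # Fail closed: unknown initiator, empty group or bad XML never adds directly.
    return "approval_task"


if __name__ == "__main__":
    for who in (r"contoso\AOwner", r"contoso\requester"):
        print(who, "->", decide(who, SAMPLE_OWNER_GROUP_XML))
```

Because the web service call itself runs under the stored credential, this check is the only thing enforcing the group's owner setting, so it has to sit before the add action and default to the approval path.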
missymae6
Nintex Newbie

Re: Add User to Group Workflow is overriding Group Settings/Owner

Thank you so much! Is this Query XML looking at the group we are adding to or the owner of that group? My Owner Group(s) members are not members of the groups they add to (there are too many and we try to add users to one group only for easier maintenance) so the query I would use would need to direct me to the "ManagedBy" XML I think (I have been over searching this and starting to confuse myself now), and if the initiator is a member of the Owner group then allow the workflow to proceed.

Could you direct me along this path?

 

In the meantime I can try to reach out to our IT department to work on creating a Service Account, however it is not likely as they do not like to give us anything. I have created a Workflow Constant and am calling that credential now. I am not sure if that makes it any better or not.
missymae6
Nintex Newbie

Re: Add User to Group Workflow is overriding Group Settings/Owner

I built out your suggestion above and it is only returning my information and not information about all users in the owner group of the SharePoint Group noted. Any suggestions on returning information on the Group Owner?
Automation Master

Re: Add User to Group Workflow is overriding Group Settings/Owner

@missymae6 ... I'm sorry but I'm a little confused with your entire requirement. Below is my understanding of your request:

 

  • I'm the user who wants access to Site A. Am I the one who will select the group and submit the request to be added, or will I be reaching out to someone else, e.g. the Site Owner?
  • If I'm the one who will submit the request then:
    • How will I know the name of the group, since I don't have any kind of access to that site?
    • In this situation, I'll then need to reach out to someone who can do that; then instead of submitting, why can't they simply go and manage it from accept access request?
  • Now if someone who has access is submitting the request, then instead of submitting the request, why can't they simply grant the permission directly?

 

Also, your group owners don't have to be in the group in order to add users. For example:

 

  • KP Owners - Owner group of KP site
  • KP Members - Member group of KP site, now in group settings of this group
    • Owner - Select KP Owners
    • Group Settings: 
      • View membership - Depend on your requirement
      • Edit membership - Select Group Owner