I was wondering, from a security point-of-view, is there a way to modify a FlexiTask's assigned username from the Database?
Is the username stored as plain text inside a DB table? and if yes, which one?
Solved! Go to Solution.
First rule of the SharePoint: You do not execute write operations on your SharePoint Databases.
Second rule of the SharePoint: You do not execute write operations on your SharePoint Databases!
Same applies for Nintex as (afaik) write operations arent supported either. If you break something you won't get any support. I inspected the Nintex DB to see if I can find a table storing the tasks but without success.
Can you describe your actual use-case? There may be a workaround available.
I'm trying to determine the security of day-to-day operations regarding Nintex Workflow Tasks, and if possible, find ways to make it secure-er!
Here are the 2 use-cases I had in mind:
I haven't found any table that stores the id of the Task's assigned user yet. But if you have a lot of time, feel free to inverstigate the DB completely. I'd love to hear about your findings!
Regarding the SOAP request, you can use the Nintex Webservice<http://help.nintex.com/en-US/sdks/SDK2013/#Reference/SOAP/NW_REF_SOAP_DelegateTask.htm%3FTocPath%3DNintex%2520Software%2%E2%80%A6>. For example you can delegate a task to change the assignee. This shouldn't affect any related workflows but I'm not sure if you can see the delegation in the history. I only know there is a table called "DelegationHistory" that stores information about delegated tasks. Additionally there is the nwadmin tool<https://community.nintex.com/docs/DOC-1026-nwadmin-operations-nintex-workflow-2013> which can be used to delegate tasks.
Hope this helps.
(First time I reply directly via email because hotel wlan won’t let me replay on website, lets see how that works)
Gesendet: Mittwoch, 13. September 2017 08:31
An: Lucas, Philipp <Philipp.Lucas@adesso.de>
Betreff: Re: - Re: Change FlexiTask username from Database
Nintex Community <https://community.nintex.com/?et=watches.email.thread>
Re: Change FlexiTask username from Database
reply from Themos K<https://community.nintex.com/people/themos?et=watches.email.thread> in Dev Talk - View the full discussion<https://community.nintex.com/message/69459-re-change-flexitask-username-from-database?commentID=69459&et=watches.email.thread#comment-69459>
I was aware of the DelegateTask SOAP call but didn't remember the DelegationHistory table!
So it seems plausible that someone could manually clear the DelegationHistory entry after the Task has been delegated and nobody would find out!
Maybe an SQL Profiler trace would be helpful in identifying the table storing the Task User IDs, now all I need to do is find the time to investigate it