Set item permissions: different custom permission levels in dev and prod

  • 24 August 2017
  • 5 replies
  • 2 views

Badge +1

dear community,

when publishing a workflow from SharePoint development environment to productive environment via export/import we found that the permission levels get scrambled up.

We use the action 'set item permissions' and assigned our own permission level "company reader" (a copy of the permission level 'read') to the item. In the same workflow in productive system it got converted to another permission level "company editors" after import. We had to re-assign all levels in prod again manually.
did anyone of you ever experience this before? Do you know a solution for it?

thank you

Anna


5 replies

Userlevel 6
Badge +13

I suspect there is an ID assigned to the Group when they are created and these ID's are different for the 2 environments. Is your dev Site Collection a copy of your production site collection (i.e. backup and restored to the dev farm) or was it built independently? 

If you inspect the URL when in the People and Groups page for the group, check the MembershipGroupId value in the query string

https://domain/sites/sitename/_layouts/15/start.aspx#/_layouts/15/people.aspx?MembershipGroupId=7 

I would suspect that the ID for Company Readers in your dev environment is the same as the ID for Company Editors in your production environment. This is because the ID's are assigned in the order they were created, so if your 2 site collections were created independently then you may have created these groups in a different order.

Check this and let us know

Badge +1

Dear Ryan,

thank you very much for your quick reply!

My assumptions headed into the same direction that there is a mismatch with the ID's in the background. The SiteCollections in Dev and Prod have been created independently from each other (unfortunately).

The link you suggested to me directs to the site group definitions. In the workflow action we don't use groups but only direct people-assignments, so I can exclude, that the groups don't match each other. 

I find the configuration of the permission levels with this link:

http://domain/site/_layouts/15/editrole.aspx?role=Company Reader

This led me to the issue that there is only a name, no ID for the permission level which could mismatch then.

Any idea is appreciated happy.png

Edit: with the help of a little PowerShell ($site.RootWeb.RoleDefinitions) I found that the permission levels have got their own internal IDs which are created consecutively. I attached a screenshot with the result. At least it's clear now why Company Reader in DEV is Company Contributors in PROD.

Now I'm a little helpless... :-/

Userlevel 5
Badge +14

then I'd say you will have to edit workflow's XML before you import it to target environment.

once you are able to export IDs from both environments, it should be quite easy happy.png

this is how set permission action settings look like in workflow analyzer's editor

207207_pastedImage_1.png

‌ form xml‌ permission level ID‌

Badge +1

thank you for the tip with editing the exported XML. I will do it this way :-)

Userlevel 5
Badge +14

Hi ‌, were you questions answered?

if so could you close the thread and select correct answer?

Reply