We are trying to resolve the following situation, and are looking for advice on how to do so.
We have an Owners and a Designers SharePoint group.
Both groups can create workflows. In order to call web services in a workflow, the Nintex Service Account (NSA) is used.
If NSA is in the Designers group, both Designers and Owners can run Lists.asmx web service workflows, but not UserGroup.asmx web service workflows. This is because of the difference between Owner and Designer privileges.
The Owners need to be able to run UserGroup web service workflows, without giving access to the Designers to do so. But, putting NSA in the Owners group would give users in the Designers group the ability to run UserGroup web service workflows.
We have a SharePoint service provider, so are not able to access anything above the Site Collection level.
Is it possible to have two NSAs, one that is only visible to Owners? Are there any other possible solutions?
When you say you are not able to access anything above the Site Collection level, does this mean you can not get into your Central Admin settings where the Global Settings for Nintex are set?
If you can get into Central Admin, or have someone do it for you, you can use the techniques listed here:
This page explains how you can edit permissions for workflow constants to allow only specified users and groups to see and use the workflow constant when designing a workflow.
It does also note that permissions are checked when the workflow is published.
You'd probably want to be very clear when adding your constants, ie "NSA - Owners" and "NSA - Designers" so they know which they are able to use.
Other than that - if you are saying you can not get into Central Admin - the only thing I can think of at present is to have 2 accounts, one that only the Owners know the credentials of in the Owners group, and 1 in the Designers group that both groups know the credentials of.
Let me know if this helps or if you need more info.
Thank you so much for the reply.
We do not have access to Central Admin. And the service provider is not typically willing to make changes for us.
I will check out the workflow constants link and see if it's something we can possibly request from the service provider.
When you suggest two separate accounts - is that something that would need to be set up in Central Admin? We do not control the existing service account, the service provider does. Are you suggesting that we request a second account that's only visible to Owners. Do you know if that's possible or not?