I am wondering if anyone knows how to set item level permissions in a workflow to where an item can be viewed by the workflow initiator's manager, and then also that manager's manager, and so on until there is no one left in the managerial chain. I am trying to figure out how I can either query AD or one of our SQL tables that contains all of this data in order to accomplish this task.
I tried to follow that but the problem is that rather than just trying to populate an approval task, I am trying to give permissions. I pushed all of the supervisor names into a collection, but that didn't give them permission to view. I am not sure if I am using the collection variable correctly.
what is the format of users/managers you store in database?
important is that manager identifier you get from database is recognized as valid user identifier by nintex/sharepoint.
you may test that so that you send a mail notification to such (collection of) users or try to store them in people&group list field.
btw, what database do you read managers from?
I'm quite sure you should be able to get whole managers tree with single SQL query. no loop should be needed.
I did a test by using a collection get action and pushed it to a column in my list and the workflow is pulling the managers first and last name in to the collection variable so Nintex and SharePoint should have no problem recognizing that. But for some reason the set permissions action does not seem to be working.
I am just reading the managers from an SQL list. How would you pull the full list without a loop?
pushed it to a column in my list
did it work?
could you see in list view or form all the user correctly recognized?
workflow is pulling the managers first and last name
these are not considered as unique user identifiers, you might have several users with the same name, or one user with several accounts - in such cases people&group-like fields need not recognize the user or need not know which one to select out of several
How would you pull the full list without a loop
exact syntax depends on database..
yes, in the list I can see the user is correctly recognized. I am able to use the "get" action on my collection to push the user to a people type column on my list. I am thinking that something is not working with the permission action itself. Can you run permissions on a collection variable?
Can you run permissions on a collection variable?
sure, that's possible.
I've tried to reproduce your scenario - if I populated collection with user identifiers in a form like claim|domain\loginname, permissions were set correctly.
if I populated collection with users like 'FirstName LastName', set permission action was executed and inherited permissions were removed, but permissions for new people were not set, since they were not recognized. in history log I could see reported errors like "No user was found with the specified username"
have you checked history log whether you do not get the same errors?
We had a similar issue but our IT department does not complete the managers field, so I created a section in the form called "Approval Framework". See image below
This functionality requires that you have a list setup with all the managers for departments and so forth.
Once this is setup, You will use the below form controls to pull this information into the form.
This method works pretty cool, when you need to update a position then you only need to do it in a single list lookup and automatically updates this for all the forms created in future.
However, there is quite a process for this. If you think this can work for you please let me know and I will create a "How to" document for you.
I was able to get this to work. I had to manipulate my people variables to get them into the correct format for SharePoint to recognize them and set permissions to them.
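Added example, not code from any post in this thread: a single recursive query that returns the whole manager chain as unique login names, ready to be placed in the collection in the claim|domain\loginname form that the set permissions action recognized above. The `employees` table, its columns, the CONTOSO accounts and the `claim|` prefix are assumptions (the prefix copies the placeholder used in the thread; the real value depends on the farm's authentication setup), and SQLite is used only so the query runs offline.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical.
ROWS = [
    ("CONTOSO\\asmith", "Alex Smith", "CONTOSO\\bjones"),
    ("CONTOSO\\asmith2", "Alex Smith", "CONTOSO\\cdoe"),  # same display name, other account
    ("CONTOSO\\bjones", "Blake Jones", "CONTOSO\\cdoe"),
    ("CONTOSO\\cdoe", "Casey Doe", None),  # top of the chain
]

# One recursive query walks the whole chain; no workflow loop is needed.
# The depth cap keeps a bad row (A manages B, B manages A) from recursing forever.
CHAIN_SQL = """
WITH RECURSIVE chain(login, depth) AS (
    SELECT manager_login, 1 FROM employees WHERE login = :initiator
    UNION
    SELECT e.manager_login, c.depth + 1
    FROM employees e JOIN chain c ON e.login = c.login
    WHERE c.depth < :max_depth
)
SELECT login FROM chain WHERE login IS NOT NULL ORDER BY depth
"""

def build_db(rows):
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees ("
                 "login TEXT PRIMARY KEY, display_name TEXT, manager_login TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", rows)
    return conn

def manager_chain(conn, initiator, prefix="claim|", max_depth=25):
    """Return the initiator's managers, nearest first, as prefixed login names."""
    rows = conn.execute(CHAIN_SQL, {"initiator": initiator, "max_depth": max_depth})
    seen, chain = {initiator.lower()}, []  # never grant via a loop back to the initiator
    for (login,) in rows:
        if login.lower() not in seen:
            seen.add(login.lower())
            chain.append(prefix + login)
    return chain

if __name__ == "__main__":
    print(manager_chain(build_db(ROWS), "CONTOSO\\asmith"))
```

Keying the query on the login column rather than the display name is what keeps the two "Alex Smith" accounts from resolving to each other's managers.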