+3
I have a successful workflow that adds a user to a Sharepoint Group. It is so successful that it does not error even if the user initiating the workflow is not in the group that owns the group in which the workflow is adding them to.
How to I restrict the workflow so that it complies with the Group settings and errors if the user initiating the workflow is not an owner of the group the user is being added to?
(Screen shots are helpful in my case #noob)
+12
@missymae6 ....I'm guessing you're using web service to add user into SP group, if so then it means that action is running under some credentials (Nintex Constant) which will have a higher previlage like SCA.
You need to first check if the user is in the SP group, if it is only then run actions otherwise not.
Now coming back to your description, on one end you're trying to add the user into SP group but you don't want the Initator of the workflow to do so. May I ask what exactly is the process?
+3
@kunalpatel Yes! You are correct - I am using "Call a web Service" to use the usergroup webservice that will allow me to use the AddUsertoGroup WebMethod. (It is all right here - https://www.c-sharpcorner.com/uploadfile/anavijai/how-to-add-user-to-sharepoint-group-using-nintex-workflow/)
The issue is that I have to enter my credentials to call the webservice which is then used for any user who in itiates the workflow. I was hoping for a solution that would allow me to use the credentials of the initiator vs those of the Workflow designer (as a side note I did check the Contorl settings under the workflow to make sure it was not impersonating - that box however is not checked).
In the scenario that i followed to build my workflow, they have you build a choice field to choose the SharePoint Group which in my case is not ideal because some sites that this Application will be implementedx on have over 400 user groups. I would like to instead use a people/groups picker to allow the user to find the group they want, however this would allow users outside of the Owner Group to be able to add users to resulting groups.
This applications purpose is the backend of an Access Request process. The user will request Access to sites using a Nintex form (well, Infopath at the moment). Currently my Admins have to process those forms and then go to 2 or 3 sites and manually add users to one of 400 possible groups. This solution will add them to the Groups more efficiently however I need to remain within the settings of the Group itself and only allow the Group Owners to be the users adding or removing group members.
In the meantime i have implemented a Run If and am using a password. Not ideal but it works like a charm - and I actually like the idea of password protecting some of these workflows. But ideally, for this one, I would like to use the credentials of the initiator in lieu of a password/column.
Any help with this would be great!
+12
@missymae6 ......First of all it's not the best approach to use your own credentials to run web service or any other actions which needs credentials. You need to create a service account and add it as a Nintex Constant and use that for credentials. If you published the workflow with your credentials and if you left the company then those workflow will have lot of issues unless you're running each and every workflow of yours using impersonation concept which will allow initiator to run workflow as workflow owner. For this you need to use action set.
Now coming back to your requirements, correct me if I'm wrong....
If this is your requirement then how about below approach?
If you don't want to assign task to Admin SP group then you can see who is the owner of the SP group and assign task to them instead.
+3
Thanks - that approach won't work. In one instance I have 7 sites all with their own Admin groups already built (the group that owns the groups we would be adding users to).
Do you know of a way to query the Owner group and if the user is in that group then set the run if statement on their membership to the group that owns the group chosen to add/remove the user?
+3
I do not have any way to set up a service account
+12
Nintex Constant:
+3
Thank you so much! Is this Query XML looking at the group we are adding to or the owner of that group? My Owner Group(s) members are not members of the groups they add to (there are too many and we try to add users to one group only for easier maintenance) so the query I would use would need to direct me to the "ManagedBy" XML I think (I have been over searching this and starting to confuse myself now), and if the initiator is a member of the Owner group then allow the workflow to proceed.
Could you direct me along this path?
In the meantime i can try to reach out to our IT department to work on creating a Service Account however it is not likely as they do not like to give us anything. I have created a Workflow Constant and am calling that credential now. I am not sure if that makes it any better or not.
+3
I built out your suggestion above and it is only returning my information and not information about all users in the owner group of the Sharepoint Group noted. Any suggestions on returning information on the Group Owner?
+12
@missymae6 .....I'm sorry but I'm little confused with your entire requirement. Below is my understanding about your request:
Also your group owners don't have to be in the group in order to add users. For e.g.
+3
@kunalpatel - I am sorry let me break it down a bit more so you can understand why I need the retreive the owner group members before allowing the workflow to proceed -
I have 7 Sharepoint sites that all work together in one large process. Most members only need access to the Home site and one other site, some members need multipl points of access. We have approx 5000 users so to keep permission maintenance organized and as easy as possible, we use a 3 tier permission system - Group A owns Group B, Group B owns most of the other groups. We also have several mini owners groups and their purpose is only to add users to one group - we will call this Group A1 and they can only add users to Group A2. Mmembers os A1 are not in Group B - they cannot add users to any other group than the one specifically built for them to control.
No one user has access to the site content - only Groups get access to site content. All permissions are done thru Groups and the ownership isn't accross the board for any one group because of the three tier system plus the A1 type groups.
My Access Request form is the only content on the site that the domain has access too. In order to see anything else the users must be in a group that has permission. (Using a library I set up an email address which I use for my site access requests, and when an email for access comes in it launches a workflow that sends the user the link to the Access Request Form.)
When the form is received a workflow alerts the Site Admins (i set it up so the correct Admin Groups are alerted) of the new request. From there the Admin will determine which user group the requestor should be in - so the user themselves are not choosing the group.
I would like to use a People/Group Picker Field so that I do not have to build a drop down choice field for the Group selection. The admin could just pull up the group they would like to add the user to and proceed with the workflow.
This is where my issue comes in - using this People/Group Picker field allows someone from Group B (who doesn't own Group A) to choose Group A in the People/Group Picker Field and the workflow will not see they do not own that group and allow them to add users to groups they do not own.
So you can see how this would affect my process. What i need to to confirm that the Admin that is adding the user has permission to do so and since I have tiered permissioning I can't just let people bypass then group setting because they were built purposly to control permissioning at a very high level. I need to use the Group Picker because building a choice field with all the group names would be unreasonable for the user to have to sort thru to find the correct group (Which would also mean I would have to build something for each individual Owner Group limiting what Groups they could choose which is also not ideal).
So what I think I need is a step in the workflow that returns the data on the group owner of the group that is chosen, then when it returns the name of the group that owns it, wuery the initiators group memberships and if that user is in the owner group then proceed.
Could you instruct me on how to query (XML or LDAP - I am not sure) the Owner group of the group chosen to add to, and then stoer that data in a variable, then I can run a query that will return the initiators group memberships and then compare one variable to the other and only proceed if there is a match.
I hope that makes it a little more clear :)
Thank you so much for your help on this!
+12
@missymae6 .....Just another thought came to my mind after seeing your description.
What if you create another lookup list where it will have who is the owner of the group? For e.g. if Admins select GroupA2 then from the list it will try and find the corresponding owner group using lookup value. Then you can send notifications to those members in the group (you can use the web service I mentioned to get group memebers).
+3
+12
@missymae6 ....Using GroupInfo I'm getting OwnerID but not sure how to get the name using that OwnerID and also that OwnerID will really give me the name from the Group Owner or something else.
You may have to look into it !!!!
+3
That sounds promising! Could I bother you so screen shot how you grabbed the Group ID? I tried it and was unsuccessful -
I set up a Call WebService Action for WebMethod: GetGroupInfo
I am using my "add to group" field in the GroupString
I initially was storing the result in a multiline vairable but getting an error: Failed to invoke web service. Error returned from server: <soap:Fault mlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>soap:Server</faultcode><faultstring>Exception of type 'Microsoft.SharePoint.SoapServer.SoapServerException' was thrown.
It will not take a collection type variable but it would take a Person/Group so I created a person/group variable and swapped it out for ther multi line. This time the workflow did run however the Logged Data from that Call WebService Action was blank.
How are you pulling the group information? I would like to pull all data available and see what I could pick out of it from there - if i can match Group ID's that may work, but i would need to be able to start by pulling the Intended group - get the owner group ID, then match that ID to the ID's of the groups the initiator is in, which means I would need a second (or even thrid) call webservice action that would retrieve the initiators group memberships then query xml(?) for the id's and store them in variables and then use a run if to compare them, and proceed if there is a match?
I am in a little lover my head but if i can start to pull info about the owner group I would be at least moving forward. If you can help that would be great!
+12
@missymae6 ...please see below screenshots...you can store the result in either SLT or MLT w/f variable. Also if you're emailing yourself the XML code, make sure it's plain text and not Rich text.
During Run Now....make sure your variables are replaced with some actual SP group name. I've used the name of my members' group.
Below is the result XML....
+3
I just gave it a whirl and when I execute the Run Now I get an error in the results - "The remote server returned an error: (500) Internal Server Error
Here is my setup -
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.