I can't find any information on what security group a user needs to be in to 'approve' a workflow approval request.
Does anyone know? Is it a SharePoint Approvers group that they need to be a part of?
They'll need to have the SharePoint Permissions Level "Contribute".
I've also included a Security Settings table from the Nintex Workflow Help File Excerpts (look here for user guide content), which explains the different levels!
According to how a user is required to interact with Nintex Workflow there are different security considerations to be made. The table below outlines the minimum permissions required to perform the actions described. In general, the runtime permissions can be inherited from the site or the parent site but must be the effective permissions for the given user at the list level.
|Nintex Role||Required "SharePoint Permission Level"||Note|
|Approver/Reviewer||Contribute (at the item level at least)||This role includes all users who will be able to perform their assigned human task as part of the workflow from the SharePoint site. Users may be assigned tasks even without these permissions.|
|Lazy Approver||None||This role includes all users who will be able to use LazyApproval to respond to their assigned task. The user however will need at least "Read" permissions if they wish to visit the site.|
|Workflow Designer||Design||This role includes all users who are responsible for creating and maintaining workflows. With these permissions the user can use the Nintex Workflow designer as well as the related tools and pages. In order to be able to publish a workflow, the user will need to be configured as a Workflow Designer.|
|Site Administrator||Full Control (on the site)||This role is responsible for activating and configuring the site level Nintex Workflow settings from the "Site Settings" page.|
|Server Administrator||Full Control (on the central administration site)||This role is responsible for the installation and the server level configuration of Nintex Workflow.|
|Workflow user||Contribute||Can start workflows, add schedules, view history and progress reports.|
I've written a blog post on this in the past.
The big permission that caught me out was you can't just give item level permissions to the task or item the workflow is running on. You still need Read permissions on the underlying site (my client needed us to remove this for a pretty specific reason).
One of my work colleague came to me with a similar issue, he had changed the Work Flow tasks list settings and modified the Item-level Permissions (Under advanced settings).
This need to be set so that users can "Read all Items" and also "Create and edit all items" otherwise they will receive that error message.
Thanks, I will be reading it very soon! Got to go catch up with my support tickets and then back to Nintex.
Thank you for your quick reply,
I have just confirmed this as well. When the ApproveReject.aspx page loads it does some site level checks on lists. It is a hard requirement to have at least read permissions at the site level.
I believe an additional user role that comes up a few times in Nintex Workflow I design is the ability to only "read" workflow tasks but not action them nor delegate.
For instance imagine that a workflow request a report to be written and user attach a file to it: both text report and attachments are stored into the workflow task but some view-only users like auditors cannot open the tasks and if we give higher level they will be able to do more such as edit.
I mention this issue and my findings to give such access in the comments of Kevin's blog here Permissions for Nintex Workflow interactions | Kevin Annfield's Blog with one problem: users can also create pages/sites/library which is not wanted.
Any simple "Nintex workflow reader" role recommendations would be appreciated please.
I have a view that groups the task by assigned to so that corporate mgrs. can see what’s in the pipe. I would like these folks to be able to simply view the individual item but not be able to have all of the other permissions/capabilities that Contribute provides. I changed the view so that the link doesn’t go to the edit item but rather the view item page but my users are still getting this error “You are not authorized to respond to this task” despite being at the view item page. This really needs to be fixed!