I love(d) Flexitask, Assign To-Do task actions until .... today. Reason? It is not secure enough is some cases.
A business case requires tasks assigned individually to several users. Of course we want to be sure that only the assigned user may change his task (and only his task), and should not be able to:
- delete his task (or else Nintex WF will hang)
- delete tasks in the same tasklist of other users (or else Nintex WF will hang)
- change tasks of another user stored in the same tasklist.
Logic? This is what I expect.
The problem is that
- Flexi Task, Assign ToDo task etc are not managing permissions of the task item itself.
- An approver of a task needs at least Contribute rights to the task list (else he/she can't open the task and respond to it --> see other threads)
This means that an approver with contribute rights on the task list can:
- delete any item in the task list (solution could be: custom permission level 'contribute without delete')
- may edit a "Assign ToDo task" of somebody else
- Is NOT able to edit a "Flexi Task" when using the default EDIT form of a flexi task (which is OK, because it contains Nintex logic), BUT what about edit the tasks in Datasheet view, or via REST web service??
"Hey, just use item level security when the flexi task or ToDo task is created!" --> "not possible dude, because the FlexiTask & Assign ToDo Task actions inside your WF will wait till the tasks are completed --> so Set Item Permissions is not possible to use."
Indirectly, you can set item level permissions on individual tasks created by flexi task or ToDo actions --> create a new WF "Set Permissions" on the task list itself and run them when new task is created in the task list.
Good workaround? Maybe. I don't like to split WF logic in two individual/independent components.
Another alternative is: Don't use Flexitask/Assign ToDo Task, but create an UDA which:
- creates needed tasks in task list (create new item action) eg in a task list you have define as input parameter (which could be different task list assigned to the WF )
- set item level permissions according your own business logic
- send email message (if required)
- Use a loop to monitor the status of the actions you have created earlier
- Send reminder or complete tasks after certain period during this loop.
- Exit UDA with results or statuses according your business logic
Is my way of thinking correct? What is your experience of using SP, Nintex WF in an environment when tracing and security is important?
Thanks for the feedback!