
What is the Office 365 Actions security context?

Question asked by surenderg on Jul 16, 2016

Let's assume the Office 365 action (update permission) is in the App Step and is configured using the service@myComany.com username and its password.
What are the effective permissions while this action is running?
I can think of three types of permission context involved here:
1. The person who triggered the workflow (item creator)

2. Workflow app permissions (because this is in the App Step)

3. service@myComany.com (which is used in the action configuration) permissions


We have a requirement to set up unique item-level permissions.
I am facing the following issue:

1. When the item is created: in the workflow, break the item's permission inheritance and give FullControl permission to the WorkflowServiceAccount group.
      (The update permission action is configured with the service@myComany.com user name.
       service@myComany.com is a member of the WorkflowServiceAccount group.)

2. On the next step in the workflow, while giving FullControl permissions to the item creator, I get the following error:
    "Item does not exist ..."

    (The update permission action is configured with the service@myComany.com user name.)


Why is it giving this error even though service@myComany.com and the Workflow App have FullControl permission on this list item?


Note:

1. The "Run Workflows using App Permissions" feature is activated. The workflow app is configured with FullControl permission.

2. The user service@myComany.com is given FullControl permission.

Found a few workarounds but not satisfied.
Workaround 1:

1. Give service@myComany.com site collection administrator access.
  But as per security best practices, I think it is not advisable to give this permission because this role has access to everything, like the recycle bin, audit settings, ...


Workaround 2:

1. While breaking the inheritance at item level, give permission to service@myComany.com and the item creator at the same time.

2. On the next step, give FullControl permissions to the WorkflowServiceAccount group.
3. On the next step, remove the service@myComany.com user permission, as it is not required because this user is a member of the WorkflowServiceAccount group.

(We want to use the WorkflowServiceAccount group so that we have the flexibility of changing the username easily.)
But this workaround has 2 extra steps.


Please reply if there is a better approach...
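An added diagnostic (not part of the original post or of the Nintex product) that checks, for the principals named above, what each one can effectively do on the item after the first workflow step. It assumes the PnP.PowerShell module and CSOM are available, and that the site URL, list title, item ID and the creator's login are placeholders to be replaced.

```powershell
# Added diagnostic, not from the original post. Assumes PnP.PowerShell is installed
# and that the placeholder site URL, list title, item ID and creator login are replaced.
Connect-PnPOnline -Url "https://tenant.sharepoint.com/sites/placeholder" -Interactive

$listTitle  = "Placeholder List"   # placeholder: the list that holds the item
$itemId     = 1                    # placeholder: ID of the item the workflow is processing
$principals = @(
    "i:0#.f|membership|service@myComany.com"   # account used in the action configuration
    "i:0#.f|membership|creator@myComany.com"   # placeholder: the item creator
)

$ctx  = Get-PnPContext
$list = Get-PnPList -Identity $listTitle
$item = $list.GetItemById($itemId)

# Confirm that the earlier workflow step really broke inheritance on this item.
$unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
Write-Host "Item $itemId has unique permissions: $unique"

# List who holds a role assignment directly on the item (group and user entries).
(Get-PnPListItemPermission -List $listTitle -Identity $itemId).Permissions |
    Format-Table PrincipalName, PermissionLevels -AutoSize

# Effective rights per principal: an "update permission" step has to be able to
# see the item (ViewListItems) and to change its permissions (ManagePermissions).
foreach ($login in $principals) {
    $result = $item.GetUserEffectivePermissions($login)
    $ctx.ExecuteQuery()
    $canView   = $result.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewListItems)
    $canManage = $result.Value.Has([Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions)
    Write-Host ("{0}: ViewListItems={1} ManagePermissions={2}" -f $login, $canView, $canManage)
}
```

This resolves rights for user logins only; the workflow app's app-only permissions are not covered by this check.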
