AnsweredAssumed Answered

O365 Update Item Permissions

Question asked by acipolla on Jan 3, 2017
Latest reply on Feb 6, 2017 by tposzytek

Our O365-based travel request workflow contains permissions we can't quite nail down.  Initially built by a vendor, we were not provided technical documentation so we're troubleshooting in-house.  

 

Permissions we need:

  • Anyone can initiate a request for themselves or another traveler
  • Submitted requests should be visible only to request Submitter, Traveler (identified in form field) and, once it enters state machine for approval, anyone identified as an Approver
  • All items are always visible to Site Owners

 

Permissions set by vendor:

  • Before entering State Machine for approval, the workflow contains two O365 update item permissions actions
    • Grant Permissions to Site Owners disinherits parent permissions and removes all existing permissions then grants Full Control back to Owners group (screen shot at bottom of entry)
    • Grant Submitter and Traveler grants Contribute permissions to Submitter and Traveler (screen shot at bottom of entry)

 

 

 

  • SP list settings:

 

We understand that Grant Site Owners disinherits permissions affecting Grant Submitter/Traveler ability to assign permissions to this group of users.  Nintex Support says “Since you are breaking inheritance and removing existing permissions you are removing any permissions assigned to the item for the workflow initiator, which we understand, but haven’t provided direction toward a solution.

 

Here’s what does not work (test users all have Contribute permissions via SP settings):

  • Change Grant Site Owner FROM inherit = no, remove existing = yes TO inherit = yes, remove existing = no AND remove Grant Submitter/Traveler
    • Why it doesn’t work: List items/forms visible/accessible to all users; items submitted by Site Owners visible/accessible to all users

 

  • Remove Grant Site Owner (don’t break permissions at all) AND set Submitter/Traveler inherit = yes, remove existing = no
    • Why it doesn’t work: List items/forms visible/accessible to all users; items submitted by Site Owners visible/accessible to all users

 

  • Remove Grant Site Owner (don’t break permissions at all) AND set Submitter/Traveler inherit = no, remove existing = no
    • Why it doesn’t work: List items/forms visible/accessible to all users; items submitted by Site Owners visible/accessible to all users

        

  • Change SP list permissions for Read access and Create and Edit access FROM ‘all items’ TO ‘items that were created by the user’ then build on that with a workflow permission granting individual user access
    • Why it doesn’t work: while this does limit a Submitter’s view to items they’ve submitted, the addition of a workflow action to extend permissions to other users (Traveler, Approvers) does not function – Traveler/Approver cannot view list items/forms

 

In addition, we’ve tried publishing the workflow as the service account (Site Collection Admin permissions) and placed Grant Site Owner and Grant Submitter/Traveler actions within an App Step, neither of which appeared to have any effect on results.

 

We need to understand which action(s) will 1) prevent everyone from having access to all travel requests while 2) enabling Initiator/Traveler/Approvers to view items that pertain to them 3) allowing Site Owners access to all items while items submitted by Site Owners are not visible to all users.

 

Any feedback/direction would be greatly appreciated!

 

 

Screen shot of Grant Site Owners workflow permission:

 

 

Screen shot of Grant Submitter/Traveler workflow permission (and all Grant Permissions actions in State Machine):

 

 

Outcomes