Providing authenticated site Visitor w/contribute permission on list and associated workflow but they are unable to start the workflow. Getting Access denied.

The initial challenge was that I needed to allow users (employees on our intranet) to submit a form anonymously on a site (Office365 Enterprise version of SharePoint) they are authenticated on. They needed to fill out info, hit submit, and have that info be emailed to another individual in our company. 

The solution I found and thought would work entailed:

Step 1: creating a custom list

  • Disinheriting permissions for list from parent
  • Adding Contribute permissions for the Visitors group.
  • Adding a single item to the list.  

Step 2: creating an associated list workflow in SharePoint Designer 2013.

  • Chose to Manually Start workflow
  • Adding my form fields via the Initialization Form Parameters.
  • Chose Send as Email Action /formatted with fields from Initialization
  • Disinherited permissions from parent and then changed permissions for Visitors on the actual initialization form (WFInitForm.aspx)
  • Disinherited permissions from parent and then changed permissions for Visitors on the associated Task List
  • Disinherited permissions from parent and then changed permissions for Visitors on the associated History List
  • Some other miscellaneous tweaks for usability that aren't really related, like hiding the custom list from the browser, changing Start to Submit on the WFInitForm, modifying where the cancel button directed the user, and a couple of others.

Step 3: Copied the Start workflow URL from the list item ribbon and added it to a link on the Home page of site.

Step 4: Published

During the course of troubleshooting I turned "Limited-access user permission lockdown mode" off in the parent collection features.

I'm not sure if this would affect anything but Publishing is turned On for the site collection but was left OFF for this sub-site.

Anyway, when I enter the site as a Visitor and click on the link to start the workflow I get an Access Denied message right away and am given the option of requesting permissions.  If I add Contribute to the Visitors group for the site, then the workflow starts. But Visitors can't have Contribute on the entire site. They need to have Read for most things and Contribute on just a couple. 

I feel like I've missed an item that I need to change the permissions on but don't know what item. Any ideas? 



August 20th, 2015 7:03pm

Hi Patrick, Thanks for the response. What you suggest is actually what I did. Let me reiterate but with the language you use.

  • I created a custom list and granted the Visitors group unique permissions to it: "Contribute" in addition to "Read".
  • I created a workflow associated with that custom list and thought that the workflow would inherit the permissions from that associated list. That wasn't the case. I found that the Initialization Form associated with the workflow, named WFInitForm.aspx, hadn't inherited the custom list's permissions. So I then granted the Visitors group unique permissions for the workflow initialization form WFInitForm.aspx: "Contribute" in addition to "Read".
  • I also checked the Task List and History List associated with the workflow and found that they did not reflect the permissions set on the custom list, so I had to grant the Visitors group unique permissions for these lists as well: "Contribute" in addition to "Read".

I can add items to the lists using the test user account that's a member of the Visitors group. So I know that the Contribute permission level is active on the custom list.

However, I'm not sure why the workflow is not reflecting the list's permission settings. I thought it might have something to do with the collection feature called "Limited-access user permission lockdown mode" and so turned this OFF... and then redid everything. Same result.

August 24th, 2015 7:14pm

Hi,

If the workflow is set to be started manually, users will have to access the /_layouts/15/Workflow.aspx page, which they don't have permission to access, to start the workflow.

As a workaround, I suggest you set the workflow to be started when a new item is created; then users will not have to access the /_layouts/15/Workflow.aspx page to start the workflow.

If there might be a need to let users decide whether to trigger the workflow for sending email, a suggestion is that you can set up an extra column (such as a Yes/No column) in the same list to indicate whether to send email, and compose the logic inside the workflow to execute the send email action accordingly.

Thanks                 

Patrick Liang

August 25th, 2015 10:39pm

This topic is archived. No further replies will be accepted.
