Declarative Workflows and User Context

My name is Darren and I’m one of the workflow testers for SharePoint Designer.  One of the ways that SharePoint Designer workflows operate that seems to be a point of confusion that I keep hearing about is that certain actions don’t always work when someone expects them too.  There are a number of reasons that this can happen, but the main one I would like to blog about is user context the workflow runs under.

The basic thing to remember is that declarative workflows (the one’s created by SharePoint Designer) always run impersonating the user who started the workflow.  So if I’m a contributor and I make an edit to a list item and that triggers a workflow then that workflow runs as me and has the ability to do everything that I do.  Where this can get challenging is in cases where the workflow tries to do something I couldn’t do on my own, like make a change to a list I don’t have permissions to, since it also has the same limitations I do.  The reason we do this is to protect against things like elevating someone’s privileges to something they might take advantage of or get information they shouldn’t be able to see.

Now this seems simple at first, but it is limiting what can be done by a declarative workflow in some more complicated scenarios like triggering a workflow base on an anonymous submission to a list.  The main way the people have worked around this (either intentionally or unintentionally) is get a workflow triggered by the SharePoint System account (the account used to run the SharePoint web application) which has full access to everything.  This is accomplished by using email enabled lists, running a custom form (i.e. InfoPath) that submits data to a list, or some other custom code (or even custom workflow actions that elevate themselves for certain tasks).  This was fine until we discovered a security problem in declarative workflows that we had to fix in SP1.  One effect of this change is that the SharePoint System account is no longer allowed to trigger declarative workflows.

This change effectively broke some people’s workflows and we knew it would, but that was better than allowing the security problem to remain.  Some of these scenarios can be fixed by changing the custom code or updating the submission form.  But one that can’t is lists that have email enabled on them add the items to the list as the admin account.  With SP1 those can’t start workflows and administrators have no way of changing the account items get added as.  So as part of the SharePoint Infrastructure Public Update we allow for that scenario base on a stsadm.exe command that sets a property to allow emailed items to trigger workflows as the person who last saved the workflow to the site.  This will also be rolled up into SP2.

To sum up . . .

· Declarative workflows run as the person who triggered the workflow either manually, or by adding or editing an item.

· Individual workflow actions can be made to elevate permissions.

· The RTM version of the server allowed workflows to run as SharePoint System, but had a security vulnerability.

· In SP1 the security problem was fixed, but declarative workflows can no longer be triggered by the SharePoint System account.

· In the SharePoint Infrastructure public update box administrators can allow email enabled lists to trigger workflows as the last person to save the workflow when an item is created via email.  Run “stsadm.exe –o setproperty –propertyname declarativeworkflowautostartonemailenabled –propertyvalue yes” on the patched server to enable this.

So when building a declarative workflow take a moment to consider under what user context the workflow is running so you can better plan what the workflow is able to do.