Permissions Checklist
This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.
Before beginning development of a workflow process, you must set both developer and user permissions.
For the Developer
The first set of permissions requirements for workflow are those enforced at design-time, that is, when you are using the Workflow Designer. They determine who can write and save workflow processes on a given server. These development issues are managed through the Microsoft® Exchange 2000 Server Active Directory Users and Computers and Components Services consoles.
The permissions settings include:
Workflow Event Sink Identity. By default, the Workflow Event Sink is set to run under the account of the interactive user, the user currently logged onto the Exchange Server. As long as the Administrator is logged onto the server, workflow functions appropriately. However, if a non-administrative user is logged onto the server, you might start to see NetConnect errors in the Application Log. Therefore, it is suggested that you change the Identity to a particular Administrative user.
Are you a folder owner? Only folder owners can modify application-design elements, such as schema, forms, views, and workflow, of a folder. If you are not a folder owner, it will not be possible for you to use the Workflow Designer. Folder owner permissions can be granted from Exchange 2000 System Manager or from Microsoft® Outlook®. If you create a folder, you automatically become a folder owner.
Has the server administrator granted you permissions to register workflows? Not every folder owner has permissions to write workflows. Users also must have permissions to register the CDO Workflow Event Sink. The server administrator determines who has permissions to register the event sink by managing membership in the Can Register Workflow role. Only users and groups listed in this role can register workflows on a particular server.
For procedural information, refer to Installing COM+ Applications in Exchange Management Console Help.
What kinds of activities are you going to require in your workflow script? By default, workflow processes run in Restricted mode, which means script procedures associated with workflow actions are limited to modifying properties of the document undergoing workflow, sending notification mail, and writing to the AuditTrail. The server administrator determines who has permissions to run scripts requiring Privileged**mode by managing membership in the Privileged Workflow Authors role. If your workflow processes must perform more complex script driven operations, then either you or the group in which you are registered must be a member of the Privileged Workflow Authors role.
**Note **In addition, you must set the Run as Privileged property in the process definition.
For procedural information, refer to Installing COM+ Applications in Exchange Management Console Help.
The following is an example of the Exchange 2000 Server Active Directory Users and Computers and Components Services consoles.
Component Services
For the User
The second set of permission requirements apply to the items undergoing workflow at run time. The typical requirements for any Exchange application include:
- Does the user have write permissions? Users who modify, edit, or approve items undergoing workflow must have write permissions to those items. Permissions can be assigned at the folder-level or item-level programmatically or by using Microsoft® Outlook® or Microsoft® Exchange 2000 System Manager.
- Does the user have read permissions? Users who must open the contents of items, follow a URL to an item, or view the workflow items in a window must have read permissions to the items.
See Also
Planning an Exchange Workflow Process for Exchange Server | Development Steps | Troubleshooting: Workflow Creation Issues