Monday, August 27, 2007

Permissions and workflow

In our environment we unchecked the following option in 'User Permissions for Web Application': "Manage Web Site - Grants the ability to perform all administration tasks for the Web site as well as manage content." By doing this we see the following difference in the Site Settings page:

[Screenshot: Site Settings page with Manage Web Site checked]
[Screenshot: Site Settings page with Manage Web Site unchecked]

So if you see the 'unchecked' Site Settings page, a site owner, for example, cannot manage features or delete his own site. In our environment this is very desirable, since site owners are not administrators but 'just' users. Therefore giving them the least amount of privileges is a must (so they can't destroy their own site ;)). It's like deploying workstations and not giving users administrator permissions on their desktops.

But! When a user tries to start a workflow, they keep getting the 'Operation in progress' screen, and in the event log of the front-end server the following error occurs:

Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 8/27/2007 8:23:07 AM
Event time (UTC): 8/27/2007 6:23:07 AM
Event ID: 14b3855a81684973a4ede892d8c82298
Event sequence: 354
Event occurrence: 2
Event detail code: 0
Application information:
    Application domain: /LM/W3SVC/1574755854/Root-3-128326491020874251
    Trust level: Full
    Application Virtual Path: /
    Application Path: d:\Inetpub\wwwroot\wss\VirtualDirectories\80\
    Machine name: <machinename>
Process information:
    Process ID: 2280
    Process name: w3wp.exe
    Account name: <accountname>
Request information:
    Request URL: <url>/_layouts/IniWrkflIP.aspx?List=5fa2c8f9-d6df-4ba5-af1c-960cab0b15d5&ID=4&TemplateID={463a6ced-0731-4180-9626-2ccce20551a7}&Source=<url>
    Request path: /_layouts/IniWrkflIP.aspx
    User host address:
    User: <accountname>
    Is authenticated: True
    Authentication Type: Basic
    Thread account name: <accountname>

So what does this say? Well, it tells you that the process hasn't got sufficient permissions to perform the action. So if we check the option "Manage Web Site" again, the error won't be raised and the workflow will work just like it should. In my opinion this is bad.. very bad.. I reckon that the process accounts (and thus the System Account) should be excluded from the Web Application permissions set, since you assign permissions to the users of the web application instead of the system accounts.
And yes.. I have also given the service accounts Full Control in the Policy for Web Application pages.

So if someone has the answer, let me know ;)
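
Added example, not part of the original post: a small triage script for events in the layout shown above, which separates "authenticated but denied" from "not logged on" and flags requests to the workflow start page. The sample event, host name, accounts and list GUID are constructed placeholders, and treating IniWrkflIP.aspx as the workflow start page is an assumption based on the request in the event above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the event above; host, account and
# list GUID are placeholders, not values from a real server.
SAMPLE_EVENT = """\
Event code: 4011
Event message: An unhandled access exception has occurred.
Process information:
    Process name: w3wp.exe
    Account name: EXAMPLE\\svc_apppool
Request information:
    Request URL: http://portal.example/_layouts/IniWrkflIP.aspx?List=00000000-0000-0000-0000-000000000001&ID=4
    Request path: /_layouts/IniWrkflIP.aspx
    User: EXAMPLE\\siteowner
    Is authenticated: True
"""

def parse_event(text):
    """Collect 'Name: value' lines; section headers (empty value) are skipped."""
    fields = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if value.strip():
            fields[name.strip()] = value.strip()
    return fields

def triage(fields):
    """Summarise one event, or return None if it is not access exception 4011."""
    if fields.get("Event code") != "4011":
        return None
    authenticated = fields.get("Is authenticated", "").lower() == "true"
    path = fields.get("Request path", "")
    query = parse_qs(urlsplit(fields.get("Request URL", "")).query)
    return {
        "user": fields.get("User"),
        "process_account": fields.get("Account name"),
        "path": path,
        "list_id": query.get("List", [None])[0],
        # A logged-on user who still gets an access exception was denied by
        # permissions, not by authentication.
        "kind": "authorization-denied" if authenticated else "unauthenticated",
        # Assumption: IniWrkflIP.aspx is treated as the workflow start page
        # because it is the page requested in the event above.
        "workflow_start": path.lower().endswith("/iniwrkflip.aspx"),
    }

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```

Grouping the results by `user` and `list_id` across a front-end server's log shows which site owners and lists are hit after a permission is removed from the web application's permission set.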




Servé Hermans said...

Hi Robin,
I must agree, this sounds bad. It is even worse when you try other features like changing the title of your team site. As you can see in your screenshots, the link is available, so I suppose you could change the title of your site. However, this is not the case. Even the system or db account is not able to change it unless the manage site permission is turned on again.
The same goes for changing permission levels and I have a feeling that there will be others.

Robin Meuré said...

Morning Servé ;)

You are correct, hopefully MS looks into this problem and comes up with a hotfix.

Only thing that bothers me is that no-one has found this 'bug' yet..
