Grant Permission not working

Mar 30, 2010 at 8:30 AM

Dear Team,

  Thanks for the wonderful work. However, we face some issues when we try to use this for granting permission at the list item level through a workflow.

It does its job (breaks the inheritance and adds the permission of the user) only on one machine (the machine of the user who installed this feature on the server).

From all other machines and users it does not work; in fact, the workflow is not even starting.

Any help with this is really appreciated.

Thanks

May 25, 2010 at 5:54 PM

Yes, I am having a similar issue. I added this step into my workflow and it stopped it before it really even got going. Did you ever get any kind of solution???????

May 26, 2010 at 4:21 AM

Yeah, I found the solution for that. Actually we did not install the feature on all our front-end servers, we just installed it on one server.

Hence when the load balancer sends the request to the server on which it is installed it works and when it sends to the server on which it is not installed it failed to work.

We fixed this issue by installing this feature on all front end servers.

Thanks

May 26, 2010 at 2:34 PM
Edited May 27, 2010 at 2:41 PM

Hi Mohdmohi,

It was installed on the farm servers, but for good measure I reinstalled it on them again just to make sure but I am getting Error Occurred in the workflow status. And for that matter I don't know how a step 5 adversely affects the step prior but the emails that I have configured and successfully tested now stop working.

 I still need help but thanks a lot for responding.

May 27, 2010 at 4:44 AM

Hi,

You have not explained all your workflow steps; I cannot guess what step 5 is without your mentioning it. Basically the workflow invokes an event listener class, hence if any error occurs due to this particular workflow, the error will be written into the Windows Event Viewer or the SharePoint log. Kindly go through them to spot the error and troubleshoot.

Thanks

 

 

May 27, 2010 at 2:44 PM

Hi Mohdmohi,

Sorry, I didn't go into a lot of detail but it's a very complicated series of 6 workflows in total doing my TOR (Time Off Requests). I will elaborate on the one that goes into setting the permissions, which is the closest to a main WF (workflow).

This WF is an auto start on item creation

  1. Check to make sure that this is a new request by checking to make sure it’s not in a ‘complete’ status (I believe in error control up front). Then create variables for email message confirming the request by pulling in info from the form
  2. Send the strings in an email to the person that created the TOR and log a comment into WF history
  3. Create the item in another list for tracking but passing info from the TOR form
  4. Create variables for an email that will be sent to the 2 possible approvers. The approvers are also put into variable strings separately
  5. Send the info about a new request via email, using the strings created in the last step. Primary approver is in the ‘To’ field and the secondary approver is in the ‘Cc’ field
  6. Ideally this step would set the item permissions to the approvers SP group that is created prior but getting pulled from a separate list of approvers. In that list every employee is listed and their approvers are listed in columns and the department name is really the SP group

This is where the issue comes in. The permissions not only don’t get set but the emails that are in the steps before don’t send out either. I moved the permissions assignment around to several different spots from 0-5 and it makes the workflow error no matter where I put it. If I take it out the WF works perfectly; if I put it in I get the error. I hope this helps.

Jun 1, 2010 at 3:01 PM

 

HELP PLEASE! Still waiting for one of you gurus out there to help with this.

 

Jun 2, 2010 at 4:51 AM
Edited Jun 2, 2010 at 5:02 AM

Hi,
Sorry for the delayed response, because I did not get an alert in my inbox for the message you posted on May 27. I got the alert for your post on 1st June only.

After going through all the steps you mentioned, the following mistakes I can troubleshoot in your workflow.

  1. If you have read the discussion under the spactivities Grant Permission, you must have come to know that a lot of users are complaining about not being able to use the workflow activity for granting the permission for more than one user, and a lot of people are recommending that the author release another version which accommodates the same.
  2. The Grant Permission workflow activity grants permission to one user only; if you try to use this workflow activity to break permission for a SP group it will fail.

However, not being able to accommodate our requirement of breaking inheritance and granting permission at the item level for more than one user or to a SP group does not stop us from getting ahead in the project.

We did not use this workflow activity for our requirement. I wrote a custom event listener which does the job of breaking the inheritance and granting permission to multiple users or to a SharePoint group. I wrote two methods in the custom event listener, one for Item Added and one for Item Updated.

Hope it helps you

Thanks & regards

Jun 2, 2010 at 7:41 PM

Hi,

Yeah, I read the part about assigning the permissions to only one person and I tried that too.  I also tried just setting the permissions to a SharePoint group that is listed in an Approvers list in the same SharePoint site, by employee name. In none of the approaches that I tried could I get the Grant Permissions to work and in every case it caused the workflow, where I added it, to fail. I even tried to create a new workflow to do nothing but grant permissions but when I do that I get the error message: Failed on Start (retrying). This message never resolves. The people who I’m trying to grant permissions to are in a group with permissions already (contribute) and I’m trying to give him Manage Hierarchy, as that is the min. level that the user can get into someone else’s List item when the permissions are set to Read access: Only their own & Edit access: Only their own. I do not have the knowledge necessary to write a custom event listener so I must find a work around with the tools that are out there. Maybe it will help to describe the business rules and you can think of something I haven’t. 

  1. Users must be able to submit a request for time off based on type
  2. Users must not be able to read the details of anyone else’s request
  3. One or two designated people must be able to access the request and approve it. Approvers are different for each department
  4. User must be able to modify the request and approver must be able to change their mind
    1. Any of the requester or approver changes must take the approval status back to pending
    2. The other party must be made aware of the changes
    3. The other party must be able to make changes to their part in accordance with the other’s change
  5. Versioning must be enabled for tracking
  6. The solution must work on a company wide basis
  7. Approvers for one department must not be able to see or approve another department’s employees
  8. Only one site for all employees

I don't know if this will help but I have to try. I need a solution bad.

thanks for your time and help

Jun 3, 2010 at 2:34 PM

Again, so where are you gurus at???? Is anyone watching this store???

Jun 18, 2010 at 4:27 PM

OK, I think I have it. This issue is due to the one-to-many relationship. When you configure the grant permissions and the dialog box comes back that it may return more than one answer -- this will not work.

Oct 20, 2010 at 3:31 PM

mohdmohi,

Hi! You said you wrote a custom event listener that can grant permissions for multiple users or to a SP group.

Is this event handler customizable, or did you hard-code this user or group in the event handler's DLL? If customizable, where do you store the parameter (user or SP group)? Did you create some column and get this value from it?

Oct 20, 2010 at 6:18 PM

Hi Mohdmohi,

I'm having similar issues with one of my implementations.  I've installed the SPDActivities component on all front-end servers on both implementations (my employer's portal and one of our client's portal).

On ours it runs fine, on theirs it chokes. I'm using the activity in exactly the same way in both:

  • 1 Forms Library where users submit new InfoPath TOF requests.
  • 1 Task list where I manage the reminders.
  • on the Forms Library, I have 1 WF set to autostart onNew and onChange, so I can deal with the various request statuses.
  • On the Tasks list, I have 1 WF set to autostart only onNew, which takes me through 3 reminders before I cancel the request in the Forms Library by setting its status.
  • By default, both lists are set to PortalMembers with a WorkflowParticipant permission. This is a permission level that I created that derives from Contribute where I added Manage Permissions and removed Delete Items. I don't want my users to ever delete a request.

The rogue activity goes as follows:

  • If item is version 1.0
    {
    Grant WorkflowParticipant permission to FormsLib to Created by
    Delete permission assignment on FormsLib to PortalMembers.
    }

No matter where I move the step in the workflow, it chokes. Through Sharepoint logs I was able to determine that the Grant permission is choking in the DP.Sharepoint.Workflow.Common.RemoveListItemPermissionEntry method (I downloaded the source to understand what's going on).

From your comment I'm not using multiple users per activity, however, I am removing an SP group from the item. Furthermore, my error is within the Grant Permission activity as per the log entry included below. I know the message says "Object reference not set to an instance of an object" but how can Created By be empty???

mohdmohi wrote:
  1. If you have read the discussion under the spactivities Grant Permission, you must have come to know that a lot of users are complaining about not being able to use the workflow activity for granting the permission for more than one user, and a lot of people are recommending that the author release another version which accommodates the same.
  2. The Grant Permission workflow activity grants permission to one user only; if you try to use this workflow activity to break permission for a SP group it will fail.
 

10/20/2010 11:07:20.04  w3wp.exe (0x1D4C)                        0x0B7C Windows SharePoint Services    Workflow Infrastructure        98d4 Unexpected System.Workflow.Runtime.Hosting.PersistenceException: Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.     at DP.Sharepoint.Workflow.Common.RemoveListItemPermissionEntry(SPListItem item, String principalName, Boolean breakRoleInheritance)     at DP.Sharepoint.Workflow.PermissionsService.<>c__DisplayClass1.<ProcessGrantRequest>b__0()     at Microsoft.SharePoint.SPSecurity.CodeToRunElevatedWrapper(Object state)     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)... 

10/20/2010 11:07:20.04* w3wp.exe (0x1D4C)                        0x0B7C Windows SharePoint Services    Workflow Infrastructure        98d4 Unexpected ...     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at DP.Sharepoint.Workflow.PermissionsService.ProcessGrantRequest(PermissionRequest pr)     at DP.Sharepoint.Workflow.PermissionsService.Commit(Transaction transaction, ICollection items)     at System.Workflow.Runtime.WorkBatch.PendingWorkCollection.Commit(Transaction transaction)     at System.Workflow.Runtime.WorkBatch.Commit(Transaction transaction)     at System.Workflow.Runtime.VolatileResourceManager.Commit()     at System.Workflow.Runtime.WorkflowExecutor.DoResourceManagerCommit()     at System.Workflow.Runtime.Hosting.WorkflowCommitWorkBatchService.CommitWorkBatch(CommitWorkBatchCallback commitWorkBatchCallback)     at System.Workflow.Runtime.Hosting.DefaultWorkflowCommitWorkBatchSer... 

10/20/2010 11:07:20.04* w3wp.exe (0x1D4C)                        0x0B7C Windows SharePoint Services    Workflow Infrastructure        98d4 Unexpected ...vice.CommitWorkBatch(CommitWorkBatchCallback commitWorkBatchCallback)     at System.Workflow.Runtime.WorkflowExecutor.CommitTransaction(Activity activityContext)     at System.Workflow.Runtime.WorkflowExecutor.Persist(Activity dynamicActivity, Boolean unlock, Boolean needsCompensation)     --- End of inner exception stack trace ---     at System.Workflow.Runtime.WorkflowExecutor.Persist(Activity dynamicActivity, Boolean unlock, Boolean needsCompensation)     at System.Workflow.Runtime.WorkflowExecutor.System.Workflow.ComponentModel.IWorkflowCoreRuntime.PersistInstanceState(Activity activity)     at System.Workflow.ComponentModel.Activity.MarkClosed()     at System.Workflow.ComponentModel.Activity.ReleaseLockOnStatusChange(IActivityEventListener`1 eventListener)     at System.Workflow.Compo... 

10/20/2010 11:07:20.04* w3wp.exe (0x1D4C)                        0x0B7C Windows SharePoint Services    Workflow Infrastructure        98d4 Unexpected ...nentModel.FaultAndCancellationHandlingFilter.SafeReleaseLockOnStatusChange(ActivityExecutionContext context)     at System.Workflow.ComponentModel.FaultAndCancellationHandlingFilter.OnEvent(Object sender, ActivityExecutionStatusChangedEventArgs e)     at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)     at System.Workflow.Runtime.Scheduler.Run() 
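
Added example (not part of the original post or of SPDActivities): the log entry above is one exception split across several ULS rows, with `*` after the timestamp and `...` at the joins. This sketch reassembles such rows and reports where the innermost exception was thrown and whether it ran inside `RunWithElevatedPrivileges`. It assumes the tab-delimited on-disk ULS layout, and the sample rows are constructed from the entry above, abbreviated.

```python
import re

def _row(ts, level, msg):
    # One tab-delimited ULS row (assumed on-disk layout; the forum paste lost the tabs).
    return "\t".join([ts, "w3wp.exe (0x1D4C)", "0x0B7C", "Windows SharePoint Services",
                      "Workflow Infrastructure", "98d4", level, msg])

# Constructed sample: the thread's entry, abbreviated, plus one unrelated row.
SAMPLE = "\n".join([
    _row("10/20/2010 11:07:20.04 ", "Unexpected",
         "System.Workflow.Runtime.Hosting.PersistenceException: Object reference not set to "
         "an instance of an object. ---> System.NullReferenceException: Object reference not "
         "set to an instance of an object.     at DP.Sharepoint.Workflow.Common."
         "RemoveListItemPermissionEntry(SPListItem item, String principalName, Boolean "
         "breakRoleInheritance)     at Microsoft.SharePoint.SPSecurity."
         "RunWithElevatedPrivileges(WaitCallback secureCode, Object param)... "),
    _row("10/20/2010 11:07:20.04*", "Unexpected",
         "...     at DP.Sharepoint.Workflow.PermissionsService.ProcessGrantRequest("
         "PermissionRequest pr)     at System.Workflow.Runtime.Hosting."
         "DefaultWorkflowCommitWorkBatchSer... "),
    _row("10/20/2010 11:07:20.04*", "Unexpected",
         "...vice.CommitWorkBatch(CommitWorkBatchCallback commitWorkBatchCallback)"
         "     at System.Workflow.Runtime.Scheduler.Run() "),
    _row("10/20/2010 11:07:21.10 ", "Medium", "Unrelated entry (constructed)"),
])

FRAME = re.compile(r"\bat ([\w.<>`]+)\(")

def reassemble(text):
    """Join continuation rows (timestamp ends in '*') onto the entry they continue."""
    entries = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t", 7)]
        if len(cols) < 8:
            continue  # not a ULS row
        ts, msg = cols[0], cols[7]
        if ts.endswith("*") and entries:
            prev = entries[-1]
            head = prev["message"][:-3] if prev["message"].endswith("...") else prev["message"]
            prev["message"] = head + (msg[3:] if msg.startswith("...") else msg)
        else:
            entries.append({"time": ts, "category": cols[4], "level": cols[6], "message": msg})
    return entries

def unexpected_faults(text):
    """For each 'Unexpected' entry: exception chain, throw site, elevated-context flag."""
    faults = []
    for e in reassemble(text):
        if e["level"] != "Unexpected":
            continue
        frames = FRAME.findall(e["message"])
        faults.append({"time": e["time"],
                       "exceptions": re.findall(r"([\w.]+Exception):", e["message"]),
                       "thrown_at": frames[0] if frames else None,  # first frame = throw site
                       "elevated": any("RunWithElevatedPrivileges" in f for f in frames)})
    return faults
```

A true `elevated` flag means the failing permission change was executing as the process identity rather than as the user who started the workflow.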

 

Oct 20, 2010 at 7:41 PM

Hi all,

I resolved my problem and wanted to post in case someone else has the same issue.

  1. I found that I can include more than one Grant Permissions actions in the same branch of a step.
  2. I can apply permissions to SP groups.
  3. I changed my trust level from WSS_Minimal to WSS_Medium and this seems to have done the trick.

Hope this helps someone.

 

 

Oct 21, 2010 at 5:13 AM

Hi Rockie,

  Yes, the event listener I wrote is dynamic, meaning it can give permission to users and SP groups on the fly.

Our requirement was to grant permission to different classes of users (Assignees, Contributors, Managers, Focal point etc.) to have different permission sets.

In the list there are People or Group type list columns for each of the user categories. I have created different permission sets as per the requirement.

When an item is added or edited the custom event listener is invoked and it breaks the inheritance and removes all users and  grants permission to only those users who are added in the column with the respective permission set.

If any of you need more help please contact me.

Thanks

 

 

Oct 21, 2010 at 8:08 AM

Hi!

mohdmohi, thank You very much for Your detailed answer!

Best regards,

       Gennady                             


Nov 4, 2010 at 5:03 PM
Edited Nov 5, 2010 at 10:47 AM
highlandgirl5 wrote:

Hi all,

I resolved my problem and wanted to post in case someone else has the same issue.

  1. I found that I can include more than one Grant Permissions actions in the same branch of a step.
  2. I can apply permissions to SP groups.
  3. I changed my trust level from WSS_Minimal to WSS_Medium and this seems to have done the trick.

Hope this helps someone.

Where did you change the trust level from WSS_Minimal to WSS_Medium? In my web.config file I see three strings:

 <securityPolicy>
<trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
<trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
<trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_custom_wss_minimaltrust_5440eb91-ca9e-43ca-83bf-128f6024e64f.config" />
</securityPolicy>

What should I change to change the trust level?

upd:

OK, as I understand, the trust level could be changed in this string:

<trust level="WSS_Medium" originUrl="" />

But I'm still having the 'Failed on start(Retrying)' error for FBA users. Using Windows Authentication all goes OK and the workflow status is "Completed". But when I log in as an FBA user, I get 'Failed on start(Retrying)'.

My workflow(event 'on created'):

Delete permission in SharedDocuments for DOCS_Members

where DOCS_Members is a SP group. In the group settings, under "Who can view the membership of the group?", the "Everyone" radio button is set. The trust level in web.config is set to "WSS_Medium". Why do I get the 'Failed on start(Retrying)' error for FBA users?