I have made a SharePoint 2013 workflow for a list in which users have read permission only. I want to give the user rights to kick off the workflow through the Custom List Action. But I get this error every time:
"Unfortunately, this site has not been shared with you."
How can I solve this? I have already created the workflow using the following MSDN article (creating a workflow with elevated permissions): https://msdn.microsoft.com/en-us/library/jj822159.aspx.
But this does not seem to help in my case.
Had to Update-Wrong Links
If the user only has read permissions, they will be unable to add items to the list. You weren't very clear on how this workflow kicks off or what it does but my guess would be to provide either a custom permission which allows a user to add items but not edit/delete. See here for instructions on how to do this.
or
You could enable anonymous users on the list and allow anonymous users to add items. See here for instructions on how to do this.
Your security concerns are going to determine your approach, but from what I have read I think either would suffice.
**** You must have Admin rights to perform this ****
In SharePoint Workflow 2013, you can use the APP step that will allow the workflow to be authorized with its identity as a Full Control and ignore the current user permissions.
This will ensure that the workflow will be executed successfully in case the current user has no permissions.
Note: The APP Step will be disabled if you didn't elevate the workflow permission.
For more details check Workflow was Suspended with Unauthorized HTTP / Elevate Workflow permissions in SharePoint 2013
Related
I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context? or any ways to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify the specific API permissions your application needs.
Basically, starting from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
Specifically, the Graph API permissions that you will need are at least Group.ReadWrite.All and Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement Get access without a user to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin whether the ability to create Groups has been disabled for users. See Manage who can create Groups.
And it's strongly recommended to check if the Teams license is assigned to the user.
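The difference between the two answers above (delegated permissions versus "access without a user") is visible in the access token itself. The following is an added diagnostic example, not code from either answer: it decodes a token's claims and reports whether it is delegated (`scp` claim) or app-only (`roles` claim) and which of the permissions named above are missing. The sample tokens are constructed, and an app-only token is assumed to come from a backend service that holds the client credential, not from the web part.

```javascript
// Diagnostic only: decodes claims WITHOUT verifying the signature, so it must
// never be used to make an authorization decision.
const REQUIRED = ['Group.ReadWrite.All', 'Directory.ReadWrite.All']; // named in the answer above

const b64urlEncode = (s) =>
  Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

function classifyToken(jwt, required = REQUIRED) {
  const claims = decodeClaims(jwt);
  // Delegated tokens carry a space-separated "scp" string; tokens from the
  // client credentials flow carry a "roles" array and no "scp".
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const kind = scopes.length ? 'delegated' : roles.length ? 'app-only' : 'no-permissions';
  const granted = kind === 'delegated' ? scopes : roles;
  const missing = required.filter((p) => !granted.includes(p));
  // With a delegated token the call is also limited by the signed-in user's
  // own rights, which is why the form works for a Global Admin only.
  return { kind, granted, missing, limitedByUser: kind === 'delegated' };
}

// Constructed sample tokens: made-up claims and a fake signature.
function makeSampleToken(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.constructed-signature`;
}

const delegatedSample = makeSampleToken({
  aud: 'https://graph.microsoft.com',
  scp: 'User.Read Group.ReadWrite.All',
});
const appOnlySample = makeSampleToken({
  aud: 'https://graph.microsoft.com',
  roles: ['Group.ReadWrite.All', 'Directory.ReadWrite.All'],
});

console.log(classifyToken(delegatedSample));
console.log(classifyToken(appOnlySample));
```
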
Not sure if this is the right place to post a dev question, so please point me to the right place if it's not...
I have a customer that gave a user permission to one specific list.
For example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using the REST API, that user gets an "UnauthorizedAccessException" error.
REST API URLs we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
Is it possible, in SharePoint 2010 Foundation to find out when a user was added to a particular user group? I have full admin privileges as a site owner. I can find this information out through Audit Log reports but unfortunately I did not turn these on from day one so am looking for another method. I assume that SharePoint must be storing this information somewhere.
You can achieve this using PowerShell; use the repadmin command, like below:
repadmin /showobjmeta dc1 'CN=Domain Admins,CN=Users,DC=rivendell,DC=com'
For more detail check this post
I have a scenario where I want a user when viewing a list item to be presented with a custom action to create a site. This is pretty similar to the scenario provided in the MOSS 2007 SharePoint Guidance. What makes it different is that I want the site created with the url and name taken from the list item, and then a web propertybag value set. The only user task after the site is created is for the site collection administrator to add some specific user rights to it.
I can do everything apart from prompting the user to set the site rights via the object model so should I use a workflow or just code it straight?
The benefits of a workflow would be the ability to track the task and whether it has been completed or needs escalation etc.
The answer to this question is going to be found from your own staff on how they want to manage the tasks. An email notification may suit them better. Check with them on whether the benefits of a workflow are going to be worth the development cost.
I want to have user rights split into two. Some of the policies at the client's side mention that we should have a separate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.