Friday, March 18, 2011

SharePoint approval workflow Task permissions

If you are using Sharepoint 2007 Out of the Box approval workflow to approve documents, i.e, using the “Update approval status” option to approve/reject the documents at the end of the workflow. By design there seems to be flaw in the system, which may seem be an obvious miss on the part of SP. That is- Any one with contributor access to the site/list automatically can edit the approval tasks,even though the tasks are assigned to approvers. AND, by approving the tasks, the the contributor can, via the workflow, automatically approve the document,even though they don’t have “Approve” permission, by passing the security model.

I did some research online and didn’t find a lot of useful information. After some experiement I found a way to lock this down.

Here are the steps:
  1. Create a SharePoint group, put your approves users in that group. Even if it is one person.
  2.  In workflow settings, Set the approvers to your approvers group.
  3.  In workflow settings, Uncheck “Allow change to participant list once workflow started”. Uncheck “Reassign task to another person” Uncheck “Request a change before completing the task”.
  4. Check “Assign single task to each group entered”.
  5.  Click Ok to save.

Now. When users/contributors try to approve/reject a task not assigned to him/her.
He/she will get an error message like below

” Task updated rejected, the user who attempted to complete the task is not a member of the group which the task is assigned”.
There may be other combination for this to work too. So that is what I did and worked. Another way is to to set permission on the task list based on “assign to”. Which seems to requires coding or installing third party activities. Hope this helps.

No comments:

Post a Comment