Monday, November 26, 2007

Voyages with BlackPearl - 2. SharePoint permissions

I have a K2 BlackPearl workflow that is integrated with an InfoPath form. The workflow creates a number of InfoPath client events, each with a different view.
Users will initiate the workflow from SharePoint, clicking on a link on the home page which opens the initial view of the form. As the workflow advances to the next InfoPath client event it adds a copy of the InfoPath form to the form library that I specified when I attached the form to the workflow.
So I was wondering: what are the minimum permissions I need to give users on this site so that they can create workflows but not edit anything else?
I created a SharePoint group called 'WorkflowUsers' and added my users (or AD groups if you're smart) as members. I gave the WorkflowUsers group 'Read' permission to the site. The lists, libraries and other SharePoint objects inherit this permission. But Read permission is not enough to initiate workflows in this situation. WorkflowUsers also need Contribute permission on the K2 BlackPearl Data Connection library and on the Form library where the workflow stores the forms. This is achieved by navigating to each library, opening its settings and using the Edit Permissions option to break the inheritance from the site. You can then change the permission to Contribute for the WorkflowUsers group.
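The same steps can be scripted against the SharePoint object model, which also gives a repeatable check of what the group ended up with. This is an added example, not part of the original post; the site URL and the two library titles are placeholders, and it assumes PowerShell 2.0 or later run on the SharePoint server by a site collection administrator.

```powershell
# Added example: the URL and library titles are placeholders, not values from the post.
$siteUrl   = "http://sharepoint.example/sites/workflow"      # hypothetical site URL
$groupName = "WorkflowUsers"                                 # group that holds Read on the site
$libraries = @("K2 BlackPearl Data Connections", "Forms")    # assumed library titles

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    $group      = $web.SiteGroups[$groupName]
    $contribute = $web.RoleDefinitions["Contribute"]

    foreach ($title in $libraries) {
        $list = $web.Lists[$title]

        # Stop inheriting from the site, keeping a copy of the current
        # assignments so nobody else loses access to the library.
        if (-not $list.HasUniqueRoleAssignments) {
            $list.BreakRoleInheritance($true)
        }

        # Bind Contribute to the group on this library only.
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($contribute)
        $list.RoleAssignments.Add($assignment)

        # Report what the group now holds on the library.
        $names = @($list.RoleAssignments.GetAssignmentByPrincipal($group).RoleDefinitionBindings |
                   ForEach-Object { $_.Name })
        "{0}: unique permissions = {1}; {2} = {3}" -f `
            $title, $list.HasUniqueRoleAssignments, $groupName, [string]::Join(", ", $names)
    }

    # Everything else should still inherit the site-level Read permission.
    # Any list printed here has its own permissions and deserves a look.
    $web.Lists |
        Where-Object { $_.HasUniqueRoleAssignments -and ($libraries -notcontains $_.Title) } |
        ForEach-Object { "Also has unique permissions: " + $_.Title }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```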
I give the K2 Service account full permission to the site, which is probably more than is necessary but then it's just a service account.
