Security issues in assigning workflow items

25 11 2010

Recently I’ve been having some issues regarding security rights in workflow in Dynamics AX 2009. We keep on receiving the following error: “Stopped (error): Work item could not be created. Insufficient rights for user [USERID].”

After some investigation I found the code being executed that checks security when assigning workitems at SysWorkflowEventDispatcher::completeWorkItem() line 63. There are three checks done, but the two that I was interested in were the checks for (1) Menu Item access to the Workflow Document Menu Item specified on the approval/task AOT element and (2) Document access to the record in question.

I checked and confirmed that the user in question had sufficient rights for the Menu Item and Table, yet the workitem still refused to process. However, once I gave the user full rights for the security keys to which the table and menu item belonged, the workitem was able to assign correctly. E.g., the user had permissions to read and write to the PurchReqTable, but didn’t have full rights to the Security Key VendTables; once full rights were given on the security key, all worked fine.

This is just my observation of the security and how it practically works out (see the link to the official documentation below). Unfortunately, this is not desirable behavior in workflow, as it reduces the security control available to administrators. I was able to overcome the menuitem issue by creating my own menuitem and assigning it a unique security key. However, for the PurchReqTable I decided to leave the security as is because of other implications of changing it. If, however, you have your own custom table that you are working off, you would be able to assign a unique security key to it.

Happy Daxing.

Microsoft documentation on security in workflow: http://msdn.microsoft.com/en-us/library/cc641033.aspx
