When coming to Visual Studio workflows, something which surprises many SharePoint developers is that tasks assigned in the workflow can actually be actioned by any SharePoint user with basic permissions. In the worst scenario, ‘basic permissions’ means any user with contribute permissions to the SharePoint web which contains the workflow tasks list, and clearly this could be a whole lot of users who have nothing to do with your workflows. In the best case, you might have tied down permissions so that only users involved in workflows can use the list. Even so, this still means that any actor in the workflow can respond to any task, not just tasks which have actually been assigned to them. To my mind, this is bad – all it takes is a confused user to accidentally respond to someone else’s task and your workflow is in a whole world of chaos.
So what can we do about this?
Well, there doesn’t seem to be much written about this, but fortunately the best solution (AFAIK) is also the simplest one. Before we dive in, I notice other people needing to solve this problem have taken the approach that since a workflow task is just a list item, we can execute some code to set permissions on the list item using the API. A logical tactic, but happily there is special provision for doing this in the workflow framework – we still need to write a little code, but it’s much simpler than that approach. The key is the ‘SpecialPermissions’ property of the CreateTask activity:
Pitfall – confusingly, clicking the ellipses button (…) for the property presents a generic VS collection editor (shown below), which as far as I can tell just flat cannot be used with this property – all the controls are disabled!
I’m assuming this is a bug in the Visual Studio 2005 Extensions for Workflow Foundation, so we’ll ignore that! However, clicking the tiny blue ‘bind property’ button presents the more familiar ‘bind the property to an instance variable’ dialog – assuming you haven’t already created a variable to store the permissions for this CreateTask, we should select ‘Bind to a new member’, and create either a field or property to store the permissions:
This creates a collection object, specifically a HybridDictionary, to which we can add items for each permission we need for this task. And we only need a handful of code lines to do it! Since we’re likely to use it for many (i.e. all) tasks in our workflow, let’s have a separate method we can call each time:
private void setTaskPermissions(HybridDictionary boundDictionary, string sTaskOwner)
boundDictionary.Add(“NT AUTHORITY\\authenticated users”, SPRoleType.Reader);
So, we pass in the collection specific to each task, and also the string username for the task owner. We then add an entry for the task owner to the dictionary with the ‘contributor’ permission, and one for all other users with just read permissions. Note we also clear out the dictionary before adding in case this task has already been issued (i.e. something got rejected in the workflow and we came back to this task a second time) – this avoids any errors due to the key already existing in the dictionary.
The calling code then, looks like this:
This would be added to the code for each CreateTask activity in your workflow. The first parameter is the variable we bound earlier to the SpecialPermissions property (of the particular task we are dealing with), and taskProps is the SPWorkflowTaskProperties object which holds data for the task.
And that’s it – much less code than you’d need to modify permissions for the list item with general API usage. The effect of this is that the task owner is the only standard user (administrators with full control excepted) who can respond to the task, but all others can read it. Needless to say, you could customize the code to your specific permission requirements if they are different to mine.
The user experience
One final thing worth pointing out is that the user experience might not be quite as slick as you’d like. Since we’ve restricted permissions on the item, any user who clicks on the task but doesn’t have permissions will see the standard access denied message:
Personally I think an improvement would be to show a more friendly message, but this would require substantially more effort and complexity. My view is that for a few lines of code, this approach is a great trade off between effort required and benefit of protecting the integrity of the workflow – I’m definitely not a fan of sleepless nights wondering just what would happen in the workflow if users unintentionally responded to tasks which didn’t belong to them, so it works for me. As always, if you’ve implemented a different way of dealing with this problem or have other comments, it would be great to hear.