SharePoint Tip #32. Do you know “which identity is used when you deploy WorkFlow from Visual Studio and SharePoint Designer”?

SharePoint gives you two ways to design and deploy workflows: SharePoint Designer (SPD) and Visual Studio. Be aware that the two deployment routes differ in their security model, which can cause permission issues.

SharePoint has its own security model to resolve the user's Windows identity for all activities. It uses either the IIS application pool user or the WSS Timer user for scheduled stimulations. This behavior is the same for both Visual Studio and SharePoint Designer workflows, when the actual Windows identity doesn't matter.

There are two differences in how the SPUser name is resolved when you deploy a workflow from Visual Studio and from SharePoint Designer:
  1. Workflows developed in Visual Studio are deployed at the server level and run under the System Account. They do not require any permissions from the user/initiator of the workflow. These workflows are also strong-named and placed in the GAC. The actual SPUser user name comes from SPWorkflowActivationProperties, which is System Account.
  2. Workflows developed in SharePoint Designer (usually called 'declarative' workflows) have only the permissions that the initiator has. Any action the workflow needs to perform inherits the permissions of the initiator and NOT the System Account. The SPUser is obtained from the WorkflowContext.Site object, which is impersonated as the workflow's author, the user who started the workflow.
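
Because a Visual Studio workflow acts as System Account, it never hits the initiator's permission limits, so a check on the initiator has to be made explicitly. The following is an added example, not code from the original post or from Microsoft: code-behind for a hypothetical workflow (`ApprovalWorkflow` and `checkInitiator_ExecuteCode` are assumed names; `OriginatorUser` is not mentioned in the post) that verifies the initiator can edit the item and records the result in the workflow history. It needs the SharePoint server object model and runs only on a SharePoint server.

```csharp
using System;
using System.Workflow.Activities;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Workflow;

// Added example: hypothetical Visual Studio sequential workflow.
public sealed partial class ApprovalWorkflow : SequentialWorkflowActivity
{
    // Bound to the OnWorkflowActivated activity in the workflow designer.
    public SPWorkflowActivationProperties workflowProperties =
        new SPWorkflowActivationProperties();

    // Handler for a CodeActivity (assumed name) placed before any activity
    // that modifies the item.
    private void checkInitiator_ExecuteCode(object sender, EventArgs e)
    {
        // Identity the workflow code runs as; per the post this is System Account.
        SPUser runningAs = workflowProperties.Web.CurrentUser;
        // The user who actually started the workflow.
        SPUser initiator = workflowProperties.OriginatorUser;
        SPListItem item = workflowProperties.Item;

        // System Account can edit anything, so test the initiator's own rights.
        bool allowed = item.DoesUserHavePermissions(
            initiator, SPBasePermissions.EditListItems);

        // Attribute the history entry to the initiator and note both identities.
        SPWorkflow.CreateHistoryEvent(
            workflowProperties.Web,
            workflowProperties.WorkflowId,
            (int)SPWorkflowHistoryEventType.WorkflowComment,
            initiator,
            TimeSpan.Zero,
            allowed ? "Allowed" : "Denied",
            string.Format("Started by {0}; running as {1}; initiator can edit: {2}",
                initiator.LoginName, runningAs.LoginName, allowed),
            string.Empty);

        if (!allowed)
        {
            // Stop here rather than let System Account perform an edit
            // the initiator is not permitted to make.
            throw new UnauthorizedAccessException(
                "Workflow initiator lacks edit permission on this item.");
        }
    }
}
```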

Sources: 1, 2

 


2 Comments »

  1. ALan Said,

    July 10, 2009 @ 1:50 pm

    Hi

    OK, well, I am having the reverse of this problem: I cannot stop “System Account” showing in the SharePoint history.

    Any ideas

  2. Sabata Mereeotlhe Said,

    October 6, 2009 @ 11:14 am

    I have a similar situation.
    I need the logged-in user to be the user performing the actions and I simply cannot undelegate the System Account, simply because I am checking out a document and, as some of us might know, when a document gets checked out it is dumped in that user's ..\My Documents\SharePoint Drafts, but now because the Visual Studio workflow runs with System Account permissions, the .docx document goes missing upon checkout. If someone can locate it for me I would appreciate it; else, is there a way to change delegation just-in-time to check with the currently logged user?

