Access control in workflow tasks

I want to filter which users should have access to a certain workflow task. According to the help file, there should be some way to filter the users who should be granted access. But this functionality seems to be switched off. Can anybody tell me why, and whether there is another way to filter the users?
In the "behalf of" section the filter option is still available...
Kind regards
Jörn Kaplan

Hi Jörn,
Please check in your Identity Store configuration, on the tab "Workflow", whether "use simplified access control" is disabled (by default this is enabled).
Once this is disabled, you should also get the option "Allow access for: " - "Filter" in the access control settings of your workflow task.
Best regards,
Oliver

Similar Messages

  • Access control in workflow

    Do we need to change any access control information in the workflow builder while making a copy of the existing seeded oracle workflow?
    Thanks
    KK

    Possibly :)
    To copy a process from one item type to another, then your access level only needs to match that of the target item type. If you are copying within the same item type, then you may need to change your access level so that you can paste the new version into the item type.
    Either way, once you have copied the process, then you will probably need to change your access level so that you can modify the process.
    HTH,
    Matt
    Edited by: rukbat on Jul 4, 2011 1:26 PM

  • Programmatically Accessing the Human Workflow Tasks' Payloads

    Hi Everybody,
    I hope I'm not over the line here but I would like to ask for help.
    I am using the Human Workflow Tasks Services (web services), especially the Task Query Service and the Task Service, to retrieve the task list of a user and change the outcomes.
    The problem is that when I try the getPayload() method, it always returns null.
    Any solution please?
    Regards

    Hello
    First, Thank you for the 2 links.
    I tried this example but it didn't work for me.
    I used the Java code below:
    try {
        IWorkflowServiceClient wfSvcClient = null;
        ITaskQueryService taskQuerySvc = null;
        IWorkflowContext wfCtx = null;
        // 1. this step is optional since configuration can be set in wf_client_config.xml file
        Map<CONNECTION_PROPERTY, String> properties = new HashMap<CONNECTION_PROPERTY, String>();
        if (WorkflowServiceClientFactory.REMOTE_CLIENT.equals(clientType)) {
            properties.put(CONNECTION_PROPERTY.EJB_INITIAL_CONTEXT_FACTORY,
                    "weblogic.jndi.WLInitialContextFactory");
            properties.put(CONNECTION_PROPERTY.EJB_PROVIDER_URL,
                    "t3://192.9.200.77:7001");
            properties.put(CONNECTION_PROPERTY.EJB_SECURITY_CREDENTIALS,
                    "weblogic");
            properties.put(CONNECTION_PROPERTY.EJB_SECURITY_PRINCIPAL, "weblogic");
        } else if (WorkflowServiceClientFactory.SOAP_CLIENT.equals(clientType)) {
            properties.put(CONNECTION_PROPERTY.SOAP_END_POINT_ROOT,
                    "http://192.9.200.77:7001");
            properties.put(CONNECTION_PROPERTY.SOAP_IDENTITY_PROPAGATION, "non-saml"); // optional
        }
        // 2. gets IWorkflowServiceClient for specified client type
        wfSvcClient = WorkflowServiceClientFactory.getWorkflowServiceClient(clientType, properties, null);
        .............
    When I run it using the REMOTE or SOAP mode, I have the same result: an exception occurs on the execution of the getWorkflowServiceClient() method.
    Exception in thread "main" java.lang.NoClassDefFoundError: oracle/jrf/PortabilityLayerException
         at oracle.bpel.services.workflow.client.WorkflowServiceClientFactory.getWorkflowServiceClient(WorkflowServiceClientFactory.java:358)
         at idee.soa.HWTask.getTaskdetails(HWTask.java:55)
         at idee.soa.MainTest.main(MainTest.java:11)
    Caused by: java.lang.ClassNotFoundException: oracle.jrf.PortabilityLayerException
         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
         ... 3 more
    Please, I need your help :(
    Regards

  • Any best practice to apply role based access control?

    Hi,
    I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
    Can you please share the best practices or any built-in feature in JSF to achieve my goal?
    Regards,
    Faysi

    Hi,
    The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
    Regarding the architect's responsibility of defining the pages according to the roles that have access to them: there is the enterprise.software infrastructure.facade java package.
    Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
    This is according to Java EE 6 tutorial, section VII Security, page 471.
    A group, role or user is created with an Identity Management application or by a custom application.
    Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
    For this you can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
    I've been in situations where end users were very strict about the functionality of the application.
    If you try to abstract web development, you can think of writing to database, reading from database and modifying the database as actions.
    Each of these actions should have a suggester, an approver and an implementor.
    Thus you can't call the createActiveGroup method, for example, without first calling the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
    After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
    Furthermore, if the application is very strict, that is, if every action which involves writing to the database must be recorded, this concept of suggester, approver and implementor is available through the recordActiveGroupAction method.
    For example, there is a web shop; its managers can change the prices of the products, but the boss will want to know who dared to lower prices.
    This action of lowering prices is an action of modifying the information in the database, and you can save in the database who suggested it, who approved it and who implemented it.
    Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be complete when I add the web pages for the architect to use for defining access control and for the end users to view who is doing what with their application.

  • Access Control functionality in Oracle workflow

    Hi everyone,
    I am doing research into access control models and workflow systems (separation of duty policies in particular). As far as I could tell, Oracle Workflow does not provide much in terms of securing access to data in a workflow process (except from the normal login authentication of course).
    One usually assigns a task's performer to a CONSTANT role from your database roles so that only certain users will have access to that task. This is not always enough though, especially when the role hierarchy is not properly constructed and maintained. So, I've been working on a few scripts to dynamically prevent users from receiving tasks on their worklists based on their previous participation in the process (e.g. to prevent a manager from approving his own leave application).
    I was just wondering if anyone else has been working on access control in Oracle Workflow. Is there any built-in functionality that I missed that controls task-user assignment?
    Thanks,
    Carmen

    Thank you very much Sirish for your help.
    We are facing huge performance issues during Risk Analysis with Oracle Application servers through the Greenlight Adaptor: it is taking around 10 hours for 3000 users. Can you please point out what the possibilities are, and how we can trace the exact root cause and then solve it?
    This is happening on GRC AC 5.2 SP10, and the GRC logs don't say much; they just give the output "taken 12 secs" for one user Risk Analysis.
    Here is our understanding of how GRC does Risk Analysis and our observations on our systems:
    1. GRC asks for 1 user's details at a time from the Oracle Application Server. Please confirm: does GRC do Risk Analysis for one user at a time or for a bunch of users?
    2. The Oracle App server gets the details of that user and sends the results back to GRC.
    3. Now there is a wait time of around 3 secs before the Oracle Server gets the request for the second user. 3 sec for one user means 2.5 hours of wait time for 3000 users. We are not able to understand why the Oracle Server needs to wait for the next user request from GRC.
    Would highly appreciate if you can share your experience on GRC Risk Analysis with Oracle (Greenlight Adaptor) and with SAP systems.
    Best Regards
    Davinderpal Singh

  • Access permission to the Project server workflow tasks in project server 2013.

    Hi All,
    I am creating an OOB Project Server workflow, which contains a few phases, and each phase has some stages; there are a few approval levels in the workflow.
    Scenario - 1st stage - when a project is submitted, a task is assigned to a resource; when the resource clicks on the task link provided in the mail, it redirects to the Project Server workflow task list.
    1) When users view the task list, the Delete Item and Approve buttons are enabled for all users, even though we have given edit and view permissions in the SharePoint group for that user.
    2) The task list should be viewable by specific users, but in my case, even after giving the permission, it can be approved by anyone, including those who are not authorised.
    3) Then I tried the things below:
    1. Deleted the user in PWA.
    2. Deleted the user in the SharePoint site.
    Even after doing the above, the user is able to do all activity in the site content page and has access to the SharePoint portal. How is this possible?
    When I checked the permissions of the non-existing user, there are a few default permissions set for that user after AD sync. Because of this he has access, even if he is not in PWA or in the SharePoint site. How to restrict this?
    Has anyone faced the same issue?
    How to fix this permission issue?
    Thanks in advance.
    Sunitha

    Hello Treb Gatte,
    I am creating a Data Connection from an SSRS Report, and then creating a Data Set for "Project Server Workflow Tasks".
    And then when I pull data from the database, it is returning empty. For any other SharePoint list this is working absolutely fine. I am facing the issue only with respect to the "Project Server Workflow Tasks" list.
    Thanks,
    Shanky

  • Nintex Workflow and Access Control

    Hello, can anybody help with getting owner permissions on Nintex workflows in Sharepoint 2010 with Powershell.
    I also want to ask your opinion about Access control in Sharepoint 2010. Should all Access Control like AD, Sharepoint, Titus be in the hands of Administrator or some of it like Titus be in the hand of the Developers.
    Best Regards Olafur_s
    Icelandic DBA admin

    Hello Hemendra,
    Thank you for your answer. I have developers that create sites and lists and they are all Site Collection admins. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they are running the system.
    I am new to SharePoint as an admin but I have experience in other systems like AD, Exchange, SQL. The evolution of this SharePoint system here brought it to the point that the developers have too many admin rights and the system is not working well. I am trying to find the fine line between the administration part, my work, and the developers' part, without stepping on the developers' toes.
    Best regards Olafur_s
    Icelandic DBA admin

  • 401 Unauthorized Error when accessing a task from REST API which contains Role or Privilege in Access Control definition

    Hi Team,
    As of IDM 7.2 SP8 patch2, when we use Enterprise role or Privilege in the access control definition of a task, accessing this task from UI5 i.e REST API is giving unauthorized error even though user is already having the required role or privilege.
    But the task is working fine if we use fixed user ID or keeping blank value in allowed users field.
    Attached the current access control definition of the task we configured & the error message info for reference
    Regards,
    Venkata Bavirisetty

    Hi Ralitsa,
    Thanks for your response and sorry for late reply.
    The XXXX in the role is not used as a wild card. The name itself is in that format. I have searched for the role and then selected it from the search list.
    Let me know if you need any clarifications.
    Regards,
    Venkata Bavirisetty

  • Root cause of error " Access denied. You do not have permission to perform this action or access this resource" - workflow - SharePoint 2013

    Good evening, technet community
    I hope you are doing well.
    When configuring my SharePoint workflow, I encounter the problem below:
    Problem Description:
    Let's say my domain is: test.com, my group user is: test\group , my user is: test\user1
    Except an admin account with full control at both "Web Application" and "Site Collection", all others account all have problem when creating a list item. After creating a list item, the workflow status is "cancelled" immediately with the following message:
    RequestorId: 262a35e4-99f4-40f0-929b-5d04b415f147. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["10"],"SPRequestGuid":["262a35e4-99f4-40f0-929b-5d04b415f147"],"request-id":["262a35e4-99f4-40f0-929b-5d04b415f147"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Thu, 06 Nov 2014 12:14:28 GMT"],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
    {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform
    this action or access this resource."}}} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor,
    BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
    - The workflow still fails even if I assign "full control" to my users group "test\group" at Site Collection level.
    Surprisingly, I have successfully found a solution for this error message. However, I still have some points that I do not clearly understand. Let's start with my solution first.
    Solution:
    *** i. Assign permission policy at Web Application level – Central Admin site ***
    1. Central Administration ==> Application management
    ==> Manage Web application 
    2. Go to "permission policy", then create a new permission level. This permission level contains all "edit item" permission.
    3. Select "user policy", then I assign it directly to my user account: test\user1.
    *** ii. Assign "edit item" permission at Site Collection level ***
    1. Site Setting ==> Site permission
    2. Assign "Edit" permission to my test\group.
    (Actually I removed all permissions of my user group at Site Collection level. It seems my group has inherited permission from Web Application level, is that correct?)
    *** iii. Create a new list item and workflow runs ……. ***
    ==> My question is:
    1. Why I cannot assign permission to my users group - "test\group" - at "Web Application" level? Instead I have to assign permission policy for each users, one by one?
    2. Could you please let me know how to collect full detail error message of workflow status?
    Thank you very much! Have a nice weekend.

    Thank you for your very detail response.
    Point 1: Yes, my 2 services, user profile & profile sync service, are running. I performed "full synchronization" as well. Actually I've tried 3 other action plans before coming up with the solution I posted:
    *** Actions completed ***
    1. Activate the feature: workflow can use app permissions.
    Site actions > Site Settings > Site features > activate the feature below:
    Workflows can use app permissions
    2. Refresh trusted security token services metadata feed
    Get-SPTimerJob "RefreshMetadataFeed" | Start-SPTimerJob
    - then restart the machine.
    3. Start full user profile synchronization.
    Point 2:
    - Yes, my user had Edit permission at workflow task list + list affected by workflow.
    I have just removed all permissions of my user at "Site Collection" level. However, when I show my user permissions at my workflow task list, my users still have "Edit" permission (assigned at Web Application level. These permissions still exist even after my workflow task list stops inheriting permission).
    ==> The problem probably belongs to "permission" at "Site Collection level". It seems "permission level at my Site Collection does not work". All user accounts also suffer from the same issue, except the farm admin account (which has full control at Web Application level).
    I would appreciate it if you guys can guide me how to make "permission" at my "Site Collection level" work again.
    Thank you very much.

  • Current logged-in user in workflow-task

    Hi,
    I'm working on an approval task where I've got some problems in determining the items an approver may approve.
    The structure is as follows:
    A user requests something that his manager and the manager's manager have to approve sequentially. The manager and the manager's manager should only be able to approve requests of users that have a direct connection to them (regarding business units).
    What I am now searching for is a variable or method to determine the current logged-in user (MSKEY or Unique ID) in the workflow system so that I can create a filter for approvers (SQL statement) to filter out all users who are not directly linked.
    I hope somebody can help me.
    Regards,
    Andreas Dietrich

    Andreas,
    Good question. You need to have some sort of "Managed by" attribute. This attribute does exist in most LDAP directories and HCM packages; however, there is NO guarantee that these attributes are populated. The other possible thing to do is to set up a relationship as follows:
    All members of the Sales Team are in the SALES
    The Sales Manager can be identified with a role of SALES MGR
    The Sales VP can be identified with the role SALES VP
    In the workflow, use an approval task and write a query that would reflect the fact that the SALES MGR can approve requests from SALES
    Use the Access control tab and set up a filter so that SALES MGR can execute on behalf of SALES and so on.
    Hope this helps,
    Matt
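
A small model of two ideas from the threads above: the role-per-business-unit approver filter Matt describes, and the history-based exclusion Carmen describes (nobody who already took part in a process instance may approve it). This is an added example, not code from any poster and not an Oracle Workflow or SAP IDM API; the user names, `USERS`, `APPROVAL_STEPS` and every function name are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample directory: user -> (business unit, roles held).
# "dan" holds both approver roles, the kind of poorly maintained role
# assignment that a role-only check cannot catch.
USERS = {
    "alice": ("SALES", {"SALES"}),
    "bob": ("SALES", {"SALES", "SALES MGR"}),
    "carol": ("SALES", {"SALES", "SALES VP"}),
    "dan": ("SALES", {"SALES", "SALES MGR", "SALES VP"}),
    "erin": ("HR", {"HR", "HR MGR"}),
}

# Role that must act at each sequential approval step, per business unit.
APPROVAL_STEPS = {
    "SALES": ["SALES MGR", "SALES VP"],
    "HR": ["HR MGR"],
}


@dataclass
class Request:
    request_id: str
    requester: str
    approvals: list = field(default_factory=list)  # approvers so far, in step order

    def participants(self):
        """Everyone who has already acted in this process instance."""
        return {self.requester, *self.approvals}


def static_candidates(request):
    """Role-only assignment: holders of the current step's role in the
    requester's business unit. Approvers can be members of the unit too,
    so this set can contain the requester."""
    unit = USERS[request.requester][0]
    steps = APPROVAL_STEPS.get(unit, [])
    step = len(request.approvals)  # index of the next pending step
    if step >= len(steps):
        return set()  # fully approved, nothing left to assign
    role = steps[step]
    return {name for name, (user_unit, roles) in USERS.items()
            if user_unit == unit and role in roles}


def eligible_approvers(request):
    """Role-based candidates minus prior participants (dynamic separation
    of duty). An empty result means the task has to be escalated; it is
    never handed back to a participant."""
    return static_candidates(request) - request.participants()


def worklist(user, requests):
    """IDs of the requests that may appear on this user's worklist."""
    return [r.request_id for r in requests if user in eligible_approvers(r)]


def sample_requests():
    """Constructed process instances covering the interesting cases."""
    return [
        Request("r1", "alice"),           # ordinary request, step 1 pending
        Request("r2", "bob"),             # a manager's own request
        Request("r3", "alice", ["dan"]),  # dan approved step 1, step 2 pending
        Request("r4", "erin"),            # only role holder is the requester
    ]


if __name__ == "__main__":
    for req in sample_requests():
        print(req.request_id,
              "role-only:", sorted(static_candidates(req)),
              "after exclusion:", sorted(eligible_approvers(req)))
```
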

  • SharePoint Provider Hosted App (401) Unauthorized Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable

    Hello,
    I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment.  I've created snapshots of both my dev and the sharepoint environments along the way and have meticulously documented every step of the way.  I've followed these instructions (among many other resources found along this journey) :
    http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
    http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
    http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
    Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error.  I use Fiddler to obtain the SPErrorCorrelationID to ultimately obtain the following ULS Viewer Output.  Please explain how to fix if you're able.
    Please Note:  I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection?
    Also Note:  I've used a self-signed and a GoDaddy-obtained certificate to successfully F5 debug my basic web.title (out of the Visual Studio 2012 box) SharePoint provider hosted application... so I know my certs are good.
    Here's my ULS output:
    03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    Name=Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)  
     306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    Non-OAuth request.
    IsAuthenticated=True, UserIdentityName=0#.w|cltenet\sp.apps, ClaimsCount=25    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    Site=/    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.84    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Deployment    acjjg    Medium    The current user has System.Threading.Thread.CurrentPrincipal.Identity.Name
    = 0#.w|cltenet\sp.apps, System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\IUSR, System.Web.HttpContext.Current.User.Identity.Name = 0#.w|cltenet\sp.apps.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.84    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsrv    Medium    redirectLaunUrl after getting it from query
    string, web or app instance: https://hightrust31.cltenetapps.com/Pages/Default.aspx?{StandardTokens}    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    General    aib0n    High    trying to get app tokens for site: 888b71f7-51ee-40f5-8344-8de4869d37d0
    Unable to load app tokens from appInstanceId: 22d5252f-392c-4f68-b820-a3053b9d4f24    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsrw    Medium    redirectLaunUrl after getting token replacement:
    https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsry    Medium    m_oauthAppId after NormalizeAppIdentifier()
    i:0i.t|ms.sp.ext|[email protected]8df36d5d.  Now getting app principal info.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr0    Medium    decided that we need to do a POST to the
    app.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr1    Medium    m_redirectMessage: EndpointAuthorityMatches  
     306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr2    Medium    realm matched attempting to get app token
    using GetAccessToken()    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    advzm    High    Error when get token for app i:0i.t|ms.sp.ext|[email protected]8df36d5d,
    exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)    
    at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
    userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
    serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr3    High    App token requested from appredirect.aspx
    for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 but there was an error in generating it.  This may be a case when we do not need a token or when the app principal was not properly set up.  LaunchUrl:https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http://portal.cltenet.com&SPLanguage=en-US&SPClientTag=0&SPProductNumber=15.0.4420.1017
    Exception Message:The Azure Access Control service is unavailable.  Stacktrace:    at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)    
    at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
    userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
    serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
    serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest(). 
    Since this is a nonfatal error, it will be sanitized and posted to the app as part of the app launch.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    General    ajlz0    High    Getting Error Message for Exception Microsoft.SharePoint.SPException:
    The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext
    serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri
    applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext,
    String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
    serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest()  
     306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    aib0p    Medium    Doing appredirect from appredirect.aspx:
    in site: 888b71f7-51ee-40f5-8344-8de4869d37d0 with RedirectLaunchUrl: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017  
     306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Monitoring    b4ly    Medium    Leaving Monitored Scope (Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)).
    Execution Time=26.5933938531294    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
    Your help is very much appreciated.
    With Respect,
    Larry

    Yes, actually - I was able to resolve it.
    However I don't know how, unfortunately.  I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to sharepoint) process, different.
    I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing.  It was a daunting task, but I finished it successfully.
    If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
    NOTE:  I'm not at all impressed with the way this forum works.  This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions.  Completely lame.  Boooooo Microsoft.

  • SharePoint 2013 workflow task gets canceled

    Just wanted to share my solution to a problem that I was having when creating a SharePoint 2013 Workflow that includes creating a task and assigning it to a group of people. After publishing the workflow and initiating it you get:
    Retrying last request. Next attempt scheduled in less than one minute.
    Microsoft.SharePoint.Client.ResourceNotFoundException: Cannot find resource for the request sp.utilities.utility.ExpandGroupsToPrincipals
    An unhandled exception occurred during the execution of the workflow instance.
      Exception details: System.ApplicationException: HTTP 404 {"error":{"code":"-1, Microsoft.SharePoint.Client.ResourceNotFoundException",
      "message":{"lang":"en-US","value":"Cannot find resource for the request sp.utilities.utility.ExpandGroupsToPrincipals."},
      "innererror":{"message":"Cannot find resource for the request sp.utilities.utility.ExpandGroupsToPrincipals.",
      "type":"Microsoft.SharePoint.Client.ResourceNotFoundException","stacktrace":" at
      Microsoft.SharePoint.Client.Rest.RestRequestProcessor.GetObjectFromPathRoot(Boolean mainRequestPath, EdmParserNode node, Boolean resourceEndpoint, MethodInformation& methodInfo)\u000d\u000a at
      Microsoft.SharePoint.Client.Rest.RestRequestProcessor.GetObjectFromPath(Boolean mainRequestPath, String path, String pathForErrorMessage)\u000d\u000a at
      Microsoft.SharePoint.Client.Rest.RestRequestProcessor.Process()\u000d\u000a at
      Microsoft.SharePoint.Client.Rest.RestRequestProcessor.ProcessRequest()\u000d\u000a at
      Microsoft.SharePoint.Client.Rest.RestService.ProcessQuery(Stream inputStream, IList`1 pendingDisposableContainer)"}}
      } {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["46"]
      ,"SPRequestGuid":["624f66f8-a70c-81db-bf0d-c042443f5435"],"request-id":["624f66f8-a70c-81db-bf0d-c042443f5435"],
      "X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4569"],"X-Content-Type-Options":["nosniff"],
      "X-MS-InvokeApp":["1; RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 06 Apr 2015 22:17:23 GMT"],
      "Server":["Microsoft-IIS\/8.0"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at
      Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at
       System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at
       System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
    I was not able to find any answer anywhere, so my solution was:
    1. Simply upgrade SharePoint Server 2013 to the latest version which in turn updates Microsoft.Activities.Proxy.dll
    2. Clear the SharePoint Designer cache
      Workflow Error - Sharepoint Designer cannot display the item
      http://community.office365.com/en-us/f/154/t/74327.aspx
    I hope this is helpful to somebody
    Thanks

    Hi Amit,
    According to your description, my understanding is that you want to approve a workflow task using a web service in SharePoint 2013.
    For troubleshooting this issue, please provide more detailed code.
    Here are some similar posts, please check if they are useful:
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/b999a417-dce3-4590-9173-89aea91f23a3/complete-workflow-after-approving-all-tasks?forum=sharepointdevelopment
    http://www.sharepointblog.in/2013/07/programmatically-approvereject-task-in.html
    http://aarebrot.net/blog/2011/10/how-sloppiness-and-spworkflowtask-altertask-could-inadvertantly-lock-your-workflow-task/
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • Is Compliance Calibrator the same as GRC Access Control?

    I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles", e.g.:
    "SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
    None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?

    SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.

  • Access denied when deploying task details to non-soa server

    Jdev 11g.
    I am deploying task details to non-soa server following this guideline:
    http://aseng-wiki.us.oracle.com/asengwiki/display/ATG/Deploying+Human+Task+Detail+Page+on+Remote+NonSOA+Server+In+Drop+7
    The error is:
    Access to internal workflow context is denied.
    Requested access to internal workflow context is not allowed according to security policy.
    Ensure that correct security policy is used. If the error persists, contact Oracle Support Services.
         at oracle.bpel.services.workflow.verification.impl.VerificationService.createTaskDisplayInternalWorkflowContext(VerificationService.java:995)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread$1.run(TaskFlowDeployerThread.java:318)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.getInternalWorkflowContext(TaskFlowDeployerThread.java:311)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.registerTaskFlowWithTask(TaskFlowDeployerThread.java:232)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.run(TaskFlowDeployerThread.java:113)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: java.security.AccessControlException: access denied (oracle.security.jps.JpsPermission VerificationService.createInternalWorkflowContext)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
         at java.security.AccessController.checkPermission(AccessController.java:546)
         at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:339)
         at oracle.security.jps.util.JpsAuth$Diagnostic.checkPermission(JpsAuth.java:266)
         at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$6.checkPermission(JpsAuth.java:363)
         at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:399)
         at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:422)
         at oracle.bpel.services.workflow.verification.impl.VerificationService.createTaskDisplayInternalWorkflowContext(VerificationService.java:988)
         ... 6 more
    May 28, 2009 2:37:18 PM oracle.bpel.services.common.ServicesLogger __log
    SEVERE: <oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.run> java.lang.Exception: ORABPEL-30515
    Access to internal workflow context is denied.
    Requested access to internal workflow context is not allowed according to security policy.
    Ensure that correct security policy is used. If the error persists, contact Oracle Support Services.
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.registerTaskFlowWithTask(TaskFlowDeployerThread.java:285)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.run(TaskFlowDeployerThread.java:113)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: ORABPEL-30515
    Access to internal workflow context is denied.
    Requested access to internal workflow context is not allowed according to security policy.
    Ensure that correct security policy is used. If the error persists, contact Oracle Support Services.
         at oracle.bpel.services.workflow.verification.impl.VerificationService.createTaskDisplayInternalWorkflowContext(VerificationService.java:995)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread$1.run(TaskFlowDeployerThread.java:318)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.getInternalWorkflowContext(TaskFlowDeployerThread.java:311)
         at oracle.bpel.services.workflow.client.worklist.servlet.TaskFlowDeployerThread.registerTaskFlowWithTask(TaskFlowDeployerThread.java:232)
         ... 2 more
    Caused by: java.security.AccessControlException: access denied (oracle.security.jps.JpsPermission VerificationService.createInternalWorkflowContext)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
         at java.security.AccessController.checkPermission(AccessController.java:546)
         at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:339)
         at oracle.security.jps.util.JpsAuth$Diagnostic.checkPermission(JpsAuth.java:266)
         at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$6.checkPermission(JpsAuth.java:363)
         at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:399)
         at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:422)
         at oracle.bpel.services.workflow.verification.impl.VerificationService.createTaskDisplayInternalWorkflowContext(VerificationService.java:988)
         ... 6 more
    Any idea?

    I encountered the same error.
    Does somebody know how to solve the issue?
    Where are our gurus?

  • MSS Approval Report Links to Business Workflow Task in UWL

    Hello All,
    I have a scenario below that I'm hoping you can help with.
    I copied the standard business workflow task "TS31000007: CATS Approval by Supervisor" to create our own task (general task) and linked the 'CatManagerApprove' application and 'sap.com/msscatapproval' package to this task in the Workflow Visualization Configuration.
    We then assigned this new task to the time data entry profile for the portal. Once the employee has released the working time, the task is created and sent to the Universal Worklist.
    The manager can then access the UWL and open this approve time workflow task. This task opens to the MSS Approval Report (similar to what appears under the MSS > Tasks > Approve Time by Manager).
    However, I have copied the Approve Time by Manager to our own and changed some of the order of the columns and header text and assigned it to the MSS role.
    I would like to have this CATS approval task open to the same approval report view/layout as in the MSS Approval Report.
    I've tried to change the layout (column order) through portal contents of the standard MSS Approval Report because I thought it was reading from there, but it's not.
    Does anyone know how this can be done or where to point to the MSS Approval Report on the portal?
    Any help would be appreciated!
    Tam

    Hi Karri,
    We were able to use the launch iview task to launch our specific iview but I cannot seem to get it to recognize the workitem. In other words, when I click on the task in the UWL, my approve working time iview appears but it does not have the data that is from the workflow task item. Attached is the XML code that I used:
    <ItemType name="uwl.task.webflow.TS93000001.SAP_ECC_Financials" connector="WebFlowConnector" defaultView="DefaultView" defaultAction="launchIView" executionMode="default">
          <ItemTypeCriteria systemId="SAP_ECC_Financials" externalType="TS93000001" connector="WebFlowConnector"/>
          <Actions>
            <Action name="launchIView" groupAction="" handler="IViewLauncher" returnToDetailViewAllowed="yes" launchInNewWindow="yes" launchNewWindowFeatures="resizable=yes,scrollbars=yes,status=yes,toolbar=no,menubar=no,location=no,directories=no">
              <Properties>
                <Property name="newWindowFeatures" value="resizable=yes,scrollbars=yes,status=yes,toolbar=no,menubar=no,location=no,directories=no"/>
                <Property name="page" value="pcd:portal_content/net.saccounty.SacCounty/net.saccounty.approve_ts_data"/>
                <Property name="openInNewWindow" value="yes"/>
                <Property name="display_order_priority" value="5"/>
                <Property name="workitemId" value="${item.externalId}"/>
              </Properties>
              <Descriptions default=""/>
            </Action>
          </Actions>
        </ItemType>
    I thought the line <Property name="workitemId" value="${item.externalId}"/> would pick up the work item ID, but it is not working. Any suggestions?
    TS93000001 is our task. approve_ts_data is our iview. It opens in a new window correctly and goes to the correct iview, just is not the actual task data.
    Thank you,
    Mark.
