Platform: SharePoint 2013 on-premises; SharePoint Designer 2013
I recently discovered the power of SharePoint REST APIs and the ability to use them in workflows. It really opens up the possibilities! I can now “extend” the capabilities of a workflow simply by using the “Call HTTP Web Service” step. Many blog articles by many great contributors show step-by-step experience in using this technique, so I won’t go on about it here. Instead, I want to discuss a strange behavior I encountered while creating and testing a workflow.
I designed the workflow to:
1. Launch when a new item gets created in a list (the list resides in a subsite with unique permissions, for example: https://mysite/mysubsite)
2. Create a permission group using information from the list item (i.e. a form)
3. Create a site using information from the list item
4. Assign site permissions (you guessed it!) using information from the list item
5. Change the permissions of certain libraries in the newly created site
In order to accomplish #2 and #3 above, the workflow must perform the “calls to HTTP web service” steps with elevated permissions, i.e. as an “App Step.” I followed Microsoft’s documentation, “Create a workflow with elevated permissions,” to enable the App Step feature in my workflow.
I tested my workflow and got an “Unauthorized” error for both Steps 2 and 3. No matter what I or my SharePoint Server Admin tried, we could not get it working.
We discovered an article by Fabian Williams: Gotcha on SharePoint Designer Workflows in App Step, where he describes an issue with a subsite making a call to the parent site. However, in my case, I didn’t make a call to the parent site. I just wanted to create a new subsite from my subsite, e.g. https://mysite/mysubsite/new-site.
Well, it seems that creating a subsite always goes through the parent site collection. Makes sense, I suppose, since creating a site adds it to the site collection no matter at what level the site resides. Same thing goes for creating permission groups. Unfortunately, neither Microsoft’s documentation for its REST APIs nor its “Workflow with elevated permissions” makes any mention of this fact.
Therefore, repeating the procedure to grant workflows elevated permissions, but substituting the XML below for the one in Step 7 of the Microsoft documentation (“Paste the following Permissions Request XML to grant full control permission”), solves the “Unauthorized” issue. Note the slight change in the “Scope”: we’ve removed “/web” from the URI.

    <AppPermissionRequests>
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    </AppPermissionRequests>
What I learned
If my workflow intends to:
- Create a permission group
- Create a site
- Perform operations on managed metadata
I must grant the workflow permission to the Site Collection, not just the Web.
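The rule above can be checked before a workflow is published. The following is an added example, not code from the original post or from Microsoft: it parses a Permissions Request XML and lists the planned operations that would hit “Unauthorized” because the grant stops at the web. It checks the scope only, not the right, and the operation labels (`create_group`, `create_site`, `managed_metadata`, `set_library_permissions`) are hypothetical names chosen for this sketch.

```python
import xml.etree.ElementTree as ET

# App permission scope URIs, broadest first; a grant covers every scope after it.
SCOPES = [
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
]
SITE_COLLECTION = SCOPES.index("http://sharepoint/content/sitecollection")

# Hypothetical labels for the operations this post found to need site collection scope.
NEEDS_SITE_COLLECTION = {"create_group", "create_site", "managed_metadata"}

def granted_scopes(xml_text):
    """Map each requested scope URI (normalised) to the right requested on it."""
    grants = {}
    for elem in ET.fromstring(xml_text).iter():
        # Strip an XML namespace if the request was copied from an app manifest.
        if elem.tag.rsplit("}", 1)[-1] == "AppPermissionRequest":
            scope = elem.get("Scope", "").strip().rstrip("/").lower()
            grants[scope] = elem.get("Right", "")
    return grants

def unauthorized_operations(xml_text, operations):
    """Return the operations expected to fail with "Unauthorized" under this grant."""
    grants = granted_scopes(xml_text)
    covered = any(s in SCOPES and SCOPES.index(s) <= SITE_COLLECTION for s in grants)
    return sorted(op for op in operations if op in NEEDS_SITE_COLLECTION and not covered)

# Constructed inputs: the web-scoped request (scope with "/web") and the corrected one.
WEB_SCOPED = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>"""
SITE_COLLECTION_SCOPED = WEB_SCOPED.replace("/web", "")

PLANNED = ["create_group", "create_site", "set_library_permissions"]

if __name__ == "__main__":
    for name, xml_text in [("web", WEB_SCOPED), ("site collection", SITE_COLLECTION_SCOPED)]:
        print(name, "->", unauthorized_operations(xml_text, PLANNED) or "no scope problems")
```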
Hope that helps!