RE: Custom Workflow Activity
As others have mentioned - passing the current user token into the SPSite constructor while Elevating is probably not the best idea. IMHO - If you are going to pass a user token to the SPSite constructor it should be:

    SPContext.Current.Site.SystemAccount.UserToken

Which is what we usually do instead of Elevating - as the RunWithElevatedPrivileges is an expensive COM call that can leak memory (at least in 2007). In our team the rule is you only use RunWithElevatedPrivileges if you are trying to make off-box connections, or messing with Farm Properties etc.

The other obvious thing to consider with custom workflow activities is that from a security point of view they should ideally be registered in the web.config:

    <WorkflowService Assembly="Your.Assembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=1234567890123456" Class="Your.Assembly.ActivityService" />

Also consider adding your assembly (and any extra assemblies it loads) to the configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes section.

There are also extra considerations with workflow activities when you have an App Server in the farm that does NOT run the WFE role.

Good Luck,
James.

James Boman ■ Telephone: +61 (08) 7200 1100 ■ Mobile: +61 (0) 417 857 298 ■ Web: http://www.ipmo.com.au || http://www.projectserver.com.au

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Ishai Sagi
Sent: Saturday, 17 December 2011 9:09 AM
To: ozMOSS
Subject: RE: Custom Workflow Activity

That code doesn't really elevate privileges - either the token or the RunWithElevatedPrivileges is redundant. I think the problem will be in the CreateTerm function. If you share that with us we may see the cause of the issue.

Ishai Sagi | Solutions Architect
0488 789 786 | is...@exd.com.au | www.sharepoint-tips.com | @ishaisagi

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Ajay
Sent: Friday, 16 December 2011 5:49 PM
To: ozMOSS
Subject: Fwd: Custom Workflow Activity

I have discovered it's a permission issue when the workflow starts automatically. I have elevated privileges and also opened the site using the token of the admin account, still no luck. See my code below:

    // Token of a named admin account, looked up on the current web
    SPUser user = web.AllUsers["mydomain\\sharePoint_admin"];
    SPUserToken token = user.UserToken;
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // The site is opened with the admin token inside the elevated delegate
        using (SPSite site = new SPSite(siteCollection.ID, token))
        {
            CreateTerm(site, title);
        }
    });

-- Forwarded message --
From: Ajay akhanna...@gmail.com
Date: Fri, Dec 16, 2011 at 7:11 PM
Subject: Custom Workflow Activity
To: ozMOSS ozmoss@ozmoss.com

Hi Guys,

I have created a custom WF activity hooked up in SharePoint designer. It creates a sub-site and some user groups. So far so good, then the requirement came to add the site name to the Term Store. The workflow is configured to start on Item Added.

On Automatic start, problem is the workflow just creates the sub-site, does not create the term store entry and shows status as Cancelled. When I manually start this workflow, then everything is fine, it creates site, adds term store entry and shows Status as Completed.

I ran a debugger stepped through the code all works fine. What can be the reason for this.. is it permissions / identity issue when it runs manually opposed to automatic workflow start.

Cheers,
A

___
ozmoss mailing list
ozmoss@ozmoss.com
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
Re: Custom Workflow Activity
Thanks All,

It has worked by: Using ElevatedPrivileges and adding the Pool account for this web application as Term Store Administrator.

I hope this is acceptable, I have not added Pool Acc from the Central Admin, but from Site Settings of the web application.

Cheers,
A
Re: Custom Workflow Activity
That is how it's supposed to work.

Thanks,
Ishai Sagi
Extelligent Design
www.extelligentdesign.com
Sent from my phone
+61 488 789 786
RE: Custom Workflow Activity
That code doesn't really elevate privileges - either the token or the RunWithElevatedPrivileges is redundant. I think the problem will be in the CreateTerm function. If you share that with us we may see the cause of the issue.

Ishai Sagi | Solutions Architect
0488 789 786 | is...@exd.com.au | www.sharepoint-tips.com | @ishaisagi
Re: Custom Workflow Activity
Thanks Ishai,

I will just give you my thoughts on this.

1.) It's a custom activity to run inside an SPD workflow.
2.) I have tried using Elevated privileges and Impersonation but no luck, and even tried to use them both. I also added this activity in an Impersonation step in SPD but it makes no difference.
3.) If I go to the workflow and start it manually, then it does not give any permission error.
4.) Only when the workflow starts automatically it does not do anything.
5.) You are right, the problem is in the CreateTerm method. I attached a debugger, and get a permission error on termSet.CreateTerm(projectName, 1033); Error message is you do not have enough permissions to do this task.

Code Below

    protected override ActivityExecutionStatus Execute(ActivityExecutionContext executionContext)
    {
        SPSite contextSite = __Context.Site;
        string url = contextSite.Url;
        SPWeb contextWeb = __Context.Web;
        SPList contextList = contextWeb.Lists[new Guid(__ListId)];
        SPListItem contextItem = contextList.GetItemById(__ListItem);
        SPFieldUserValue userValue = new SPFieldUserValue(contextWeb, contextItem["Created By"].ToString());
        string title = contextItem["Title"].ToString();

        using (SPSite siteCollection = new SPSite(url))
        {
            using (SPWeb web = siteCollection.OpenWeb())
            {
                SPUserToken userToken = web.AllUsers["Domain\\Admin_Account"].UserToken;
                // contextWebUrl is not declared in the posted snippet
                using (SPSite newSite = new SPSite(contextWebUrl, userToken))
                {
                    using (SPWeb myWeb = newSite.OpenWeb())
                    {
                        // Passes siteCollection (opened without the token), not newSite
                        CreateTerm(siteCollection, title);
                    }
                }
            }
        }
        return ActivityExecutionStatus.Closed;
    }

    protected static void CreateTerm(SPSite siteCollectionObject, string projectName)
    {
        TaxonomySession session = new TaxonomySession(siteCollectionObject);
        foreach (TermStore termStore in session.TermStores)
        {
            foreach (Group group in termStore.Groups)
            {
                if (group.Name == "Test group")
                {
                    foreach (TermSet termSet in group.TermSets)
                    {
                        if (termSet.Name == "Projects")
                        {
                            // Only create the term if no term with this name exists yet
                            bool doesThisTermExist = false;
                            TermCollection terms = termSet.GetAllTerms();
                            foreach (Term term in terms)
                            {
                                if (term.Name == projectName)
                                {
                                    doesThisTermExist = true;
                                }
                            }
                            if (!doesThisTermExist)
                            {
                                termSet.CreateTerm(projectName, 1033);
                                termStore.CommitAll();
                            }
                        }
                    }
                }
            }
        }
    }
RE: Custom Workflow Activity
Does the owstimer account have full access to the term store?

Regards
Paul Turner
Practice Lead - SharePoint
SMS Management Technology
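
The two ways of opening the site that the replies in this thread discuss, side by side, as an added example that is not code from any poster: elevation with a fresh SPSite and no token, and the system-account token without elevation. The class and method names are hypothetical; the group name, term set name and LCID 1033 are taken from Ajay's posted CreateTerm.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Taxonomy;

// Hypothetical helper class for illustration only.
public static class ProjectTermWriter
{
    // Variant 1: elevation only, no user token.
    // The SPSite is created INSIDE the delegate so it carries the elevated
    // identity; that same object is the one handed to the taxonomy code.
    public static void AddWithElevation(Guid siteId, string projectName)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            {
                AddTerm(elevatedSite, projectName);
            }
        });
    }

    // Variant 2: system-account token, no elevation (James's suggestion).
    // Whether this identity may write to the term store is not confirmed
    // anywhere in the thread; treat it as something to test.
    public static void AddWithSystemToken(SPSite contextSite, string projectName)
    {
        SPUserToken systemToken = contextSite.SystemAccount.UserToken;
        using (SPSite systemSite = new SPSite(contextSite.ID, systemToken))
        {
            AddTerm(systemSite, projectName);
        }
    }

    // Same walk over stores, groups and term sets as the posted CreateTerm.
    private static void AddTerm(SPSite site, string projectName)
    {
        TaxonomySession session = new TaxonomySession(site);
        foreach (TermStore termStore in session.TermStores)
        {
            foreach (Group group in termStore.Groups)
            {
                if (group.Name != "Test group") continue;
                foreach (TermSet termSet in group.TermSets)
                {
                    if (termSet.Name != "Projects") continue;
                    if (!TermExists(termSet, projectName))
                    {
                        termSet.CreateTerm(projectName, 1033);
                        termStore.CommitAll();
                    }
                }
            }
        }
    }

    private static bool TermExists(TermSet termSet, string name)
    {
        foreach (Term term in termSet.GetAllTerms())
        {
            if (term.Name == name) return true;
        }
        return false;
    }
}
```

Under elevation the code runs as the account of the hosting process, so that account still needs rights on the term store; in the thread this was granted by adding the pool account as Term Store Administrator.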