Tip #32. Identity to deploy WorkFlow from Visual Studio and SharePoint Designer


SharePoint gives you two ways to design and deploy workflows: SharePoint Designer (SPD) and Visual Studio. Be aware that the two deployment paths differ in their security model, and that difference can cause permission issues.

SharePoint has its own security model for resolving the user's Windows identity for all activities. It uses either the IIS application pool user or the WSS Timer user for scheduled tasks. This behavior is the same for both Visual Studio and SharePoint Designer workflows, where the actual Windows identity doesn't matter.

There are two differences in how the SPUser name is resolved when you deploy a workflow from Visual Studio versus SharePoint Designer:
  1. Workflows developed in Visual Studio are deployed at the server level and run under the System Account. They do not require any permissions from the user/initiator of the workflow. These workflows are also strong-named and placed in the GAC. The actual SPUser user name comes from SPWorkflowActivationProperties, which is System Account.
  2. Workflows developed in SharePoint Designer (usually called ‘Declarative’ workflows) have only the permissions that the initiator has. Any actions that the workflow needs to perform inherit the permissions of the initiator and NOT the System Account. The SPUser is obtained from the WorkflowContext.Site object, which is impersonated as the workflow's author, the user who started the workflow.
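
Because a Visual Studio workflow writes as the System Account whatever rights the initiator holds, a code activity can check the initiator's permissions itself before it acts. The following is an added example, not code from the original post; it assumes the SharePoint 2010 server object model, and the class name, handler name and `Status` field are hypothetical.

```csharp
using System;
using System.Workflow.Activities;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Workflow;

// Hypothetical workflow class. The activity graph that calls the handler
// below is assumed to be wired up in the workflow designer.
public class StatusUpdateWorkflow : SequentialWorkflowActivity
{
    // Filled in by the OnWorkflowActivated activity when the workflow starts.
    public SPWorkflowActivationProperties workflowProperties =
        new SPWorkflowActivationProperties();

    // Handler for a CodeActivity (hypothetical name).
    private void updateStatus_ExecuteCode(object sender, EventArgs e)
    {
        SPListItem item = workflowProperties.Item;

        // The user who started the workflow, as opposed to the account
        // the workflow code itself runs under.
        SPUser initiator = workflowProperties.OriginatorUser;

        // item.Update() below runs as the System Account and would succeed
        // regardless of the initiator's rights, so check them explicitly.
        if (initiator == null ||
            !item.DoesUserHavePermissions(initiator, SPBasePermissions.EditListItems))
        {
            throw new UnauthorizedAccessException(
                "Workflow initiator lacks EditListItems on the item.");
        }

        item["Status"] = "Processed"; // hypothetical field
        item.Update();
    }
}
```

A declarative SharePoint Designer workflow needs no such check, since its actions already run with the initiator's permissions.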

Sources: 1, 2
