Tip #81: Workflows accessing BCS will always run as a service account, even under an impersonation step

A workflow in SharePoint 2010 that accesses BCS will always run as a service account (typically the IIS Application Pool account), even inside an impersonation step. This access is only supported when using Secure Store Service (SSS) or RevertToSelf (which is turned off by default due to security implications).
This limitation is designed to protect SharePoint 2010 from malicious models/developers. Because access to the backend will always be initiated as one account, you will lose track of who is making the changes. To work around this, you can have the workflow pass the SPUser name to a column on the external list or to a custom activity that uses the BDC APIs. Treat that value as informational only: it shouldn’t be used as an iron-clad security feature.

