Friday, July 25, 2014

Cross site collection data access via HTTP web service for a SharePoint 2013 designer workflow. Resolving Unauthorized exception

Recently I created a SharePoint 2013 approval workflow where I had to take approvers from a list located at a different SharePoint site collection.

In this example I have two site collections named Config and Project. I created the workflow in the Project site collection using SharePoint Designer. In the Config site collection I have a list called Approvers, where I store the relevant information about approvers.

The following diagram shows the scenario I described.

image
To get the relevant information from the Config site collection, I will use the SharePoint REST API web services. For example, I could use the following service to return all items in that list:
http://sp13/Sites/config/_api/web/lists/getbytitle('Approvers')/items
Calling an HTTP web service from a SharePoint 2013 Designer workflow is straightforward. I have explained that in this blog post.

Although I had followed the steps correctly, I was getting an “Unauthorized” exception all the time. I had given the necessary permissions to the list and web application, but I was still getting the same error.

Later I figured out that we need to grant permissions to the workflow explicitly if it needs to access resources beyond the current site. These are the steps I followed to configure permissions for the workflow:

1. Activate the “Workflows can use app permissions” site feature in the site where I create the workflow (http://sp13/Sites/project).
2. Navigate to Site Settings –> Site app permissions, where you can see an item called workflow.
3. Copy the client section of the App Identifier as shown below
image
4. Navigate to <site url>/_layouts/15/appinv.aspx to configure permissions. Then paste the client section of the App Identifier into the App Id field and click Lookup to populate the content.
5. Then we need to specify the app's Permission Request XML:
<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
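Since we are accessing resources beyond the current site collection, we use “http://sharepoint/content/tenant” as the scope. The Right attribute accepts Read, Write, Manage or FullControl. FullControl at tenant scope is the widest grant available, while this workflow only reads items from the Approvers list. More information on app permissions and the available scopes can be found in this article.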

6. Finally, we trust the workflow.
This will allow our workflow to access resources beyond the current site collection.
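
Because the request in step 5 grants the highest right at the widest scope, it is worth checking such XML before trusting it. The following Python check is an added example, not part of the original post or of SharePoint: it parses an AppPermissionRequests document and reports requests that use tenant scope or ask for more than the right the workflow needs. The function name, the needed_right parameter and the Read variant are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Content scopes from narrowest to widest, rights from lowest to highest.
SCOPES = [
    "http://sharepoint/content/sitecollection/web/list",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/tenant",
]
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

# The request XML from step 5 of the post.
PAGE_XML = """<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>"""

# Constructed variant for comparison (not tested against the workflow).
READ_XML = PAGE_XML.replace("FullControl", "Read")


def audit_permission_xml(xml_text, needed_right="Read"):
    """Return one finding dict per AppPermissionRequest element."""
    root = ET.fromstring(xml_text)
    findings = []
    for req in root.iter("AppPermissionRequest"):
        scope = req.get("Scope", "")
        right = req.get("Right", "")
        issues = []
        if scope not in SCOPES:
            issues.append("scope is not a known content scope")
        elif scope == SCOPES[-1]:
            issues.append("tenant scope: applies to every site collection")
        if right not in RIGHTS:
            issues.append("unknown right")
        elif RIGHTS.index(right) > RIGHTS.index(needed_right):
            issues.append(f"right {right} exceeds needed {needed_right}")
        findings.append({"scope": scope, "right": right, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("post", PAGE_XML), ("constructed", READ_XML)):
        for f in audit_permission_xml(xml_text):
            print(label, f["right"], f["issues"] or "no findings")
```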

6 comments:

Andrew said...

Hi Dinusha

Thanks for sharing your knowledge. I have been battling permissions issues like this for several days. I tried to follow your steps on SP2013 on-premise and got an error about not being a tenant admin. Does this fix apply to on-premise 2013SP1 or is it for SharePoint Online?

Dinusha Kumarasiri said...

Hi Andrew

I did this demo in an on-premise environment.
It would be better if you can post the exact error message. In the meantime you can try putting "" for the authorization property in the HTTPSend activity.

Unknown said...

Thanks Dinusha. This saved me a lot.

Unknown said...

I know this is late, but this is a good, easy-to-read instruction. I followed it and it worked for me in SharePoint Online. Many thanks.

Chanaka Gamage said...

I have followed the mentioned steps.
The issue is when I'm accessing "http://....../sites/NAB/_api/site/ServerRelativeUrl/" I'm getting results.
But when accessing HTTPS "https://...../sites/NAB/_api/site/ServerRelativeUrl/" I'm getting the Unauthorized error.

Maicon Martins Felicio said...

This solved my problem! Thanks so much!