The EnsureUser SharePoint API call was used in previous versions of K2 to resolve nested Active Directory Group membership within a SharePoint Group. This was because SharePoint only responds with and verifies direct user membership and not indirect membership.  This EnsureUser API call however caused Active Directory Groups to be added to the SharePoint site collection (People and Groups).  No permissions were given to these Active Directory Groups on the site but for some customers it became difficult to filter through actual and intended permission sets versus added items in order to resolve user membership. 

In K2 4.6.3, the EnsureUser API call was removed in order to resolve the problem described above.

However, this functionality has caused the following issue:

  1. User membership to SharePoint Groups behave erratically – certain scenarios correctly reflected a user’s membership of the given SharePoint group whereas other scenarios would remove the user’s membership to the same group. As an example, Process Admin/Start rights are granted to a SharePoint Group but does not allow the users in the group to manage/start process instances.

As a result, the EnsureUser SharePoint API call was re-added in K2 4.6.4. A new solution will be investigated for the original issue experienced which will be included in a future release.

Please note:  In K2 4.6.4 this will result in many Active Directory Groups being added to the SharePoint site (People and Groups) again.