Process Rights assigned to Everyone Group / Authenticated Users (Considerations)
kbt142109
PRODUCTIssue
This is an informational document about how Assigning Workflow / Process rights to Everyone Object in SharePoint or AD objects like Authenticated users, does not work.
Symptoms
In some cases, you would want to assign process rights by one of the following methods:
1. Via the SharePoint Group containing the Everyone SharePoint object:
2. Via Active Directory Authenticated users directly or from within a SharePoint Group:
In both cases it will fail by starting a workflow which will result in an access denied error.
In SharePoint and Active Directory, these 2 groups are not real groups for which you can add members, these are AD objects representing all users or authenticated users.
The following scenario explains what happens in K2 when checking for Start Rights on a workflow:
When a user attempts to start a K2 workflow, K2 needs to verify if this user can start the workflow. Workflow rights can be assigned explicitly or via SharePoint / Active Directory groups or nested groups (SP Group containing AD Group), etc.
If the user is not explicitly given the rights in K2 Management > Process rights, K2 will need to resolve the Groups that was granted rights to see if the user has rights via group memberships. This is all cached in the K2 Identity cache.
When looking at the specific scenario, one can see the SharePoint Group had members in the form of the Everyone “Group” or “NT AUTHORITYauthenticated users.”
The groups needed to have the user as a member to have the appropriate start rights. However, there are no memberships found in these groups. Both groups are Objects and not real AD groups that contains members and therefore the user will get an access denied.
The Everyone group in SharePoint is not the same as Everyone in K2. The claim for this Everyone looks like this “c:0(.s|true” vs a real AD group “c:0+.w|s-1-5-21-36625783-2328013894-3095172900-513”
FQN - K2:DOMAINEveryone
The Everyone K2 concept is a built in K2 Role. This is only available to K2 and is not the same Everyone as the one searched for in SharePoint / Active Directory.
K2 Everyone is not bound to a Label, ie K2, SQL, SP. It is stored with no label in K2 Cache and K2 code knows how to handle the build in Everyone K2 Object.
FQN – Everyone
Troubleshooting Steps
To grant these rights there are two options:
- Assign the K2 Everyone role from within K2 Management. You will not be able to search and use the K2 Everyone Group from SharePoint!
- Instead of adding one of these two "objects" discussed above, rather use real AD Groups that contain members such as Domain Users.