Issue

In this scenario, a form is configured to run a SmartObject method that checks whether a user is in a SharePoint group. The SmartObject is the "Group" SmartObject under SharePoint 2013 > Management in K2 Designer. The method now shows an error on the form:


"Access denied. You do not have permission to perform this action or access this resource."

Service: [SharePoint Service instance name]

Service Guid: [GUID for SharePoint service instance]

Severity: Before a Cumulative Update was applied this method ran without error.

[Image: example of a rule that displays the error]

Symptoms

- You have a similar configuration on another environment that does not have the latest K2 Cumulative Update applied. The same error is not seen there with that user.

- When the same user executes the same method on that SmartObject via the SmartObject Tester Tool, they get the same error.

- A user within the group executes the same SmartObject and the error does not appear for them.

- A site collection admin or a user with full control on the site also does not get the error.

- The user who sees the error can execute the same method against an OOTB SharePoint group such as site owners, members, visitors, etc. This properly returns True or False as expected.

Resolution

This change in behavior occurs because K2 now respects the SharePoint group setting "Who can view the membership of the group?". This setting is located at Site Settings > People and Groups > [Group Name] > Settings > Group Settings.

Once the latest Cumulative Update is applied, K2 checks whether the user executing the Group SmartObject has permission to view the membership of the specified Group ID. This mimics the behavior the user would see when attempting to view the group via the SharePoint UI. On K2 4.7 RTM, K2 ignored this permission setting.

[Image: the error that appears in the SharePoint UI when only members of the group can see membership]

By default, custom groups are set so that only group members can see membership, while the OOTB site groups are set so that "Everyone" can view membership of the group. For the method to run without this error, either the group must have the "Everyone" radio button selected for viewing membership, or the users who will execute the method against those groups must be members of the group. The correct configuration depends on your organization's business needs and specific design requirements.
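
To see which groups on a site are affected before changing anything, the setting can be read through the SharePoint REST API, where it is exposed as the `OnlyAllowMembersViewMembership` property of each site group. The script below is an added example, not K2 or SharePoint product code; it assumes SharePoint 2013 on-premises with Windows authentication, a placeholder site URL, and that it is run by a site collection admin so every group is readable.

```powershell
# Added example: report the "Who can view the membership of the group?" setting
# for every group on a site, and optionally whether a given account is a member.
# Assumptions: $SiteUrl is a placeholder; the caller is a site collection admin.
param(
    [string]$SiteUrl = 'https://sharepoint.example.local/sites/placeholder',
    # Optional: fragment of the login name of the account that runs the SmartObject
    [string]$LoginNameContains = ''
)

$headers = @{ Accept = 'application/json;odata=verbose' }

function Get-SPRest([string]$RelativeUrl) {
    # Calls the site's REST endpoint with the current Windows identity
    $response = Invoke-RestMethod -Uri "$SiteUrl/_api/$RelativeUrl" `
        -Headers $headers -UseDefaultCredentials
    return $response.d.results
}

$groups = Get-SPRest 'web/sitegroups?$select=Id,Title,OnlyAllowMembersViewMembership'

$report = foreach ($g in $groups) {
    $isMember = $null
    if ($LoginNameContains) {
        # Direct group entries only; membership granted through a nested
        # AD security group is not resolved here.
        $users = Get-SPRest "web/sitegroups($($g.Id))/users?`$select=LoginName"
        $isMember = [bool]($users | Where-Object { $_.LoginName -like "*$LoginNameContains*" })
    }
    [pscustomobject]@{
        Id                 = $g.Id
        Title              = $g.Title
        MembersOnlyView    = $g.OnlyAllowMembersViewMembership
        UserIsMember       = $isMember
        # True when only members may view membership and the account is not one
        ExpectAccessDenied = $g.OnlyAllowMembersViewMembership -and ($isMember -eq $false)
    }
}

$report | Sort-Object Title | Format-Table -AutoSize
```

The `ExpectAccessDenied` column does not account for site collection admins or users with full control on the site, who do not get the error.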