SharePoint Tip #32. Do you know “which identity is used when you deploy a workflow from Visual Studio and SharePoint Designer”?
SharePoint gives you two ways to design and deploy workflows: SharePoint Designer (SPD) and Visual Studio. Be aware that the two deployment paths differ in their security model, and the difference can cause permission issues.
SharePoint has its own security model for resolving the user's Windows identity for all activities. It uses either the IIS application pool user or, for scheduled events, the WSS Timer user. This behavior is the same for both Visual Studio and SharePoint Designer workflows, where the actual Windows identity doesn't matter.
There are two differences in how the SPUser name is resolved when you deploy a workflow from Visual Studio and from SharePoint Designer:
- Workflows developed in Visual Studio are deployed at the server level and run under the System Account. They do not require any permissions from the user/initiator of the workflow. These workflows are also strong-named and placed in the GAC. The actual SPUser user name comes from SPWorkflowActivationProperties, which is System Account.
- Workflows developed in SharePoint Designer (usually called ‘declarative’ workflows) have only the permissions that the initiator has. Any action the workflow needs to perform inherits the permissions of the initiator and NOT the System Account. The SPUser is obtained from the WorkflowContext.Site object, which is impersonated as the workflow's author, the user who started the workflow.
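
Because a Visual Studio workflow acts with System Account rights regardless of who started it, any authorization of the initiator has to be done explicitly in code. The following is an added example, not code from the original tip: the class name, the handler name, the `Status` column and the choice of `EditListItems` as the required permission are assumptions, and it needs the SharePoint server assemblies to compile.

```csharp
using System;
using System.Workflow.Activities;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Workflow;

// Hypothetical workflow class; only the SharePoint types and members are real API.
public sealed class ReviewWorkflow : SequentialWorkflowActivity
{
    // Populated by the OnWorkflowActivated activity when the workflow starts.
    public SPWorkflowActivationProperties workflowProperties =
        new SPWorkflowActivationProperties();

    // Handler for a CodeActivity. The workflow code runs with System Account
    // rights, so SharePoint will not reject the update on the initiator's behalf.
    private void markReviewed_ExecuteCode(object sender, EventArgs e)
    {
        SPUser initiator = workflowProperties.OriginatorUser; // who started it
        SPListItem item = workflowProperties.Item;

        // Explicit authorization: would the initiator be allowed to edit this
        // item themselves? EditListItems is an assumed policy choice.
        if (!item.DoesUserHavePermissions(initiator, SPBasePermissions.EditListItems))
        {
            LogHistory(SPWorkflowHistoryEventType.WorkflowError, initiator,
                "Denied: initiator lacks EditListItems on the item.");
            return; // do not act with elevated rights for this user
        }

        item["Status"] = "Reviewed"; // "Status" is a hypothetical column
        item.Update();
        LogHistory(SPWorkflowHistoryEventType.WorkflowComment, initiator,
            "Item updated on behalf of " + initiator.LoginName);
    }

    // Record the decision in the workflow history list for later audit.
    private void LogHistory(SPWorkflowHistoryEventType type, SPUser user, string text)
    {
        SPWorkflow.CreateHistoryEvent(workflowProperties.Web,
            workflowProperties.WorkflowId, (int)type, user,
            TimeSpan.Zero, "Authorization", text, string.Empty);
    }
}
```

A declarative SharePoint Designer workflow does not need this check, since its actions already run with the initiator's permissions.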