Investment requests – Executing Flow actions with service account permissions – Part 2/6

On 2018-09-18, I gave a presentation about the business solution “Investment requests” I created with SharePoint Online (Modern team site), PnP PowerShell, Flow and PowerApps. The 45 minutes were over before I knew it, and several topics were either not presented at all or only covered briefly. I therefore decided to start a blog post series specifically for them.

The blog post series has the following topics:

  1. Introduction
  2. Executing Flow actions with service account permissions
  3. Email
  4. Permissions
  5. PowerApps
  6. And something more

Introduction

An essential part of the solution is the ability to execute Flow actions with an account (a service account) other than the account of the person starting the Flow. This allows someone to make changes to SharePoint objects they normally do not have access to. The service account must hold the elevated permissions. As a solution designer you of course have to make sure this does not result in security issues.

For this solution I used one service account (workflow@…), also called the workflow account. The name of the account is important because it will be shown in the “Created By” and “Modified By” columns in several places. Using a long name will make those columns unnecessarily wide. Using a strange name will make people wonder who made the change.

Below is a summary of the actions which need to be executed with elevated privileges:

  1. Copying a file and metadata to the document library “Requests” by the person starting the approval process (starting the approval request Flow).
  2. Creating a task for a requester by the person starting the approval process.
  3. Updating metadata of files in the preparation document libraries by an approver.
  4. Updating metadata of files in the document library “Requests” by an approver.
  5. Creating a task for a requester by a requester.

Below are the configuration steps executed to create a Flow with actions run with a service account:

  1. Go to a document library.
  2. Add a Flow via the option “Complete a custom action for the selected item”. One must scroll down with the “Show more” link to see that option.
  3. Create the Flow. In this solution I used actions of the connectors “SharePoint” and “Office 365 Outlook”.
  4. A Flow of this type has a “MANAGE RUN-ONLY USERS” section in the configuration page. A screenshot is given below. Choose “Add another user”.
     1. A panel with 2 tabs is shown. Go to the tab “SharePoint”.
     2. Here you can configure who can run the Flow and which account to use for the connections. In this specific case, I added the preparation document library “Projects” and the workflow account to use for both connections. A screenshot is given below.

Important to know

  • Someone must have “Edit” permissions on the preparation document library to start the Flow. “Contribute” permissions are not sufficient.
  • It is possible to add multiple connections of the same type (like “SharePoint”). These connections can be individually configured. This solution has only one connection per type (“SharePoint” and “Office 365 Outlook”).
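Because the run-only configuration above lets anyone with “Edit” on the preparation library trigger actions that run as the workflow account, two things are worth checking before the Flow goes live: who actually holds “Edit” on that library, and whether the workflow account holds more than it needs. The PnP PowerShell script below is an added example, not code from the original post; the site URL, the library title “Projects”, the workflow account login name and the English role definition names (“Edit”, “Full Control”, “Design”) are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original post): audit the preparation library
# to see who can start the run-only Flow (holders of "Edit") and what the
# workflow account itself holds there.
# Assumptions: PnP.PowerShell is installed; the values below are placeholders.

$siteUrl       = "https://contoso.sharepoint.com/sites/investments"    # placeholder site
$libraryTitle  = "Projects"                                            # preparation library from the post
$workflowLogin = "i:0#.f|membership|workflow@contoso.onmicrosoft.com"  # placeholder claims login

Connect-PnPOnline -Url $siteUrl -Interactive

$list = Get-PnPList -Identity $libraryTitle
Get-PnPProperty -ClientObject $list -Property RoleAssignments, HasUniqueRoleAssignments | Out-Null

if (-not $list.HasUniqueRoleAssignments) {
    Write-Warning "'$libraryTitle' inherits permissions from the site; every site member with Edit can start the Flow."
}

# Load each role assignment's principal and bound role definitions.
$report = foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.Title
        LoginName = $ra.Member.LoginName
        Type      = $ra.Member.PrincipalType
        Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
    }
}

# Who can trigger the Flow: "Contribute" alone is not enough, "Edit" is required.
"Principals with Edit on '$libraryTitle' (able to start the Flow):"
$report | Where-Object { $_.Roles -match "\bEdit\b" } | Format-Table Principal, Type, Roles -AutoSize

# Least privilege for the workflow account: it needs Edit for the listed actions,
# so flag anything broader than that (assumes English role definition names).
$wf = $report | Where-Object { $_.LoginName -eq $workflowLogin }
if (-not $wf) {
    Write-Warning "Workflow account has no direct role assignment on '$libraryTitle' (check group membership or inheritance)."
} elseif ($wf.Roles -match "Full Control|Design") {
    Write-Warning "Workflow account holds '$($wf.Roles)' on '$libraryTitle'; Edit should be enough for the actions in this post."
}
```

The script only reads permissions; it does not change anything. If the workflow account is granted rights through a SharePoint group rather than directly, it will show up under that group in the first table instead of being matched by login name, which is why the missing-assignment case is reported as a warning rather than treated as “no access”.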
