Need help with Set Content Approval Status in a SharePoint 2013 workflow

Question

I've have read couple dozens questions that seemed to be similar to this one on this forum and others, and haven't found one that seems to be my particular issue.

I have a list of items that any user can submit, and a limited number of people can approve.

I have a workflow that runs when a new item is created: it emails the team to let them know that a new item is submitted; then starts a task for the specific person selected at item creation. All of this works fine.

Once that task is complete (Variable:Outcome is either Approved or Rejected) I have a pair of if-statements to set the content status to either Approved or Rejected - and this is where it breaks down. The workflow hangs with the following error when trying to set content approval status:

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP Forbidden to https://qbp.sharepoint.com/sites/brands/Wiki/_api/web/lists(guid'14422e56-5df5-40bc-a8a3-2818e1d32b72')/Items(97) Correlation Id: 32256e4c-8ea3-df58-bc4e-fbc3745b2973 Instance Id: 4ae749ab-d7c4-4646-b081-0a5f681550bb

Access denied. You do not have permission to perform this action or access this resource.

But I'm the one running the workflow, on an item I created, and I'm the site collection admin. Even giving myself explicit Full Control permissions in that particular list doesn't make a difference.

Any advice / suggestions are appreciated!

Thanks

Answer 1

For SP2013 Workflows, you'll need to enable the Workflow Can Use App Permissions feature and provide permissions to the workflow for the site.

There are a few steps for this, but a nice guide can be found here: http://www.stuartroberts.net/index.php/2014/11/20/workflow-app-permissions/

Here's a quick summary:

1. Activate the Workflow Can Use App Permissions feature
2. Copy the GUID from the App Identifier for the Workflow App in the Site App Permissions page
3. Navigate to the "hidden" App Permissions page (/_layouts/15/appinv.aspx)
4. Paste that GUID as the App Id and click Lookup

5. Provide an XML snippet outlining the permissions to grant. Note that the URLs are not the actual URLs of your site, but are used as placeholders to grant scope. This should work:

   <AppPermissionRequests> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /> </AppPermissionRequests>

6. Trust the Workflow

7. Place the specific action(s) in a Run as App container

Normally, the workflow would run with the permissions of the user that launched it. However, I've found that when updating the _ModerationStatus field from SP2013, it doesn't matter if you're a farm admin, you'll need the workflow app permissions.