Behavior of workflow with combination of Security Policy

Problem Summary:

If a workflow has been created for any document/table and security policy has been created for same table, error appears while workflow framework tries to create work item.

Error Message:

Stopped (error): X++ Exception: Work item could not be created. Insufficient rights for user testuser1.

at SysWorkflowWorkItem-create

SysWorkflowWorkItem-createWorkItems

SysWorkflow-save

SysWorkflowQueue-resume

X++ Exception: The workflow system could not access the business document data. Report this issue to your system administrator.

at SysWorkflowDocument-assertAsUser

SysWorkflowDocument-assert

SysWorkflowDocument-assertPermission

SysWorkflowWorkItem-create

SysWorkflowWorkItem-createWorkItems

SysWorkflow-save

SysWorkflowQueue-resume

Observation/ Testing:

• Initially I thought it is a normal issue of security and what I did, I took all menu item related to workflow approval and dragged those menu item into a privilege. I assigned that newly created privilege to MyRole. Assigned MyRole to TestUser.

• I was surprised to observe the results because the error was still there.

• Then I assigned almost all roles except system admin to Test User; surprisingly this time also got failed with same error.

• I assigned SystemAdmin role to TestUser and it worked.

• I removed the SystemAdmin role and debugged the code.

  Results of Debugging:

  • The system/code fails at SysWorkflowDocument (class) >> assertAsUser (method)

  • It failed at following line of code

  • rec = queryRun.get(workflowPermission.parmWorkflowContext().parmTableId());

  • //rec represents common table buffer i.e. record of Workflow Document/Table is returned.

  • If I go with SysAdmin Role the rec gives me a record with a valid RecId

• If I go without SysAdmin Role the line of code is executed two times, one time it gives valid record and one time it gives record with 0 recId i.e. invalid record                                    

  Conclusion of Observation/Summary:

  The security policy has been enabled for smmOpportunityTable. I am 100% sure that TestUser has access to records of smmOpportunityTable, depite security policy is enabled. But when workflow is submitted and it is supposed that TestUser is approver; workflow fails to create workitem.