In Workflow 10.4.1, Enhanced Security Options were added to the Workflow Server (KB:1014050). We have enabled this on our environment but have discovered that, when it is enabled, a workflow service task in a Forms business process will not run and creates an error.
This is due to the fact that Workflow Enhanced security enables the following option:
- Only show workflows to their creators by default: For newly created workflows, Workflow will automatically turn on the Only allow specified users to access the workflow option that is available when viewing Workflow Options in the Workflow Definitions node in the Workflow Administration Console.
So when a Forms business process attempts to run a workflow with this option enabled the following error is logged:
The call to Laserfiche Workflow API was not successful. (Access Denied. NT AUTHORITY\NETWORK SERVICE does not have permission to start the business process. [0742-WF1]). [LFF5203-WFServerApiFault]
Details:
URL:
Error: WFServerApiFault
Date: 4/6/2021 7:34:13 AM (Mountain Standard Time)
HTTP Status Code: 500
Business Process ID: 56
Instance ID: 12788
Business Process Name: FACS Provider Outward Facing Form
Stack Trace:
Caught exception: Laserfiche.Forms.CommonUtils.Exceptions.LFFormsException
Message: The call to Laserfiche Workflow API was not successful. (Access Denied. NT AUTHORITY\NETWORK SERVICE does not have permission to start the business process. [0742-WF1]). [LFF5203-WFServerApiFault]
at Laserfiche.Forms.Routing.LFWorkflowService.Execute(Int32 instanceId, IRoutingContext routingContext, RoutingInstanceStatus OriginalStatus)
at Laserfiche.Forms.Routing.ServiceTask.Execute(Int32 instanceId, IRoutingContext routingContext)
So we had to deselect the Only allow specified users to access the workflow option that is available when viewing Workflow Options in the Workflow Definitions node in the Workflow Administration Console in order for Forms to be able to run the workflow.
I searched all through Laserfiche Answers, Laserfiche Administration Guide, and the Laserfiche Knowledge Base but could not find a best practice from Laserfiche on how to get this Enhanced Security on a workflow to work when Forms attempts to run the workflow.
The only thing I found that discussed this was this Laserfiche Answers post where a user said they added NT AUTHORITY\SYSTEM as an Administrator in the Workflow Administration Console under Security – Permissions and Rights.
I’m not sure how secure this setup is and if it is a Laserfiche best practice for setting up Workflow Enhanced Security Options and enabling a Forms business process to run a Workflow Service Task.
The service account running our Laserfiche Server, Workflow, & Forms is a domain-based account.
Our Laserfiche Versions:
Forms Professional – 10.4.5.282
Workflow – 10.4.3.139
LF Server – 10.4.3 build 115
My VAR opened a case with support but was referred to the following links, which don't answer my question, and support suggested asking here for an answer.