Insufficient permissions to start worflows for non-admin users

cancel
Showing results for 
Search instead for 
Did you mean: 
sirchnait
Active Member

Insufficient permissions to start worflows for non-admin users

Jump to solution

I get an "Access denied. You do not have the appropriate permissions to perform this operation"-error (source: alfresco.log) when trying to start one of the default workflows that come with Alfresco 5.2. However, I can start the same workflow on the same document when I'm logged in as admin. I suppose it has something to do with Workflow JavaScript API. Maybe the authentication runas is set to admin in some script.

Any ideas on where I should start searching would be greatly appreciated......

1 Solution

Accepted Solutions
sirchnait
Active Member

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

It turns out my assumption was right. The exception was thrown because of lacking permissions for the worflow notification Email Template within the Alfresco Data Dictionary. I added the group and tested again - bingo!

View solution in original post

5 Replies
kalpesh_c2
Senior Member

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

Hi Chris,

It is difficult to say about your actual problem, it may possible that user who is performing actions may not have appropriate permission on the document so you need to give permissions on document Setting user permissions | Alfresco Documentation  , please share your alfresco error logs.

Thanks,

Kalpesh

jpotts
Professional

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

Also, which workflow? What document are you running the workflow on? Can the user who is getting the error successfully navigate to the document(s) that are included in the workflow?

Example: If admin starts a workflow on documents only she can see, then starts a review/approve workflow with those documents, and assigns the workflow to Test User, if Test User cannot also see those documents you might see a problem like this.

sirchnait
Active Member

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

I've tried two of the out-of-the-box workflows: "Review and Approve (one or more reviewers)" and "Review And Approve (single reviewer)". Document types were *.zip, *.doc and *.xlxs and the user who's gettin the error can access these docs since he has uploaded them and has the coordinator role for all documents in that folder.

sirchnait
Active Member

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

Hi Kalphesh, thanks for the feedback. I've just found out that the exception is thrown as soon as I select the 'start workflow' entry from a document's context menu start workflow

I thought the exception will only occur in the following window where the actual workflow is configured, but no, it's one step earlier. Here's what the alfresco.log says:

2017-12-14 21:35:10,008 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-nio-8080-exec-8] Exception from executeScript: 11140013 Zugriff verweigert. Sie verfügen nicht über die Berechtigungen, um diesen Vorgang durchzuführen.
org.alfresco.repo.security.permissions.AccessDeniedException: 11140013 Zugriff verweigert. Sie verfügen nicht über die Berechtigungen, um diesen Vorgang durchzuführen.
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:86)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
    at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:76)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy22.getProperty(Unknown Source)
    at org.alfresco.repo.web.scripts.content.ContentStreamer.streamContent(ContentStreamer.java:230)
    at org.alfresco.repo.web.scripts.content.StreamContent.streamContent(StreamContent.java:271)
    at org.alfresco.repo.web.scripts.content.ContentGet.streamContentLocal(ContentGet.java:167)
    at org.alfresco.repo.web.scripts.content.ContentGet.execute(ContentGet.java:145)
    at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:512)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
    at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)
    at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
    at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
    at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
    at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:174)
    at sun.reflect.GeneratedMethodAccessor547.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy233.doFilter(Unknown Source)
    at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:121)
    at sun.reflect.GeneratedMethodAccessor547.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy233.doFilter(Unknown Source)
    at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.alfresco.web.app.servlet.WebscriptCookieAuthenticationFilter.doFilter(WebscriptCookieAuthenticationFilter.java:84)
    at sun.reflect.GeneratedMethodAccessor547.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:132)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy233.doFilter(Unknown Source)
    at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1580)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1537)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
    at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
    at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
    ... 81 more


It's worth noting that

  • I get similar errors trying to initiate rules for a any directories, e.g. 'send mail whenever a new document is uploaded in directory xyz'.
  • workflows are accepted when the email notification checkbox in the worflow configuration window is unchecked

These facts point in a different direction than I thought in the beginning. Maybe there's a problem with the user's permission to send emails?

sirchnait
Active Member

Re: Insufficient permissions to start worflows for non-admin users

Jump to solution

It turns out my assumption was right. The exception was thrown because of lacking permissions for the worflow notification Email Template within the Alfresco Data Dictionary. I added the group and tested again - bingo!