Quick Tip on Enumerating Group Permissions
A workflow I designed for a client was doing something very simple – enumerating the members of a publishing approval group and displaying the user names on the workflow initiation form (which happened to be an ASPX page) – when all of a sudden content authors could no longer initiate the workflow. Each attempt was greeted by an ‘Access Denied’ error. Only the root system admin could launch the workflow, which is really strange as users need only the ‘Edit Items’ right to launch workflows.
Stymied, I tried elevating permissions for the authors group one by one but nothing worked. Even granting them full rights had no effect. Frustrated, I went back through the code line-by-line to make sure everything was kosher – no rogue methods being called outside of RunWithElevatedPrivileges blocks, etc. – when it suddenly dawned on me. Not only does the initiating group need the ‘Enumerate Permissions’ right (unless you’re using impersonation) but the group whose members you are trying to enumerate must have the ‘Who can view the membership of the group’ option set to ‘Everyone’ (the default is ‘Group Members’). This simple setting was overriding all the permission masks I was assigning to my authoring group. At some point I must have accidentally reset it to the default. Once I ticked the correct option everything started working again.
Sometimes it’s the little things that can just ruin an otherwise pleasant afternoon…
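The following is an added example, not the code from the workflow described in this post. It reads the approval group's members inside a RunWithElevatedPrivileges block and reports the state of the 'Who can view the membership of the group' setting, so the group can stay on 'Group Members' while the form still gets its names. The names ApprovalGroupReader, Result and ReadMembers are hypothetical; the SharePoint server object model calls are real.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class ApprovalGroupReader
{
    public sealed class Result
    {
        // Mirrors the group setting: true = "Group Members", false = "Everyone".
        public bool MembersOnlyView;
        // Only display names leave the elevated block, nothing else about the users.
        public List<string> DisplayNames = new List<string>();
    }

    public static Result ReadMembers(SPWeb contextWeb, string groupName)
    {
        // Capture plain identifiers only. SPSite/SPWeb objects created under the
        // caller's identity keep that identity even inside the elevated delegate,
        // which is the usual reason an "elevated" call still fails with Access Denied.
        Guid siteId = contextWeb.Site.ID;
        Guid webId = contextWeb.ID;
        var result = new Result();

        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            // Objects opened here run as the application pool account.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPGroup group = web.SiteGroups[groupName];
                result.MembersOnlyView = group.OnlyAllowMembersViewMembership;

                foreach (SPUser user in group.Users)
                    result.DisplayNames.Add(user.Name);
            }
        });

        return result;
    }
}
```

Logging MembersOnlyView when the form loads makes a silently reset group setting visible before authors start hitting 'Access Denied'.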
Saved me the trouble of doing my own research on this topic.