I have a flow approval that is sent to the user's manager in Office 365 requesting an update to the credit limit for a customer record in D365. The Submitter does not have security permissions to edit the customer master but the Approver has full permissions for create, edit, update and delete for the customer master.
The flow works correctly when the Flow is run by the manager. But when the flow is submitted by the user the update to D365 fails because flow is using the security context of the submitter and not the actual approver who is clicking approve for the email that is forwarded by Flow or when updated in the Flow web site.
How can we get Flow to use the context of the Approval user rather than the submitter of the request? It does not make sense to use the submitter's security context when the approver is doing the approval/reject process.
Thank you.
Ivan
Hi @IvanCole1,
Do you want to get the context of the Approval user (Approver) rather than the submitter of the request from the Approval action within your flow?
I assume that you use the "Start an approval" action to send your approval email. I agree with @ScottShearer's thought almost: the Security context of the Approval action is based on connections. The connection of the Approval action ("Start an approval" action) is based on the current login account of Microsoft Flow.
In other words, if user A runs this flow within his Microsoft Flow, the requester (submitter) of the Approval request is User A, if user B runs this flow within his Microsoft Flow, the requester (submitter) of this Approval request is User B.
If you want to get the context of the Approval user (Approver) rather than the submitter of the request from the Approval action within your flow, I am afraid that there is no way to achieve your needs in Microsoft Flow currently.
If you would like this feature to be added in Microsoft Flow, please submit an idea to Flow Ideas Forum:
https://powerusers.microsoft.com/t5/Flow-Ideas/idb-p/FlowIdeas
Best regards,
Kris
This is currently one single flow. This is not connected to SharePoint. The PowerApp connects to Dynamics 365 for Finance and Operations and allows the user to search for a customer and request a credit limit increase. When the button is pushed, the app generates an approval record in CDS and then triggers the flow. The flow sends the approval email. When the approver hits submit to approve, the Flow connects to D365 and updates the credit limit.
In my scenario the requestor does not have permissions to edit the customer master, but the approver does. This is a typical scenario for using the Approvals workflow. However the flaw is that the Flow always uses the context of the requestor and not the approval user.
One of the team members from the flow team suggested we cannot do this in a single flow and most likely have to split it. It just seemed wrong to me that the context of the approval user is not used for the Actions.
Thanks
Ivan
Are the Approver and the individual submitting the request running different Flows and is the data stored in a SharePoint list?
The reason I ask is that the Flow runs in the security context of the connections used in the Flow without regard to who started the Flow, assuming that the Flow is attached to a SharePoint list. There is no need to share the Flow - just run a single Flow on a SharePoint trigger and it should work, assuming that the connections used have appropriate SharePoint permissions.