Permissions needed for common tasks

Microsoft Azure Active Directory is now Microsoft Entra ID

The table contains common tasks, permissions required to use them, and examples of error messages you'll see if you do not have the correct permissions.

Task / Permission / Error message if I do not have rights
Access Management as an Administrator

To access the Management site you need server Admin rights. With Admin rights, you see all nodes within Management.

Contact your Nintex K2 Administrator to give you Admin rights.

To set this in Management, go to the Workflow Server node, then select the Server Rights node and assign Admin rights to the user.

For information, see Server Rights.

"You don't have sufficient permissions to access Management".
Access Management as a user

To access Management you need Process Admin rights. Process Admin gives you a restricted view of Management for the processes that you are an admin for. Once you deploy a workflow, you become the Process Admin of that workflow, which gives you access to Management.

For information, see Process Details > Rights.

"You don't have sufficient permissions to access Management".
Access Workspace

By default, all users see their Workspace and custom Workspaces.

For information, see Workspace.

No error message.
Access the Designer

To access the Designer you need Designer View rights. To set this in Management, go to the Designer node and assign View rights to the user.

For information, see Designer.

"Uh oh… You are missing the required design right to be able to view this page".
Access Workflow Designer

To access Workflow Designer you need the Designer rights. To set this in Management, go to the Designer node, and then assign View rights to the user, group or role.

For information, see the Designer and KB002722 - the Designer Rights Changes in Behavior.

"Uh oh… You are missing the required design right to be able to view this page"
Create, Edit and Save a Workflow

To create, edit, or save a workflow, you need the Designer rights. To set this in Management, go to the Designer node, and then assign View rights to the user.

For information, see the Designer.

"Uh oh… You are missing the required design right to be able to view this page"
Deploy a Workflow

To deploy a workflow, you need Export rights. To set this in Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For information, see Server Rights.

No error message. You cannot access the Workflow Designer without Export rights.
Install an App from App Catalog

To install an app from the App Catalog, you need Export rights. To set this in Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For information, see Server Rights.

You also need to be a member of the Package and Deployment role. To set this in Management, go to the Users node, and then Roles, and select Package and Deployment. Click Edit and add a user to the role.

30013 [username] is not a member of the Package and Deployment role and/or does not have Export rights on the Workflow server.
App Administration access

To access the App Administration page you need to be added to the Administrators list by your system administrator. From the App page, select the Admin option in the Build section. Then select the Security area and add the user name to the Administrators List.

For information, see Administer Apps.

"You are not authorized to access this page"
Run Reports

To run reports from Management or Workspace, you need View or View Participate rights. To set this in Management, go to the Workflow Server node, and then Workflows, and then find and select the workflow. Click Rights and then assign View or View Participate rights to the user.

For information on how to run reports, see Management - Reports and from Workspace, see Workspace - Reports.

 

 
Package and Deployment

To package and deploy solutions you need Export rights. To set this in Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For information, see Package and Deploy Considerations.

"30008 '[Domain]\[username]' does not have export rights"
Package and Deployment

To package and deploy solutions you need to be a member of the Package and Deployment role. To set this in Management, go to the Users node, and then Roles, and select Package and Deployment. Click Edit and add a user to the role.

For information, see Authorization Framework Overview.

For more information on Package and Deployment permissions, see the Package and Deploy Considerations topic.

"30011 [username] is not a member of the Package and Deployment role and cannot create or deploy packages"
Package and Deployment

To package and deploy solutions you need View rights to all objects. The Package and Deployment role grants its members global View rights. However, membership in this role does not override any Deny rights. If you have View rights denied to any item in the category system, you are prompted to update permissions to View the item or items.

To set this in Management, go to Categories and select the object. In the Security section, add the user and set View rights to Allow. This ensures that when dependencies are checked, Package and Deployment knows whether items exist (and need to be updated) or do not exist (need to be created).

For information, see the Objects section in the Authorization Framework Overview topic.

"Insufficient rights detected. Unable to Continue"
Grant rights

To grant rights you need to be a member of the Security Administrators role. To set this in Management, go to the Users node, and then Roles, and select Security Administrators. Click Edit and add a user to the role. If you are a member of the Security Administrators role, you can grant rights to any object in the system, and you have security rights to individual objects. This means you can edit security for those objects. When you create an object in the system, you are automatically granted security rights to that object so that you can administer it without needing a security admin to help you.

For information, see the Roles section in the Authorization Framework Overview topic.

Users that are not members of the Security Administrators Role will not see the Security view in Management. The Security view only loads once they become members of the role.
Modify and Delete Roles

To modify and delete custom roles you need Modify and Delete rights. To set this in Management, go to the Users node, and then Roles, and select the role. Click the Security button and add a user to the role.

Security Administrators have Security rights by default for all legacy and new custom roles (except system roles). Users that create their own roles are automatically granted Security rights on those roles.

For information, see the Roles section in the Authorization Framework Overview topic.

No error message shows. If you do not have security rights to a role, the Security button is disabled.

If you decide to deny Modify and Delete rights to someone's role the following messages show:

  • User was not granted permissions to modify the role. "[domain]\[username] cannot perform Modify on custom role."
  • User was not granted permission to delete the role. "[domain]\[username] cannot perform Delete on custom role."
Browse to and use Forms, Views and SmartObjects using the Category Tree in the Designer or Management

To browse to objects using the category tree in the Designer or Management, you need View rights. To set this in Management, go to the Categories node and select the object. In the Security section add the user and set the View rights to Allow.

For information, see the Objects section in the Authorization Framework Overview topic.

No error message shows. The node does not appear in the Category Tree if you don't have View rights.
Open and run forms at Runtime

To open and run forms, you need Execute rights. To set this right, launch the Management Site, go to the Categories node and select the form. In the Security section, add the user or group and set the Execute rights to Allow.

To see the detailed error message, you must change the value in <add name="ExtendedExceptionDetail" value="false"/> to true in the K2 SmartForms Runtime Web.config file. The Web.config is found in the following location: [Drive]:\Program Files (x86)\K2\K2 smartforms Runtime.

For information, see the Objects section in the Authorization Framework Overview topic.

"Form [name] could not be found. Ensure that the Form exists, that it is checked in and that you are authorized to run the Form."
Interact with views, and run forms that contain those views at Runtime

To open and run views (and forms that contain that view), you need Execute rights. To set this right, launch the Management Site, go to the Categories node and select the view. In the Security section, add the user or group and set the Execute rights to Allow.

To see the detailed error message, you must change the value in <add name="ExtendedExceptionDetail" value="false"/> to true in the K2 SmartForms Runtime Web.config file. The Web.config is found in the following path: [Drive]:\Program Files (x86)\K2\K2 smartforms Runtime.

For information, see the Objects section in the Authorization Framework Overview topic.

  • "Form [name] could not be found. Ensure that the form exists, that it is checked in and that you are authorized to run the form and its views."
  • "View [name] could not be found. Ensure that the view exists, that it is checked in and that you are authorized to run the view."
Add, register and deploy the K2 for SharePoint App

To add, register, and deploy the K2 for SharePoint App you need the following permissions:

  • Global Admin (also known as the Tenant Admin)
  • Site Collection Admin for the App Catalog site
  • SharePoint Online Administrator or Site Collection Administrator for each site collection where the app is deployed to

 

No error message shows. You will not see any Administration Links for the K2 for SharePoint App on the App Catalog level.
Add a web part in SharePoint

To add a web part in SharePoint you need the following permissions:

  • App Catalog: Read

  • SharePoint site: Edit Permission level and Add and Customize Pages

If you don't have permission, the Edit Permission level and the Add and Customize Pages shows with the following:

Create and deploy applications with the K2 for SharePoint App

To create and deploy applications you need to configure the following:

Permissions: Assign the Designer Edit rights in Management site > Designer.

SharePoint Permissions:

  • App Catalog: Read
  • SharePoint site: Edit
"Uh oh... You are missing the required rights to be able to access this page. Error Details [User FQN] does not have Design Site permissions."
Permissions for using applications created with the K2 for SharePoint App. To Start and View a Workflow

To Start and View a workflow you need to configure the following:

In Management, go to the Workflow Server node, and then Workflow, and select the workflow. Select Rights and assign Start and View rights to the user.

In SharePoint:

  • App Catalog: Read

  • SharePoint site: Read
  • Group: Read
  • SharePoint lists and libraries: Read and Edit permissions for users as required by the functions performed by the application on the SharePoint Lists and Libraries

 
Sharing Applications with external users

To share applications with external users you need to configure the following SharePoint permissions:

  • Permission based on Site Collection Group membership
  • Global Admin required to enable sharing on the App Catalog
 
Permissions to administer K2 for SharePoint App

To administer K2 for SharePoint app you need to configure the following:

Permissions: Admin

SharePoint Permissions: Global Admin

No error message shows.

You will only see the following on Site Collection level:

Read data from Azure Active Directory

To read data from Azure Active Directory, the Global Tenant administrator needs to grant Read permission when configuring the app.

 
Write data to Azure Active Directory

To write data to Azure Active Directory, the Global Tenant administrator needs to grant Write permission to the product for Azure Active Directory Management app.

For information, see KB002052 - How to Reconsent to the K2 for Office 365 app for Minimum Azure Active Directory Permissions
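
The three Package and Deployment rows above combine into a single pre-flight check: Export rights, role membership, and View on every object, where an explicit Deny wins over the role's global View. The sketch below is an added example, not Nintex K2 code; `Principal`, `effective_view`, `preflight`, the order of the checks and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the rights the Package and Deployment rows describe.
# None of these names are K2 APIs; they are assumptions for illustration.
@dataclass
class Principal:
    name: str
    export_right: bool = False   # Workflow Server > Server Rights > Export
    in_pnd_role: bool = False    # member of the Package and Deployment role
    view_acl: dict = field(default_factory=dict)  # object -> "Allow" / "Deny"

def effective_view(p, obj):
    """Explicit Deny always wins; otherwise an explicit Allow or the
    role's global View right lets the principal see the object."""
    explicit = p.view_acl.get(obj)
    if explicit == "Deny":
        return False
    return explicit == "Allow" or p.in_pnd_role

def preflight(p, package_objects):
    """Return every blocking condition, keyed by the page's error text."""
    problems = []
    if not p.export_right:
        problems.append(("30008", "no Export rights on the Workflow Server"))
    if not p.in_pnd_role:
        problems.append(("30011", "not in the Package and Deployment role"))
    hidden = sorted(o for o in package_objects if not effective_view(p, o))
    if hidden:
        problems.append(("Insufficient rights detected",
                         "View not allowed on: " + ", ".join(hidden)))
    return problems

# Constructed sample data: three category objects and two users.
OBJECTS = ["Forms/Leave Request", "Views/Leave List", "SmartObjects/Employee"]
alice = Principal("EXAMPLE\\alice", True, True, {"Views/Leave List": "Deny"})
bob = Principal("EXAMPLE\\bob", False, False, {o: "Allow" for o in OBJECTS})

if __name__ == "__main__":
    for p in (alice, bob):
        print(p.name, preflight(p, OBJECTS) or "ready to package and deploy")
```

Here alice holds Export rights and the role but is still blocked by a single Deny, while bob can view everything yet lacks both Export rights and role membership.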