Anonymous Views and Forms
You can set specific views and forms so that they don't require an identity when opened, which means they are anonymous. For example, you may wish to expose a view or form to people who do not have user accounts in your organization. When you enable anonymous access on a view or form, you allow these external users to access the view or form without having to log in. There are two ways to enable anonymous access:
- Use the Anonymous Access setting to make specific views and forms anonymous. Doing this executes the form using the Application Pool account on a site that normally requires authentication. This option is the more secure of the two and removes the need for you to configure a second runtime site for anonymous access.
- Create a separate SmartForms runtime site and configure the site to run anonymously. The Anonymous Access view or form setting is not required for this scenario. See the K2 Configuration and Installation Guide for more information.
To use the Anonymous Access setting:
- Create a view or form.
- Edit the view or form.
- In the Properties section under Advanced, check Anonymous Access.
- Get the runtime URL for the anonymous view or form. (You can use the view or form Properties page to get the URL. You may need to replace the server address part of the URL with the server address of the runtime site.)
- Open the URL anonymously, for example using an Incognito or InPrivate instance of your browser. The view or form opens without requiring credentials.
Keep in mind the following considerations when using anonymous views or forms with K2 Cloud:
- Once you have configured the Anonymous Access property on a view or form, an OAuth token must be cached with the K2 Cloud Application Pool account in order for the form to have user context in SharePoint. To create the cached token, you must open the anonymously-enabled view or form for the first time as a user with the minimum rights needed to perform the SharePoint site, list or library actions. When you open it with that account, K2 Cloud checks the anonymous setting and, if it is on, uses the token of the currently logged-in user to access SharePoint resources. This token is then associated (cached) with the K2 Cloud Application Pool account. Then, whenever the anonymous view or form is opened, K2 Cloud uses the cached OAuth token to access SharePoint. In other words, K2 Cloud uses the OAuth token of the first user that opens the anonymous form for all subsequent times the form is opened, regardless of which user is signed in.
Do not use an Administrator account or other account with privileged access to generate the anonymous access token. Instead, use a SharePoint user that has the minimum rights to run the form successfully (the minimum rights depend on the solution and what you've designed it to do). It is recommended that you define a specific account to use for all anonymous access, and then give this account the necessary rights in SharePoint for all anonymous views and forms. Whenever you need to enable a view or form for anonymous access and generate the OAuth token, open it for the first time using this account so that all anonymous views and forms use the same token. If needed, you can disable access to a SharePoint resource for that account, or give it greater access, and the change applies to all of your anonymous views and forms.
- All other views and forms that run anonymously are accessed with the token created by the first user that opened an anonymous view or form.
- You can delete the cached token for the Application Pool account by going to the K2 Management site.
- The cached token is not specific to a view or form; it is shared amongst all anonymous-enabled views and forms that use the same account token.
- You must also configure anonymous access on a subview or subform that opens from a view or form. Subviews or subforms do not inherit the Anonymous Access property setting.
- User context information, such as Name, Display Name, Email, and Manager, is not populated on an anonymous view or form since there is no user context.
- The view and form run in the context of the user account of the Application Pool associated with the SmartForms runtime site. Therefore, any integration requiring credentials (for example SmartObject interaction using the Impersonation authentication mode or starting a workflow) executes under the context of the Application Pool.
- If you make a view or form anonymous and check it in, it runs under the Application Pool account. If the view or form is then checked out, edited, and saved using the same account, all users running the view or form see the new edited changes (even if the view or form is not checked in again). This is because the edits were made under the Application Pool account, which is the user under which the view or form runs for all users.
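The token-caching behaviour described in the considerations above, modelled as an added Python illustration (this is not K2 code; the class and function names, the rights strings and the sample accounts are all constructed for the example). It shows why the first opener's rights become the rights of every later anonymous open, that the cached token is shared across anonymous-enabled views and forms, and a simple least-privilege check you can apply to the account you intend to use as the first opener.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed list of SharePoint rights we treat as "privileged" for the check below.
PRIVILEGED_RIGHTS = frozenset({"Full Control", "Site Collection Administrator"})


@dataclass(frozen=True)
class OAuthToken:
    """Simplified stand-in for the OAuth token K2 Cloud caches (hypothetical shape)."""
    user: str
    rights: frozenset  # SharePoint rights the token grants


class AppPoolTokenCache:
    """Models the single token cached against the Application Pool account.

    The cache is not keyed by view or form: whichever signed-in user first opens
    any anonymous-enabled view or form supplies the token used for all of them.
    """

    def __init__(self) -> None:
        self._cached: Optional[OAuthToken] = None

    def open_form(self, form: str, anonymous: bool,
                  signed_in: Optional[OAuthToken]) -> OAuthToken:
        """Return the token under which SharePoint is accessed for this open."""
        if not anonymous:
            # Normal form: the signed-in user's own token is used.
            if signed_in is None:
                raise PermissionError(f"{form} requires authentication")
            return signed_in
        if self._cached is None:
            # First anonymous open: must be by a signed-in user, whose token is cached.
            if signed_in is None:
                raise PermissionError(
                    f"{form}: no cached token yet; first open must be by a signed-in user")
            self._cached = signed_in
        # Every later anonymous open reuses the cached token, whoever is signed in.
        return self._cached

    def clear(self) -> None:
        """Equivalent of deleting the cached token from the K2 Management site."""
        self._cached = None

    @property
    def cached_user(self) -> Optional[str]:
        return self._cached.user if self._cached else None


def safe_first_opener(token: OAuthToken) -> bool:
    """Least-privilege gate: refuse to seed the cache with a privileged account."""
    return not (token.rights & PRIVILEGED_RIGHTS)


def demo() -> dict:
    """Walk through the recommended flow and the mistake the text warns against."""
    svc = OAuthToken("svc-anon-forms", frozenset({"Contribute"}))      # constructed
    admin = OAuthToken("site-admin", frozenset({"Full Control"}))      # constructed
    cache = AppPoolTokenCache()

    first = cache.open_form("FeedbackForm", anonymous=True, signed_in=svc)
    later_admin_open = cache.open_form("FeedbackForm", anonymous=True, signed_in=admin)
    other_form_anon = cache.open_form("RequestForm", anonymous=True, signed_in=None)

    cache.clear()  # token deleted from management; next anonymous open re-seeds it
    mistaken_seed = cache.open_form("FeedbackForm", anonymous=True, signed_in=admin)

    return {
        "first_opener": first.user,
        "admin_open_runs_as": later_admin_open.user,
        "other_form_runs_as": other_form_anon.user,
        "after_clear_runs_as": mistaken_seed.user,
        "svc_is_safe_seed": safe_first_opener(svc),
        "admin_is_safe_seed": safe_first_opener(admin),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows that after the service account seeds the cache, an administrator opening the same form still runs it with the service account's token, that a second anonymous form with nobody signed in gets the same token, and that clearing the cache and letting an administrator open the form first leaves every anonymous open running with Full Control.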