Workflow security considerations

Depending on how a user is required to interact with Nintex Workflow, there are different security considerations.

Minimum permissions

Depending on how a user is required to interact with Nintex Workflow, there are different security considerations to be made. The table below outlines the minimum permissions required to perform the actions described. In general, the runtime permissions can be inherited from the site or the parent site, but they must be the effective permissions for the given user at the list level.

| Nintex role | Required SharePoint permission level | Note |
|---|---|---|
| Approver/Reviewer | Contribute (at the item level at least) | This role includes all users who will be able to perform their assigned human task as part of the workflow from the SharePoint site. Users may be assigned tasks even without these permissions. |
| Lazy Approver | None | This role includes all users who will be able to use Lazy Approval to respond to their assigned task. The user will, however, need at least "Read" permissions if they wish to visit the site. |
| Workflow Designer | Design | This role includes all users who are responsible for creating and maintaining workflows. With these permissions the user can use the Nintex Workflow designer as well as the related tools and pages. In order to be able to publish a workflow, the user will need to be configured as a Workflow Designer. |
| Site Administrator | Full Control (on the site) | This role is responsible for activating and configuring the site-level Nintex Workflow settings from the "Site Settings" page. |
| Server/Farm Administrator | Full Control (on the central administration site and across site collections) | Nintex Workflow Enterprise Edition is required. This role is responsible for the installation and the server-level configuration of Nintex Workflow. |
| Site Collection Administrator | Full Control (on the site collection) | Nintex Workflow Enterprise Edition is required. This role is responsible for managing workflows that exist within the site collection and from each site and list. |
| Workflow user | Contribute | Can start workflows, add schedules, and view history and progress reports. |

Allowed workflow designers

There is a known permissions issue with SharePoint workflows created using either Nintex Workflow or SharePoint Designer (SPD).

A Workflows list is used to hold all defined workflows for a team site. Upon creating your first workflow in SPD or activating Nintex Workflow, this list is given unique permissions, copied from the permissions assigned within the site at that moment. As a result, the only people who will be able to modify permissions on this list are site owners or those who were given explicit "Full Control" access before the list was created.

Nintex has exposed the list through the user interface to work around the permission quirk described. To add or remove users as designers, the user assigning the permissions must be a site owner or have Full Control access to the Workflows list.

To add a user or group to the Workflow designers group

  1. Navigate to the site.
  2. On the top right, click Settings, and then click Site Settings.
  3. On the Site Settings page, under Nintex Workflow, click Allowed workflow designers.

From the permissions page the members can be maintained by adding them in the standard SharePoint manner. Ensure that users who require full access to the designer have "Full Control" set for their permissions.
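Because the Workflows list stops inheriting permissions once it exists, it is worth auditing who actually holds Full Control (and therefore who can design workflows and change the designer membership) rather than assuming it matches the site. The script below is an added example, not Nintex's own code or part of this documentation. It assumes the SharePoint Server object model is available (run it in the SharePoint Management Shell on a farm server), that the list's title is "Workflows" as described above, and uses a placeholder site URL.

```powershell
# Added example (not from the Nintex documentation): report the role assignments
# on the Workflows list that backs "Allowed workflow designers".
# Assumptions: SharePoint Management Shell, list title "Workflows", placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.com/sites/team'   # placeholder site URL
$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists['Workflows']                        # assumed list title
    if ($null -eq $list) { throw "No 'Workflows' list found on $siteUrl" }

    # The page notes this list carries unique permissions; confirm that here
    "Unique permissions on Workflows list: $($list.HasUniqueRoleAssignments)"

    # One line per principal, flagging anyone with Full Control on the list
    foreach ($assignment in $list.RoleAssignments) {
        $levels = $assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }
        $flag = if ($levels -contains 'Full Control') { 'FULL CONTROL' } else { '' }
        '{0,-40} {1,-30} {2}' -f $assignment.Member.Name, ($levels -join ', '), $flag
    }
}
finally {
    $web.Dispose()
}
```

Compare the flagged principals against the people who are meant to be workflow designers; anyone listed with Full Control who is not a site owner most likely received it before the list was created, as the section above explains.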

Workflow action security

Permissions for each workflow action can be configured in the Action settings page.

TLS 1.2 requirement for Start workflows with Nintex Workflow Cloud action

For the farm administrator:

  • Transport Layer Security (TLS) protocol versions 1.0 and 1.1, which are supported by default in Nintex Workflow for SharePoint 2016 (and 2013), are no longer compatible with the Start workflows with Nintex Workflow Cloud action.
  • TLS 1.2 is now required to start workflows with this action. You can opt in to TLS 1.2 even if your application framework doesn't support it by default.

To use TLS 1.2, follow these steps on all servers:

  1. Create a text file with a .reg extension and the following contents (the first line is the header that the Registry Editor expects before it will import the file):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

  2. Double-click the .reg file to import it, then restart the SharePoint Timer Service and IIS.
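Applying the same two registry values from an elevated PowerShell prompt makes the change scriptable across every server and, more importantly, lets you verify afterwards that both the 64-bit and the Wow6432Node key carry the value. This script is an added example, not part of the Nintex documentation; it assumes 64-bit Windows with .NET Framework 4.x installed and that it is run with local administrator rights.

```powershell
# Added example (not from the Nintex documentation): set SchUseStrongCrypto = 1
# under both .NET Framework 4 keys, restart the services that cache the setting,
# and verify the result. Assumes 64-bit Windows; run elevated on each server.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Test-StrongCrypto {
    # Returns $true only when every key has SchUseStrongCrypto set to 1
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.SchUseStrongCrypto -ne 1) { return $false }
    }
    return $true
}

if (-not (Test-StrongCrypto)) {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # -Force overwrites an existing value of 0
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # .NET reads this value at process start, so restart the Timer Service and IIS
    Restart-Service -DisplayName 'SharePoint Timer Service'
    iisreset
}

"SchUseStrongCrypto enabled on both keys: $(Test-StrongCrypto)"
```

Run it on every server in the farm; a server that still reports False after the script has run has typically had the value created under only one of the two keys, which leaves 32-bit .NET processes on TLS 1.0/1.1.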

Related information

Manage workflow actions (farm level)