Minimum Permissions
The security considerations for Nintex Workflow depend on how a user needs to interact with it. The table below outlines the minimum permissions required to perform the actions described. In general, the runtime permissions can be inherited from the site or the parent site, but they must be the effective permissions for the given user at the list level.
| Nintex Role | Required "SharePoint Permission Level" | Note |
| --- | --- | --- |
| Approver/Reviewer | Contribute (at the item level at least) | This role includes all users who will be able to perform their assigned human task as part of the workflow from the SharePoint site. Users may be assigned tasks even without these permissions. |
| Lazy Approver | None | This role includes all users who will be able to use LazyApproval to respond to their assigned task. The user, however, will need at least "Read" permissions if they wish to visit the site. |
| Workflow Designer | Design | This role includes all users who are responsible for creating and maintaining workflows. With these permissions the user can use the Nintex Workflow designer as well as the related tools and pages. In order to be able to publish a workflow, the user will need to be configured as a Workflow Designer. |
| Site Administrator | Full Control (on the site) | This role is responsible for activating and configuring the site level Nintex Workflow settings from the "Site Settings" page. |
| Server/Farm Administrator | Full Control (on the central administration site and across site collections). Nintex Workflow Enterprise Edition is required. | This role is responsible for the installation and the server level configuration of Nintex Workflow. |
| Site Collection Administrator | Full Control (on the site collection). Nintex Workflow Enterprise Edition is required. | This role is responsible for managing workflows that exist within the site collection and from each site and list. |
| Workflow user | Contribute | Can start workflows, add schedules, view history and progress reports. |
Allowed Workflow Designers
There is a known permissions quirk with SharePoint 2013 workflows created using either Nintex Workflow or SharePoint Designer (SPD).
A Workflows list is used to hold all defined workflows for a team site. Upon creating your first workflow in SPD or activating the "Nintex Workflow 2013" feature, this list is given unique permissions, which copies the current permissions assigned within the site. As a result, the only people who will be able to modify permissions on this list are site owners or those who were given explicit 'Full Control' access before the list was created.
Nintex have exposed the list through the user interface to work around the permission quirk described. To add/remove users as designers, the user assigning the permissions must be a site owner or have Full Control access to the Workflows list.
To add a user or group to the Workflow designers group:
1. Navigate to the site.
2. On the top right, click Settings and then click Site Settings.
3. On the Site Settings page, under Nintex Workflow, click Allowed workflow designers.
From the permissions page the members can be maintained by adding them in the standard SharePoint manner. Ensure that users who require full access to the designer have "Full Control" set for their permissions.
Workflow Action Security
Permissions for each workflow action can be configured in the Manage workflow actions page.
TLS 1.2 requirement for Start workflows with action
For the farm administrator:
- Transport Layer Security (TLS) protocol versions 1.0 and 1.1, which are supported by default in Nintex for SharePoint 2013, are no longer compatible with the Start workflow in Nintex Workflow Cloud action.
- TLS 1.2 is now required to start workflows with this action. You can opt in to TLS 1.2 even if your application framework doesn't support it.
To use TLS 1.2, follow these steps (all servers):
1. Create a text file with a .reg extension and the following contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

2. Double-click the .reg file to install it, then restart the SharePoint Timer Service and IIS.
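To confirm the change reached every server, the following added example (not part of the Nintex documentation) reads SchUseStrongCrypto from both registry keys named above over PowerShell remoting. The server names are constructed placeholders, and it assumes PowerShell remoting is enabled on the farm servers.

```powershell
# Added example: verify the SchUseStrongCrypto value from the .reg file
# on every server in the farm. Server names below are placeholders.
$Servers = @('SPAPP01', 'SPWFE01')   # assumption: replace with your farm's servers

$check = {
    # Both the 64-bit and 32-bit (Wow6432Node) .NET Framework keys must carry the value.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        # A missing key or value yields $null instead of an error.
        $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Server             = $env:COMPUTERNAME
            Key                = $key
            SchUseStrongCrypto = if ($null -eq $value) { 'not set' } else { $value }
            Compliant          = ($value -eq 1)
        }
    }
}

# Assumption: the account running this has remoting rights on each server.
$results = Invoke-Command -ComputerName $Servers -ScriptBlock $check

$results | Sort-Object Server, Key |
    Format-Table Server, Key, SchUseStrongCrypto, Compliant -AutoSize

# Report any server/key pair where the value is missing or not 1.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} registry key(s) still need SchUseStrongCrypto=1" -f $failed.Count)
    exit 1
}
```

A compliant result only shows that the registry value is present; the SharePoint Timer Service and IIS still have to be restarted on each server for the setting to take effect.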
Security Settings