Workflow Security in GP 2016 R2

  • 1.  Workflow Security in GP 2016 R2

    GPUG ALL STAR
    Posted 2 days ago
    Dear Collaborators,

    We implemented a PO Approval workflow in GP 2016 R2 a while ago and it's been working adequately. The PO trickles down through the workflow until the proper approver is encountered (based on the Buyer and the amount) and an email is dispatched. The approver clicks "Approve" on the email, then clicks "Submit" on the web form, and Bob's your uncle, Fanny's your aunt.

    Yesterday, however, the owner of the company did not click the "Approve" link on his email. He simply forwarded the approval email to our Office Manager with the word, "Approved" in the body of the forwarded email. He didn't click "Approve" because the body of the email made it look like he needed to go into GP to examine the details of the PO. Each of these emails contains a grid with the line items from the PO for the Approver to look at; but he thought that he actually had to go into GP. Hence the one-word email.

    The Office Manager forwarded the forwarded email to me, asking if I could approve it. Normally, our CFO is the one who handles escalated POs, but he's on vacation in the Galápagos Islands, I think.

    So I looked at the PO in GP (I'm the Admin) and saw the banner indicating that the Owner still had the PO ball in his court. There wasn't any way for me to approve the PO that way.

    I went back to the email from the Office Manager. Since it was a forward of a forwarded email, I could see the "Approve" and "Reject" links. So I just clicked on "Approve". Up came the web form and I clicked "Submit". GP now showed that the PO had been Approved.

    My limit for approving POs is $1,000. This PO was for a year's worth of raw material. The total? $2.2 million.

    I had to go lie down for a while after that.

    My question: how was I even allowed to do that? Are those approval emails constructed with a pre-qualified link or something? I imagine that the Office Manager could have approved that PO as well.

    Isn't this, like, a big hole in workflow security?

    Sincerely,

    ------------------------------
    "Sparkly" Steve Erbach - Green Bay, WI
    Co-Chair, GPUG WI (Green Bay) Chapter
    Blog: https://www.gpug.com/blogs/steve-erbach
    Twitter: twitter.com/serbach

    ───────────────
    Excel Webinar List as of June 10, 2020
    ------------------------------


  • 2.  RE: Workflow Security in GP 2016 R2

    TOP CONTRIBUTOR
    Posted yesterday
    Mr. Steven, You are poking around in this stuff too much. Consider that when the CEO forwarded the email that he was "delegating" approval to the person he forwarded it to.
    Call it a feature! Take a look at the hyperlink in the forwarded email if you still have it. Does not matter who clicks it as the connection credentials are in the hyperlink.

    ------------------------------
    Thaddeus Suter
    Retus, Inc
    HELOTES TX
    ------------------------------



  • 3.  RE: Workflow Security in GP 2016 R2

    GPUG ALL STAR
    Posted yesterday
    @Thaddeus Suter,

    That was the theory I came up with, but I couldn't be sure. Since I was logged into my own Office 365 account, I was simply surprised that I encountered no difficulty with the approval... so authentication is likely baked into the web page link.

    Derek Albaugh from Microsoft has laid out a wonderfully detailed "inside baseball" look at the Workflow capability.

    I think all that's required is that we do a bit of training for the company Owner... or maybe make the text of the Approval email more clear. I'd rather that he didn't forward emails like this!

    Sincerely,

    ------------------------------
    "Sparkly" Steve Erbach - Green Bay, WI
    Co-Chair, GPUG WI (Green Bay) Chapter
    Blog: https://www.gpug.com/blogs/steve-erbach
    Twitter: twitter.com/serbach

    ───────────────
    Excel Webinar List as of June 10, 2020
    ------------------------------



  • 4.  RE: Workflow Security in GP 2016 R2

    GOLD CONTRIBUTOR
    Posted yesterday
    Hello Steve,

    In the new Workflow functionality, unlike the prior Workflow on SharePoint or even Requisition Management in Business Portal, there isn't any 'approval limit' that we can assign to approvers that would limit them from being able to approve a PO worth $1000 versus approving a PO worth $2.2 million, using your example.

    The new Workflow only looks at the workflow steps setup for the active, in this example, PO Approval workflow type and what approval conditions are configured for each step along with the specified approver.

    As for your being able to approve the PO workflow, we'd have to take a look at how the PO Approval workflow is configured for this customer to best explain why something is happening, but one thing I would mention is that, if the Windows account you were logged onto the machine as, is setup as a workflow manager for the PO Approval workflow type, you would have permissions to approve/final approve and reject the PO workflow in place of any approver, so I would verify that, as it could explain why you were able to approve the workflow when you didn't think you should be able to.

    If approvers are taking action on workflows through email, such as Approve or Reject, it's simply linking to a Web Services native endpoint URL, i.e. http://servername:port#/Dynamics/GPService/........... and bringing up a browser window similar to what is seen within the Dynamics GP application when approving or rejecting a workflow, where there is document number at the top of the page and then a comment field, then the Approve or Reject button, depending on which link was used.

    Even taking action through email notifications sent to approvers, you still must be logged on as the Windows account that is specified as the approver that the workflow is pending from, otherwise you won't be able to successfully take action on the workflow, whether in Dynamics GP or via the email notifications.

    Let us know if you have any questions, or if you would like an engineer to take a look at the PO Approval workflow more closely, I would recommend a support case, so we can see what is happening, that you don't feel should, and explain why it is.

    As far as I'm aware as of now, we haven't seen any documented issues where any user can take action on a workflow even though they shouldn't be able to, i.e. specified as an approver for that workflow or setup as a workflow manager for that workflow type.

    Thank you,



    ------------------------------
    Derek Albaugh
    Sr. Support Engineer
    Microsoft
    Moorhead MN
    ------------------------------
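The rule described in the post above (an action succeeds for the assigned approver or for a workflow manager of that workflow type, with no amount limit) suggests a periodic review of who actually completed each approval. The following is an added example, not part of the original thread and not Microsoft's code; the record fields, account names, PO numbers and manager list are constructed assumptions, not a Dynamics GP schema.

```python
from dataclasses import dataclass

# Constructed sample data: account names, PO numbers and the manager list are
# illustrative assumptions, not values exported from Dynamics GP.
WORKFLOW_MANAGERS = {"PO Approval": {"corp\\gpadmin", "corp\\cfo"}}

@dataclass(frozen=True)
class WorkflowAction:
    workflow_type: str
    document: str
    amount: float
    pending_from: str  # Windows account the step was assigned to
    acted_by: str      # Windows account that completed the action
    outcome: str       # "Approve" or "Reject"

def classify(action, managers=WORKFLOW_MANAGERS):
    """Apply the rule from the thread: assigned approver, else workflow manager."""
    actor = action.acted_by.lower()
    if actor == action.pending_from.lower():
        return "approver"
    if actor in {m.lower() for m in managers.get(action.workflow_type, ())}:
        return "manager-override"
    return "unexpected"  # neither role: should not have succeeded, investigate

def review_queue(actions, managers=WORKFLOW_MANAGERS):
    """Return (document, amount, acted_by, kind) for every action not taken by
    the assigned approver, largest amount first. Manager overrides carry no
    amount ceiling, so the sort puts the costliest ones at the top."""
    flagged = [(a.document, a.amount, a.acted_by, classify(a, managers))
               for a in actions if classify(a, managers) != "approver"]
    return sorted(flagged, key=lambda row: row[1], reverse=True)

SAMPLE = [
    WorkflowAction("PO Approval", "PO-EXAMPLE-1", 850.00, "CORP\\buyer1", "CORP\\buyer1", "Approve"),
    WorkflowAction("PO Approval", "PO-EXAMPLE-2", 2_200_000.00, "CORP\\owner", "CORP\\gpadmin", "Approve"),
    WorkflowAction("PO Approval", "PO-EXAMPLE-3", 12_500.00, "CORP\\owner", "CORP\\officemgr", "Approve"),
]

if __name__ == "__main__":
    for row in review_queue(SAMPLE):
        print(row)
```

Feeding it real workflow history requires mapping your own export to these assumed fields; the manager list should mirror what is configured for each workflow type.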



  • 5.  RE: Workflow Security in GP 2016 R2

    GPUG ALL STAR
    Posted yesterday
    @Derek Albaugh,

    >> if the Windows account you were logged onto the machine as, is setup as a workflow manager for the PO Approval workflow type, you would have permissions to approve/final approve and reject the PO workflow in place of any approver <<

    Outstanding! Thank you for the "inside baseball" look at Workflow approvals. I believe that that explains what happened.

    I will just have some stern words with the company Owner about not forwarding approval emails! (That should go over well, don't you think?)

    Sincerely,

    ------------------------------
    "Sparkly" Steve Erbach - Green Bay, WI
    Co-Chair, GPUG WI (Green Bay) Chapter
    Blog: https://www.gpug.com/blogs/steve-erbach
    Twitter: twitter.com/serbach

    ───────────────
    Excel Webinar List as of June 10, 2020
    ------------------------------



  • 6.  RE: Workflow Security in GP 2016 R2

    GOLD CONTRIBUTOR
    Posted yesterday
    We see that a lot actually, with users being Workflow Managers as well, thus have permissions to not only take action on any workflows assigned to any approver, which is its reason for being, as there's times when approvers are on vacation and forget to setup delegation or a person leaves/removed from a company and workflows are still assigned to that user's account, which may have been deleted out of Active Directory already.

    Glad the information helped. Have a great day.

    ------------------------------
    Derek Albaugh
    Sr. Support Engineer
    Microsoft
    Moorhead MN
    ------------------------------



  • 7.  RE: Workflow Security in GP 2016 R2

    Posted yesterday
    Hello Steve,

    When you set up your workflows, you have a category of users called Managers.  Managers can approve items when the actual approvers are unavailable.  That is my understanding of how it works, and that has always worked for me as the administrator and a manager of our workflows.  The key to control is to select your managers carefully.

    Regards,
    Carl Hardin

    ------------------------------
    Carl Hardin
    Financial Systems Administrator
    Detroit Wayne Mental Health Authority
    Detroit MI
    ------------------------------



  • 8.  RE: Workflow Security in GP 2016 R2

    GPUG ALL STAR
    Posted yesterday
    @Carl Hardin,

    Yes, and I'm one of the Managers. I guess I freaked out for no reason!

    >> The key to control is to select your managers carefully. <<

    No foxes in the henhouse, right?

    Regards,

    ------------------------------
    "Sparkly" Steve Erbach - Green Bay, WI
    Co-Chair, GPUG WI (Green Bay) Chapter
    Blog: https://www.gpug.com/blogs/steve-erbach
    Twitter: twitter.com/serbach

    ───────────────
    Excel Webinar List as of June 10, 2020
    ------------------------------


