I have addressed this question several times in the past couple of weeks on the MSDN forums, so I thought it would be good to get a post started that I could refer people to. In this post I just want to provide a quick summary of what an impersonation workflow does for you. Let’s get started by reviewing some of the basics.
Workflows can be started 3 different ways –
- When a New Item is Created
- When an Item is Modified
When the workflow starts it will run under the identity of the user who kicked off the workflow. Why is this important? Because this means that the workflow is limited to only the actions that the current user can complete. Below are some scenarios where this might cause some issues for you:
- You have a collection of documents that are active; once a certain stage is reached they need to be moved to a library where they can only be read. This means that in order to run the workflow, the user must have permission to write to that library, which defeats the purpose of a read-only archive.
- You have content that needs to be submitted by employees, but only read and acted on by managers. In order to put the content in the location restricted to managers the user running the workflow must be able to access that area.
In SharePoint 2007, this limitation greatly reduced the effectiveness of workflows that you could build out of the box using SharePoint Designer. In SharePoint 2010, they provided a way for us to easily work through these scenarios. This new feature is called an Impersonation Step. Whenever you use one of these steps within a workflow, the actions inside that step will run under the context of the user who authored the workflow.
Whenever you first create a workflow in SPD, a Step is generated for you:
Notice however, that in the ribbon there is an option to create an Impersonation Step. If you place your cursor below the current step the option will become available and you can insert the step into your workflow:
Now, take a look at the various actions available for use within each of the steps. You should notice that the impersonation step has some additional commands that aren’t available within the Step. These are mostly focused around setting and removing permissions.
- Impersonation Step:
As you can see there are some additional actions available, but also remember that you can use this step to help complete your custom scenarios. So for instance in our scenarios above you could have an employee kick off a workflow that moves content to another list in the site where they don’t have access. As long as the author of the workflow has access and the workflow action is within an impersonation step, then the workflow will run without errors.
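The archive scenario above as a small model, added here as an illustration; it is not SharePoint or SharePoint Designer code. The names `Library`, `Step`, `Workflow`, `employee` and `wf_author` are assumptions made up for the example, and the sample data is constructed.

```python
# Toy model (not SharePoint code): which identity each workflow step runs as.
from dataclasses import dataclass, field

@dataclass
class Library:
    name: str
    writers: set                      # users allowed to add items
    items: list = field(default_factory=list)

    def add(self, item, acting_user):
        if acting_user not in self.writers:
            raise PermissionError(f"{acting_user} cannot write to {self.name}")
        self.items.append(item)

@dataclass
class Step:
    action: callable                  # called as action(acting_user)
    impersonate: bool = False         # True models an Impersonation Step

@dataclass
class Workflow:
    author: str
    steps: list

    def run(self, initiator):
        """Run each step and return the identity used for each one."""
        used = []
        for step in self.steps:
            acting = self.author if step.impersonate else initiator
            step.action(acting)
            used.append(acting)
        return used

def archive_demo(impersonate):
    # Constructed sample data: the employee can write to Active only.
    active = Library("Active", {"employee", "wf_author"}, ["report.docx"])
    archive = Library("Archive", {"wf_author"})

    def move(acting_user):
        archive.add(active.items[0], acting_user)   # raises before anything is removed
        active.items.pop(0)

    wf = Workflow(author="wf_author", steps=[Step(move, impersonate)])
    try:
        used = wf.run(initiator="employee")
    except PermissionError as err:
        return {"ok": False, "error": str(err), "archive": archive.items}
    # The employee still has no direct write access to the archive.
    return {"ok": True, "ran_as": used, "archive": archive.items,
            "direct_write": "employee" in archive.writers}
```

With `impersonate=False` the move fails on the initiator's permissions; with `impersonate=True` it succeeds as the author, so it is the author's access that bounds what any initiator can cause the step to do.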
Hope this helps explain how the impersonation step can be used within your workflows. If you have any questions, post them to the comments!