SharePoint Admin Connection - Security Loophole in Nintex Workflow Cloud
I have a scenario to be accomplished using NWC workflows as below.
1. Steve – site collection admin in Site 1
2. Bob - site collection admin in Site 2
3. Steve would like to create a workflow in Site 1 which should use SharePoint Admin connection
4. Bob would like to create a workflow in Site 2 which should use SharePoint Admin connection
5. Steve and Bob should not be able to accidentally delete or modify items from each other's site.
How can the above scenario be handled using NWC? One SP Admin connection or two SP Admin connections?
The connection, when created, requires an Azure Global Administrator to set up the connection. This means, as far as I understand, the connection will be running under the Azure Global Admin's credentials, which is a HUGE risk, especially when you want to provide this connection to an end user: an opportunity to accidentally delete or change another site, or to intentionally access data which they shouldn't be able to...
I am looking for a safe and contained solution here, please.
PS: This was raised with Nintex support with ticket #00448886, and it was mentioned that this functionality is by design; I am raising it here based on their suggestion.
Sep 7, 2022
The global administrator request in this case is called consent (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow), this provides permission to use the app that allows NWC to connect with SharePoint and not the permissions used by the connection to perform the operation.
The connection uses the permission of the user who created that connection and they will not have any access they did not have in SharePoint. So in your case you would need to have 2 connections with the required access level (https://help.nintex.com/en-US/nwc/Content/Designer/Connectors/SharePointOnlineConnector.htm). These could be created by the end user using their permissions or potentially using service accounts if you would prefer.
I would also recommend restricting access to use the connection in workflows to stop unauthorised users using that connection (https://help.nintex.com/en-US/nwc/Content/Dashboard/Connections.htm).
Please let us know if you have any further questions,