Skip to Main Content
Status Already Exists
Categories Connectors
Created by Guest
Created on Mar 16, 2022

SharePoint Admin Connection - Security Loophole in Nintex Workflow Cloud

Hello,

I have a scenario to be accomplished using NWC workflows as below.

1. Steve – site collection admin in Site 1
2. Bob - site collection admin in Site 2
3. Steve would like to create a workflow in Site 1 which should use SharePoint Admin connection
4. Bob would like to create a workflow in Site 2 which should use SharePoint Admin connection
5. Steve and Bob should not be able to accidentally delete or modify items from each others site.

How can the above scenario handled using NWC? One SP Admin connection or Two SP Admin connections?

The connection, when created requires a Azure Global Administrator to setup the connection - This means as far as I understand the connection will be running under Azure Global Admins credentials.. which is a HUGE risk, especially when you want to provide this connection to an end user - Opportunity to accidentally deleting or changing other site. Or intentionally accessing data which they shouldn't be able to...

I am looking for a safe and contained solution here, please.

PS: This was raised with Nintex support with ticket #00448886 and was mentioned, this functionality is by design and raising it here based on their suggestion.
  • ADMIN RESPONSE
    Sep 7, 2022
    The global administrator request in this case is called consent(https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow), ( https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow ) this provides permission to use the app that allows NWC to connect with SharePoint and not the permissions used by the connection to perform the operation.

    The connection uses the permission of the user who created that connection and they will not have any access they did not have in SharePoint. So in your case you would need to have 2 connections with the required access level(https://help.nintex.com/en-US/nwc/Content/Designer/Connectors/SharePointOnlineConnector.htm). ( https://help.nintex.com/en-US/nwc/Content/Designer/Connectors/SharePointOnlineConnector.htm ) These could be created by the end user using their permissions or potentially using service accounts if you would prefer.

    I would also recommend restricting access to use the connection in workflows to stop unauthorised users using that connection(https://help.nintex.com/en-US/nwc/Content/Dashboard/Connections.htm). ( https://help.nintex.com/en-US/nwc/Content/Dashboard/Connections.htm )

    Please let us know if you have any further questions,

    Cheers,

    Leigh
  • Attach files
  • Guest
    Reply
    |
    Sep 7, 2022
    Hi Leigh,

    Thanks for your comments. Its quite helpful. My humble opinion is: When we try to create the connection for the first time - It should let users know that there will be a one time Azure Global Admin Consent required and following users wouldn't need to get this consent.

    Thanks,
    Santhosh