Security and Workflows in Dynamics 365

Isaac Stephens, 09 October 2019

In Dynamics 365 Workflows are assigned to a User, by default this will be the user who made the Workflow. This means that they run under the context of that User; having their security roles and field security profiles. If a System Admin creates a Workflow that uses a field with field security the Workflow will always work for any user. This is because even for a User without the correct field security profile, the Workflow will be running under the context of the System Admin who created it. Below you can see the workflow running correctly when the Owner has the correct roles.

Recently a User who made a workflow had their System Admin role removed, and at first nothing was amiss. However, eventually it was noted that a workflow was no longer working correctly, it would Run but would always come out as ‘False’ for the first condition. The Workflow in question had one If condition checking 3 fields and the record being used during execution had the correct values to result in true, but for some reason it was failing. But why?
The below image shows after the User lost System Admin.

The reason for this not working was made more difficult since Dynamics 365 would not throw errors for this issue, it would simply return false for the first condition even though it should be true. This can be very confusing as even if you are a System Admin or someone with all the required permissions, it will still fail without error. The reason for this, as mentioned earlier, is Workflows will run under the context of the Owner and in this case the Owner did not have the correct privileges.

The solution to this issue is to give the current Owner the required permissions or simply assign the Workflow to another User who has the correct field security profile, as shown below.

But the real lesson from this issue is to be more careful when removing security roles or field security profiles from users. If a Workflow needs to use a field that has field security on it, ensure that when reassigning or changing a Users’ field security that you also ensure any Workflows assigned to them will not be affected. Having a service user or permanent System Admin always be the owner of Workflows can be an easy way to avoid this happening in the first place.