I use the "send to approval" function for new or edited pages in SharePoint online. A user who creates new pages or edit pages has no permission to approve a page. The 3-steps-workflow (draft, assigned, approved) is enabled in sharepoint.
If a user sends a page to approval a flow worklow starts. After start a approval there is a condition. If the result is "approve" the next step "set content approve status" fails. There comes an error message: "access denied". But the same step of "set content approve status" that sets the status to "submit" works well.
I dont want to give every user the permission to approve - then the workflow will work. Because I dont want that every user can see pages in draft status.
Is there a solution?
The content approval settings are holdovers form the days of SharePoint publishing, but if you are approving pages then they should still be used. Unfortunately, to set content approval status does require that the user doing the approving has Approver permissions. There is no way to get around that. That's why you get access denied when setting it to Approve and don't when setting it to Submit. To Submit a page doesn't require approver permission. To approve it does. If you want to hide draft pages then you'll have to either restrict your group of approvers or live with everyone seeing the drafts. That's just he way its designed to work.
But the person who receives the email with the approval has approval permission. Only the person who send this page to approval has no approval rights. That is the point I do not understand. It is like Sharepoint requires that the person who only click on "send to approval" must have approval permission too. And I don't think that this is right.
The problem is that the person who sends the approval is the one supplying the context for the change. So they will need approver permissions. As I said, this was designed to be used with the older workflow, which ran as the system account, not Flow which runs as the user who creates the flow or the one who starts the flow manually. That's why the permission model doesn't match.
The normal work around is to use an automated trigger like When a File is created or modified. That way the flow runs using the permissions of the flow maker, so that person is the only one who needs approver permission. It sounds like you are having the person who edits the page start the approval manually. The only other option is to give all the people with edit permission to pages the approver permission as well.
Yes, the person who edits the page runs the flow manually by clicking on the button "send to approval" (see screenshot).
I have tested the trigger "when a file is created or modified" but the problem is here, that the flow runs if the page is saved due automatically save or save by the user as a draft. And it is possible that the user works on several days at this page and the flow should only run if the user want to start it otherwise the page is not completed and the flow runs.
I have given all user approver permission. But the bad thing is that they can see now all pages in draft status. Is there maybe a setting that they only can see there own pages in draft?
There is a setting like that for List Items, but not for Files (Pages).
You could still use the automated trigger, but add a metadata field to the Pages that specifies whether it has been submitted for approval or not. Then filter the trigger for that condition so it only fires when the page has been marked as submitted for approval.
Okay, but does the user have to edit the metadata field manually? Or is this updated automatically if the page is submitted for approval? How can I create such a metadata field?
And the screenshot shows the properties of "when a file is created or modified". Is that the right place to filter the trigger?
Yes, they need to update the content approval column using the Update Content Approval action. And you have identified the right location for adding a trigger filter.
Okay, do you mean with "Update Content Approval" the button I marked in the screenshot below? Could you please help me to create the right trigger filter?
No, I mean the Power Automate Set Content Approval status action built in to the SharePoint connector. Sorry, I didn't remember the exact name of the action.
I don't understand you completely. To solve my problem I have to:
- use a automated flow (if a file is created or modified)
- filter this trigger
- use the action "set content approval status"
I am not able to filter the trigger. I have tested this filter but I doesn't work. If I create a test flow that sends an email after a new file has been created and filter this trigger nothing happens. If I delete the filter, the email is send to me.
And I use in my flow the action "set content approval status". But do I understand you correctly, in my flow it doen't work (or needs the permission of the user who starts the flow) because it is a "iimmediately flow"? With a automated flow it would work?
Sorry, this is getting confused with multiple question answer pairs.
Your original question was whether everyone who runs the flow needs to have the approver action. The answer is that the user who provides the context for the connection in the flow will need that permission if you use the Set Content Approval Status. Which is what you want to do.
Since you are having users start the flow manually they provide the context and will need the permission mentioned above.
If you use an automated trigger then the flow will run in the context of the person who makes the flow and only that person will need the Approver action. The trigger query is only needed if you switch to an automated trigger. Using it will insure that the file is only submitted when the user sets the metadata to submit it, not every time an edit is made. I don't see anything wrong with your query below, but I would need to see your specific flow details to figure out what might be wrong. JSON is always pretty touchy.
So you can solve your problem two ways:
1) Keep the flow as manually kicked off on the selected file and give all user's who can submit a file approver status.
2) Modify the flow to use an automated trigger so it won't run in the context of the user. This will require other changes to insure that the flow doesn't run every time an edit is made and to direct the emails to the right people.
Here are the trigger details:
I think that I have choosen the wrong column. "Inhaltsgenehmigungsstatus" is not correct I think. I tried "ModerationStatus" but it doesn't work too. The problem is that the column is not shown in the library settings.
Do you need more information?
This is actually a massive flaw in the way Approvals work. Once the Submitter sends for approval, there should be two contexts created, One for the originator and a new one for the person who has been asked to approve. Surely this can be done?
As I mentioned earlier it depends on how you design the flow. If the item is submitted for approval manually then it will run in the context of the user who submits it and that person will need the approver authority. If the flow makes some change to the item, like updating metadata, that triggers an automated flow then the flow will run in the context of the original maker and that person will need the approval authority. But there is no way to have two security contexts in a single flow. That would require security impersonation which Power Automate does not support.
I have the same problem too. If we make everyone an approver, then it is also giving them an option to approve the document themselves. It nullifies the whole point of the Approval process. Could you let me know if there is any way a second flow can be triggered from the approval module by the approver so that a new instance is initiated by the approver?