The workflow could not update the item in the external data source. Make sure the user has permissions to access the external data source and update items.

If you have just created an External List and tried to update an item through an SPD workflow action, you may have received the error below in the History List when the workflow action executes:

The workflow could not update the item in the external data source. Make sure the user has permissions to access the external data source and update items.

In your process of narrowing down this issue, you may go straight to the External List and try to create an item directly. To your surprise, the action completes without error. …

There is a very good chance that this error is related to the security configuration and connection properties for the External Content Type. In the example below, the External Content Type interacts with a WCF service. Let’s look into why this error has surfaced and how to go about resolving it.

By default, you will get the following connection properties when creating a link to external content (WCF Service).


If you configure your web service to use integrated authentication (Negotiate/Kerberos) or anonymous access, this should generally be sufficient for interacting with the external list through the interface. However, when you try to write back to the external list through a workflow, you will get the error message above. This is because workflows always run as the service account (generally the IIS application pool account) when accessing content via Business Connectivity Services. As a result, workflows that interact with External Content (via BCS) only support the Secure Store Service or RevertToSelf (not enabled by default due to the security implications), which helps protect the external system. This is by design. For a more detailed explanation, see Using SharePoint workflows with Business Connectivity Services (BCS) by JD Klaka.

The error message above is actually thrown by Business Connectivity Services and not your external content source. If you look at the logs from your external content source (WCF service in my case), you will notice that BCS doesn’t even attempt to connect. If you also look at the logs in the 14 hive, you will see an “Access Denied” error thrown by BCS for the service account the workflow is running as.

The way I solved this error was to configure an application in my Secure Store Service and grant the service account permissions in the External Content Type. To create an application in your Secure Store Service, you will need to have access to Central Administration and the right permissions to manage the Service. Here are the steps I went through to create an application in the Secure Store Service. For more information, refer to MSDN – Configure the Secure Store Service.

1. On the Manage Services page in Central Admin, select the Secure Store Service, then click the “Manage” button on the ribbon.

2. Click “New” on the ribbon to create a new application.

3. Enter an ID for the Application and a Display name. Make sure you choose “Group” for the Target Application Type. Click “Next”.

4. Accept the default and click Next on the following page.

5. Specify an administration account and put the service account that the workflow will run as in the members section. Click OK.
Note: You may wish to create a Security Group in Active Directory that contains all the users that will be allowed access to this external content. This will make administration easier as you can also use this group to grant appropriate roles in the External Content Type’s permissions. If you try to access external content and you’re not in the Members section of the Secure Store Service Application, you will get a “Connection manager did not return valid connection” message.

Now that we have created an application in the Secure Store Service, we will need to configure the connection properties for the External Content Type.

1. Go to SharePoint Designer and connect to your site. Choose the External Content Types Site Object and open your External Content Type. Click “Edit Connection Properties” in the ribbon:

2. In the Endpoint Properties, change the Authentication Mode to be one of the Impersonate options (depending on your requirements). Also choose the appropriate Impersonation Level for your application. Set the Secure Store Application ID to be the ID of the Secure Store Application we created above.

3. In the Metadata Properties, change the Authentication Mode to be one of the Impersonate options (depending on your requirements). Set the Secure Store Application ID to be the ID of the Secure Store Application we created above.

4. Click OK and run your workflow again. The permissions error should have disappeared.

You may also need to ensure the service account that the workflow is running under has permission in the External Content Type. You can view the permissions in SharePoint Designer. However, if you wish to change them, you will have to do this via Central Administration. For more information about setting these permissions, see the Manage External Systems TechNet article.
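
The Secure Store steps and the External Content Type permission described above can also be scripted from the SharePoint Management Shell. The following is an added example, not part of the original post; every name, URL and account in it is a placeholder, and the choice of the Execute right for the workflow account is an assumption to adjust to your requirements.

```powershell
# Added example: run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions), replace with your own.
$siteUrl   = "http://sharepoint.example.local"  # site used for the service context
$appId     = "ExampleBcsTargetApp"              # Secure Store Application ID
$adminAcct = "EXAMPLE\sp_admin"                 # target application administrator
$wfAcct    = "EXAMPLE\sp_apppool"               # account the workflow runs as
$ectName   = "ExampleEntity"                    # External Content Type name
$ectNs     = "http://example.local/ect"         # External Content Type namespace

$ctx = Get-SPServiceContext -Site $siteUrl

# Steps 3-4: a Group target application with the default Windows credential fields.
$userField = New-SPSecureStoreApplicationField -Name "Windows User Name" `
    -Type WindowsUserName -Masked:$false
$passField = New-SPSecureStoreApplicationField -Name "Windows Password" `
    -Type WindowsPassword -Masked:$true
$target = New-SPSecureStoreTargetApplication -Name $appId `
    -FriendlyName $appId -ApplicationType Group

# Step 5: one administrator, and only the workflow account as a member.
# An Active Directory group can be used instead of a single account, as the
# note under step 5 suggests.
$adminClaim = New-SPClaimsPrincipal -Identity $adminAcct -IdentityType WindowsSamAccountName
$wfClaim    = New-SPClaimsPrincipal -Identity $wfAcct -IdentityType WindowsSamAccountName

New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
    -Fields $userField, $passField `
    -Administrator $adminClaim -CredentialsOwnerGroup $wfClaim

# The credentials the target application maps to are set separately and are
# deliberately not hard-coded in this script.

# Grant the workflow account a right on the External Content Type itself.
# Execute is assumed here; SetPermissions and Edit are not granted.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
    -Name $ectName -Namespace $ectNs -ServiceContext $ctx
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect `
    -Principal $wfClaim -Right Execute
```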


One thought on “The workflow could not update the item in the external data source. Make sure the user has permissions to access the external data source and update items.”

  1. nathan says:

    Good post. Thank you.

    I found there was one extra configuration step required to have this working.

    You need to set the permissions for the Systems Account in the Secure Store.
    1. Navigate Central Admin > Application Mgmt > Mng Service Applications
    2. Click on Business Data Connectivity Service
    3. Highlight the ECT type set and on the drop-down arrow choose “Set Permissions”
    4. Add the SharePoint/System Account and then assign it permissions to write to the external content database.
