Thursday, January 21, 2010

ProjectServer 2010 Workflow - Accessing PSI web services as Proxy User

Project Server workflows need to run under the context of a user. However, they do not run under the context of the user who started the project; instead, they run under the Workflow Proxy Account. This means that the user account you specify as the workflow proxy account must have the proper rights to execute all of the commands a Project Server workflow needs to run. All workflow activities should run under the workflow proxy account. By default, all PSI calls from built-in activities run under this proxy account. However, it is possible to perform PSI calls from custom workflow activities under the Application Pool account.

How to Set Up the Workflow Proxy Account

It is recommended that you set up a dedicated service user for this purpose. The steps below show how to define and set up a workflow proxy account.

  1. Within Project Web Access, go to Server Settings
  2. Under “Workflow and Project Detail Pages”, click on “Project Workflow Settings”
  3. Workflow Proxy User: type in the user name of the account you wish to have all workflows run under.
  4. The minimum rights needed for the account to execute PSI-calls (regarding Project Server security) are:
    • Global permissions:
      • Log On
      • Manage Users And Groups
      • Manage Workflow
    • Category permissions:
      • Open Project
      • Save Project
      • View Enterprise Resource Data
      • Edit Project Properties

Note 1: By default, all Project Server Interface (PSI) calls within a workflow will be made under the context of the Workflow Proxy User Account. For these PSI calls to be successful, the Workflow Proxy User Account should have appropriate permissions in Project Server (built-in workflow activities are meant here).

Note 2: Exercise caution when changing this account. All workflows that are started after the Workflow Proxy User Account change will use the new account. All workflows already in progress will continue to use the original Workflow Proxy User Account, and if the original Workflow Proxy User Account is deleted or does not have sufficient permissions, the PSI calls made from the workflows will fail. So, it is highly recommended not to change the Workflow Proxy User Account.

Note 3: If the Workflow Proxy User Account needs to be changed and the original Workflow Proxy User Account needs to be removed, you may need to restart all the currently running workflows after the change.

How to Use the Workflow Proxy Account

A sample of how to use the proxy user is below:

1. First, we have to create a custom workflow service that extends the workflow service base class.

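using System;
using System.Workflow.Activities;   // ExternalDataExchangeAttribute

// Service contract that workflow activities call.
[ExternalDataExchange]
interface IProxyLookupTableService
{
    void UpdateLookupTableValue(LogService logService,
                                ProjectWorkflowContext projectWorkflowContext,
                                Guid lookupTableUid,
                                PSLookupTableValueInfo lookupTableValue,
                                bool isCreate);
}

// Derives from PSWorkflowServiceBase so that the PSI calls go through the proxy user.
public class ProxyLookupTableService : PSWorkflowServiceBase, IProxyLookupTableService
{
    // The signature must match the interface, including the isCreate flag.
    public void UpdateLookupTableValue(LogService logService,
                                       ProjectWorkflowContext projectWorkflowContext,
                                       Guid lookupTableUid,
                                       PSLookupTableValueInfo lookupTableValue,
                                       bool isCreate)
    {
        // Obtain the LookupTable PSI proxy for this workflow's context.
        LookupTable _pwaLookupTable = GetPSI(projectWorkflowContext).LookupTableWebService;
        using (LookupTableDataSet dsLookupTables = _pwaLookupTable.ReadLookupTablesByUids(
            new Guid[] { lookupTableUid }, false, 0))
        {
            // ……
        }
        // ……
    }
}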

2. We have to register our ProxyLookupTableService in web.config.

<configuration>
  <SharePoint>
    <WorkflowServices>
      <WorkflowService 
        Assembly="Programs, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4b0916729dd423c6"
        Class="Programs.Services.ProxyLookupTableService" />
    </WorkflowServices>
  </SharePoint>
</configuration>

3. And now we can use our custom workflow service (ProxyLookupTableService) in any workflow events or activities.

protected override ActivityExecutionStatus Execute(ActivityExecutionContext executionContext)
{
    IProxyLookupTableService ltService = executionContext
        .GetService<IProxyLookupTableService>();

    ltService.UpdateLookupTableValue(…);
    return base.Execute(executionContext);
}

Note 1: Be sure to use your proxy service from inside the overridden Execute method. You are not allowed to store it as a field of the custom activity class, so all PSI calls should be performed from the place where you obtain your proxy service.

Note 2: You do not need to add Web References to PSI web services. You can instantiate them with GetService() method of base PSWorkflowServiceBase class.

How to Set Up the Application Pool Account

Any PSI-call which is made from the custom workflow activity (or code activity) runs under the account of the Application Pool which holds the web application with PSI web services. By default this account is Network Service. The minimum rights needed for the account are mentioned above, so you should grant appropriate permissions to this account. Here are the steps you should go through:

  1. Find out which account should receive the appropriate rights in Project Server. To do this, check IIS Manager -> Sites -> SharePoint Web Services -> the application that contains the PSI folder -> Manage Application context menu -> Advanced Settings -> Application Pool; then go to the Application Pools list and find the Identity of that pool. This is the account that should receive the permissions.
  2. Go to http://server_name/pwa_name/Admin/ManageUsers.aspx to create a Project Server user for the account that the SharePoint Web Services/PSI web services run as, and add the appropriate permissions for this user (the easiest way is to add this account to the Administrators group, although that grants more than the minimum rights listed above).
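
Step 1 can also be read from PowerShell instead of clicking through IIS Manager. The script below is an added example, not part of the original post; it assumes PowerShell 3.0 or later with the WebAdministration module, the site name from step 1, and that the PSI application is the one whose physical path contains a PSI folder.

```powershell
# Added example: report the identity behind the application pool that hosts PSI.
# Assumptions: WebAdministration module is installed; the site name matches step 1;
# the PSI application is the one whose physical path contains a 'PSI' folder.
Import-Module WebAdministration

$siteName = 'SharePoint Web Services'
# Built-in identity types: shared machine accounts rather than a dedicated service user
$builtIn  = 'LocalSystem', 'LocalService', 'NetworkService', 'ApplicationPoolIdentity'

Get-WebApplication -Site $siteName | ForEach-Object {
    # Physical paths may be stored with environment variables such as %SystemDrive%
    $root = [Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
    if (-not (Test-Path -LiteralPath (Join-Path $root 'PSI'))) { return }  # not the PSI app

    $poolName = $_.applicationPool
    $model    = Get-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel
    $type     = [string]$model.identityType

    # A SpecificUser pool keeps the account in userName; otherwise the type names the identity
    $identity = $type
    if ($type -eq 'SpecificUser') { $identity = $model.userName }

    [pscustomobject]@{
        Application = $_.path
        AppPool     = $poolName
        Identity    = $identity
        BuiltIn     = $builtIn -contains $type
    }
} | Format-Table -AutoSize
```

The Identity column is the account to create as a Project Server user in step 2; BuiltIn is True when the pool runs as a shared built-in account such as Network Service.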

17 comments:

  1. How to send credentials to PSI using a web-based application (without impersonation)

  2. Yash,

    this topic is about using PSI from PS workflows. Anyway, if you call PSI from another web application based on Windows authentication, the call will be run as the current user.

  3. You can use PJContext for capturing the logged user info.

  4. Hi,

    Please can you tell me which PSI calls/methods can I use to update project stage?
    I am working on a custom state machine workflow and need to bind the custom stages to PS Stages and also to update appropriate PS Stage whenever I move to a custom stage.

    Thanks,
    A.

  5. Not sure what you mean here. Maybe you should take a look at the Workflow .asmx\.svc service, methods ReadWorkflowStage and UpdateWorkflowStage.

  6. Is there a way to Skip To Stage using PSI?

    Thanks,

    V.

  7. You should look into the QueueUpdateProjectWorkflows method of the Workflow PSI service.

  8. Where should I get an instance of ProjectWorkflowContext in a workflow from? I have searched for it in workflowProperties but haven't found it.

  9. How to retrieve projects in Project Center inside SharePoint 2010, what can I do to do so???

    Replies
    1. Not sure I understand your question. Could you please clarify?

  10. I used to have account1 as a Workflow Proxy Account and I have around 400 Project instances with 3 different EPTs on my server. I changed it to account2; both accounts have all the Global Permissions and Category Permissions checked.

    Now whenever the WF of any instance moves a step forward, I get Queue Errors:
    WorkflowCannotChangeWorkflow, ReadProjectEntities: GeneralSecurityAccessDenied.

    When I go to Settings -> Enterprise Project Types I find my 3 EPTs
    When I go to Settings -> Change or Restart Workflows I find a fourth EPT called "None" that contains all the projects that were affected by WorkflowCannotChangeWorkflow error!!

    Any help?

  11. Thank you very much. I could not create any project based on a template related to any workflow: Sample Proposal, Schedule Web Analytics Alerts and Schedule Web Analytics Reports. When I enter the account of the App Pool as admin and reconfigure the account of the Workflow Proxy User as admin, everything is working now.
