Editing out of the box approval workflow to allow single user in parallel to approve item in SharePoint 2010

I was recently asked if the out of the box approval process for SharePoint 2010 allowed for individuals to approve documents when an item was sent for approval to a group of people individually, a group which they wanted the flexibility to change each time without relying on the server team to keep adding users to an AD group.

At this point it is worth noting you can achieve what I am about to describe a lot more easily if you have all users in one AD group and do not assign a single task to each user. In my case this was not achievable as the client wanted flexibility to add and remove suggested approvers ad hoc (assuming they have the approval rights!).

So something always to consider when setting up approval process (or any workflows for that matter) is planning for the ‘what if’s’ and what I mean by that is if you have a rigid approval process where one person is the designated approver – what happens when they go on holiday (or leave)? So my point here is if you leave a little flexibility in your workflow it will give you the room to achieve the end result without lots of pain or reverting to non SharePoint methods of achieving your goal.

So back to the point of my post: to my surprise I couldn't find a way to achieve parallel 1 user approval (when multiple people are selected to approve) using the SharePoint 2010 Approval workflow.

SharePoint Designer to the rescue, and before you panic there's no code just some tweaks required.

Firstly what you need to do is open SharePoint Designer 2010 (if you don't have this you can download this for free from http://sharepoint.microsoft.com/en-us/product/related-technologies/pages/sharepoint-designer.aspx). Once opened navigate to the site you want to apply the workflow to and simply click on workflows on the left hand side as shown below.

image

Right click on the ‘Approval – SharePoint 2010’ workflow and select copy and modify. Rename the new workflow to something suitable, which in my case I called ‘Parallel 1 User Approval Workflow’.

image

Leave content type as all and click ok. Click save from the menu and you will now see your workflow appear in the left hand column (under reusable workflow).

image

Click on the newly created workflow from the menu.

image

Click ‘Edit workflow’. You will be presented with Step 1 as shown below:

image

Click on ‘Approval Workflow Task (en-US) Copy’

image

I renamed the Task above to ‘Parallel Approval Workflow Task’. I appreciate the menus all look a bit the same but do bear with me. So the next step is to click on ‘Change the completion conditions for this task process’.

Now the next screen may look a little intimidating but it’s fairly simple to change!

image

The next step here is to remove a couple of lines and edit one of the conditions. Simply remove the first 2 conditions from the process by hovering over the drop down and selecting ‘Delete Condition’ as shown below.

image

Once you have removed the first two conditions you should have a process like below:

image

Notice that there is an ‘Insert a condition’ at the top. What we need to do here is recreate the condition of the first If statement with a slight change. Before we do this we need to arrange the outcome conditions by moving them up and down until they are at the same level as shown below:

image

Click on ‘Insert a condition’, then from the menu on the ribbon select the condition drop down and, this is the important part, select ‘If task outcome equals value’ as shown below.

image

Next click on the field tab and select ‘Number of Approved’ and in the field value enter 1. So the statement should read:

If Tasks Process Results:Number of Approved equals 1.

image

So what I have basically changed is how many approvers it takes to meet the condition before setting the document to approved by basically setting the count to 1. Therefore as soon as one approver has approved the document this condition passes and the document gets approved! The great thing here is that all other tasks assigned to other approvers automatically cancel.

Once you have edited your workflow click save and don't forget to publish! If like me you’re running this off a VM on your laptop this may take some time! If it fails on the first attempt try again.

You will be prompted with an error shown below regarding creating visuals just click ok.

image

Once you’ve published the workflow back in the browser from the list you want to apply approval, create a new workflow noticing the new workflow appears in the selection list.

image 

Make sure at this stage that content approval is set to on for the list you are about to apply this workflow to. Select the new workflow saved in SharePoint Designer, select the options as shown above giving your workflow a name and click next.

The main point of this exercise is to create a parallel approval workflow so make sure this option is selected from the drop down and also add at least 2 people for the purpose of proving it works correctly.

On the second page make sure when creating the workflow on the list to check the box ‘Update the approval status….’ as shown below:

image

Next step is to apply the workflow to an item that is in a draft state. Click workflows from the list and select ‘Single Approver Parallel Workflow’.

image 

Click start leaving the defaults.

image

So now back on the list (in my case a pages library) notice the workflow showing ‘In Progress’

image

Click on the ‘In Progress’ link and this will show you tasks assigned to Paul and John.

 image

The quickest way to approve the item for test is to approve the document on behalf of the user for the purposes of this test. Click on one of the tasks assigned to the user and click approve. A popup should appear to allow you to approve the item, click ‘Approve’.

image

Once one of the users has approved the item you should see the workflow progress page as completed (you may need to refresh the page) and the task cancelled next to the approver who didn't get a chance to approve the document - see below.

image

And that's it: you’ve now got a parallel approval workflow where only one of the members needs to approve.

As you may know if you’ve reached my blog post there is little documentation on how the workflow works under the hood so I hope you’ve found my post useful.

SharePoint 2010 User Profile Service fails to start

So after many an hour of playing with this I wanted to share how I managed to resolve the issue of starting the User Profile service.

Couple of things to make you aware of early on:

  • This is not a conclusive guide on how to setup user profile service application
  • I used the SharePoint Farm account to start the service (other accounts fail)
  • The User Profile Service Application was run under an application pool account under a separate AD account
  • SQL on the same server
  • Windows 2008 R2 with hot fix for WCF (KB976462)
  • I ran the wizard to install SharePoint 2010 (creating the user profile service application for me)

So following a series of excellent posts from Spencer Harbar on setting up and providing the correct permissions for the user profile implementation to succeed, I hit an error where I couldn't start the user profile service; well, I could, but it wouldn't stay in a state of ‘started’ for long. Trawling the event viewer application logs, 2 noticeable errors were showing each time I attempted to start the service. These were:

Event ID 6306 - FIMSynchronizationService

The server encountered an unexpected error while performing an operation for the client.
"BAIL: MMS(7132): mastate.cpp(3117): 0x80230622 (A management agent with this name already exists.): MA directory cannot be created because it is already in use by an existing MA: C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\MaData\ILMMA
BAIL: MMS(7132): mastate.cpp(1637): 0x80230622 (A management agent with this name already exists.)
BAIL: MMS(7132): server.cpp(964): 0x80230622 (A management agent with this name already exists.)
Forefront Identity Manager 4.0.2450.5"

and

Event ID 3 – Forefront Identity Manager

Microsoft.ResourceManagement.ResourceManagementException: Exception from HRESULT: 0x80230622 ---> System.Runtime.InteropServices.COMException (0x80230622): Exception from HRESULT: 0x80230622
   at MIISRCW.IMMSServer.CreateMA(String pszMADataXML, String& ppszUpdatedXML)
   at Microsoft.ResourceManagement.SyncConfig.CreateMA(String maData, String& returnString)
   at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)
   --- End of inner exception stack trace ---

After hours of changing security permissions and adding users to different groups to try and resolve this I finally made a breakthrough!

To resolve this issue what I did was delete the User Profile Service Application from the Service Application page and recreate it. IMPORTANT: recreating the user profile service application with exactly the same name will result in these errors reappearing, so I advise that when recreating you give the service application a different name.

Reading between the lines it looks as if somewhere in the configuration it thinks that the user profile service application is already started and therefore fails when attempting to start it with exactly the same name.

I really hope this helps you out as this one was really frustrating for me!

Related articles worth reading

http://technet.microsoft.com/en-us/library/ee721049.aspx

http://www.harbar.net/articles/sp2010ups.aspx

System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated – Trying to access Configure Service Account in SharePoint 2010

***UPDATE 29/06/2011 ***
I’ve just noticed that Microsoft have resolved this issue in Service Pack 1; see item 284 in the following spreadsheet provided by Microsoft: Download the Microsoft SharePoint 2010 and Office servers Service Pack 1 Changes.xlsx.

*** ORIGINAL POST ***
Following on from a previous blog where I was testing the access a sandboxed service account needed to run the service I created a test account to figure this out. Following on from this I wanted to tidy up my install and delete any unused accounts.
From AD I deleted the account from the service accounts OU. Now afterwards this is easy to realise but what I should have done is delete the service account from the Configure Managed Accounts section first but I didn’t on the assumption I could do this afterwards (In honesty I forgot!).
So a couple of hours passed without me thinking about this, then I tried to access Configure Service Accounts in central admin but was prompted with a nice error as shown below.
image
I spent about 1/2 day trying to figure out what was causing this, asking myself what had been changed since this error appeared. It's also worth noting that the error didn't start appearing straight away, which leads me to think it's a timer job that triggered the change. On a side note I also noticed that the Forefront Identity Manager Service and the Forefront Identity Manager Synchronization Service had both stopped.
I couldn’t find anything of any significance on the web regarding the error ‘Some or all identity references could not be translated’ most of the entries out there referred to either password changing or starting again.
Checking the logs (default location C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS) I noticed 2 lines related to my Correlation ID error.
06/11/2010 10:33:45.80     w3wp.exe (0x1434)                           0x01D4    SharePoint Foundation             Runtime                           tkau    Unexpected    System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.    at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)     at System.Security.Principal.NTAccount.Translate(Type targetType)     at Microsoft.SharePoint.Utilities.SPUserUtility.AccountNameToSid(String accName)     at Microsoft.SharePoint.Utilities.SPUserUtility.IsLocalAccount(String loginName)     at Microsoft.SharePoint.ApplicationPages.FarmCredentialManagementPage.HandleLocalAccounts()     at Microsoft.SharePoint.ApplicationPages.FarmCredentialManagementPage.OnLoad(EventArgs e)     at System.Web.UI.Control.LoadRecursive()     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPo...    1e9a974d-66a0-42ca-b2ac-28b864d42f0a
06/11/2010 10:33:45.80*    w3wp.exe (0x1434)                           0x01D4    SharePoint Foundation             Runtime                           tkau    Unexpected    ...int, Boolean includeStagesAfterAsyncPoint)    1e9a974d-66a0-42ca-b2ac-28b864d42f0a

There was also a warning in event viewer logged as Event ID 1309.
As I mentioned earlier I suspected a Timer Job was running that caused the delay in me receiving this error and as part of my testing I attempted to manually run the timer job ‘Password Management’ but this logged an error in the event logs as shown:
The Execute method of job definition Microsoft.SharePoint.Administration.SPPasswordManagementJobDefinition (ID cc5a6873-5ab6-4475-b0e8-b385c3b1618c) threw an exception. More information is included below.
Some or all identity references could not be translated.
Scratching my head I thought what if it is down to an account that I deleted from AD that isn’t running any services but is part of the Managed Accounts?
I tried to delete the account from the managed accounts page but received the same error prompt.
I recreated the account in AD (obviously appreciating that it would have a new SID) and cheekily tried (running an IISRESET first) to see if this would resolve the problem (knowing that it probably wouldn't) it didn't!
So my next thought was to try to assign the newly recreated account and SID with the one referenced in SharePoint and I ran the command:
stsadm -o migrateuser -oldlogin domain\serviceaccount -newlogin domain\serviceaccount -ignoresidhistory
**NOTE** Making sure that the oldlogin and the newlogin were exactly the same user and domain.
After running the stsadm command and re-running ‘Password Management’ timer job, followed by a user profile import (incidentally I had to restart the user profile import service on the server) I was finally able to access the Configure Service Accounts section with no error.
I appreciate this may not happen often in the field however I’m sure when the AD guys are looking to clear up unused service accounts this may have an impact.
I have managed to recreate the error and logged with Microsoft – will keep you posted.
*** UPDATE 07/09/2010 ***
After various discussions with Microsoft support they were unable to replicate the exact error. The error found in MS test environments was a little more user friendly but still it proves there is an issue.
The error received from Microsoft when performing the action is shown below:
“An error occurred while getting information about the user user1 at server domain.com: The user name could not be found”
OK, so my thoughts were (and I shared this with Microsoft) that yes, the error is a little more user friendly, however you still receive an error when trying to access the managed service account page that will not allow SP admins to perform modifications to managed service accounts after an unused account is deleted.
The outcome was that as Microsoft were not able to replicate ‘the exact’ error message a formal bug is not going to be raised although the issue has been submitted to the Microsoft SharePoint product team.
I’ve since recreated this error to match the one Microsoft have experienced on their environment and I still suggest this is a bug with SharePoint 2010.
I haven't tested this with either June 2010 or August 2010 cumulative updates to see if this has been fixed under the radar – feel free to leave me a comment if you find anything further.
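A check that can be run before and after AD service accounts are cleaned up, to find the managed account behind the error described in this post. This is an added example, not code from the original post or from Microsoft; it assumes the SharePoint 2010 Management Shell on a farm server, farm administrator rights, and the Username and Sid properties of the objects returned by Get-SPManagedAccount. The function names are made up for this example.

```powershell
# Added example: list SharePoint managed accounts that no longer map to an AD identity.
# Run from the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Resolve-LoginToSid {
    # Returns the current SID string for a login name, or $null when the name
    # cannot be translated (the IdentityNotMappedException seen in the ULS log).
    param([Parameter(Mandatory = $true)][string]$LoginName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($LoginName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Get-ManagedAccountHealth {
    # One row per managed account:
    #   Orphaned    - the login no longer exists in AD (deleted account)
    #   SidMismatch - the login exists but AD returns a different SID than the
    #                 one SharePoint stored (account deleted and recreated)
    #   OK          - the login resolves to the stored SID
    foreach ($managed in Get-SPManagedAccount) {
        $storedSid  = if ($managed.Sid) { $managed.Sid.Value } else { $null }
        $currentSid = Resolve-LoginToSid -LoginName $managed.Username
        $state = if (-not $currentSid) {
            'Orphaned'
        } elseif ($storedSid -and $storedSid -ne $currentSid) {
            'SidMismatch'
        } else {
            'OK'
        }
        New-Object PSObject -Property @{
            Username   = $managed.Username
            StoredSid  = $storedSid
            CurrentSid = $currentSid
            State      = $state
        }
    }
}

Get-ManagedAccountHealth |
    Sort-Object State, Username |
    Format-Table Username, State, StoredSid, CurrentSid -AutoSize
```

Any row that is not OK is an account to remove from Configure Managed Accounts (or repair) before the Password Management timer job next runs.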

Creating an Enterprise Search Center on a SharePoint 2010 Team Collaboration site

Whilst recently creating a site collection with a team site template I attempted to create an Enterprise Search Center only to be presented with an unexpected error as shown below.

image

The reason for this is you need to activate the SharePoint Server Publishing Infrastructure feature on the site collection.

image

You then shouldn’t be presented with this error!

Starting The SharePoint 2010 Sandboxed Code Service

Following best practice of least privilege I was in the process of starting up all the services on my new SharePoint 2010 Farm under separate accounts.

From Central Admin->Security->Configure Service Account I selected the Windows Service - Microsoft SharePoint Foundation Sandboxed Code option from the drop down and added my newly registered account (let's say SP2010_Sandbox).

**Note**

You must change the service account assigned to the service before starting the Sandboxed Code Service (This makes life a lot easier!)

clip_image001

After configuring the service account for Sandbox I navigated to Central Admin->Application Management->Manage Services on Server and started the service. From here everything looks fine and the service indicates started.

clip_image002

However, navigating to the services MMC and looking for the service SharePoint 2010 User Code Host showed that it had stopped.

clip_image003

To resolve this I had to add the sandbox service account to the local admin group on the server, then stop the service from Manage Services on Server then click start and the service started fine. I'm sure somewhere there is more detail on the exact security permissions as having this service account in the local admin group is not ideal.

At the time of writing the only documentation I could find to support this is http://technet.microsoft.com/en-us/library/ee513064.aspx.
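To keep track of the workaround above, the following reports what Windows says about the SharePoint 2010 User Code Host service (rather than what Central Admin shows) and whether its account currently sits in the local Administrators group. This is an added example, not code from the original post; the function names are made up, and only direct group membership is checked, not membership through nested groups.

```powershell
# Added example: report the sandbox host service's real state, its logon account,
# and whether that account is a direct member of local Administrators.
function Get-LocalAdminPaths {
    # ADsPath of each direct member, e.g. WinNT://DOMAIN/SP2010_Sandbox
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-SandboxServiceAccount {
    param([string]$DisplayName = 'SharePoint 2010 User Code Host')

    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found on $env:COMPUTERNAME" }

    # StartName is DOMAIN\user for a domain account; convert it to the WinNT
    # path form so it can be compared with the group members. Built-in or
    # local accounts are left as $null (not evaluated).
    $isAdmin = $null
    if ($svc.StartName -match '^(?<domain>[^\\.]+)\\(?<user>.+)$') {
        $path = "WinNT://$($Matches.domain)/$($Matches.user)"
        $isAdmin = @(Get-LocalAdminPaths) -contains $path   # case-insensitive
    }

    New-Object PSObject -Property @{
        Service          = $svc.DisplayName
        State            = $svc.State        # Running / Stopped as Windows sees it
        StartMode        = $svc.StartMode
        Account          = $svc.StartName
        DirectLocalAdmin = $isAdmin
    }
}

Test-SandboxServiceAccount |
    Format-List Service, State, StartMode, Account, DirectLocalAdmin
```

A result of Running with DirectLocalAdmin set to True marks a server where the local admin membership is still in place and should be revisited once the exact permissions are known.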