
M-Files VBScript State Action Problem - Access Denied

Greetings,

 

We have issues with a VB Script that sends a document to another state.

 

We have a specific situation with our client. When the document meets some condition from VB Script, it is necessary to transfer it to another state.

In our case, it does not want to transfer the document if it is not a System Administrator account or there is no direct connection from the state from which it sends the document to the state where the document should be placed via VB Script.

 

The above logic is mandatory for us at the client and that part would have to work because of the Audit Trail.

You can replicate the error by creating three states in workflow - "Test1", "Test2", "Test3". Place in Test 2 the script that will switch to "Test3" and try to switch with a non-admin user. (There must not be a state transition in the workflow between Test2 and Test3).

 

The script I'm using at the client:

Option Explicit

Dim Employee, iClass, DepartmentManager, iWFState, FunctionManager
iClass = PropertyValues.SearchForProperty(100).TypedValue.DisplayValue
Employee = PropertyValues.SearchForProperty(1061).TypedValue.DisplayValue
DepartmentManager = PropertyValues.SearchForProperty(1161).TypedValue.DisplayValue
FunctionManager = PropertyValues.SearchForProperty(1160).TypedValue.DisplayValue

' Create a typed value for the "last modified by" value.
Dim objLastModifiedByTypedValue
Set objLastModifiedByTypedValue = CreateObject("MFilesAPI.TypedValue")
objLastModifiedByTypedValue.SetValue MFDatatypeLookup, CurrentUserID

' Update the last modification info.
Vault.ObjectPropertyOperations.SetLastModificationInfoAdmin ObjVer, True, objLastModifiedByTypedValue, False, Nothing

'Conditions depending on property Class and FunctionManager = Employee
IF iClass = "Work Instruction" AND Employee = DepartmentManager Then
    ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
    'Save the changed propertyvalues to the object
    iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
    PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
    Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues

ELSEIF iClass = "Procedure" AND Employee = FunctionManager Then
    ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
    'Save the changed propertyvalues to the object
    iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
    PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
    Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues

ELSEIF iClass = "Decision" AND Employee = FunctionManager Then
    IF PropertyValues.SearchForProperty(1156).TypedValue.DisplayValue = "No" Then
        ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
        'Save the changed propertyvalues to the object
        iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
        PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
        Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues
    END IF
END IF

 

In this case it's not working for regular users:

In this case it's working for regular users:

If the state transition in between states 2 and 3 has deny permission, then it's not working for System Admins.

I just want to point out that both ways work if user has System Admin role.

It was tested on versions from 22.2 to 22.5 and every time the same problem occurred.

  • Hello,

    It is by design to work like this.

    You cannot make a transition to a state where there is no transition to.

    It works with Admin user, because Admin user can move an object to any state disregarding the transition logic in workflow.

    The only thing I can think of now, but maybe someone else has a better idea, is to create a server connection in vbscript, and set the workflow using that connection as server side connection runs the code with M-Files User account, and then set with LastModifiedByAdmin the user that "did" the transition.

    Regards,

    Radu

  • Hi,

    Radu is right, but this is only one of the possible solutions, and it will not be easy in this "external link" to determine the object that needs to be moved.

    Depending on what needs to be achieved and how you want to achieve it I would use the following approaches:

    - If the transition is going to be done manually, the picture where there is a link between state 2 and 3, then I would move the checking logic to the precondition of state 3 and react with an error if that transition is not allowed.

    - If it is going to be done automatically, I would put the logic in the transition trigger.

    Of course, Radu's suggestion is perfectly valid, although a bit more complicated.

    PS

    It is good practice to use aliases instead of property IDs. This makes the code much more readable.
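
Added example (not part of the thread and not M-Files' own code): the conditions from the original post's script rewritten as the trigger script of an automatic state transition, as suggested in the reply above. It assumes a transition from the script's state to the approved state is defined in the workflow and uses this script as its trigger; `DisplayValueOf` is a hypothetical helper, and the property IDs are the ones from the original post.

```vbscript
Option Explicit

' Trigger script for an automatic state transition (added example).
' The server evaluates it and performs the transition only when
' AllowStateTransition is True, so the script never sets property 39
' itself and does not depend on the current user's admin rights.

' Hypothetical helper: display value of a property on the current object.
Function DisplayValueOf(propertyId)
    DisplayValueOf = PropertyValues.SearchForProperty(propertyId).TypedValue.DisplayValue
End Function

Dim className, employee
className = DisplayValueOf(100)   ' Class
employee = DisplayValueOf(1061)   ' Employee

' Deny by default; allow only when one of the post's conditions holds.
AllowStateTransition = False

Select Case className
    Case "Work Instruction"
        ' Employee must be the department manager (property 1161).
        AllowStateTransition = (employee = DisplayValueOf(1161))
    Case "Procedure"
        ' Employee must be the function manager (property 1160).
        AllowStateTransition = (employee = DisplayValueOf(1160))
    Case "Decision"
        ' Employee must be the function manager and property 1156 must be "No".
        If employee = DisplayValueOf(1160) Then
            AllowStateTransition = (DisplayValueOf(1156) = "No")
        End If
End Select
```

Because automatic transitions are executed by the server, the object history records the server as the actor for this step, which is the audit point raised later in the thread.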

  • If it's by design, I don't see the use of this script. Why would I use it if it can't be automatically triggered by the user itself?

    In this client workflow solution the whole approval is going through 2 states and if above condition gets hit it should go into the approved state and there shouldn't be any M-Files Server Audit Trail. If I use SYS ADM every SYS ADM account can approve a document for any other user, if I use state transition there is no need for this script that puts the document into the approved state, because it can be put into the approved state using manual input clicking direct on the state transition itself.
    Your reply:
    "The only thing I can think of now, but maybe someone else has a better idea, is to create a server connection in vbscript, and set the workflow using that connection as server side connection runs the code with M-Files User account, and then set with LastModifiedByAdmin the user that "did" the transition."

    I'm not sure how to do that. How to make a server connection using vbscript? Do I need to put the vbscript into the eventhandler, state, precondition, postcondition or state transition?

    I think the only solution here is to make a VAF/COM API app using an event handler.

  • Hi, manovos,

    "by design" is the behavior of transitions that Radu described. As I have written below depending on what needs to be achieved and how, there may be different solutions. In case it needs to happen automatically, it is best to execute the logic from the script in the trigger of the transition itself. Both running the script in an event handler and a VAF/COM application are possible, but it doesn't need to be that complicated. If you are interested in how to connect in server mode see this thread

    community.m-files.com/.../how-to-access-value-s-from-a-different-vault

  • The underlying issue is that the server will look at the object's starting state (2) and the ending state (3), and check that the current user has the rights to make that transition.  If there is no valid transition from 2->3 then normal users cannot possibly have rights to do so.  Admins bypass this requirement check.

    One simple hack you can use is to add a new state (4) after 2, place your code there, and make an automatic state transition from 2 to 4.  Automatic state transitions are run by the server, so the "current user" who then moves from 4-3 should be the server, who's an admin, who can then move the object regardless of whether there's a defined transition.

    I haven't personally used this hack for a few years, but I think that I'm remembering it correctly.

    Another solution - albeit needing you to use VAF - is to add an entry to a task queue on state 2, then get a task processor to do the move to state 3.  It adds some delay to the process so it may not be desirable, but it is a good workaround in some situations.

  • I would recommend against making new connections to the server from within script.  There are some scenarios where it's required, but it's also against the cloud validation guidelines so you can subsequently trip over some issues if you start using this as a workaround.

    I've suggested an alternate approach below.

  • Craig is correct as always and has described very well why this rejection occurs. The "hack" he offers is a pretty good solution in most cases. I myself use it when necessary, but in this case it will remain in history that the action was performed by the M-Files server, and this will hardly please the auditors.

  • If you work for a regulated industry, or one where auditing of these specific objects is important, then obviously speak to your compliance officer (or similar) to understand the implications of such changes.  It is incredibly important to ensure that scripting does not affect your ability to meet any external or internal requirements.

    But a blanket statement that automated actions cannot appear in an object's history is perhaps not accurate; there'll be a record of the fact that the object was moved from state 1->2 by user X, and there should be a documented automated process that the system will then move from 2-3 and 3-4.  As such there's still a record of who caused it to go to 4.

    Plus, even in the original set of code, the object would be altered by the script and would have lost the audit trail data anyway.

  • I totally agree with you Craig. I was particularly impressed by this part of the code, which really manipulates the user who last modified the object.

    Dim objLastModifiedByTypedValue
    Set objLastModifiedByTypedValue = CreateObject("MFilesAPI.TypedValue")
    objLastModifiedByTypedValue.SetValue MFDatatypeLookup, CurrentUserID
    
    ' Update the last modification info.
    Vault.ObjectPropertyOperations.SetLastModificationInfoAdmin ObjVer, True, objLastModifiedByTypedValue, False, Nothing

  • This is documented on the Developer Portal: Audit Trail and Scripting (fixing "(M-Files Server)" in the audit logs)

    But, again, from an auditing perspective, needs to be done with care.