If you have just created an External List and tried to update an item through a SPD Workflow action, you may have received the error below in the History List when the workflow action executes:
The workflow could not update the item in the external data source. Make sure the user has permissions to access the external data source and update items.
In your process of narrowing down this issue, you may go straight to the External List and try to create an item directly. To your surprise, the action completes without error. …
There is a very good chance that this error is related to the security configuration and connection properties for the External Content Type. In the example below, the External Content Type interacts with a WCF service. Let’s look into why this error has surfaced and how to go about resolving it.
By default, you will get the following connection properties when creating a link to external content (WCF Service).
If you configure your web service to use integrated authentication (Negotiate\Kerberos) or anonymous access, this will generally be sufficient for interacting with the External List through the user interface. However, when you try to write back to the External List through a workflow, you will get the error message above. This is because workflows always run as the service account (generally the IIS application pool account) when accessing content via Business Connectivity Services. Because of this, workflows that interact with External Content (via BCS) only support using the Secure Store Service or RevertToSelf (not enabled by default because of its security implications) to protect the external system. This is by design. For a more detailed explanation, see Using SharePoint workflows with Business Connectivity Services (BCS) by JD Klaka.
The error message above is actually thrown by Business Connectivity Services and not your external content source. If you look at the logs from your external content source (WCF service in my case), you will notice that BCS doesn’t even attempt to connect. If you also look at the logs in the 14 hive, you will see an “Access Denied” error thrown by BCS for the service account the workflow is running as.
The way I solved this error was to configure an application in my Secure Store Service and grant the service account permissions in the External Content Type. To create an application in your Secure Store Service, you will need access to Central Administration and the right permissions to manage the service. Here are the steps I went through to create an application in the Secure Store Service. For more information, refer to MSDN – Configure the Secure Store Service.
1. On the Manage Services page in Central Admin, select the Secure Store Service then click the “Manage” button on the ribbon.
2. Click “New” on the ribbon to create a new application.
3. Enter an ID for the application and a Display Name. Make sure you choose “Group” for the Target Application Type. Click “Next”.
4. Accept the defaults and click “Next” on the following page.
5. Specify an administrator account and put the service account that the workflow will run as in the Members section. Click “OK”.
Note: You may wish to create a Security Group in Active Directory that contains all the users that will be allowed access to this external content. This will make administration easier as you can also use this group to grant appropriate roles in the External Content Type’s permissions. If you try to access external content and you’re not in the Members section of the Secure Store Service Application, you will get a “Connection manager did not return valid connection” message.
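The same Group-type target application can be created from the SharePoint 2010 Management Shell instead of Central Administration. This is an added example, not code from the original post; the application ID, display name, accounts and site URL are placeholders, and the final credential mapping (the account BCS presents to the external system, which the wizard also prompts for) is assumed to be entered interactively.

```powershell
# Added example: create the Secure Store target application from steps 1-5 with PowerShell.
# All names below are placeholders; replace them with your own values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appId        = "WcfExternalSystem"            # placeholder: Target Application ID (used later in SPD)
$displayName  = "WCF External System"          # placeholder: Display Name
$adminAccount = "DOMAIN\ssadmin"               # placeholder: account that administers the application
$members      = @("DOMAIN\wfserviceaccount")   # placeholder: app pool account the workflow runs as
$siteUrl      = "http://sharepoint/sites/bcs"  # placeholder: any site in the consuming web application

# Service context of the web application whose External List will use the application
$ctx = Get-SPServiceContext -Site (Get-SPSite $siteUrl)

# Step 4 defaults: a Windows user name and a masked Windows password field
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# Step 3: Target Application Type "Group" (one shared credential for every member)
$targetApp = New-SPSecureStoreTargetApplication -Name $appId -FriendlyName $displayName -ApplicationType Group

# Step 5: administrator and members as claims principals.
# To use an AD security group instead (as the note suggests), pass -IdentityType WindowsSecurityGroupName.
$adminPrincipal   = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$memberPrincipals = $members | ForEach-Object { New-SPClaimsPrincipal -Identity $_ -IdentityType WindowsSamAccountName }

$ssApp = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $targetApp `
            -Fields $fields -Administrator $adminPrincipal -CredentialsOwnerGroup $memberPrincipals

# Map the group to the credential BCS will present to the external system.
# Prompted interactively so the password never sits in the script; field order must match $fields.
$cred   = Get-Credential
$values = @((ConvertTo-SecureString $cred.UserName -AsPlainText -Force), $cred.Password)
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $values
```

Any account that is not in the members list (the service account included) will still hit the “Connection manager did not return valid connection” message described in the note.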
Now that we have created an application in the Secure Store Service, we will need to configure the connection properties for the External Content Type.
1. Go to SharePoint Designer and connect to your site. Choose the External Content Types Site Object and open your External Content Type. Click “Edit Connection Properties” in the ribbon:
2. In the Endpoint Properties, change the Authentication Mode to one of the Impersonate options (depending on your requirements). Also choose the appropriate Impersonation Level for your application. Set the Secure Store Application ID to the ID of the Secure Store Application we created above.
3. In the Metadata Properties, change the Authentication Mode to one of the Impersonate options (depending on your requirements). Set the Secure Store Application ID to the ID of the Secure Store Application we created above.
4. Click OK and run your workflow again. The permissions error should have disappeared.
You may also need to ensure the service account that the workflow is running under has permission in the External Content Type. You can view the permissions in SharePoint Designer. However, if you wish to change them, you will have to do this via Central Administration. For more information about setting these permissions, see the Manage External Systems TechNet article.