microsoft / coe-starter-kit


[CoE Starter Kit - Feature]: Orphaned Process Assignment Fails Due to Manager Not Being Part of Environment Security Group #9121

Open lukas-nC opened 6 days ago

lukas-nC commented 6 days ago

Is your feature request related to a problem? Please describe.

Hi, we have enabled the Orphaned Process feature, and a manager provided feedback that orphaned flows should be assigned to them. However, the assignment failed, and we received the following error message:

The supplied reference link -- systemusers() -- is invalid. Expecting a reference link of the form /entityset(key).

Upon investigation, we discovered that the environment where these flows reside is protected by a security group. The manager is not a member of this security group, which prevented them from being found in the SystemUser table. As a result, the assignment process could not locate the manager's SystemUserId.

Describe the solution you'd like

I would like to propose a change to enhance the error notification. If the Compose action (Get new owner SystemUserId) returns empty, the error notification should clarify the issue by stating:

The flows could not be assigned because the selected owner is not a member of the corresponding environment's security group. Please Contact your Power Platform Team

This would help clarify why the assignment failed and provide guidance on how to resolve the issue, for the admins and consumers of this process.

Describe alternatives you've considered

No response

Additional context?

No response

Jenefer-Monroe commented 6 days ago

These connections should actually run in the context of the flow owner, per the parent flow for the orphan processes.

And then per the driver escalation processes we have, that user should be system admin in all environments that the kit runs. Can you please validate you have the run-only user set?

lukas-nC commented 6 days ago

Hi @Jenefer-Monroe,

to answer your question, yes, this flow is running in the context of the flow owner.

But I don't think that's the problem.

Image

In my case, I got an error because 1 was empty. 1 was empty because of 2, which was empty because of 3, which was empty because the manager (4) is not in the systemuser table. And his Id is not in the systemuser table because he is not a member of the environment security group of the environment where the orphaned flows reside.

Jenefer-Monroe commented 6 days ago

Oh, I see. Yep, I can add something different there that validates that's the issue and updates the return string correctly. Thanks for posting.