Security Considerations for Workflows 

The .NET Framework has a security model that treats applications differently depending on their origin. Executables and assemblies that are from a user's computer generally run with full trust; when the same executables and assemblies are run over the Internet, they generally run with partial trust. For more information about security in the .NET Framework, see the MSDN Library.

The Windows Workflow Foundation runtime and workflows require full trust. Therefore, workflows are always executed in full trust.

When you create workflows and custom activities, you should consider the following regarding security:

  • Always extensively test custom activities before you incorporate them in workflows.

  • Any exception that is not handled by the workflow should result in workflow termination.

  • Any overriding of the authorization check by a custom activity should be validated thoroughly to avoid vulnerabilities.

  • Do not allow a custom activity's constructor or InitializeComponent method to be editable when you deploy to a non-trusted user.
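One place a custom authorization check can live is a class derived from `WorkflowRole`, whose `IncludesIdentity` method decides whether an identity belongs to a role. The following added example (not part of the original topic) shows a deny-by-default implementation and the edge cases worth testing. The `AllowListRole` class and the `CONTOSO` account names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Workflow.Activities;   // WorkflowRole; reference System.Workflow.Activities.dll

// Hypothetical custom role: membership is a fixed allow-list of account names.
[Serializable]
public sealed class AllowListRole : WorkflowRole
{
    private string name;
    private readonly List<string> members = new List<string>();

    public AllowListRole(string name, IEnumerable<string> accounts)
    {
        if (string.IsNullOrEmpty(name)) throw new ArgumentException("Role name is required.", "name");
        if (accounts == null) throw new ArgumentNullException("accounts");
        this.name = name;
        foreach (string account in accounts)
        {
            // Reject blank entries so the list can never match a blank identity.
            if (account == null || account.Trim().Length == 0)
                throw new ArgumentException("Blank account name in allow-list.", "accounts");
            members.Add(account.Trim());
        }
    }

    public override string Name { get { return name; } set { name = value; } }

    // Hand out a read-only copy so callers cannot add themselves to the role.
    public override IList<string> GetIdentities() { return new List<string>(members).AsReadOnly(); }

    // Fail closed: only an exact, case-insensitive match is a member.
    public override bool IncludesIdentity(string identity)
    {
        if (string.IsNullOrEmpty(identity)) return false;
        foreach (string member in members)
            if (string.Equals(member, identity, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data: one member, then a case variant, a near match, empty and null.
        AllowListRole approvers = new AllowListRole("Approvers", new string[] { @"CONTOSO\alice" });
        foreach (string id in new string[] { @"contoso\ALICE", @"CONTOSO\alice2", "", null })
            Console.WriteLine("{0} -> {1}", id ?? "(null)", approvers.IncludesIdentity(id));
    }
}
```

Only the case variant of the listed account should be reported as a member; the near match, the empty string and null should all be denied.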

See Also

Concepts

Using Roles in Workflows
Security Considerations for Workflow-Enabled Applications
