Permissions required to start a SharePoint Designer workflow

I’ve read in multiple blog posts that you need Contribute permission to start a SharePoint Designer workflow on a List item. That makes sense, because the workflow also generates a workflow status field on the List. And starting the workflow on an item typically alters the value of that field, which automatically means you need permission to change that item.

What I’ve found is that Contribute permission on the List itself is not enough. There are two other permissions required:

  • Contribute permission on the hidden Workflow History list
    The actions taken by a workflow are recorded in a workflow history list. By default this is the hidden List ‘Workflow History’ (URL: {site}/Lists/Workflow%20History) which is always present.
    If the user account that started the workflow cannot write anything to this history list, then the workflow will fail rightaway.
    By default the Workflow History list inherits its permissions from the site root. What typically happens is: someone needs to start a workflow from a Document Library but has only Read permission on the site root. The Workflow History list inherits that Read permission, which is not enough for a workflow to start/run properly.
    If your users who start workflows are already regular Members of the site and therefore have Contribute permission from the root, then you will not notice this problem since you automatically have the correct permission on the Workflow History list.
  • Contribute permission on the Tasks list
    Almost the exact same logic applies to the Tasks list. If (and only if) you have a workflow that creates Tasks, then obviously the user needs Contribute permission on the Tasks list configured for that workflow as well.
  • Read permission on the site root
    Please note: I am less certain about this one, but I found that the permissions on the site root also play a role. My theory is this: you need Read permission on the site root so the user can ‘see’ the available workflows and the lists (Tasks and History) attached to those workflows. Somehow that information is stored at site level, which is why you need Read permission there.

Note that the above permission requirements also apply to workflows at site level, not just for List workflows.
Get these permissions in place, and your users should have no trouble starting SharePoint Designer workflows (either manually, or automatically OnCreate/OnChange).