Generally, any user with Design permissions to the list can create and modify actions. However, some settings are only available to users with higher permissions due to inherent security risk. These settings are Impersonation and Timer-based execution.
Impersonation allows the action to run with administrative privileges, having access to resources that might not be accessible to the executor of the action. For example, you might use Impersonation to create new items in a list to which users do not have Write access.
Timer-based actions are executed by the timer service, outside of the normal user context. They always run with the permissions of the timer service account, which in most cases is set to a higher level than most users.
Therefore, the users who set up these advanced settings must themselves possess the necessary permissions to be able to delegate them to those actions.
The permissions required to configure actions with Impersonation and Timer-based execution differ from action type to action type:
- Email, Run stored procedure, Call web service
  - does not require any special security privileges and is available to all users
- Run PowerShell
  - requires Farm Administrator privileges
- Create Site
  - requires Site Collection Administrator privileges
- Create List
  - either one of the following:
    - Site Collection Administrator
    - Site Administrator and Site set to Current Site (Runtime value is blank)
- Manage Active Directory
  - requires Farm Administrator privileges (Global Administrator in the app version)
- Manage Permissions
  - when the scope is set to Site:
    - either Site Collection Administrator or Site Administrator and Site set to Current Site (Runtime value is blank)
  - for any other scopes:
    - Site Collection Administrator, Site Administrator + Site set to Current Site (Runtime value is blank)
    - Manage Permissions permission to the current list and List set to Current List (Runtime value is blank).
- Create List Item, Update List Item, Delete List Item, Copy List Item, Print List Item, Run Workflow, Calculate Summary, Generate Tasks
  - any one of the following:
    - Site Collection Administrator
    - Site Administrator and Site set to Current Site (Runtime value is blank)
When a user does not possess the necessary permissions, the Impersonation and Timer-based execution options are disabled. That user will need a user with the necessary permissions to help them set up these actions.