cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
PJBruen
Resolver I
Resolver I

Opening a Sharepoint Document in Read-Only Mode

Hi, 

I have a PowerApp whereby a case is created and a document is saved to the Sharepoint Document Library and referenced by the case. Whilst the document goes through various stages of approval, it can be viewed and edited by clicking a link to it using the command Launch(First(colSelectedDocuments).'Link to item'). This all works fine!

 

However, what I would like to be able to do, is when the document has been fully approved, is there a way to change the link so that the document only opens in Read-Only mode?

 

I've since tried building this in Power Automate, but I get stuck on the first HTTP request;

https://sergeluca.wordpress.com/2018/05/03/assign-unique-permissions-to-a-document-with-the-new-send...

 

The error I get is:

The expression "lists/getByTitle(‘Documents’)/items(1)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)" is not valid.
clientRequestId: cb961482-17a5-4d40-ae78-893386123126
serviceRequestId: 820a939f-c0ee-2000-70ec-a673bfc63c7a

 

(I've tried changing the Items parameter to the ID of a document in the list...still no luck.  /items(1)/

Many thanks

Paul

1 ACCEPTED SOLUTION

Accepted Solutions
Pstork1
Most Valuable Professional
Most Valuable Professional

Use the names in the Advanced Permissions Settings.  That will be the name which the group ID can be retrieved with.  If you use another name it will keep retrying for about 10 minutes since it can't find a match. That may be why your first attempt didn't finish.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

View solution in original post

21 REPLIES 21
Pstork1
Most Valuable Professional
Most Valuable Professional

There is no way to change the formatting of the link to make it read only.  To do that you have to actually change the item level permissions on the document itself in SharePoint.  That can be done using an HTTP REST call. Or you can try these actions on sharing.

 

Manage list item and file permissions with Power Automate | Microsoft Docs



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Hi @Pstork1 , yeah, that's what the link above is trying to do (unless I've misunderstood).

I get an error with the first HTTP request....not sure what I'm doing wrong.

 

Regards.

Pstork1
Most Valuable Professional
Most Valuable Professional

Take a look at this example.  I think it does a better job of explaining which dynamic content to use in the requests.  

How to manage permissions on a SharePoint List Item using Microsoft Flow – changing Item permissions...



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

@Pstork1 

Hi,

I'm trying to follow some instructions put together by @BenFetters at:  

https://powerusers.microsoft.com/t5/Power-Automate-Community-Blog/Power-Automate-and-SharePoint-Perm...

Ben, I wonder if you are able to assist me here with a Power Automate/Sharepoint question??

What I'm trying to do is call a Power Automate flow from PowerApps that needs to set a specific document in the Document Library to Read Only. The document should still appear in the library, but ideally only editable by "Owners" and only viewable by "Members".

I've attached some screen shots of Sharepoint and the flow I have so far.

This appears to work, but obviously only changes the permissions for the one user, detailed in the "Send an HTTP request to Sharepoint 2" action.

Are you able to advise what I need to do to this flow to make it set the document to Read Only for everyone in the "Member" group? I'm a bit confused as to how to do this!

 
 

Sharepoint1.png

Sharepoint2.png

PowerAutomate1.png

PowerAutomate2.png

 

Many thanks

Paul.

Pstork1
Most Valuable Professional
Most Valuable Professional

The problem is in the last two http calls.  In one you are retrieving a principal ID by email.  But you need to get the group id not the user's ID.  That requires a different call.  Then feed that id in as the principal id.  Here is a working example.

image.png



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Thanks @Pstork1 

I did change my flow to look at the group, but it never completed and therefore I cancelled it as I wasn't sure I had it right.

Before I change it again and test it, should URI field be changed to "Member" (as per the group names on the first screenshot) or should I use the names in the Advanced Permission Settings? 

 

PJBruen_0-1606923765341.png

 

Pstork1
Most Valuable Professional
Most Valuable Professional

Use the names in the Advanced Permissions Settings.  That will be the name which the group ID can be retrieved with.  If you use another name it will keep retrying for about 10 minutes since it can't find a match. That may be why your first attempt didn't finish.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

Many thanks for your help @Pstork1 - that seems to work exactly as I need it too.

PJBruen
Resolver I
Resolver I

@Pstork1 

Hi - I've been doing some more testing on this application. The manage access process below was working absolutely fine yesterday, but today, only the side of the flow for making a file editable (1073741830) is working. There are no errors....it just doesn't change the access level to Read Only (1073741826), when following the path where the condition is set to "LOCK".

Any ideas why?

PJBruen_0-1607092423787.png

 

Cheers - Paul

Pstork1
Most Valuable Professional
Most Valuable Professional

I assume you are trying to use this like a Toggle.  The problem is that it isn't designed to work that way.  The permissions are assigned to the group by the command.  But assigning the Read Permission doesn't remove the existing Edit permission.  It works the first time through because it removes all permissions except yours when you break inheritance.  But after that each time you run the HTTP command it adds the permission level back in.  So to set ReadOnly its a Two step process.  First you have to remove the Edit permission (if it exists) and then add the Read permission.  You should be able to remove a permission level setting using the following

 

_api/web/lists/getByTitle('List%20Name')/Items('ItemID')/RoleAssignments/groups/RemoveByLoginName('GroupName')

 

 



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

Hi @Pstork1 

Ahh, I see.

I've tried the following, but unfortunately I get errors on this step. As you've kindly got me this far, would you know how I get around this? You're correct though, the Edit Mode vs. Read-Only Mode needs to work slightly like a toggle I guess. It's likely that when the file gets set to read-Only that it stays that way, but there needs to be the facility to undo it, and make the file editable again.

PJBruen_0-1607331235333.png

BODY

{
  "status"400,
  "message""This operation is not allowed on an object that inherits permissions.\r\nclientRequestId: 5bac034d-7ce6-4565-ac20-2cd5cb0fc12f\r\nserviceRequestId: 54e8949f-5059-2000-70ec-a6836e6895d0",
  "errors": [
    "-1",
    "System.InvalidOperationException"
  ]
}
HEADERS
{
  "Pragma""no-cache",
  "x-ms-request-id""54e8949f-5059-2000-70ec-a6836e6895d0",
  "Strict-Transport-Security""max-age=31536000; includeSubDomains",
  "X-Content-Type-Options""nosniff",
  "X-Frame-Options""DENY",
  "Cache-Control""no-store, no-cache",
  "Set-Cookie""ARRAffinity=9b2d45c4bd0030f30e7a2a2896b71140eb7d88b49b44e96d4fd45755b575263c;Path=/;HttpOnly;Secure;Domain=sharepointonline-ne.azconn-ne.p.azurewebsites.net,ARRAffinitySameSite=9b2d45c4bd0030f30e7a2a2896b71140eb7d88b49b44e96d4fd45755b575263c;Path=/;HttpOnly;SameSite=None;Secure;Domain=sharepointonline-ne.azconn-ne.p.azurewebsites.net",
  "Timing-Allow-Origin""*",
  "x-ms-apihub-cached-response""true",
  "Date""Mon, 07 Dec 2020 08:36:36 GMT",
  "Content-Length""491",
  "Content-Type""application/json",
  "Expires""-1"
}
 
Many thanks,
Paul.
Pstork1
Most Valuable Professional
Most Valuable Professional

The error suggests that you are trying to do those steps without breaking security inheritance first.  Any time you are going to set specific permissions you have to be sure that inheritance is turned off.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

Hi @Pstork1 

Is that not the purpose of this step though, which is running in my flow.....or am I missing something else?

PJBruen_0-1607348919942.png

Sorry to keep hassling you. This is the first time I've ever looked at this stuff, and it's a bit foreign to me, so your help is much appreciated.

 

Regards,

Paul

Pstork1
Most Valuable Professional
Most Valuable Professional

OK, I see the error.  In the first of the two statements that removes the permissions you are doing it at the list level not the item level.  Everything up through role assignments should be the same on both commands.  in your example you are trying to remove permissions from the list and set them on the item.  Both of those need to be at the item level.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

Hi @Pstork1 

So, these are the 4 HTTP Send Requests I'm making. I've made one change in red, but wasn't sure what to change in the other (sorry, so confused by this). Can you confirm please?

_api/lists/getByTitle('varLISTNAME')/items(varID)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

_api/web/SiteGroups/getbyname('varPERMISSIONGROUP')

_api/web/lists/getByTitle('varLISTNAME')/items(varID)/RoleAssignments/groups/RemoveByLoginName('varPERMISSIONGROUP')

_api/lists/getByTitle('varLISTNAME')/items(varID)/roleassignments/addroleassignment(principalid='varGroupID',roledefid=1073741826)

Pstork1
Most Valuable Professional
Most Valuable Professional

The change in red is the correct change.  Everything should work if its setup that way.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
PJBruen
Resolver I
Resolver I

Hi @Pstork1 

Sorry - I still haven't got this quite right.

PJBruen_0-1607423670973.png

This is the URI being entered here:

 _api/web/lists/getByTitle('Documents')/items(11441)/RoleAssignments/groups/RemoveByLoginName('Stress Testing Datastore Members')

 

The error coming back as Bad Gateway (although the flow was still running, but cancelled after a few mins):

PJBruen_1-1607423783508.png

 

Is "RemoveByLoginName" correct as this is the Group name as opposed to an individual?

 

Sorry again to keep hassling you.

 

Regards

Paul 

 

PJBruen
Resolver I
Resolver I

@Pstork1 

So, I tried the following:

If I create a new Sharepoint File and run the READ-ONLY process, then the flow errors with the details above.

If I create a new Sharepoint File and run the EDIT process and then the READ-ONLY process, it seems to work fine.

 

Would this be what you'd expect?

I don't fully understand this, but as long as it works I'm happy I think!

 

  

Pstork1
Most Valuable Professional
Most Valuable Professional

Yes, Remove ByLoginName is the right syntax.  But you will get a Bad Gateway error if the Group doesn't have permissions.  If this is the first time through after breaking security inheritance than the group won't have permissions and you will get an error.  But it should work if the group has read permissions because this is the second time adjusting permissions.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Helpful resources

Announcements

Exclusive LIVE Community Event: Power Apps Copilot Coffee Chat with Copilot Studio Product Team

It's time for the SECOND Power Apps Copilot Coffee Chat featuring the Copilot Studio product team, which will be held LIVE on April 3, 2024 at 9:30 AM Pacific Daylight Time (PDT).     This is an incredible opportunity to connect with members of the Copilot Studio product team and ask them anything about Copilot Studio. We'll share our special guests with you shortly--but we want to encourage to mark your calendars now because you will not want to miss the conversation.   This live event will give you the unique opportunity to learn more about Copilot Studio plans, where we’ll focus, and get insight into upcoming features. We’re looking forward to hearing from the community, so bring your questions!   TO GET ACCESS TO THIS EXCLUSIVE AMA: Kudo this post to reserve your spot! Reserve your spot now by kudoing this post.  Reservations will be prioritized on when your kudo for the post comes through, so don't wait! Click that "kudo button" today.   Invitations will be sent on April 2nd.Users posting Kudos after April 2nd at 9AM PDT may not receive an invitation but will be able to view the session online after conclusion of the event. Give your "kudo" today and mark your calendars for April 3, 2024 at 9:30 AM PDT and join us for an engaging and informative session!

Tuesday Tip: Unlocking Community Achievements and Earning Badges

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!     THIS WEEK'S TIP: Unlocking Achievements and Earning BadgesAcross the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. These badges each signify a different achievement--and all of those achievements are available to any Community member! If you're a seasoned pro or just getting started, you too can earn badges for the great work you do. Check out some details on Community badges below--and find out more in the detailed link at the end of the article!       A Diverse Range of Badges to Collect The badges you can earn in the Community cover a wide array of activities, including: Kudos Received: Acknowledges the number of times a user’s post has been appreciated with a “Kudo.”Kudos Given: Highlights the user’s generosity in recognizing others’ contributions.Topics Created: Tracks the number of discussions initiated by a user.Solutions Provided: Celebrates the instances where a user’s response is marked as the correct solution.Reply: Counts the number of times a user has engaged with community discussions.Blog Contributor: Honors those who contribute valuable content and are invited to write for the community blog.       A Community Evolving Together Badges are not only a great way to recognize outstanding contributions of our amazing Community members--they are also a way to continue fostering a collaborative and supportive environment. As you continue to share your knowledge and assist each other these badges serve as a visual representation of your valuable contributions.   Find out more about badges in these Community Support pages in each Community: All About Community Badges - Power Apps CommunityAll About Community Badges - Power Automate CommunityAll About Community Badges - Copilot Studio CommunityAll About Community Badges - Power Pages Community

Tuesday Tips: Powering Up Your Community Profile

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   This Week's Tip: Power Up Your Profile!  🚀 It's where every Community member gets their start, and it's essential that you keep it updated! Your Community User Profile is how you're able to get messages, post solutions, ask questions--and as you rank up, it's where your badges will appear and how you'll be known when you start blogging in the Community Blog. Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile.     Password Puzzles? No Problem! Find out how to sync your Azure AD password with your community account, ensuring a seamless sign-in. No separate passwords to remember! Job Jumps & Email Swaps Changed jobs? Got a new email? Fear not! You'll find out how to link your shiny new email to your existing community account, keeping your contributions and connections intact. Username Uncertainties Unraveled Picking the perfect username is crucial--and sometimes the original choice you signed up with doesn't fit as well as you may have thought. There's a quick way to request an update here--but remember, your username is your community identity, so choose wisely. "Need Admin Approval" Warning Window? If you see this error message while using the community, don't worry. A simple process will help you get where you need to go. If you still need assistance, find out how to contact your Community Support team. Whatever you're looking for, when it comes to your profile, the Community Account Support Knowledge Base article is your treasure trove of tips as you navigate the nuances of your Community Profile. It’s the ultimate resource for keeping your digital identity in tip-top shape while engaging with the Power Platform Community. So, dive in and power up your profile today!  💪🚀   Community Account Support | Power Apps Community Account Support | Power AutomateCommunity Account Support | Copilot Studio  Community Account Support | Power Pages

Super User of the Month | Chris Piasecki

In our 2nd installment of this new ongoing feature in the Community, we're thrilled to announce that Chris Piasecki is our Super User of the Month for March 2024. If you've been in the Community for a while, we're sure you've seen a comment or marked one of Chris' helpful tips as a solution--he's been a Super User for SEVEN consecutive seasons!   Since authoring his first reply in April 2020 to his most recent achievement organizing the Canadian Power Platform Summit this month, Chris has helped countless Community members with his insights and expertise. In addition to being a Super User, Chris is also a User Group leader, Microsoft MVP, and a featured speaker at the Microsoft Power Platform Conference. His contributions to the new SUIT program, along with his joyous personality and willingness to jump in and help so many members has made Chris a fixture in the Power Platform Community.   When Chris isn't authoring solutions or organizing events, he's actively leading Piasecki Consulting, specializing in solution architecture, integration, DevOps, and more--helping clients discover how to strategize and implement Microsoft's technology platforms. We are grateful for Chris' insightful help in the Community and look forward to even more amazing milestones as he continues to assist so many with his great tips, solutions--always with a smile and a great sense of humor.You can find Chris in the Community and on LinkedIn. Thanks for being such a SUPER user, Chris! 💪 🌠  

Tuesday Tips: Community Ranks and YOU

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!This Week: Community Ranks--Moving from "Member" to "Community Champion"   Have you ever wondered how your fellow community members ascend the ranks within our community? What sets apart an Advocate from a Helper, or a Solution Sage from a Community Champion? In today’s #TuesdayTip, we’re unveiling the secrets and sharing tips to help YOU elevate your ranking—and why it matters to our vibrant communities. Community ranks serve as a window into a member’s role and activity. They celebrate your accomplishments and reveal whether someone has been actively contributing and assisting others. For instance, a Super User is someone who has been exceptionally helpful and engaged. Some ranks even come with special permissions, especially those related to community management. As you actively participate—whether by creating new topics, providing solutions, or earning kudos—your rank can climb. Each time you achieve a new rank, you’ll receive an email notification. Look out for the icon and rank name displayed next to your username—it’s a badge of honor! Fun fact: Your Community Engagement Team keeps an eye on these ranks, recognizing the most passionate and active community members. So shine brightly with valuable content, and you might just earn well-deserved recognition! Where can you see someone’s rank? When viewing a post, you’ll find a member’s rank to the left of their name.Click on a username to explore their profile, where their rank is prominently displayed. What about the ranks themselves? New members start as New Members, progressing to Regular Visitors, and then Frequent Visitors.Beyond that, we have a categorized system: Kudo Ranks: Earned through kudos (teal icons).Post Ranks: Based on your posts (purple icons).Solution Ranks: Reflecting your solutions (green icons).Combo Ranks: These orange icons combine kudos, solutions, and posts. The top ranks have unique names, making your journey even more exciting! So dive in, collect those kudos, share solutions, and let’s see how high you can rank!  🌟 🚀   Check out the Using the Community boards in each of the communities for more helpful information!  Power Apps, Power Automate, Copilot Studio & Power Pages

Find Out What Makes Super Users So Super

We know many of you visit the Power Platform Communities to ask questions and receive answers. But do you know that many of our best answers and solutions come from Community members who are super active, helping anyone who needs a little help getting unstuck with Business Applications products? We call these dedicated Community members Super Users because they are the real heroes in the Community, willing to jump in whenever they can to help! Maybe you've encountered them yourself and they've solved some of your biggest questions. Have you ever wondered, "Why?"We interviewed several of our Super Users to understand what drives them to help in the Community--and discover the difference it has made in their lives as well! Take a look in our gallery today: What Motivates a Super User? - Power Platform Community (microsoft.com)

Users online (7,207)