cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Gottijay2000
Advocate III
Advocate III

Remove Specific User Access to a SharePoint List Item

I have item level permissions set up on SharePoint List, but i would like the ability to remove specific user access to some items. i'm seeing alot of information around adding users but nothing on removing users.

Any one have an idea on how to achieve this please?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @Gottijay2000 

To modify the item permission,

1. You have to break the inheritance from the parent which can be done using the below endpoint

_api/web/lists/getByTitle(<List Title>)/items/getById(<Item id>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

2. Find the permission level ID.

_api/web/roledefinitions/getByName('contribute')

3. Get the user id

4. You have to assign the user the above roledef id

_api/web/lists/getByTitle(<List Title>)/items(<Item ID>)/roleassignments/addroleassignment(principalid=<user id>,roledefid=<roledef id>)

 

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

View solution in original post

19 REPLIES 19
sudharsan1985
Solution Sage
Solution Sage

Hi @Gottijay2000 

You can try using 'Send Http request to SharePoint' using the REST API to change the permission of an item.

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

 @sudharsan1985 do you know what endpoint would do the trick?

Hi @Gottijay2000 

Please refer the below links.

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/set-custom-permissions-on-a-list-by-using...

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?t...

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

@sudharsan1985 none of the links have what i'm looking for which is the ability to remove a user from an item that has item level permissions

Hi @Gottijay2000 

To modify the item permission,

1. You have to break the inheritance from the parent which can be done using the below endpoint

_api/web/lists/getByTitle(<List Title>)/items/getById(<Item id>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

2. Find the permission level ID.

_api/web/roledefinitions/getByName('contribute')

3. Get the user id

4. You have to assign the user the above roledef id

_api/web/lists/getByTitle(<List Title>)/items(<Item ID>)/roleassignments/addroleassignment(principalid=<user id>,roledefid=<roledef id>)

 

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

Hi @Gottijay2000 I'm delving back into my memory to when I used to do more SharePoint development, and if I remember correctly then there wasn't an explicit "remove" endpoint. The way that we did it was to reset and reapply the permissions without the user that you wanted to remove.

 

Is it too late to consider using SharePoint groups for your permissions instead? They are much more manageable through code.

@sudharsan1985 this was helpful thanks. 

Hi @Gottijay2000 

Please mark the correct response as a solution to help others in the community.

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...
OliverR-82
Continued Contributor
Continued Contributor

Anonymous' reply is a better answer to the initial question than the one that is currently marked as a solution. The question was if there was a way to remove a specific user's permissions on an item, which is what Anonymous' answer does. Whereas the suggestion that is currently marked as solution really only adds permissions for a user after breaking permission inheritance. A workaround could be to remove all permissions for all users and then reassign permissions for all users that still need them, as suggested by MattWeston365. While that is a way to achieve the desired endgoal, it's a workaround that, depending on your list and number of users, may result in a lot of unnecessary action requests from your flow.

 

So, to confirm Anonymous' answer, the below action removes one specific permission from one specific user, on one specific item. Do note, though, that you do need to break permission inheritance first. If you're going to need to assign unique permissions for all items in your list, it's best to break inheritance on your entire list. If you only need unique permissions on a single item, then you can break inheritance using the HTTP request described in step 1 of sudharsa1985's solution.

 

The following action works for me.

OliverR82_0-1651342435813.png

The URI is:

 

_api/web/lists/getbytitle('Meeting Notes')/items(90)/roleassignments/removeroleassignment(principalid=<userId>,roleDefId=<permissionID>) 

 

 

To get the user's principal ID, you need to make an HTTP request to the following URI:

 

_api/web/siteusers/getbyemail('jsmith@mysite.com') 

 

 

The URI to get the roledefID was already mentioned above, but I'll repeat it here for completeness sake:

 

_api/web/roledefinitions/getByName('contribute')

 

 

This solution is not removing users, its only assigning different role. not sure why this is marked as accepted solution. Totally misleading!

@Rampriyar2022  You're right, the marked solution does not really address the original question. But read the entire thread, there is a proper solution posted by Anonymous user. I also elaborated on it to further clarify. Hope it helps you.

very good answer... thanks you and Anonymous!!

I will make use of your solution. Just one question, if the inheritance is already broken, I do not need to apply the steps to re-break the inheritance right? @OliverR-82 

Seems I have yet another question, which I don't know if you can answer. Is there a way to see in Power Automate which users have been given permission. Our scenario is that when a new distinct user is added, the old distinct user gets removed (but we keep all the other users that has permission so resetting won't work).

OliverR-82
Continued Contributor
Continued Contributor

Hi @shavora 

 

1. Correct, once permission inherritance is broken on an item, you don't need to break it again; permission inherritance will remain broken until you explicitly restore it again.

 

2. Yes, querying the SharePoint API via the HTTP action it is possible to check existing item-level permissions for a given user. To do that, you'll need to make 2 separate calls to the SharePoint API: one to get the principal ID of the user on the site (this can differ between site collections), and one to check the user's permissions on a given item.

 

Get the principal ID of a user by their e-mail address

OliverR82_1-1671632414580.png

Use the following Uri to get the user's principal ID:

 

 

_api/web/siteusers/getbyemail('user@yourdomain.com')?$select=Id

 

 

Specifying the "?$select=Id" at the end will make it so that you only get back the Id, which is what you need. It's always good practice to limit as much as possible the amount of data that is exchanged when making API calls. The less data is transferred, the quicker your flow will run. The output will look like this:

OliverR82_3-1671632930246.png

To use this output in following actions, you would use the expression (noting that I renamed my action to "Get user ID" and any spaces should be replaced by underscores when used in expressions):

 

 

body('Get_user_ID')['Id']

 

 

 

Checking the user's permissions for an item

OliverR82_4-1671633139738.png

Use the following Uri to get the permissions:

 

 

_api/web/lists/getbytitle('<list displayname>')/items(<item id>)/roleassignments/getbyprincipalid(<Id returned by previous action>)/RoleDefinitionBindings?$select=Name

 

 

Again I'm appending "?$select=Name" to the end to get just the info I need and nothing else. The output wil look like the following:

OliverR82_5-1671633274143.png

In the above example, the user has "Read" permissions on the item. Depending on the permissions of the user, the output can be something else, eg. "Contribute" or "Full control".

 

To reference that value, you would use the following expression (again noting that I renamed my action to a meaningful name, replacing any spaces with underscores):

 

 

body('Check_permissions')['value']['Name']

 

 

If the user in question does not have any permissions on the item at all, the "Check permissions" action will fail with a status of 404 and a message saying "Can not find the principal with id: xx".

 

I hope this helps you solve your problem.

OliverR-82
Continued Contributor
Continued Contributor

I experimented a bit further with these API calls and, if you wanted to, you could also get an overview of all the users and their permissions for a specific list item by querying the following Uri:

 

_api/web/lists/getbytitle('<list displayname>')/items(<item id>)/roleassignments?$select=RoleDefinitionBindings/Name,Member/Title&$expand=RoleDefinitionBindings,Member

 

This would give you an output like the following:

OliverR82_6-1671635493346.png

You could also get the users' e-mail addresses instead of their display names by replacing Member/Title with Member/Email in the Uri. Just thought I'd share this here in case it was of interest to anyone.

The main problem with this solution is that you need to reset everyone else's permissions on the item. The "Anonymous" and Oliver's responses worked for me. Imagine if you have 3-10 different users or groups who have access to this specific item. In your solution, the flow will need to 1.) read all the other existing permissions, then, 2.) add them back again.

@OliverR-82 thank you for this - a question I have is how would the uri be structured to reference a document library folder? Thank you.

Helpful resources

Announcements

Celebrating the May Super User of the Month: Laurens Martens

  @LaurensM  is an exceptional contributor to the Power Platform Community. Super Users like Laurens inspire others through their example, encouragement, and active participation. We are excited to celebrated Laurens as our Super User of the Month for May 2024.   Consistent Engagement:  He consistently engages with the community by answering forum questions, sharing insights, and providing solutions. Laurens dedication helps other users find answers and overcome challenges.   Community Expertise: As a Super User, Laurens plays a crucial role in maintaining a knowledge sharing environment. Always ensuring a positive experience for everyone.   Leadership: He shares valuable insights on community growth, engagement, and future trends. Their contributions help shape the Power Platform Community.   Congratulations, Laurens Martens, for your outstanding work! Keep inspiring others and making a difference in the community!   Keep up the fantastic work!        

Check out the Copilot Studio Cookbook today!

We are excited to announce our new Copilot Cookbook Gallery in the Copilot Studio Community. We can't wait for you to share your expertise and your experience!    Join us for an amazing opportunity where you'll be one of the first to contribute to the Copilot Cookbook—your ultimate guide to mastering Microsoft Copilot. Whether you're seeking inspiration or grappling with a challenge while crafting apps, you probably already know that Copilot Cookbook is your reliable assistant, offering a wealth of tips and tricks at your fingertips--and we want you to add your expertise. What can you "cook" up?   Click this link to get started: https://aka.ms/CS_Copilot_Cookbook_Gallery   Don't miss out on this exclusive opportunity to be one of the first in the Community to share your app creation journey with Copilot. We'll be announcing a Cookbook Challenge very soon and want to make sure you one of the first "cooks" in the kitchen.   Don't miss your moment--start submitting in the Copilot Cookbook Gallery today!     Thank you,  Engagement Team

Announcing Power Apps Copilot Cookbook Gallery

We are excited to share that the all-new Copilot Cookbook Gallery for Power Apps is now available in the Power Apps Community, full of tips and tricks on how to best use Microsoft Copilot as you develop and create in Power Apps. The new Copilot Cookbook is your go-to resource when you need inspiration--or when you're stuck--and aren't sure how to best partner with Copilot while creating apps.   Whether you're looking for the best prompts or just want to know about responsible AI use, visit Copilot Cookbook for regular updates you can rely on--while also serving up some of your greatest tips and tricks for the Community. Check Out the new Copilot Cookbook for Power Apps today: Copilot Cookbook - Power Platform Community.  We can't wait to see what you "cook" up!    

Welcome to the Power Automate Community

You are now a part of a fast-growing vibrant group of peers and industry experts who are here to network, share knowledge, and even have a little fun.   Now that you are a member, you can enjoy the following resources:   Welcome to the Community   News & Announcements: The is your place to get all the latest news around community events and announcements. This is where we share with the community what is going on and how to participate.  Be sure to subscribe to this board and not miss an announcement.   Get Help with Power Automate Forums: If you're looking for support with any part of Power Automate, our forums are the place to go. From General Power Automate forums to Using Connectors, Building Flows and Using Flows.  You will find thousands of technical professionals, and Super Users with years of experience who are ready and eager to answer your questions. You now have the ability to post, reply and give "kudos" on the Power Automate community forums. Make sure you conduct a quick search before creating a new post because your question may have already been asked and answered. Galleries: The galleries are full of content and can assist you with information on creating a flow in our Webinars and Video Gallery, and the ability to share the flows you have created in the Power Automate Cookbook.  Stay connected with the Community Connections & How-To Videos from the Microsoft Community Team. Check out the awesome content being shared there today.   Power Automate Community Blog: Over the years, more than 700 Power Automate Community Blog articles have been written and published by our thriving community. Our community members have learned some excellent tips and have keen insights on the future of process automation. In the Power Automate Community Blog, you can read the latest Power Automate-related posts from our community blog authors around the world. Let us know if you'd like to become an author and contribute your own writing — everything Power Automate-related is welcome.   Community Support: Check out and learn more about Using the Community for tips & tricks. Let us know in the Community Feedback  board if you have any questions or comments about your community experience. Again, we are so excited to welcome you to the Microsoft Power Automate community family. Whether you are brand new to the world of process automation or you are a seasoned Power Automate veteran - our goal is to shape the community to be your 'go to' for support, networking, education, inspiration and encouragement as we enjoy this adventure together.     Power Automate Community Team

Hear what's next for the Power Up Program

Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram, including a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the link below to sign up today! https://aka.ms/PowerUp  

Tuesday Tip | How to Report Spam in Our Community

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   As our community family expands each week, we revisit our essential tools, tips, and tricks to ensure you’re well-versed in the community’s pulse. Keep an eye on the News & Announcements for your weekly Tuesday Tips—you never know what you may learn!   Today's Tip: How to Report Spam in Our Community We strive to maintain a professional and helpful community, and part of that effort involves keeping our platform free of spam. If you encounter a post that you believe is spam, please follow these steps to report it: Locate the Post: Find the post in question within the community.Kebab Menu: Click on the "Kebab" menu | 3 Dots, on the top right of the post.Report Inappropriate Content: Select "Report Inappropriate Content" from the menu.Submit Report: Fill out any necessary details on the form and submit your report.   Our community team will review the report and take appropriate action to ensure our community remains a valuable resource for everyone.   Thank you for helping us keep the community clean and useful!

Users online (4,193)