BenFetters

Power Automate and SharePoint Permissions

Set/Change Security on items using Power Automate (Flow)


Level: Intermediate - Advanced

 

Hello!

 

If you're new to Power Automate (Flow), this post might be a little confusing.

 

So, please feel free to check out any of our other blog posts to help you get started with Power Automate (Flow)!

 

As always, if you have any questions, feel free to shoot us an email at: ben.fetters@sovereignsp.com

 

We'd be happy to answer any questions you have!

 

If you'd rather watch a video, click here to watch the walkthrough of this post on our YouTube channel.


 

 

Introduction

 

If you've used SharePoint Designer before, you know how easy it is to change item-level permissions: first break the inheritance (the item or file stops taking its permissions from the list or library), then add new permissions for a person, several people, or a specific SharePoint group.

 

In this post, we'll be going over how to do all of these things using Power Automate (Flow)!

 

This post will also help you become more aware of what Power Automate is capable of, and help you replace more of your SharePoint Designer workflows, if that's what you're trying to do.

 

Now a fair warning.

 

This solution does require a bit more "coding", or whatever you'd like to call it. But be assured, once you've done this a few times it will make much more sense and you'll have it down in no time.

 

Take it from me, who learned Power Automate and Power Apps without any previous coding knowledge AT ALL.

 

Because of this, I hope my explanations of what we'll be doing make more sense to you, since all of it only recently started making sense to me.

 

Using the Security Setting Actions Already Available

 

That being said, if your situation isn't too complex, you might be in luck. Power Automate has a few security actions that handle simple permission changes on their own:


 

Stop sharing an item or file

Delete all links giving access to an item or a file and remove all people with direct access except for owners.


 


 

Grant access to an item or file

Grant access to an item or a folder in SharePoint to specific people.


 

 

I imagine there will be a day when Power Automate has every permission action we need built in, but for now we can be grateful for the Send an HTTP request to SharePoint action, which can get the job done.

 

Using HTTP Requests to Change Item Level Permissions

 

If you haven't heard anything about HTTP Requests, here's the simple run down:

 

For our purposes, HTTP requests do three things: add data, update data, and get data. They can do more than that, but we'll keep it to these three.

 

So, as you can imagine, we're going to use the Send an HTTP request to SharePoint action to change the permissions (update data) of a specific item in SharePoint.

 

The great part about HTTP requests is that they can be customized to do more than the out-of-the-box Stop sharing an item or file and Grant access to an item or file actions have to offer.

 

Of course, this does make them more complicated and tricky to implement correctly.

 

That being said, if you follow the next steps you should be updating your permissions in no time, and hopefully learn a little along the way.

 

Let's get started!

 

Step 1 - Break Inheritance

 

If you don't know what breaking inheritance means: an item (or file) in SharePoint normally "inherits" its permission settings from the list (or library) it lives in. Breaking inheritance stops that.

 

So, if your list/library grants permissions to a specific group, all the items/files/folders in it "inherit" that setting and have the same permissions, unless the inheritance is broken because you want an item's permissions to be something else (which of course we do).

 

Essentially, breaking the inheritance means the item/file no longer gets any permissions from its parent. One caveat: with copyRoleAssignments=false the item is not left completely empty. SharePoint grants Full Control to the identity that made the call, which in a flow is the account behind the SharePoint connection (a commenter below noticed exactly this). Everything else has to be added explicitly afterwards, and if that account shouldn't keep Full Control on the item, you have to remove it yourself.

 

Without further delay, let's see how to do this using an HTTP Request:

 

(Screenshot: the Send an HTTP request to SharePoint action that breaks inheritance)

 
  1. Add the action Send an HTTP request to SharePoint.

  2. For Site Address, select or enter the site where your list or library is.

  3. For the Method, choose POST (this means we're sending information to the server and asking it to make a change).

  4. For the Uri, type in the following:

 

_api/lists/getByTitle('<Your List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

 

Make sure you replace <Your List Name> with your own list name, and <Item ID> with the ID of the item you want to break inheritance on. clearSubscopes=true additionally resets any unique permissions below the item, which matters when the item is a folder.

 

The request should handle spaces in the name, but if it doesn't, use "%20" instead of spaces (for example, "Your List Name" becomes "Your%20List%20Name"). A single quote inside the name has to be doubled ('') because the name sits inside an OData string literal.

 

Tip: try running your flow on a test item and check the permissions to make sure the inheritance was broken correctly.

 

Step 2 - Get the Principal ID of the Group or Person you want to Add Permissions for

 

The next thing we need to do is get the Principal ID of the group or person that we want to set the permissions for.

 

We need this Principal ID so that SharePoint knows which group or user we're setting the permissions for.

 

For example, if I have a group named "Sovereign Employees Group" that should only have Read rights, I first need the Principal ID of the "Sovereign Employees Group".

 

Luckily, we can do this using an HTTP Request.

 

  1. First, we need to initialize a variable so that we can store the Principal ID somewhere.

 

So here, all we need to do is use the Initialize variable action, give our variable a name (I'd call it something like varGroupNameID to keep things organized), and make sure that the variable type is Integer.

 

(See Below)

 

(Screenshot: the Initialize variable action)

 

  2. Next, we'll use an HTTP request to get the group or user Principal ID.

 

To do this, we'll just use the Send an HTTP Request to SharePoint action

 

However, since we're setting the permissions for either a SharePoint group or a user, there are two scenarios to cover.

 

(Screenshots: the request that gets a Group Principal ID and the request that gets a User Principal ID; the URIs are below.)

 
  1. Add the action Send an HTTP request to SharePoint.

  2. For the Site Address, select or enter the site where your list or library is.

  3. Make sure the Method is GET, which means we're "getting" data back from SharePoint.

  4. For the Uri, type in the following:

 

Group: _api/web/SiteGroups/getbyname('<Group Name>')

 

User: _api/web/SiteUsers/getByEmail('<User Email>')

 

Of course, remember to replace <Group Name> with the name of your group, or <User Email> with the user's email. Note that SiteUsers/getByEmail only finds users who are already known to the site (it returns a 404 for someone who has never been added to the site's user information list); for a brand-new user, a POST to _api/web/ensureuser with the body {"logonName": "i:0#.f|membership|<User Email>"} adds them and returns the same Id field.

 

The request should handle spaces in the name, but if it doesn't, use "%20" instead of spaces (for example, "Your Group Name" becomes "Your%20Group%20Name").

 

  3. Now, we will set the variable we initialized (step 1 of this section) to the group or user Principal ID that the previous HTTP request returned (step 2 of this section).

 

Whether you got a group's or a user's principal ID, this step will be the same.

 

To do this, we'll use the Set Variable action.

(Screenshot: the Set variable action)

 

  1. Add the action Set Variable

  2. For the Name, select the variable you created in step 1 of this section.

  3. For the Value, you will need to add an expression that pulls the Principal ID out of the HTTP request's output (step 2 of this section).

  4. In the text box for the expression, enter in the following: body('Send_an_HTTP_request_to_SharePoint_2')?['d']['id']

 

Of course, you'll need to change Send_an_HTTP_request_to_SharePoint_2 to whatever your action that gets the Principal ID is named. In my case it was called "Send an HTTP request to SharePoint 2". Replace any spaces in the action name with "_".

 

  5. Click OK.

 

If you did this correctly, the expression appears in the Value field of the Set variable action.

(Screenshot: the Set variable action with the expression filled in)

 

Step 3 - Set Security
 

Now for the moment we've all been waiting for… let's set the security!

 

To do this, as you already know, we'll use the Send an HTTP request to SharePoint action.

(Screenshot: the Send an HTTP request to SharePoint action that adds the role assignment)

 

  1. Add the Send an HTTP request to SharePoint action

  2. For the Site Address, select or enter the site where your list or library is.

  3. Make sure the Method is POST (we're sending information to the server and asking it to make a change). In this case we're asking SharePoint to add a permission to a specific item/file.

  4. For the Uri, type the following:

 

_api/lists/getByTitle('<Your List Name>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<Principal ID>,roledefid=<Permission Setting>)

 

Make sure you replace <Your List Name> with your own list name and <Item ID> with the ID of the item you are setting permissions on, exactly as you did when breaking the inheritance.

 

Also, replace <Principal ID> with the variable we set to the group/user Principal ID.

 

As for <Permission Setting>, this is the role definition ID: each permission level has its own number.

 

Here's a table of the built-in permission levels and their role definition IDs:

 

Permission level     Role definition ID

Full Control         1073741829

Design               1073741828

Edit                 1073741830

Contribute           1073741827

Read                 1073741826

View Only            1073741924

 

Need to Find a Custom Permission Level's Role Definition ID?

 

Here's how you do it! You'll need to type in your browser:

 

https://site-url/_api/web/roledefinitions

 

Of course, remember to replace "site-url" with your site url.

 

It will look like a wall of text, but you should be able to find the name of your permission level together with the Id you need. (Pro tip: use Ctrl+F and type the name of your custom permission level to find it faster. You can also trim the output with https://site-url/_api/web/roledefinitions?$select=Id,Name, or go straight to one level with https://site-url/_api/web/roledefinitions/getbyname('<Your Level Name>').) 🙂
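Steps 1 to 3 end to end, as an added example that is not part of the original post and not the flow designer's own code: a small Python client composes the same URIs the post types into the Send an HTTP request to SharePoint action (list name, item ID, principal lookup by group name or email, role definition ID, add role assignment) and reads the verbose-JSON answers, so you can see exactly what the expression body(...)?['d']['id'] picks out. The transport is injectable, and the block ships with a constructed FakeSharePoint that answers with the response shapes SharePoint returns (including the {"d": {"BreakRoleInheritance": null}} output a commenter below was puzzled by, which is a normal success response). The site URL, group name, e-mail address and IDs in it are made up. Against a real tenant you would pass a send() that attaches an authenticated Authorization header, which is assumed and not shown. The roledefinitions/getbyname lookup for a custom level goes slightly beyond the post, which has you read the ID out of the browser.

```python
"""Added example (not the original post's code): the SharePoint REST calls the
post's flow makes, composed and parsed in Python. The transport is injectable;
FakeSharePoint below is a constructed stand-in so the module runs offline. For
a real tenant, pass a send() that adds an authenticated Authorization header
(assumption: any HTTP client returning status code and body text will do)."""
import json
from urllib.parse import quote

# Built-in SharePoint Online permission levels and role definition IDs (from the post).
ROLE_IDS = {
    "Full Control": 1073741829, "Design": 1073741828, "Edit": 1073741830,
    "Contribute": 1073741827, "Read": 1073741826, "View Only": 1073741924,
}


def odata_literal(value):
    """Quote a string for an OData function argument: an embedded single quote is
    doubled (OData escaping), then the text is percent-encoded, which is what the
    post's "%20 instead of spaces" advice does by hand."""
    return "'" + quote(value.replace("'", "''"), safe="'@") + "'"


class ItemPermissions:
    """Client for the three requests used in the post, plus a role lookup by name."""

    def __init__(self, site_url, send):
        self.site = site_url.rstrip("/")
        self.send = send  # send(method, url, headers) -> (status_code, body_text)

    def _call(self, method, uri):
        status, body = self.send(method, f"{self.site}/{uri}",
                                 {"Accept": "application/json;odata=verbose"})
        if status >= 400:
            raise RuntimeError(f"{method} {uri} -> HTTP {status}: {body[:200]}")
        # Verbose OData wraps every answer in {"d": ...}. Void methods such as
        # breakroleinheritance return {"d": {"BreakRoleInheritance": null}}: success.
        return json.loads(body)["d"]

    def _item(self, list_title, item_id):
        return f"_api/lists/getByTitle({odata_literal(list_title)})/items({int(item_id)})"

    def break_inheritance(self, list_title, item_id, copy_role_assignments=False):
        # copyRoleAssignments=false drops the inherited assignments; SharePoint then
        # grants Full Control to the calling identity, so add everything else explicitly.
        flag = "true" if copy_role_assignments else "false"
        return self._call("POST", self._item(list_title, item_id)
                          + f"/breakroleinheritance(copyRoleAssignments={flag},clearSubscopes=true)")

    def group_principal_id(self, group_name):
        return int(self._call("GET", f"_api/web/SiteGroups/getbyname({odata_literal(group_name)})")["Id"])

    def user_principal_id(self, email):
        # Only finds users already present in the site's user information list.
        return int(self._call("GET", f"_api/web/SiteUsers/getByEmail({odata_literal(email)})")["Id"])

    def role_definition_id(self, level_name):
        if level_name in ROLE_IDS:
            return ROLE_IDS[level_name]
        # Custom permission level: ask the server instead of hard-coding the number.
        return int(self._call("GET", f"_api/web/roledefinitions/getbyname({odata_literal(level_name)})")["Id"])

    def add_role_assignment(self, list_title, item_id, principal_id, role_def_id):
        return self._call("POST", self._item(list_title, item_id) + "/roleassignments"
                          + f"/addroleassignment(principalid={int(principal_id)},roledefid={int(role_def_id)})")


def grant_item_permission(client, list_title, item_id, level, group=None, email=None):
    """The post's Steps 1-3 in order; returns the (principal ID, role definition ID) used."""
    client.break_inheritance(list_title, item_id)
    principal = client.group_principal_id(group) if group else client.user_principal_id(email)
    role = client.role_definition_id(level)
    client.add_role_assignment(list_title, item_id, principal, role)
    return principal, role


class FakeSharePoint:
    """Constructed stand-in for a site (made-up names and IDs): records every request
    and answers with the verbose-JSON shapes the real endpoints return."""

    def __init__(self):
        self.requests = []
        self.routes = {
            "GET _api/web/SiteGroups/getbyname('Sovereign%20Employees%20Group')": {"Id": 8},
            "GET _api/web/SiteUsers/getByEmail('jerry@contoso.example')": {"Id": 23},
            "GET _api/web/roledefinitions/getbyname('Approver')": {"Id": 1073741925, "Name": "Approver"},
        }

    def send(self, method, url, headers):
        self.requests.append((method, url))
        uri = "_api/" + url.split("/_api/", 1)[1]
        if f"{method} {uri}" in self.routes:
            return 200, json.dumps({"d": self.routes[f"{method} {uri}"]})
        if method == "POST" and "/breakroleinheritance(" in uri:
            return 200, json.dumps({"d": {"BreakRoleInheritance": None}})
        if method == "POST" and "/addroleassignment(" in uri:
            return 200, json.dumps({"d": {"AddRoleAssignment": None}})
        return 404, json.dumps({"error": {"message": {"value": "Not found: " + uri}}})


if __name__ == "__main__":
    fake = FakeSharePoint()
    client = ItemPermissions("https://contoso.example/sites/hr", fake.send)
    print(grant_item_permission(client, "Your List Name", 5, "Read", group="Sovereign Employees Group"))
    for method, url in fake.requests:
        print(method, url)
```

Running the module prints the principal and role IDs it used and the request log. The log is the part worth comparing with a flow's run history when permissions silently don't change: the URIs should match character for character, a null inside "d" on the two POSTs is success, and a 4xx on the principal lookup usually means the group name is misspelled or the user has never been added to the site.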

 

Conclusion

 

Thank you so much for reading this post!

 

You learned a little more about how HTTP requests work, as well as how to set permission levels on SharePoint items!

 

Here's what the final Flow looks like:

(Screenshot: the final flow, with the break-inheritance request, the principal ID request, the Set variable action and the add-role-assignment request)

 

(Remember, you can get the ID of either a user or a group, as explained earlier in this post.)

 

Please, if you need any help implementing this, feel free to send us an email at ben.fetters@sovereignsp.com. It's always great to hear from you.

 

Power Apps and Power Automate Services  

If you need a jump start on your Power Apps or Power Automate (Flow) knowledge, or need someone to build an application/workflow for you, we can help! We offer consulting and training as well as professional application and workflow development.

 

If you're thinking about any of these services but aren't sure yet, feel free to email us explaining the situation and we can let you know what we could do for you, as well as answer any questions you have.

 

In the meantime, check out some more of our videos and posts!

 

Thanks for reading and feel free to SUBSCRIBE to our blog to be notified of any new posts!  

Have a great day,

  Ben Fetters
 
Comments

@BenFetters do you know if this works for downgrading a permission? Say the person already has contribute rights and I want to change them to read rights? Let me know, thanks!

Hi @roedimat, that is possible! Though this is how I would do something like that. I would first use the "Stop Sharing an Item or File" action on the item that you're changing the permissions of. This will reset all the permissions on the item or file except the site owners. Basically, it will blank out the permissions and just leave the site owners group. Then, after that, you can add the http request to set the permissions to read or whatever you're changing them to.

 

So, it is a bit more time consuming especially if you're just wanting to change the permission settings for one group or user. But, that is what we have done at the company I'm at and it has worked well. Basically every time we need to change the permissions in the process we just reset all of them and add them all back with any changes. Copying an action to your clipboard makes it faster though which is nice.

 

Did that answer your question? And if any of that didn't make sense let me know and I'd be happy to explain it better! 

@BenFetters I thought about this solution as well, but I don't believe it will work in my situation. I will keep looking for a solution. Thanks for the info!

Hey @BenFetters ! Thanks for the detail. This is a great post. I am wondering if you have tips for making this work for folders, not lists? I need to give direct access to a folder so the user has automatic access to all folders beneath it (when using the "grant access" connector, the inheritance is broken). The folder path and ID I have as dynamic content, so am just looking for the http code for the Post connector.

Hey, @quantumbeats , Thanks for the feedback! So glad it could help a little. 

And that is a cool scenario, I believe you can actually do that with the "Grant access to an item or folder". There's a neat trick you can do with the "Role" field on that action. By default you can only choose view or edit, but if you select, "Enter custom value", then you can specify the exact role definition ID, like you would normally do in the HTTP request, by putting: role:1073741830 or whatever the right role definition ID is for your situation. You have to include the "role:" at the beginning for the action to know what you're wanting to do. You can also just select "View" or "Edit" for the role, and then in the action on the top right you can select "Peek Code" and then this will make more sense of what the flow is doing. 

Does that make sense? I've explained it a little further in this updated version of this blog under the place where I talk about the "grant access to an item or folder" section: https://www.sovereignsp.com/post/power-automate-and-sharepoint-permissions

 

Anyways, that should work for your situation, let me know if I didn't explain this well enough though and I can explain it better!

@BenFetters this is EXACTLY what I'm looking for but I'm having quite a bit of trouble getting this to work. I heavily leveraged your article here, and have posted a detailed description of my issue on the Tech Community page here.

 

In my situation, I'm trying to change permissions of an individual user (not a group). My flow runs successfully, but the permissions aren't updating as I'd expect.

Both the "Send and HTTP Request to SharePoint" and the "Send an HTTP request to SharePoint 3" actions are returning "null" outputs for the BreakRoleInheritance and AddRoleAssignment requests.

 

It would be SUPER helpful if you (or others) could review my post and provide any feedback either here or directly on the Tech Community page. I'm at the 1-inch line and just need a little bit of help to make my solution air tight.

 

Thanks in advance!!!

@JFADI2020 , Thanks so much! So glad it could help.

 

And that is interesting! I would take a look at your post but for some reason it's not showing me anything when I click on either link you gave. Maybe try adding it again? 

 

In the meantime, I'd try using the "Stop sharing an item/file" action to "break inheritance", as I'm quite sure that it will break the inheritance if you do that automatically. Then, since you're setting security for a person, you can actually use the "Grant access to an item or file" and specify the exact security permissions you want. You can check out this same blog (updated with this new solution) here.

 

But, I'll just put what I updated the blog with right below:

Under the "Roles" field, you can actually select "enter custom value" and then enter in "role:123456789" if you are wanting to set a custom permission level or just a different permission level besides "View" or "Edit". Click on the three dots on the top right corner and then click on "Peek Code" to see the exact syntax of what this action is looking for.

 
In other words, under the "Role" field, you can select "Enter custom value" and put in something like: Role:1073741827
 
Of course, changing the number to the security level you're needing. But, you'll have to put in the phrase "Role:" at the beginning.
 
Does this make sense at all? Let me know if it doesn't and I can explain it better! It actually ends up being easier than using an http request, but only works right now with user emails. 

Also, forgot that I'm in the wrong account 😂 But this is Ben Fetters!

@BenFetters Thanks for the quick reply!!! Here's the text from the post I submitted on the Tech Community page. For some reason, I was having trouble even finding my own post...I'll investigate that later.

 

--------------------

Hi there! First time posting and pretty new to Power Automate.

 

Here's my situation...

 

I have a SharePoint site with a few OWNERS and a number of files that each have a UNIQUE set of users. The OWNERS can see everything, while the UNIQUE users only see content that's been shared directly with them. Each file represents a manufacturing location, so when "Jerry" visits the SharePoint site, he only sees files relevant to the location he manages. As intended, Jerry only sees the file that is related to the "FLORIDA" location. It's important to note that "Erica" also provides inputs to the FLORIDA file. To give Jerry and Erica their initial permissions, I manually went into the SharePoint "Documents" library, clicked on the FLORIDA file, went to "Manage Access" and granted "Can edit" direct access to both of them.

 

I've created a new column within the Documents library and called it "Completed?" and created a JSON "I'm done!" button within this column which initiates a Power Automate approval flow. This button is clicked by Jerry, Erica, and the rest of the UNIQUE users when they are done entering their respective data. When this button is clicked, an approval loop is initiated, and at the end, a new item is created in an "EVENT LOG" SharePoint list that indicates that a user, i.e. Jerry, is done editing the FLORIDA file, and that I have approved of his edits. To this point, everything works fine.

 

However, when the new item pops up in the EVENT LOG list, I have another flow that is automatically triggered. My goal with **this** flow is to change ONLY the file permissions of the person who CLICKS the "I'm done" button, thus preventing them from making additional edits to the FLORIDA file. So, as Jerry and Erica both start with "Can edit" permissions, when Jerry clicks the "I'm done!" button and after I approve of his edits, the intent is that only Jerry's permissions get changed to "Can view". Erica will still be able to edit until she clicks "I'm done". The flow is outlined in the 3 screenshots attached.

 

The flow is running "successfully", however, the UNIQUE user permissions are NOT being changed from "Can edit" to "Can View".

 

The Output for the first "Send an HTTP request to SharePoint" action looks as follows.

 

{ "d": { "BreakRoleInheritance": null } }

 

 

The output of the third "Send an HTTP request to SharePoint 3" action looks as follows.

 

{ "d": { "AddRoleAssignment": null } }

 

Again, I've attached 3 screenshots of the code associated with my flow that I'm having issues with. In the screenshots, you'll see some "comments" that I added for the "Send an HTTP Request to SharePoint" and the "Send an HTTP Request to SharePoint 3" actions. These comments outline some of the other iterations of code that I've tried to get this to work.

 

Please let me know if there are any other details I can share to help troubleshoot this.

 

Lastly, I leveraged much of my code associated with this flow from THIS POST by @BenFetters.

 

For reference, in the "Set Variable" action for varUserID, "d.id" code reads as follows.

{ "inputs": { "name": "varUserID", "value": "@body('Send_an_HTTP_request_to_SharePoint_2')?['d']['id']" } }

 


Hi @JFADI2020 , Thanks for posting that! That is interesting. I looked through it and it looks like it should work. So, you could try the solution I gave in my previous comment which involves utilizing the "Stop Sharing an item/file" action and the "Grant Access to an item/file" action and entering a custom value for "Role". Did that solution make sense? If you'd like we could also try doing a quick Teams meeting sometime and you can show me the flow and we can try to solve it real quick. Here's my email: ben.fetters@sovereignsp.com

 

Kind regards,

 

Ben Fetters

Hi Ben,

Fantastic blog and video. Just wanted to mention that in your video when setting the variable it doesn't go into detail about the expression needed or mention spaces need to be replaced with underscore '_'.

It was only after a few hours I found this blog and amended my code to get it working.

Hi @MartynLiv ,

 

Glad it could be useful to you! And thanks for the feedback, I definitely could've explained that! 

@BenFetters thank you for this excellent article. It got me MOST of the way there.

 

In Power Automate, I am trying to set unique permissions on a Folder in a document library.

 

It seems when I use the HTTP call "_api/lists/getByTitle('Private Share')/items(@{outputs('Create_MLA_folder')?['body/ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)" I can successfully break permissions, but I am always given FULL CONTROL permissions. The Flow connections are my user id, which I assume is relevant).

 

So, is there a way to break the inheritance and not set myself as FULL CONTROL implicitly? Or, if that's by design, can I remove my Full Control access after breaking inheritance (well, at the end of the flow when my work here is done. 😁)? How? Is there an Action or REST call you can suggest?

 

A related question: doesn't the Grant Access to an item or folder action create unique permissions? I would have assumed that it does, but it was not working that way, so I am using an HTTP request to break inheritance, then using the Grant Access action to assign the permissions.

 

Thank you,

Gerry Brimacombe

Lightlever Systems

 

@BenFetters Thank you! It's very interesting. 

 

I am trying to set unique permissions on a Folder in a document library. I need to grant access to individual users (not a group). In the above example "SharePoint 2", you have used User Email with the user's email.

Is there any possibility to give read access to multiple users' emails?

 

Thank you!

That is what I was searching for, and it took me one day ~~~~

 

@BenFetters , Thank you very much .

 

In my environment, I use Power Apps + a SharePoint list. Using your method, even if a user bypasses my app and accesses the SharePoint list directly, they cannot get any data from this list!!!

 

Great Job!

Hi @BenFetters ,

 

Thanks for this, it's a great post! You show how it works for users with an email address and also SharePoint groups. Have you found a way to add an Azure Active Directory Security Group which doesn't have an email address?

 

Thanks,
