Power Platform : Custom SharePoint Online Permissions using Power Automate.

.

“Do something today that your future self will thank you for.”

.

Hello Everyone,

Greetings for the day.

Hope you all are doing well.

Today in this article I am going to discuss about how to grant permissions to a group/user on SharePoint list item using Power Automate flow.

Also we have good number of articles on Power Platform, please have a look.

https://knowledge-junction.in/category/technology-articles/power-platform/

So without getting late, lets get started.

Background

In one of our project requirement give the permissions to the person who is approving the SharePoint list item. So we have used Power Automate http request to break the role and set security for the SharePoint list item.

Introduction

If we’ve used SharePoint designer before, we know how easy it is to change item level permissions by first breaking the inheritance (List/Library Level Permissions on the item/file) and then adding new permissions for a person, people, or a specific SharePoint Group.

In this post, we’ll be going over how to do all these things using Power Automate (Flow)! This post will also help us become more aware of what Power Automate is capable of as well as replace more of our SharePoint Designer workflows – if that’s what we’re trying to do, of course.

SharePoint:

Microsoft SharePoint is a cloud-based service that helps organizations share and manage content, knowledge, and applications to:

• Empower teamwork
• Quickly find information
• Seamlessly collaborate across the organization

SharePoint Permissions

SharePoint permissions control the access that employees, partners, third-party suppliers, and others have to our SharePoint content. We can choose who can read specific information and who cannot. SharePoint permissions extend not only to display data in lists and document libraries, but also to search results and even the user interface. For instance, if we do not have permissions to a specific document list, then in the results of a search, we will not see any documents from that list. This permissions model helps protect sensitive data from people who should not see or distribute it.

Power Automate:

Power Automate is a service that helps us create automated workflows between our favorite apps and services to synchronize files, get notifications, collect data, and more.

• Automate business processes
• Send automatic reminders for past due tasks
• Move business data between systems on a schedule
• Connect to more than 500 data sources or any publicly available API
• We can even automate tasks on our local computer like computing data in Excel.

High Level Steps:

• Break Inheritance
• Get the Role Principal ID of the Group or Person we want to Add Permissions for
• Set Security

Detailed Steps:

Using the Security Setting Actions Already Available

If our situation isn’t too complex, we might be in luck. Power Automate has a few “Security Actions” that allow us to do simple permission changes as we can see below:

Stop sharing an item or file

Delete all links giving access to an item or a file and remove all people with direct access except for owners.

Grant access to an item or file

Grant access to an item or a folder in SharePoint to specific people.

We imagine there will be a day when Power Automate will just have available all the permission actions that are needed, but for now, we can at least be grateful for HTTP request that can get the job done for now.

Using HTTP Requests to Change Item Level Permissions

If we haven’t heard anything about HTTP Requests, here’s the simple run down:

HTTP Requests essentially add, update, and get data. They do more than that, but for our purposes, we’ll just keep it to these three things.

So, as we can imagine, we’re going to be using the Send HTTP request to SharePoint. To help us change the permissions (update data) for a specific item in SharePoint.

The great part about them HTTP Requests is that they can be customized to do more than just the Out-of-the-box functionality that the Stop sharing an item or file or Grant access to an item or file have to offer.

Of course, this does make them more complicated and trickier to implement correctly.

If we follow these next steps, we should be updating our permissions in no time. And hopefully learn a little on the way.

Let’s get started!

Step 1 – Break Inheritance

If we don’t know what breaking inheritance means, remember that breaking inheritance on an item in SharePoint means that the item (or file) will no longer “inherit” its permission settings based on the list (or library).

So, if our list/library has permissions set to a specific group, all the items/files/folders will “inherit” that permission setting and have the same permissions, unless the inheritance is broken, and we want its permission settings to be something else (which of course we do).

Essentially, breaking the inheritance means the item/file won’t have any permission settings for the moment.

Without further delay, let’s see how to do this using an HTTP Request:

• Add the action Send an HTTP request to SharePoint.
• For Site Address, select or enter the site where our list or library is.
• For the method, choose Post (this means we’re sending information to the server and asking it to store it somewhere or make a change).
• For the Uri, type in the following:

_api/lists/getByTitle('<Our List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

Make sure that we replace <Our List Name> with our own list name and that we put in the item ID of the item we are wanting to break inheritance on instead of <Item ID>.

The request should handle any spaces in the name, but if doesn’t, we may need to add “%20” instead of spaces. (Example: “Our List Name” would look like “Our%20List%20Name”

Tip: try running our flow on a test item and check the permissions to make sure the inheritance was broken correctly.

Step 2 – Get the Role Principal ID of the Group or Person we want to Add Permissions for  

The next thing we need to do is get the Principal ID of the group or person that we want to set the permissions for.

We need this Principal ID so that SharePoint will know what group we’re setting the permissions for.

For example, if We have a group named “New Employees Group” that we want to just be able to just have Read rights, we would first need to get the Principal ID of the “New Employees Group”.

Luckily, we can do this using an HTTP Request.

• First, we need to Initialize a Variable so that we can store the Principal ID somewhere.

So here, all we need to do is use the Initialize Variable action, give our variable a name (we’d call it something like varGroupID to keep things more organized), and make sure that the variable type is an Integer.

(See Below)

• Next, we’ll use an HTTP request to get the Group or User Principal ID

To do this, we’ll just use the Send an HTTP Request to SharePoint action

However, since we’re either setting the permissions to a SharePoint group or User, there are two different scenarios we’ll need to cover.

Group Principal ID

User Principal ID

• Add the action Send an HTTP request to SharePoint.
• For the Site Address, select or enter the site where our list or library is.
• Make sure the Method is Get, this means that we’re “Getting” data back from SharePoint.
• For the Uri, type in the following:

Group: _api/web/SiteGroups/getbyname('<Group Name>')

User: _api/web/SiteUsers/getByEmail('<User Email>')

Of course, remember to replace <Group Name> with the name of our group or replace <User Email> with the user’s email.

The request should handle any spaces in the name, but if doesn’t, we may need to add “%20” instead of spaces. (Example: “Our Group Name” would look like “Our%20Group%20Name”

• Now, we will set our variable that we initialized to the principal group or user ID that we retrieved from the previous HTTP request.

Whether we got a group’s or a user’s principal ID, this step will be the same.

To do this, we’ll use the Set Variable action.

• Add the action Set Variable
• Select the variable we created for the Name
• For the Value, we will need to add an Expression in order to get the Principal Group ID from the HTTP Request
• In the text box for the expression, enter in the following: 

body('Send_an_HTTP_request_to_SharePoint_2')?['d']['id']

Of course, we’ll need to change Send_an_HTTP_request_to_SharePoint_2 to whatever we named our action that is getting the Group Principal ID. In our case, it was called, “Send an HTTP request to SharePoint 2“. We will also need to make sure we replace any spaces with “_”.

• Hit OK.

If we did this correctly, we should see this: (see the screen shot below)

Step 3 – Set Security

Now for the moment we’ve all been waiting for… let’s set the security!

To do this, as we already know, we’ll be using the Send an HTTP request to SharePoint action.

• Add the Send an HTTP request to SharePoint action
• For the Site Address, select or enter the site where our list or library is.
• Make sure the method is Post (this means we’re sending information to the server and asking it to store it somewhere or make a change). In this case, we already know that we’re asking SharePoint to add permissions to a specific item/file.
• For the Uri, type the following:

_api/lists/getByTitle('<Our List Name>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<Principal ID>,roledefid=<Permission Setting>)

Make sure that we replace <Our List Name> with our own list name and that we put in the item ID of the item we are wanting to break inheritance on instead of <Item ID> as we did when we were breaking the inheritance.

Also, make sure we change <Principal ID> with the variable we set to the Group/User Principal ID.

As for the <Permission Setting> part, there are different series of numbers we can set that will mean different things.

Here’s a table showing what each number series will do:

Full Control——1073741829

Design————-1073741828

Edit—————-1073741830

Contribute——-1073741827

Read—————1073741826

View Only——–1073741924

Need to Find the Custom Permission Role Definition ID?

Here’s how we do it! We’ll need to type in our browser:

https://site-url/_api/web/roledefinitions

Of course, remember to replace “site-url” with our site url.

It will look a little interesting with a lot of text, but we should be able to find the name of it as well as the Role Definition ID that we need. (Pro tip: if we do “ctr F” to find text, we can simply type the name of our custom permission to find it faster) 

Conclusion

Thank you so much for reading this post!

We learned a little bit more on how HTTP Requests work as well as how to set permission levels in SharePoint!

Here’s what the final Flow looks like:

(Remember we can get either the ID of a User OR Group as explained earlier in this post).

.

Also get my article updates on my social media handles.

LinkedIn – https://www.linkedin.com/in/khasim-shaik-8784a1232/

Twitter – https://twitter.com/KhasimShaik2009

Facebook – https://www.facebook.com/profile.php?id=100078255554660

Thank you for your support, will catch up with new article soon.

Keep learning and keep smiling.

Have a great day.

Thanks.