Set SharePoint List Item Permissions Using Power Automate

Introduction

Over the past few years, Microsoft has been actively promoting MS Flow with a range of helpful features. Recently, MS Flow has been rebranded as Power Automate, offering a multitude of connectors and actions that make it a valuable tool for both power users and developers to automate tasks such as approvals, scheduling, and business processes. Microsoft has also announced the deprecation of SharePoint 2010 workflows in SharePoint online, and they are recommending Power Automate as a replacement. They are suggesting their online clients to migrate their SP 2010 workflows to Microsoft Power Automate.

In SP 2010 workflow, there was a feature called impersonation step with which we could change the permission of a list item or files. So, with the deprecation of the SP 2010 workflow, this feature will not be available for us. And in SP 2013 workflow, there is no provided action to change permission. Without custom code, Power Automate is certainly the best approach.

Creating MS Flow

In this article, we will explain how to remove and set custom permission for a list item or a library file. The step by step procedure is given below.

Go to the following link.
Log in with your credential.
Click on the “Create” tab as shown in the image (Fig 1) below.

Fig 1: Selecting flow type
Fig 1: Selecting flow type

It will give us different options to create different types of flows.
We will select the “Automated flow” as shown in the above image (Fig 1).

The above window will be opened where we have to provide the flow name in position 1.
Now we have to select a trigger by which this flow will be started as shown in position 2. Any of these option can be selected. For this demo, we are selecting the “When an item is created” trigger option.
Then click on the create button.

**Fig 3: Providing triggering properties**

After clicking the create button the above window will be opened where we have to provide the site address and list name, from where the flow will be triggered.
The site address can be selected from the drop-down in position 1. If the desired site address couldn’t found from the provided options, select the “Enter Custom Value” option from the drop-down and past your site address.
We can select the List Name from the drop-down in Position 2.

Remove all Permissions

Now select a new action, “Stop sharing an item or a file” as the next step.
With this provided action, all permission on the item will be revoked.
Select/Enter site address in position 1.
Select the specific List or Library name from the drop-down in position 2.
Now click in the text box for ID in position 3 to get the dynamic contents. From the dynamic content, select the ID of the current item.

Note: This provided action will break the item’s inheritance permission. However, this action has a potential issue: if any group or user has “full control” permission on the list, this permission will persist for the item. This action can’t remove their permission from the item.

Set Permissions for User

**Fig 5: Action – Grant access to an item or a folder**

Now to set permission, flow provides “Grant access to an item or a folder” action. Select this action as the next step as shown in the image (fig 5).
Now insert the same site address in position 1.
Select the list name from the drop-down in position 2 as shown in the above image.
Now you can insert the ID, as this is dynamic content by putting it from the dynamic content helper as position 3. You can even provide static value in this field.
To provide permission in the List item or library file, the user or group has to have an email address, by which flow would be able to identify and provide permission. In position 4, we have to provide an email address.
In position 5, we have to provide the “Role” which will identify the permission level. In this box, two option has been given as drop-down which is “Can edit” and “Can view”. We can select one of these options. Additionally, we have the option to specify a custom value, which must be a valid value.
If we want to add a custom value, we have to provide the Role Definition Id of the permission levels which we want to permit for the user.
If we want to notify the user about this given permission, then select “Yes” in position 7 and put your message in the message box on position 6.
For this demo, we are not notifying the user, so we have selected “No” in position 7.

Set permissions for SharePoint Group

With this provided action “Grant access to an item or a folder” in MS flow, we can’t change the permissions of the SP group. Because this action could only recognize the user/group who have an AD email address. As the SP group doesn’t have any, we can change permission for the SP group with this action. To change permission for the SharePoint group, we have to call the REST API endpoint for role assignment. We are using the following REST API to change the permission of the SP group.

_api/web/lists/getbytitle('<List Name>')/items(<List Item ID>)/roleassignments/addroleassignment(principalid='<Group/User’s Principle ID>',roleDefId=<Role Definition ID>)

From the above rest api, we have to change the red marked portion with the respective value. The details are given below.

**Fig 6: Action – Send an HTTP request to SharePoint**

For next step, select a new action “Send an HTTP request to SharePoint”.
Enter the site address in position 1.
Select “POST” as a method in position 2.
Put the rest URI in position 3. Provide your specific list name and list item id as shown in the above image. (Fig 6)
In position 5, provide the role definition id. Each SharePoint Permission level has a specific role definition id which you can get in detail in this article: Get SharePoint Role Definition IDs.
We have selected the role definition id “1073741926” which is for “Read” access.
In position 4, we have to provide the group’s principle id. To get the principle ID of a group, we have to get it from the site settings as described below.

Get the Group’s Principle ID

Fig 7: Getting the group's Principle ID — **Fig 7: Getting the group’s Principle ID**

Go to the Site Settings page.
Now, click in the ‘People and Group’ which is under ‘Users and.
Click on the specific group’s name. Site Settings > Users and Permissions > People and groups > “Groups Name”.
The group’s page will be opened with the group members as shown in the image (fig 7).
From this group’s page, we will get the Group’s Principle Id from the page URL. As an example, the “Tahmid Dev Members” group’s page, the URL has the parameter “MembershipGroupId” with the value ‘6’. As a result, this group’s PrinicipleID is 6.

Run the flow

Now the flow has been completed. We can test the flow now.
Here is the image of the full flow given below:

First, save the flow. Then click in the test.
Then create a new item in the “Test” list.
Let’s check the item’s permission as the flow hasn’t been running yet.

**Fig 9: Item’s Permission before running the flow**

We can see that the item is inheriting the list’s permission. And two groups have permission on this item which are Approvers and Designers.
Now, let’s see the situation after running the flow successfully.

**Fig 10: The item’s permission after running the flow**

After running the flow, the list item’s inheritance permission will be broken as shown in the image above (Fig 10).
The User and Group, for which we provided the permission “Read”, has given as we see can see in the image.

Conclusion

As we have previously noted, it is not possible to grant permission to a SharePoint group using the available actions. In order to achieve this, we must use REST API endpoints. Similarly, removing the permission for a specific user or group from an item cannot be done through the actions currently provided by MS Flow. In such cases, we must resort to using REST API endpoints to manage item level permissions in MS Flow.

I hope this article will help you. This article has also been published on C# Corner. Be safe. Happy Coding.