Set/Change Security on items using Power Automate (Flow)
Level: Intermediate - Advanced
Hello!
If you're new to Power Automate (Flow), this post might be a little confusing.
So, please feel free to check out any of our other blog posts to help you get started with Power Automate (Flow)!
As always, if you have any questions, feel free to shoot us an email at: ben.fetters@sovereignsp.com
We'd be happy to answer any questions you have!
If you'd rather watch a video about this, click here to watch the video about this post on our YouTube Channel
But enough about that, let's begin!
Introduction
If you've used SharePoint Designer before, you know how easy it is to change item-level permissions by first breaking the inheritance (the list/library-level permissions on the item/file) and then adding new permissions for a person, people, or a specific SharePoint Group.
In this post, we'll be going over how to do all of these things using Power Automate (Flow)!
This post will also help you become more aware of what Power Automate is capable of as well as replace more of your SharePoint Designer workflows - if that's what you're trying to do, of course.
Now a fair warning.
This solution does require a bit more "coding" or whatever you'd like to call it. But be assured, once you've done this a few times, it will make much more sense and you'll have it down in no time.
Take it from me, who learned Power Automate and Power Apps without any previous coding knowledge AT ALL.
Because of this, I hope my explanations of what we'll be doing will make more sense to you, as it has only just recently made sense to me.
Using the Security Setting Actions Already Available
That being said, if your situation isn't too complex, you might be in luck. Power Automate has a few "Security Actions" that allow you to do simple permission changes as you can see below:
Stop sharing an item or file
Delete all links giving access to an item or a file and remove all people with direct access except for owners.
Grant access to an item or file
Grant access to an item or a folder in SharePoint to specific people.
I imagine there will be a day when Power Automate has all the permission actions we need, but for now we can at least be grateful for the HTTP request action, which gets the job done.
The recipients field is where you can put a string of emails separated by a ";". Everyone in the recipients field will get the permission setting set in the "Roles" field.
*Update* Under the "Roles" field, you can actually select "enter custom value" and then enter in "role:123456789" if you are wanting to set a custom permission level or just a different permission level besides "View" or "Edit". Click on the three dots on the top right corner and then click on "Peek Code" to see the exact syntax of what this action is looking for.
Of course, the number from my example, "123456789", would need to be replaced with the appropriate permission role number. This is explained later on in the blog; see the section titled "Permission Role Numbers", near the end, to find which number correlates with the permission setting you want.
Also, later on in this blog is information on getting the permission role number for a custom permission level that you have setup on your SharePoint site.
This is actually much easier than an HTTP request, but it requires that you have the emails of all the people you're setting permissions for. In other words, this is great when you're setting permissions for a user or a set of users rather than for a SharePoint group or groups.
Our company uses a mixture of this method and the HTTP request method, for when we want to set permissions for entire groups as well. The way you choose to set security is up to you; we have just found that a mixture of these two methods works best.
Now, on to the http request method for setting security!
Using HTTP Requests to Change Item Level Permissions
If you haven't heard anything about HTTP Requests, here's the simple run down:
HTTP Requests essentially add, update, and get data. They do more than that, but for our purposes, we'll just keep it to these three things.
So, as you can imagine, we're going to be using the Send an HTTP request to SharePoint action to help us change the permissions (update data) for a specific item in SharePoint.
The great part about HTTP Requests is that they can be customized to do more than the out-of-the-box functionality that the Stop sharing an item or file and Grant access to an item or file actions have to offer.
Of course, this does make them more complicated and tricky to implement correctly.
That being said, if you follow these next steps, you should be updating your permissions in no time. And hopefully learn a little on the way.
Let's get started!
Step 1 - Break Inheritance
If you don't know what breaking inheritance means, remember that breaking inheritance on an item in SharePoint means that the item (or file) will no longer "inherit" its permission settings based on the list (or library).
So, if your list/library has permissions set to a specific group, all the items/files/folders will "inherit" that permission setting and have the same permissions, unless the inheritance is broken and you want its permission settings to be something else (which of course we do).
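Essentially, because the request below passes copyRoleAssignments=false, the list's permissions are not copied to the item, so breaking the inheritance means the item/file won't have any permission settings for the moment.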
Without further delay, let's see how to do this using an HTTP Request:
Add the action Send an HTTP request to SharePoint.
For Site Address, select or enter the site where your list or library is.
For the method, choose Post (this means we're sending information to the server and asking it to store it somewhere or make a change).
For the Uri, type in the following:
_api/lists/getByTitle('<Your List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
Make sure that you replace <Your List Name> with your own list name and that you put in the item ID of the item you are wanting to break inheritance on instead of <Item ID>.
The request should handle any spaces in the name, but if it doesn't, you may need to add "%20" instead of spaces. (Example: "Your List Name" would look like "Your%20List%20Name".)
Tip: try running your flow on a test item and check the permissions to make sure the inheritance was broken correctly.
Step 2 - Get the Role Principal ID of the Group or Person you want to Add Permissions for
The next thing we need to do is get the Principal ID of the group or person that we want to set the permissions for.
We need this Principal ID so that SharePoint will know what group we're setting the permissions for.
For example, if I have a group named "Sovereign Employees Group" that I want to have only Read rights, I would first need to get the Principal ID of the "Sovereign Employees Group".
Luckily, we can do this using an HTTP Request.
First, we need to Initialize a Variable so that we can store the Principal ID somewhere.
So here, all we need to do is use the Initialize Variable action, give our variable a name (I'd call it something like varGroupNameID to keep things more organized), and make sure that the variable type is an Integer.
Next, we'll use an HTTP request to get the Group or User Principal ID
To do this, we'll just use the Send an HTTP Request to SharePoint action
However, since we're either setting the permissions to a SharePoint group or User, there are two different scenarios we'll need to cover.
Group Principal ID
User Principal ID
Add the action Send an HTTP request to SharePoint.
For the Site Address, select or enter the site where your list or library is.
Make sure the Method is Get, this means that we're "Getting" data back from SharePoint.
For the Uri, type in the following:
Group: _api/web/SiteGroups/getbyname('<Group Name>')
User: _api/web/SiteUsers/getByEmail('<User Email>')
Of course, remember to replace <Group Name> with the name of your group or replace <User Email> with the user's email.
The request should handle any spaces in the name, but if it doesn't, you may need to add "%20" instead of spaces. (Example: "Your Group Name" would look like "Your%20Group%20Name".)
Now, we will set our variable that we initialized (see Step 1.1) to the principal group or user ID that we retrieved from the previous HTTP request (see Step 1.2).
Whether you got a group's or a user's principal ID, this step will be the same.
To do this, we'll use the Set Variable action.
Add the action Set Variable
Select the variable you created in Step 1.1 for the Name
For the Value, you will need to add an Expression in order to get the Principal Group ID from the HTTP Request (see Step 1.2)
In the text box for the expression, enter in the following: body('Send_an_HTTP_request_to_SharePoint_2')?['d']['id']
Of course, you'll need to change Send_an_HTTP_request_to_SharePoint_2 to whatever you named your action that is getting the Group Principal ID. In my case, it was called "Send an HTTP request to SharePoint 2". You will also need to make sure you replace any spaces with "_".
Hit okay.
If you did this correctly, you should see this: (see the screen shot below)
Step 3 - Set Security
Now for the moment we've all been waiting for… let's set the security!
To do this, as you already know, we'll be using the Send an HTTP request to SharePoint action
Add the Send an HTTP request to SharePoint action
For the Site Address, select or enter the site where your list or library is.
Make sure the method is Post (this means we're sending information to the server and asking it to store it somewhere or make a change). In this case, you already know that we're asking SharePoint to add permissions to a specific item/file.
For the Uri, type the following:
_api/lists/getByTitle('<Your List Name>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<Principal ID>,roledefid=<Permission Setting>)
Make sure that you replace <Your List Name> with your own list name and that you put in the item ID of the item you are wanting to break inheritance on instead of <Item ID> as you did when you were breaking the inheritance.
Also, make sure you replace <Principal ID> with the variable we set to the Group/User Principal ID (see screen shot above).
As for the <Permission Setting> part, there are different series of numbers you can set that will mean different things (see what I put in the screen shot above).
Here's a table showing what each number series will do:
Permission Role Numbers
Full Control: 1073741829
Design: 1073741828
Edit: 1073741830
Contribute: 1073741827
Read: 1073741826
View Only: 1073741924
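Added example (not from the original post): the URIs from Steps 1 to 3 built in Python, to show the escaping that the "%20" notes hint at. A list or group name that comes from dynamic content can contain an apostrophe, which would end the quoted name early and change the request; doubling it and percent-encoding keeps the name a single value. The helper names, the item ID 7 and the sample response with Id 12 are constructed for illustration.

```python
import json
from urllib.parse import quote

# Built-in role definition IDs from the "Permission Role Numbers" table.
ROLE_IDS = {"Full Control": 1073741829, "Design": 1073741828, "Edit": 1073741830,
            "Contribute": 1073741827, "Read": 1073741826, "View Only": 1073741924}
# Constructed sample of a group lookup response (not captured from a real site).
SAMPLE_GROUP_RESPONSE = '{"d": {"Id": 12, "Title": "Sovereign Employees Group"}}'

def odata_literal(value):
    """Escape a name for use between the single quotes of a REST URI."""
    if not value or any(ord(c) < 32 for c in value):
        raise ValueError("name is empty or contains control characters")
    # An apostrophe inside a quoted OData string is written as two apostrophes;
    # quote() then percent-encodes spaces (%20), apostrophes (%27) and the rest.
    return quote(value.replace("'", "''"), safe="")

def item_uri(list_title, item_id):
    if isinstance(item_id, bool) or not isinstance(item_id, int) or item_id < 1:
        raise ValueError("item ID must be a positive integer")
    return f"_api/lists/getByTitle('{odata_literal(list_title)}')/items({item_id})"

def principal_lookup_uri(name, kind):
    """Step 2 GET request URI for a group name or a user email."""
    if kind == "group":
        return f"_api/web/SiteGroups/getbyname('{odata_literal(name)}')"
    if kind == "user":
        return f"_api/web/SiteUsers/getByEmail('{odata_literal(name)}')"
    raise ValueError("kind must be 'group' or 'user'")

def extract_principal_id(body):
    """Read the ID from the lookup response; accepts 'Id' or 'id' (assumption)."""
    d = json.loads(body)["d"]
    pid = d.get("Id", d.get("id"))
    if isinstance(pid, bool) or not isinstance(pid, int):
        raise ValueError("lookup response has no integer ID")
    return pid

def permission_requests(list_title, item_id, principal_id, role):
    """Return the Step 1 and Step 3 requests as (method, uri) pairs."""
    if role not in ROLE_IDS:
        raise ValueError(f"unknown role: {role}")
    if isinstance(principal_id, bool) or not isinstance(principal_id, int):
        raise ValueError("principal ID must be an integer")
    base = item_uri(list_title, item_id)
    return [
        ("POST", base + "/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)"),
        ("POST", base + f"/roleassignments/addroleassignment(principalid={principal_id},roledefid={ROLE_IDS[role]})"),
    ]
```

Rejecting a non-integer item ID or principal ID and an unknown role name means nothing other than the intended numbers can reach the URI.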
Need to Find the Custom Permission Role Definition ID?
Here's how you do it! You'll need to type in your browser:
https://site-url/_api/web/roledefinitions
Of course, remember to replace "site-url" with your site url.
It will look a little interesting with a lot of text, but you should be able to find the name of it as well as the Role Definition ID that you need. (Pro tip: if you press Ctrl+F to find text, you can simply type the name of your custom permission to find it faster) :)
Conclusion
Thank you so much for reading this post!
You learned a little bit more on how HTTP Requests work as well as how to set permission levels in SharePoint!
Here's what the final Flow looks like:
(Remember you can get either the ID of a User OR Group as explained earlier in this post)
Please, if you need any help with implementing this, feel free to send us an email at ben.fetters@sovereignsp.com. It's always great to hear from you.
Have a great day,
Ben Fetters