Set Item Level Permission in SharePoint List using Power Automate - Netwoven

Set Item Level Permission in SharePoint List using Power Automate

By Amit Baruli  •  November 3, 2020  •  17982 Views

Set Item Level Permission in SharePoint List using Power Automate

Introduction

In SharePoint List, if any privilege (like Read, Contribute or Full Control) is provided to any SharePoint User or Group, then that user or people of that group enjoy their level of access on all the items.

However, it may sometimes be required to limit user access to their own created or modified items only.

I quote an example as in the case of employee payslips. While all members of the Accounts Department (group), which generates payslips, can access all payslips for all employees of the organization at any central storage location, the payslips of any user are accessibly only to the corresponding user

Considering real world scenarios, this may seem to be a cumbersome manual process considering the volume of items for which permissions have to be uniquely provided to a specified set of users of groups, since the default behavior of each list item is to inherit from its parent (list).
One approach to break and reset permission at item level is to use Power Automate which breaks the default permission inheritance and sets up unique permission on each SharePoint list item.

Creating the Solution

Create SharePoint List

I have used another example in the article to demonstrate the case study and its solution. Begin with adding a SharePoint list named ‘ContactList’ to the Site Contents. In that ‘ContactList’, add a Manager column of type Person or Group.

Set Item Level Permission in SharePoint List using Power Automate

I am trying to associate a Manager for each contact item in the list, who will be assigned Contribute access to the item for any modification on the list item.

The next sections demonstrate the process to reaching the solution using Power Automate.

Setup the Flow

Log in with your Office 365 account to https://flow.microsoft.com/, and Create a new “Automated flow”.

Assign a name to the Flow and select the trigger as “When an item is created or modified”.

Set Item Level Permission in SharePoint List using Power Automate

Create and follow the below steps:

Step 1

Point the Flow trigger to the appropriate SharePoint Site Address and List Name.

Set Item Level Permission in SharePoint List using Power Automate

Step 2

Add the new step as “Send an HTTP request to SharePoint” action.

Note: Since this action will be used multiple times in the process, rename the action for better identification.

This action here will break the default inheritance permission on the list item.

Set Item Level Permission in SharePoint List using Power Automate

Fill the above fields as follow:

Site Address: Select the Site Address as in Step 1

Method: POST

Uri: Enter the following text:

_api/lists/getByTitle('List_Name')/items(@{triggerOutputs()?['body/ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

copyRoleAssignments – Specifies whether to copy the role assignments from the parent securable object.

clearSubscopes – with the clearSubscopes parameter set as true, the role assignment for all child objects will be cleared and those objects will inherit role assignments from the current object after this call.

Step 3

Next step is to fetch all the Manager Ids of a particular item from this list to modify their access to Contribute. To do so, we will add another “Send an HTTP request to SharePoint” action and rename it for identification of this step.

Set Item Level Permission in SharePoint List using Power Automate

Site Address remains the same throughout.

Use the GET method. And enter the below text as URI

_api/web/lists/getByTitle(‘List_Name’)/items(@{triggerOutputs()?[‘body/ID’]})?$select=Manager/Id&$expand=Manager

Step 4

Parse the JSON output from the “Send an HTTP request to SharePoint – Get User List” request, using the “Parse JSON” action, as shown in the below image.

Set Item Level Permission in SharePoint List using Power Automate

Paste the below text in Schema field. Schema is nothing but it is the structure and semantic of output of the previous step (i.e. Step 3). (Refer this link for how to generate schema).

{
    "type": "object",
    "properties": {
        "d": {
            "type": "object",
            "properties": {
                "__metadata": {
                    "type": "object",
                    "properties": {
                        "id": {
                            "type": "string"
                        },
                        "uri": {
                            "type": "string"
                        },
                        "etag": {
                            "type": "string"
                        },
                        "type": {
                            "type": "string"
                        }
                    }
                },
                "Manager": {
                    "type": "object",
                    "properties": {
                        "results": {
                            "type": "array",
                            "items": {
                                "type": "object",
                                "properties": {
                                    "__metadata": {
                                        "type": "object",
                                        "properties": {
                                            "id": {
                                                "type": "string"
                                            },
                                            "type": {
                                                "type": "string"
                                            }
                                        }
                                    },
                                    "Id": {
                                        "type": "integer"
                                    }
                                },
                                "required": [
                                    "__metadata",
                                    "Id"
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}

Step 5

Use the results output from the parse JSON action to get the entire users list, which will be iterated through for each Manager’s Id which can be either User Id or Group Id associated with the specific item ID.

Set Item Level Permission in SharePoint List using Power Automate

Add another action “Send an HTTP request to SharePoint” to assign the required permission to the specific item ID.

Set Item Level Permission in SharePoint List using Power Automate

Method: POST

Uri: Enter the below text:

_api/lists/getByTitle('List_Name')/items(@{triggerOutputs()?['body/ID']})/roleassignments/addroleassignment(principalid=@{items('Apply_to_each')?['Id']},roledefid=1073741827)

PrincipalId: It is taken from Id field of the Parse JSON request.

RoleDefId: 1073741827 is the ID associated with Contribute permission. Refer to the below table for roles/access and associated predefined IDs for assignment per the requirement.

Permission LevelPermission ID
Full Control1073741829
Read1073741826
Contribute1073741827

That is all, the flow is ready to run.

Verifying the Flow Solution

Create a new item on the list, select any Person or Group in the Manager field and save the item.

Set Item Level Permission in SharePoint List using Power Automate

For the item for which modification is made, check “Manage Access” to confirm that the selected person/group in the Manager field have gotten the contribute permission for that item.

Set Item Level Permission in SharePoint List using Power Automate

9 comments

  1. Hello, I am interested in your article but there is a missing url at step 3 “Use the GET method. And enter the below text as URI” is it possible to specify it
    Thank you very much for your work

    1. Hi Eric,
      I’d missed the text. Enter the below text as URI-

      _api/web/lists/getByTitle(‘List_Name’)/items(@{triggerOutputs()?[‘body/ID’]})?$select=Manager/Id&$expand=Manager

  2. Hi,

    Is there any reasons why the actions “Grant access to an item or a folder” and “Stop sharing an item or a file” wouldn’t be used for this instead of messing with the HTTP requests?

    Cheers

  3. I was researching this as well and from what I’ve found, it seems like “grant access” does not allow you to grant access to a group – only to an email address or a people field.

  4. Hello,

    first of all many thanks for this super tutorial.
    If I search for another attribute instead of manager, where do I have to make adjustments everywhere?

    I currently get errors and just don’t see where anything else needs to be adjusted.

    Kind regards and thank you!

  5. Hello Amit,

    I facing issue on step 3.
    I already have column “Manager” but it’s giving me this error. Can you help me with this sir?
    The field or property ‘Manager’ does not exist.
    clientRequestId: 9fc0ca5a-61a5-42dd-824e-ab7f6ba7f853
    serviceRequestId: b1f3fa9f-f099-0000-b56a-8ea96d09bdea

Leave a comment

Your email address will not be published. Required fields are marked *

Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Fast Track
Microsoft Partner
MISA
MISA
Unravel The Complex
Stay Connected

Subscribe and receive the latest insights

Netwoven Inc. - Microsoft Solutions Partner

Get involved by tagging Netwoven experiences using our official hashtag #UnravelTheComplex