Manage SharePoint Online permissions with Power Automate step by step - Item level permissions in SharePoint Online

SharePoint Item Level Permissions: Keeping Your Data Safe and Secure with HTTP request


Set SharePoint item level permissions using Power Automate – in this tutorial, we will learn, step by step, how to set item level permissions on a SharePoint Online list using Power Automate. This is a very common requirement in SharePoint business solutions. Take a leave request application as an example: once a user has submitted a leave request, that user should no longer be able to edit it; only members of the approver group should be able to edit the submitted form. There are many similar scenarios, but we will use this one throughout the article.

Many of you might say that this could be handled through the Conditionally show or hide columns feature of a SharePoint list, but that is not a foolproof permission control: column formatting and conditional visibility only hide fields in the form. A user who still holds Edit permission on the item can change the values through Quick Edit, the REST API or any other client. We will write a separate article on these flaws.

Now, let’s get into the demo walk-through. In this demo, once a user adds an item to the leave request list, the site Members group loses its Edit permission on that item and is left with Read-only permission; then we grant a custom group (Leave Approvers) Full Control on the same item. Let’s get started.

Key-Highlights: Manage SharePoint Online permissions with Power Automate (SharePoint Item Level Permissions)

In this tutorial, we will learn how to manage the item level permissions in the below two ways:

  • Manage SharePoint Online permissions with the Send an HTTP request to SharePoint requests
  • Manage SharePoint Online permissions without Send an HTTP request to SharePoint requests

Manage SharePoint Online permissions with the Send an HTTP request to SharePoint requests

We assume that we have a leave request list along with the required columns ready.

Step 1: Add a Trigger Point – When an item is created in SharePoint

Item level permissions in SharePoint Online list – when an item is created in SharePoint trigger

Step 2: Break Inheritance – Send an HTTP request to SharePoint (POST operation)

Item level permissions in SharePoint Online list – break inheritance at the item level

API URI:

_api/lists/getByTitle('<Your SPO List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

Enter the below parameters in the Send an HTTP request to SharePoint action:

  • Site Address: <Your Site Address>
  • Method: POST
  • Uri: _api/lists/getByTitle('<Your SPO List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

Notes:

  • In the above Uri, select the item ID from the previous step (When an item is created) from the Dynamic Content tab.
  • The list name must be the list title, for example Leave Request.
  • copyRoleAssignments=false means the item does not copy the list’s role assignments. After this call the only assignment left on the item is the one for the account that made the request, i.e. the account behind the flow’s SharePoint connection, which keeps Full Control on the item; every other permission the item should have must be added explicitly in the following steps. clearSubscopes=true removes any unique permissions on child objects, which matters for folders and libraries rather than for list items.
  • Breaking inheritance and adding role assignments require the Manage Permissions right, so the SharePoint connection used by the flow must belong to an account with Full Control on the list.

Step 3: Initialize Variables

Initialize the below variables:

  • varMemberGroupName – type (String), default value <Your Site Members Group>
  • varGroupID_Int – type (Integer) – it will hold the site Members group ID
  • varLeaveApproverGroup – type (String), default value <Your Site Custom Group>
  • varCustomGroupIDInt_LeaveApprovers – type (Integer) – it will hold the custom group (Leave Approvers) ID
Item level permissions in SharePoint Online list – initialize variables in Power Automate

Step 4: Get Group ID (Site Members Group)

Item level permissions in SharePoint Online list – Get Group Details using SharePoint API

Add a Send an HTTP request to SharePoint action with Method GET and the URI below.

API URI: Group

_api/web/SiteGroups/getbyname('<Your Group Name>')

API URI: User

Similarly, to resolve a single user’s principal ID, the API is:

_api/web/SiteUsers/getByEmail('<Your User Email>')

Note that getByEmail only finds users who already exist in the site’s user information list (i.e. who have visited the site or been granted access); for a user who has never touched the site, a POST to _api/web/ensureuser with the login name adds the user and returns the ID.

Step 5: Set Group ID to variable

Item level permissions in SharePoint Online list – Set Group ID to variable in Power Automate

The variable value should be the expression below:

body('Send_an_HTTP_request_to_SharePoint_-_Get_Group_ID_(GSDRnD_Members)')?['d']?['Id']

Note:

  • Replace “Send_an_HTTP_request_to_SharePoint_-_Get_Group_ID_(GSDRnD_Members)” with the name of your own Send an HTTP request to SharePoint action (the one that gets the group ID). If the flow contains several Send an HTTP request to SharePoint actions, pick the right one from the “Dynamic Content” tab.
  • Constructing the body() expression by hand can be confusing, so use the expression above as the syntax and replace only the action name with yours.

Step 6: Update site group permission to Read Only

Item level permissions in SharePoint Online list – Set Read permission at item level using Power Automate

API URI from the demo:

_api/lists/getByTitle('Leave Request')/items(@{triggerOutputs()?['body/ID']})/roleassignments/addroleassignment(principalid=@{variables('varGroupID_Int')},roledefid=1073741826)

API Syntax:

_api/lists/getByTitle('<Your List Name(Title)>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<Principal ID(Group ID)>,roledefid=<Permission Setting(Read, Full Control, Contribute etc)>)

Explanations:

  • The API takes the list title and the ID of the item whose permissions you want to change; you get the item ID from the trigger action When an item is created (or When an item is created or modified, if that is your trigger).
  • principalid=<Principal ID (Group ID)> – the principal ID is the group ID obtained in the previous step.
  • roledefid=<Permission Setting> – a predefined numeric value. Each permission level (“Read”, “Contribute”, “Full Control”, “Design”, “Edit”, “View Only” and “Limited Access”) has its own unique ID; see the table below.

Permission levels in SharePoint Online

The table below lists the default permission levels in SharePoint Online with their role definition IDs, ordered from the highest permission to the lowest, i.e. from Full Control to Limited Access.

Permission       Role definition ID
Full Control     1073741829
Design           1073741828
Edit             1073741830
Contribute       1073741827
Read             1073741826
View Only        1073741924
Limited Access   1073741825

These IDs are the defaults. A custom permission level (or a default one that an administrator has customised) has its own ID, which you can look up with a GET to _api/web/roledefinitions/getbyname('<Permission Level Name>') and read from the Id property, in the same way as the group ID above.

Notes:

  • In the above demo we resolved the principal ID (group ID) inside Power Automate itself; it can also be read from the site UI, as shown in the next section.

URL to get the site Group ID in SharePoint Online: How to find SharePoint group ID

URL Syntax:

<Your Site URL>/_layouts/15/people.aspx?MembershipGroupId=<Group ID>

Example:

https://globalsharepoint2020.sharepoint.com/sites/GSDRnD/_layouts/15/people.aspx?MembershipGroupId=14

Go to your site’s “_layouts/15/people.aspx” page and select the group whose ID you want from the left-hand navigation. The “MembershipGroupId=” query string parameter in the URL is the group ID (principal ID); you can hard-code it in the Power Automate steps above instead of resolving it in the flow.

However, resolving the group ID within Power Automate is recommended: group IDs differ from site to site, so a flow that looks the group up by name keeps working when it is moved to another site.

Demo to get Group ID from the site group page. How to find SharePoint group ID

How to find SharePoint group ID – Item level permissions in the SharePoint Online list

Now, let’s get back to the agenda of this article. So far we have seen how to replace the site Members group’s Edit permission with Read as soon as an item is added to the leave request list.

Similarly, we can grant “Full Control” to the custom group “Leave Approvers”; the steps are exactly the same as above (resolve the group ID, then call addroleassignment with the Full Control role definition ID).

Power Automate Grant access to SharePoint group

In the following part of the flow we assign “Full Control” on the item to the custom site group “Leave Approvers”. For this demo we created this test group; you can use the same technique with any custom group.

Item level permissions in SharePoint Online list using Power Automate – Get site group by name (parts 1–3)

API URI from the demo

_api/lists/getByTitle('Leave Request')/items(@{triggerOutputs()?['body/ID']})/roleassignments/addroleassignment(principalid=@{variables('varCustomGroupIDInt_LeaveApprovers')},roledefid=1073741829)

API Syntax:

_api/lists/getByTitle('<Your List Name(Title)>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<Principal ID(Group ID)>,roledefid=<Permission Setting(Read, Full Control, Contribute etc)>)

Note:

  • In the API, pass your list title, item ID, principal ID (group ID) and the “roledefid” from the permission table above; here we passed the role definition ID 1073741829, which is the value for “Full Control”.
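To show the whole procedure end to end, here is an added Python example (not part of the original tutorial and not Power Automate’s own code) that replays Steps 2 to 6 and the approver grant as the REST calls the flow issues. The transport is injected, so the block runs offline against a small in-memory stand-in for the site; the group names, principal IDs and list-level permissions in `demo()` are constructed for the example, and the stand-in’s handling of copyRoleAssignments=false (inherited assignments are dropped except the caller’s, so the connection account keeps Full Control on the item) follows the documented SharePoint behaviour. Replacing `FakeSharePoint.send` with a function that issues authenticated HTTP requests would run the same sequence against a real site.

```python
import re

# Default SharePoint Online role definition IDs (the permission table above).
ROLE_DEF_IDS = {
    "Full Control": 1073741829,
    "Design": 1073741828,
    "Edit": 1073741830,
    "Contribute": 1073741827,
    "Read": 1073741826,
    "View Only": 1073741924,
    "Limited Access": 1073741825,
}


def lookup_group_id(send, group_name):
    """Steps 4 and 5: resolve a site group to its principal ID and read ?['d']?['Id']."""
    body = send("GET", f"_api/web/SiteGroups/getbyname('{group_name}')")
    return body["d"]["Id"]


def flow_requests(list_title, item_id, members_group_id, approvers_group_id):
    """Steps 2 and 6 plus the approver grant: the ordered POSTs the flow sends."""
    item = f"_api/lists/getByTitle('{list_title}')/items({item_id})"
    return [
        ("POST", f"{item}/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)"),
        ("POST", f"{item}/roleassignments/addroleassignment("
                 f"principalid={members_group_id},roledefid={ROLE_DEF_IDS['Read']})"),
        ("POST", f"{item}/roleassignments/addroleassignment("
                 f"principalid={approvers_group_id},roledefid={ROLE_DEF_IDS['Full Control']})"),
    ]


def run_flow(send, list_title, item_id, members_group, approvers_group):
    """Replays the whole flow through `send(method, uri) -> json` and returns the resolved IDs."""
    members_id = lookup_group_id(send, members_group)
    approvers_id = lookup_group_id(send, approvers_group)
    for method, uri in flow_requests(list_title, item_id, members_id, approvers_id):
        send(method, uri)
    return members_id, approvers_id


class FakeSharePoint:
    """In-memory stand-in (constructed for this example) for the endpoints the flow touches."""

    def __init__(self, caller_id, groups, list_roles):
        self.caller_id = caller_id          # principal behind the flow's SharePoint connection
        self.groups = groups                # group title -> principal ID
        self.list_roles = dict(list_roles)  # list-level assignments: principal ID -> role def ID
        self.unique = {}                    # item ID -> own assignments once inheritance is broken
        self.log = []

    def effective_roles(self, item_id):
        """What a permission check sees: the item's own assignments, or the list's while it inherits."""
        return self.unique.get(item_id, self.list_roles)

    def send(self, method, uri):
        self.log.append((method, uri))
        m = re.fullmatch(r"_api/web/SiteGroups/getbyname\('([^']+)'\)", uri)
        if m and method == "GET":
            return {"d": {"Id": self.groups[m.group(1)], "Title": m.group(1)}}
        m = re.fullmatch(r"_api/lists/getByTitle\('[^']+'\)/items\((\d+)\)/(.+)", uri)
        if not m or method != "POST":
            raise ValueError(f"unsupported request: {method} {uri}")
        item_id, op = int(m.group(1)), m.group(2)
        if op.lower().startswith("breakroleinheritance("):
            # copyRoleAssignments=false drops the inherited assignments except the caller's,
            # so the connection account ends up with Full Control on the item.
            roles = dict(self.list_roles) if "copyroleassignments=true" in op.lower() else {}
            roles.setdefault(self.caller_id, ROLE_DEF_IDS["Full Control"])
            self.unique[item_id] = roles
            return {}
        a = re.fullmatch(r"roleassignments/addroleassignment\(principalid=(\d+),roledefid=(\d+)\)", op)
        if a:
            if item_id not in self.unique:
                raise ValueError("operation not allowed on an object that inherits permissions")
            self.unique[item_id][int(a.group(1))] = int(a.group(2))
            return {}
        raise ValueError(f"unsupported operation: {op}")


def demo(item_id=7):
    """Runs the flow against the fake and returns (roles before, roles after, request log)."""
    # Constructed principal IDs; GSDRnD Members starts with Edit on the list, as in the tutorial.
    caller, members, approvers = 1001, 5, 14
    sp = FakeSharePoint(
        caller_id=caller,
        groups={"GSDRnD Members": members, "Leave Approvers": approvers},
        list_roles={members: ROLE_DEF_IDS["Edit"], approvers: ROLE_DEF_IDS["Contribute"]},
    )
    before = dict(sp.effective_roles(item_id))
    run_flow(sp.send, "Leave Request", item_id, "GSDRnD Members", "Leave Approvers")
    return before, dict(sp.effective_roles(item_id)), sp.log


if __name__ == "__main__":
    before, after, log = demo()
    for method, uri in log:
        print(method, uri)
    print("before:", before, "after:", after)
```

The “after” state makes the security point of the procedure visible: the Members group is down to Read and Leave Approvers hold Full Control, but the connection account (principal 1001 in the example) also holds Full Control on the item, and any other list-level principal that was not re-added explicitly has no access at all.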

Item level permissions in SharePoint Online list using Power Automate – Complete Power Automate Steps

Here are the screenshots of the complete Power Automate flow.

Item level permissions in SharePoint Online list using Power Automate – complete flow (Part 1 and Part 2)

Item level permissions in SharePoint Online list using Power Automate – Demo Result

Let’s recap what we did. In this demo, whenever a member of the site group (GSDRnD Members), which has Edit permission on the list by default, adds an item to the “Leave Request” list, the flow removes that group’s inherited Edit permission on the item and grants it “Read” instead, so members cannot edit the items they have just created.

On the other hand the custom site Group “Leave Approvers” will get the “Full Control” permission.

Let’s go to the GSD RnD site, and add a few test items to the Leave Request list.

Update Item level permissions in SharePoint Online list using Power Automate demo – “This cell is read only” in SharePoint Online

Wait for the Power Automate run to complete, then check whether the flow ran successfully; in this demo it did.

Flow run history –  set Item level permissions in SharePoint Online list using Power Automate

Now, if you refresh the “Leave Request” list, you will find that you can no longer edit the items you just created. In this demo we created three test leave request items, and each now shows a lock icon indicating that the user only has Read permission on it. The icon was not there at the moment the items were created; it appeared after the Power Automate run. Keep that gap in mind: the When an item is created trigger polls the list, so for a short window after creation (up to a few minutes, depending on your Power Automate plan) the item still inherits the list permissions and its creator can edit it.

At the same time, if you are a member of the “Leave Approvers” custom site group and go to the “Leave Request” list, you will be able to edit the same items, because the flow assigned that group “Full Control” on them.

Now, let’s log in to the same Leave Request list using the Global SharePoint Diary account which is a member of the “Leave Approvers” custom site group, there we could see that this account is able to edit the list items.

Update Item level permissions in SharePoint Online list using Power Automate demo – the approver group can edit the items
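The screenshots above verify one item by hand. The following added Python example (not part of the original tutorial) automates that check across the list: it reads the verbose JSON returned by `_api/web/lists/getByTitle('Leave Request')/items?$select=Id,HasUniqueRoleAssignments&$expand=RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings` and flags items that still inherit list permissions (the flow has not run or failed), items where the Members group holds more than Read, items where Leave Approvers lack Full Control, and individual users who received edit rights by sharing. The response embedded below is constructed for the example, and the “Leave Flow Connection” account title is an assumption standing in for whatever account backs the flow’s connection (it holds Full Control on every item the flow has processed, so it is allow-listed).

```python
import json

SP_USER, SP_GROUP = 1, 8                 # PrincipalType values SharePoint returns for users and site groups
MEMBERS_GROUP = "GSDRnD Members"
APPROVERS_GROUP = "Leave Approvers"
FLOW_ACCOUNT = "Leave Flow Connection"   # assumed title of the account behind the flow's connection
READ_ONLY = {"Read", "View Only", "Limited Access"}


def _assignment(title, ptype, *levels):
    return {"Member": {"Title": title, "PrincipalType": ptype},
            "RoleDefinitionBindings": {"results": [{"Name": name} for name in levels]}}


def _item(item_id, unique, *assignments):
    return {"Id": item_id, "HasUniqueRoleAssignments": unique,
            "RoleAssignments": {"results": list(assignments)}}


# Constructed response in the verbose (odata=verbose) shape of
# _api/web/lists/getByTitle('Leave Request')/items
#     ?$select=Id,HasUniqueRoleAssignments&$expand=RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings
SAMPLE_RESPONSE = json.dumps({"d": {"results": [
    # 1: the flow ran as intended
    _item(1, True, _assignment(FLOW_ACCOUNT, SP_USER, "Full Control"),
          _assignment(MEMBERS_GROUP, SP_GROUP, "Read"),
          _assignment(APPROVERS_GROUP, SP_GROUP, "Full Control")),
    # 2: the flow has not run yet (or failed), so the item still inherits Edit for members
    _item(2, False, _assignment(MEMBERS_GROUP, SP_GROUP, "Edit"),
          _assignment(APPROVERS_GROUP, SP_GROUP, "Contribute")),
    # 3: someone re-granted Edit to the members group at item level
    _item(3, True, _assignment(FLOW_ACCOUNT, SP_USER, "Full Control"),
          _assignment(MEMBERS_GROUP, SP_GROUP, "Read", "Edit"),
          _assignment(APPROVERS_GROUP, SP_GROUP, "Full Control")),
    # 4: the requester got direct access through sharing, and approvers only have Read
    _item(4, True, _assignment(FLOW_ACCOUNT, SP_USER, "Full Control"),
          _assignment(MEMBERS_GROUP, SP_GROUP, "Read"),
          _assignment(APPROVERS_GROUP, SP_GROUP, "Read"),
          _assignment("Requester One", SP_USER, "Contribute")),
]}})


def audit_items(payload, allowed_users=(FLOW_ACCOUNT,)):
    """Returns (item id, finding) pairs for every item that deviates from the intended state."""
    findings = []
    for item in json.loads(payload)["d"]["results"]:
        iid = item["Id"]
        if not item["HasUniqueRoleAssignments"]:
            findings.append((iid, "still inherits list permissions: flow not run or failed"))
            continue
        approvers_full_control = False
        for ra in item["RoleAssignments"]["results"]:
            title, ptype = ra["Member"]["Title"], ra["Member"]["PrincipalType"]
            levels = {b["Name"] for b in ra["RoleDefinitionBindings"]["results"]}
            if title == MEMBERS_GROUP and not levels <= READ_ONLY:
                findings.append((iid, f"{MEMBERS_GROUP} holds {sorted(levels - READ_ONLY)}"))
            elif title == APPROVERS_GROUP:
                approvers_full_control = "Full Control" in levels
            elif ptype == SP_USER and title not in allowed_users and not levels <= READ_ONLY:
                findings.append((iid, f"user {title} has direct {sorted(levels)} access"))
        if not approvers_full_control:
            findings.append((iid, f"{APPROVERS_GROUP} lacks Full Control"))
    return findings


if __name__ == "__main__":
    for item_id, finding in audit_items(SAMPLE_RESPONSE):
        print(f"item {item_id}: {finding}")
```

Running this periodically (or as a second flow) catches the two ways the control quietly degrades: items the trigger missed or whose run failed, and item-level grants added later through the sharing dialog.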

Manage SharePoint Online item level permissions without the Send an HTTP request to SharePoint requests

In the above demo we managed SharePoint Online permissions with the Send an HTTP request to SharePoint action. In this section we do the same without it, using two built-in SharePoint connector actions:

  • Stop sharing an item or a file
  • Grant access to an item or a folder

Stop sharing an item or a file: Item level permissions in SharePoint Online list

To remove the existing permissions on the item we add the “Stop sharing an item or a file” action. It deletes all sharing links on the item and removes everyone with direct access except the owners, so unlike the REST approach above it leaves the Members group with no access to the item at all, rather than Read.

In Stop sharing an item or a file action, we need to pass the below parameters:

  • Site Address – your site URL
  • List or Library Name – your list Title
  • Id – Item ID
Stop sharing an item or a file – Item level permissions in SharePoint Online list using Power Automate

Grant access to an item or a folder: Item level permissions in SharePoint Online list

In the Grant access to an item or a folder action, we need to pass the below parameters:

  • Site Address – your site URL
  • List or Library Name – your list title
  • Id – Item ID
  • Recipients – a collection of recipients (e-mail addresses) who will receive the sharing invitation; you can add more than one recipient.
  • Roles – the permission to grant to the recipients: Can view or Can edit. Because this action works through sharing, it cannot grant a specific permission level such as Full Control; use the REST approach above when you need that.
  • Message – optional parameter
  • Notify recipients – optional parameter of type Yes/No.
Grant access to an item or a folder – Item level permissions in SharePoint Online list using Power Automate

That’s it; we are done with both ways of managing item level permissions in SharePoint Online using Power Automate.

Summary: Set Item level permissions in SharePoint Online list (Set item level permissions using Power Automate)

Thus, in this tutorial, we have learned how to set item level permissions in a SharePoint Online list using Power Automate, using the below two techniques:

  • Manage SharePoint Online permissions with the Send an HTTP request to SharePoint requests
  • Manage SharePoint Online permissions without Send an HTTP request to SharePoint requests
  • How to use the send an HTTP request to SharePoint action.
  • How to use the Stop sharing an item or a file action.
  • How to use the Grant access to an item or a folder action.
