break and change list item permission using Power Automate

Using Power Automate (Microsoft Flow) to assign permissions on a single item, folder or file is fairly easy, but it can quickly become complicated if you traverse many sites and lists. This is a simple guide for the very basic setup. I often start by restoring the permissions on the item, so I know there is nothing inherited or old on the item that I need to care about. This basic example sets the author's permission to Read, so right after the item is created, the author will no longer be able to edit it.

How to break and change list item permission using Power Automate

  1. When an item is created
  2. Restore permissions on the item (unnecessary in this instance, but still)
  3. Break permission inheritance on the item
  4. Get the author who needs the permissions
  5. Assign Read permission to the author of the item

Restore Permissions

Each row of the flow below is listed as: Flow action, Action name, Details.

Flow action: Trigger
Action name: When an item is created
Comment: The flow runs whenever an item is created.

Flow action: Restore permissions
Action name: Send an HTTP request to SharePoint
Comment: Restore the inheritance of permissions on the item. This is not needed in this example, but it is still relevant if you change the trigger to "on create and modified".
Site Address: https://[domain].sharepoint.com
Method: POST
Uri: _api/lists/getByTitle('Temp list')/items(@{triggerOutputs()?['body/ID']})/ResetRoleInheritance()

Flow action: Break Permissions Inheritance
Action name: Send an HTTP request to SharePoint
Comment: Break the inheritance of the permissions on the item. If you want to keep the roles from the list, use "copyRoleAssignments=true" in the Uri.
Site Address: https://[domain].sharepoint.com
Method: POST
Uri: _api/lists/getByTitle('Indtastning')/items(@{triggerOutputs()?['body/ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=false)

Flow action: Get User
Action name: Send an HTTP request to SharePoint
Comment: Get the user based on the email. A user has a principal ID, so here we fetch the user information, ready for use in the next step.
Site Address: https://[domain].sharepoint.com
Method: POST
Uri: _api/web/SiteUsers/getByEmail('@{triggerOutputs()?['body/Author/Email']}')

Flow action: Assign permissions
Action name: Send an HTTP request to SharePoint
Comment: Assign permissions for the user that was fetched in the previous step. See the table below for the IDs of other permission roles.
Site Address: https://[domain].sharepoint.com
Method: POST
Uri: _api/lists/getByTitle('Indtastning')/items(@{triggerOutputs()?['body/ID']})/roleassignments/addroleassignment(principalid=@{body('GetUser')['d']['id']},roleDefId=1073741826)

roleDefId

Permission level    Role ID
Full Control        1073741829
Design              1073741828
Edit                1073741830
Contribute          1073741827
Read                1073741826
View Only           1073741824
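The same four REST calls as the flow above, as an added Python example (not code from the original post), with a pluggable send function so the URI construction and the role-ID lookup can be checked offline. It also adds a verification call that reads back which roles the author now holds on the item. The function names, the quote-escaping helper and the verbose-OData response shapes ({"d": {"Id": ...}} and {"d": {"results": [...]}}) are assumptions of this example.

```python
# Role definition IDs from the table on this page.
ROLE_DEF_IDS = {
    "Full Control": 1073741829, "Design": 1073741828, "Edit": 1073741830,
    "Contribute": 1073741827, "Read": 1073741826, "View Only": 1073741824,
}


def odata_str(value: str) -> str:
    """Quote a string as an OData literal; a single quote inside must be doubled
    (list titles and e-mails such as o'brien@... would otherwise break the URI)."""
    return "'" + value.replace("'", "''") + "'"


def item_uri(list_title: str, item_id: int) -> str:
    """Item endpoint, in the same form the flow uses; item_id is forced to int."""
    return f"_api/lists/getByTitle({odata_str(list_title)})/items({int(item_id)})"


def lock_item_to_author(list_title, item_id, author_email, send, role="Read"):
    """Run the flow's sequence: reset inheritance, break it without copying the
    list roles, look up the author, grant one role.  `send(method, uri)` is the
    caller's transport (assumed: it performs the request against the site and
    returns the parsed JSON body).  Returns (principal_id, uris_called)."""
    item = item_uri(list_title, item_id)
    calls = []

    def post(uri):
        calls.append(uri)
        return send("POST", uri)

    post(f"{item}/ResetRoleInheritance()")
    post(f"{item}/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=false)")
    user = post(f"_api/web/SiteUsers/getByEmail({odata_str(author_email)})")
    principal_id = int(user["d"]["Id"])  # assumed verbose-OData shape
    post(f"{item}/roleassignments/addroleassignment("
         f"principalid={principal_id},roleDefId={ROLE_DEF_IDS[role]})")
    return principal_id, calls


def roles_for_principal(list_title, item_id, principal_id, send):
    """Read back the role names a principal holds on the item, so the result of
    the flow can be verified instead of assumed."""
    uri = (f"{item_uri(list_title, item_id)}/roleassignments/"
           f"getbyprincipalid({int(principal_id)})/roledefinitionbindings")
    data = send("GET", uri)
    return sorted(binding["Name"] for binding in data["d"]["results"])
```

With copyRoleAssignments=false, SharePoint still grants the identity that performed the break (here, the account the flow's SharePoint connection runs as) Full Control on the item, so the read-back check is worth running for that account as well as for the author.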
