Manage SharePoint permissions without HTTP requests (Power Automate)

Posted on October 7, 2020 (updated March 20, 2022) by Tom

“It was so easy to manage item permissions in a SharePoint 2010 flow, but in Power Automate I’m confused by all the HTTP requests and REST API.”


While you could manage permissions easily in a SharePoint 2010 workflow, in Power Automate the situation is different. You now have two options for handling permissions: a simple one using the dedicated Power Automate actions, and a complex one using HTTP requests and the REST API. This post is about the dedicated Power Automate actions.

Stop sharing an item or a file

The ‘Stop sharing an item or a file’ action breaks permission inheritance and removes permissions from all users and groups, except the ones with Full Control. That means all the Admins / Owners / Users who had Full Control on the list / library before the action will keep it. All it needs is the ID of an item or a file.

[Image: SharePoint permissions Power Automate]

To achieve the same functionality via the REST API you’d need at least 4 HTTP requests.

1. break permission inheritance
_api/web/lists/getByTitle('ListName')/items(ID)/breakroleinheritance(true)

2. get all current permissions
_api/web/lists/getByTitle('ListName')/items(ID)/roleassignments

3. remove all current permissions (with the "X-HTTP-Method": "DELETE" header, in a loop)
_api/web/lists/getByTitle('ListName')/items(ID)/roleassignments(UserOrGroupID)

4. assign Full Control back to the Owners / Admins / Users
_api/web/lists/getByTitle('ListName')/items(ID)/roleassignments/addroleassignment(PrincipalId=UserOrGroupID,roleDefId=FullControlRoleID)
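The four-request sequence above, written out as an added example that is not the blog’s own code. It drives the calls through a pluggable `send(method, url, headers, body)` callable (a hypothetical client wrapper, so the sequence can be exercised offline against constructed data), uses the endpoints quoted on the page and the Full Control RoleID from the page’s table, and deviates from the literal sequence in one respect: principals that already hold Full Control are skipped instead of being deleted and re-added, so the account the flow runs under never loses its own access part-way through. The site URL, list title, item ID and sample role assignments are all constructed.

```python
# Added example, not the blog's own code: emulating 'Stop sharing an item or a
# file' with the REST calls listed on the page, through a pluggable transport.
# Assumption: send(method, url, headers, body) -> dict is a hypothetical client.

FULL_CONTROL_ROLE_ID = 1073741829  # default RoleID for Full Control (page table)
JSON_HEADERS = {"Accept": "application/json;odata=verbose"}


def item_url(site_url, list_title, item_id):
    # Double any single quote in the title so it cannot break out of the literal
    safe_title = str(list_title).replace("'", "''")
    return f"{site_url}/_api/web/lists/getByTitle('{safe_title}')/items({int(item_id)})"


def stop_sharing(send, site_url, list_title, item_id, keep_role_id=FULL_CONTROL_ROLE_ID):
    """Break inheritance, then remove every role assignment that does not carry
    the kept role (Full Control by default). Principals holding the kept role
    are left untouched rather than deleted and restored, so the calling account
    keeps its access throughout. Returns the principal IDs removed and kept."""
    base = item_url(site_url, list_title, item_id)

    # 1. break permission inheritance; true copies the inherited assignments
    send("POST", f"{base}/breakroleinheritance(true)", JSON_HEADERS, None)

    # 2. read the current assignments with their role bindings expanded
    current = send("GET", f"{base}/roleassignments?$expand=RoleDefinitionBindings",
                   JSON_HEADERS, None)["d"]["results"]

    removed, kept = [], []
    for assignment in current:
        pid = int(assignment["PrincipalId"])
        roles = {int(b["Id"]) for b in assignment["RoleDefinitionBindings"]["results"]}
        if keep_role_id in roles:
            kept.append(pid)  # 4. Full Control stays in place instead of being re-added
            continue
        # 3. delete the assignment: a POST tunnelled as DELETE via X-HTTP-Method
        send("POST", f"{base}/roleassignments({pid})",
             {**JSON_HEADERS, "X-HTTP-Method": "DELETE"}, None)
        removed.append(pid)
    return {"removed": removed, "kept": kept}


class RecordingTransport:
    """Constructed stand-in for the HTTP client: records every call and answers
    the GET with fixed sample role assignments (not data from a real site)."""

    def __init__(self, assignments):
        self.assignments = assignments
        self.calls = []  # (effective method, url)

    def __call__(self, method, url, headers, body):
        self.calls.append((headers.get("X-HTTP-Method", method), url))
        if method == "GET":
            return {"d": {"results": self.assignments}}
        return {}


def _binding(*role_ids):
    return {"results": [{"Id": r} for r in role_ids]}


# Constructed sample: an owner with Full Control, an editor, and a reader.
SAMPLE_ASSIGNMENTS = [
    {"PrincipalId": 7, "RoleDefinitionBindings": _binding(FULL_CONTROL_ROLE_ID)},
    {"PrincipalId": 12, "RoleDefinitionBindings": _binding(1073741830)},  # Edit
    {"PrincipalId": 15, "RoleDefinitionBindings": _binding(1073741826)},  # Read
]


def run_sample():
    """Run the sequence against the constructed data and return the outcome
    together with the recorded calls, so the request order can be inspected."""
    transport = RecordingTransport(SAMPLE_ASSIGNMENTS)
    outcome = stop_sharing(transport, "https://contoso.example/sites/demo", "Requests", 42)
    return outcome, transport.calls


if __name__ == "__main__":
    result, calls = run_sample()
    print(result)
    for method, url in calls:
        print(method, url)
```

The recorded call list is the useful part when debugging a flow that does the same thing with HTTP actions: the break-inheritance POST must come first, the GET must expand `RoleDefinitionBindings` so the loop can tell who holds Full Control, and each removal is a POST carrying `X-HTTP-Method: DELETE`, exactly as the page describes.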

Limitation

I heard a complaint that the action keeps the Full Control permissions. That you don’t have control over it. That you can’t remove access for users with Full Control. But I don’t think it’s a valid complaint. If you need to remove users with Full Control, they probably shouldn’t even have Full Control in the first place.

Grant access to an item or a folder

The ‘Grant access to an item or a folder’ action is the natural next step after ‘Stop sharing an item or a file’. You removed all permissions from the item or file, and now you need to give some of them back. This action needs more than just an item ID: you also have to enter the recipients (users) and the roles to assign. By default the dropdown offers only 2 roles: Can edit (Edit permission level) and Can view (View permission level).

Luckily, you can also enter your own ‘Roles’ value for any other permission level, including your custom ones, for example to assign the Read permission level.

[Image: SharePoint permissions Power Automate]

This action replaces fewer REST API HTTP requests than the previous one, but it still saves a few.

1. get the user ID
_api/web/siteusers/getbyemail('userEmail')

2. assign permissions to the user
_api/web/lists/getByTitle('ListName')/items(ID)/roleassignments/addroleassignment(PrincipalId=UserID,roleDefId=RoleID)

Permission level IDs

As already mentioned, you don’t have to stay with Edit and View permissions, but you can use all the permission levels available on your SharePoint site. Below you can see a table with the default RoleIDs.

Default permission level IDs

Permission level    RoleID
Full Control        1073741829
Design              1073741828
Edit                1073741830
Contribute          1073741827
Read                1073741826
Approve             1073741927
View                1073741832

You can also find all the permission level IDs, including your custom levels, by opening the REST endpoint _api/web/roledefinitions in a browser and searching the response for <d:name>.
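The ‘Grant access’ path and the RoleID lookup, as an added example that is not the blog’s own code: it resolves a permission level name through `_api/web/roledefinitions` (so custom levels work too, falling back to the page’s default table only when the site does not know the name), resolves the recipient, and issues the `addroleassignment` call from the page. It also covers the case the dedicated action cannot handle, a SharePoint group recipient, via the standard `_api/web/sitegroups/getbyname` endpoint, which is not on the page. The `send(method, url, headers, body)` client, the site URL, the list title, the IDs, the custom level ‘Contribute No Delete’ and the `FakeSite` responses are all constructed assumptions; the `PrincipalType` values 1 (user) and 8 (SharePoint group) are SharePoint’s standard ones.

```python
# Added example, not the blog's own code: the REST calls behind 'Grant access
# to an item or a folder', plus the roledefinitions lookup for the RoleID.
# Assumption: send(method, url, headers, body) -> dict is a hypothetical client.

# Default permission level IDs as given in the page's table (fallback only)
DEFAULT_ROLE_IDS = {
    "Full Control": 1073741829, "Design": 1073741828, "Edit": 1073741830,
    "Contribute": 1073741827, "Read": 1073741826, "Approve": 1073741927,
    "View": 1073741832,
}
JSON_HEADERS = {"Accept": "application/json;odata=verbose"}


def odata_string(value):
    """Quote a value for an OData function argument. A single quote inside the
    value is doubled so untrusted input (a list title, an email taken from a
    form) cannot terminate the literal and change the request path."""
    return "'" + str(value).replace("'", "''") + "'"


def role_definition_id(send, site_url, level_name):
    """Resolve a permission level name to its RoleID via _api/web/roledefinitions,
    which lists custom levels as well; fall back to the page's default table."""
    url = f"{site_url}/_api/web/roledefinitions?$select=Id,Name"
    for role in send("GET", url, JSON_HEADERS, None)["d"]["results"]:
        if role["Name"] == level_name:
            return int(role["Id"])
    if level_name in DEFAULT_ROLE_IDS:
        return DEFAULT_ROLE_IDS[level_name]
    raise LookupError(f"unknown permission level {level_name!r}")


def principal_id(send, site_url, recipient):
    """Resolve a recipient to a principal ID. A value containing '@' is treated
    as a user email (what the dedicated action accepts); anything else is
    looked up as a SharePoint group name, the case the action cannot handle."""
    if "@" in recipient:
        url = f"{site_url}/_api/web/siteusers/getbyemail({odata_string(recipient)})"
    else:
        url = f"{site_url}/_api/web/sitegroups/getbyname({odata_string(recipient)})"
    return int(send("GET", url, JSON_HEADERS, None)["d"]["Id"])


def grant_access(send, site_url, list_title, item_id, recipient, level_name):
    """Assign one permission level on one item to one user or group."""
    role_id = role_definition_id(send, site_url, level_name)
    pid = principal_id(send, site_url, recipient)
    url = (f"{site_url}/_api/web/lists/getByTitle({odata_string(list_title)})"
           f"/items({int(item_id)})/roleassignments/addroleassignment"
           f"(PrincipalId={pid},roleDefId={role_id})")
    send("POST", url, JSON_HEADERS, None)
    return {"principal": pid, "role": role_id, "url": url}


class FakeSite:
    """Constructed stand-in for a site: answers each lookup from fixed sample
    data (IDs and names made up for the example) and records the calls."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if "/_api/web/roledefinitions" in url:
            return {"d": {"results": [
                {"Id": 1073741826, "Name": "Read"},
                {"Id": 1073741830, "Name": "Edit"},
                {"Id": 1073741990, "Name": "Contribute No Delete"},  # constructed custom level
            ]}}
        if "/siteusers/getbyemail(" in url:
            return {"d": {"Id": 12, "PrincipalType": 1}}  # 1 = user
        if "/sitegroups/getbyname(" in url:
            return {"d": {"Id": 5, "PrincipalType": 8}}   # 8 = SharePoint group
        return {}


if __name__ == "__main__":
    site, base = FakeSite(), "https://contoso.example/sites/demo"
    print(grant_access(site, base, "Requests", 42, "ann@contoso.example", "Read"))
    print(grant_access(site, base, "Requests", 42, "Project Members", "Contribute No Delete"))
```

Two points worth carrying over to a real flow: look the RoleID up by name on the site rather than hard-coding it, because custom levels get site-specific IDs, and quote every value that ends up inside the OData path, since a list title or email with a stray apostrophe would otherwise produce a malformed request.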

Limitation

This action can assign permissions only to recipients with an email address, that is, individual users and Microsoft 365 groups. You can’t assign permissions to a SharePoint group with it; that will always need an HTTP request.

Summary

In my opinion the ‘Stop sharing an item or a file’ action is a good starting point for any permission-setting flow. It saves a lot of HTTP requests and the related actions around them.

The same can’t be said of the second dedicated action, ‘Grant access to an item or a folder’. It isn’t a full replacement for the HTTP requests that assign permissions, as you’ll still need those for SharePoint groups. But if you use it, it still does some of the work; just don’t expect miracles.


12 thoughts on “Manage SharePoint permissions without HTTP requests (Power Automate)”

  1. Ali says:
    June 8, 2021 at 10:54 am

    Hello,
    Thanks for sharing this useful article.
    I tried the provided steps. I am getting a “404 – File or directory not found.” error at the permission assignment step.

    Reply
    1. Tom says:
      June 9, 2021 at 8:20 pm

      Hello Ali,
      I’d check if the item with the ID exists in the list/library, if you have the action configured correctly.

      Reply
  2. Soon Keang TAN says:
    September 8, 2021 at 1:34 pm

    Hi Tom,

    This is a great article, exactly what I was looking for!!!

    This works great since we would like to restrict access to limited users. Just one question: when there is a new person joining the SharePoint site/lists, he/she would be able to see all items created in the past, correct? Is there a solution for this?

    Thanks in advance for your support!

    Reply
    1. Tom says:
      September 10, 2021 at 10:40 pm

      Hello Soon Keang,
      it depends on whom you assign the permissions to:
      – If you assign the permissions directly to users, only the selected users will have access.
      – If you assign the permissions to a Microsoft 365 or Mail-enabled security group then every new member of that group will have access (and this is a preferred solution).

      Reply
  3. Nico says:
    September 24, 2021 at 9:20 am

    Hi Tom,

    thanks for your article!

    However I have a question: We are using document sets and the “stop sharing an item or file” action results in a JSON error. Therefore I’d like to use the REST API to remove all permissions on a document set.
    Can you do it without using IDs? I just want to remove every single R + R+W permission on the document set and set the permissions later on in the flow with the “Grant access” action.
    You describe it in your article with “(with “X-HTTP-Method”: “DELETE” header, in a loop)” – can you help me how to build this in Power Automate?

    Your help would be greatly appreciated, thank you! 🙂

    Reply
    1. Tom says:
      September 29, 2021 at 9:53 pm

      Hello Nico,
      did you check the other post on managing permissions on folders (as document set is basically a folder): https://tomriha.com/how-to-remove-permissions-from-a-sharepoint-folder-with-power-automate/? The ‘Stop sharing…’ actions don’t work on folders so I guess it’s expected that it won’t work on document sets either. But the http requests should work on both.

      Reply
  4. Nico says:
    October 21, 2021 at 2:33 pm

    Hello Tom.
    sorry for the late reply, been busy weeks.
    Just wanted to let you know that this worked perfectly fine. I didn’t see the other post, my bad.
    Thank you so much!
    I hope you have a great week! 🙂

    Reply
  5. Joseph Davoli says:
    January 8, 2022 at 8:05 pm

    Dear Tom,

    If it is not too much bother, I would like to share with you a strange experience I am having with the “Recipients” field of the “Grant access to an item or a folder”. I have an automated Flow that, among other things, grants access to items in a SharePoint XML forms library hosted on SharePoint Online. The library uses an InfoPath form (which is not going away anytime soon), and contains a list of Approvers created using a People Picker in a repeating section. However, as an InfoPath promoted property, only the user name of each approver (no e-mail address) is saved in the form and, thus available to the Flow.

    My Flow uses “Search for users (V2)” (Office 365 Users) to locate the current Approver’s e-mail, which I extract into a variable and then use that variable in the “Recipients” field for granting access. This works nearly all of the time, but the Flow crashed on the “Grant access etc.” step with the error “Couldn’t resolve user George.Washington@MyOrg.com”. When I looked at the JSON returned from “Search for users (V2)”, I see that there are actually two properties that contain e-mail addresses for a User:
    “Mail” and “UserPrincipalName”. Moreover, the e-mail addresses of this user, though similar, are different. The “Mail” property holds an address in the format “FirstName.LastName@MyOrg.com”; the UserPrincipalName property holds an e-mail address in the form FirstInitial and LastName (e.g.: “GWashington@MyOrg.com”).

    I am not certain whether the e-mail address in the UserPrincipalName will work either, but it must, since the Current Approver was initially selected using a People Picker which uses the same address list as Outlook.

    Any thoughts on how to resolve this? Somehow trapping the error of the “Grant access etc.” when it fails on “Mail” and re-trying it with “UserPrincipalName”, perhaps?

    I appreciate any insights you can offer.

    Sincerely,
    Joseph Davoli

    Reply
    1. Tom says:
      January 10, 2022 at 9:23 pm

      Hello Joseph,
      unless your Active Directory is a mess, it should be always the same user property – either the Mail or the UserPrincipalName property for all the users. But if you’d like to try both of the values, you can do it as you described. Try one of the properties first, and if it fails, try the other one.
      Each Power Automate action allows a run after configuration (shown e.g. here: https://tomriha.com/3-ways-to-disable-an-action-or-a-section-of-a-flow-in-power-automate/). You can:

      • ‘Grant access…’ using one of the emails
      • ‘Grant access… 2’ using the other email, this one configured to run if the 1st ‘Grant access…’ has failed
      • the action that follows, configured to run if the ‘Grant access… 2’ is successful or if it is skipped. That way the flow will continue in both situations.

      Reply
  6. Caliel says:
    January 19, 2022 at 6:30 pm

    Dear Tom,

    First I would like to thank and congratulate you for the content made available here, it is of great help.

    I have a question about collecting all objects from a parameter, as in the example below:

    I would like to return all blocks that contain “GroupId” = “00G5f000000PMOOEA4”.

    [
      {
        "@odata.etag": "",
        "ItemInternalId": "04bee7bb-3350-456e-a5c8-9e24b",
        "GroupId": "00G5f000000PMOLEA4",
        "Id": "0115f0000000yolAAA",
        "SystemModstamp": "2022-01-10T03:39:18Z",
        "UserOrGroupId": "0055f000007Vz7sAAC"
      },
      {
        "@odata.etag": "",
        "ItemInternalId": "4279baa9-5ea5-4002-96b0-30a1e8",
        "GroupId": "00G5f000000PMOQEA4",
        "Id": "0115f0000000yp6AAA",
        "SystemModstamp": "2022-01-10T03:50:50Z",
        "UserOrGroupId": "0055f000007Vz7iAAC"
      },
      {
        "@odata.etag": "",
        "ItemInternalId": "1fc4afd9-9969-4eac-a168-7ed381",
        "GroupId": "00G5f000000PMOKEA4",
        "Id": "0115f0000000yxOAAQ",
        "SystemModstamp": "2022-01-10T12:44:38Z",
        "UserOrGroupId": "0055f000007W2JfAAK"
      },
      {
        "@odata.etag": "",
        "ItemInternalId": "0389fe40-908c-4261-9ce5-778eef",
        "GroupId": "00G5f000000PMOOEA4",
        "Id": "0115f0000000yxnAAA",
        "SystemModstamp": "2022-01-10T12:46:00Z",
        "UserOrGroupId": "0055f000007W2JeAAK"
      },
      {
        "@odata.etag": "",
        "ItemInternalId": "205dc347-a75d-4d83-86e5-77bcdc",
        "GroupId": "00G5f000000PMOMEA4",
        "Id": "0115f0000000yygAAA",
        "SystemModstamp": "2022-01-10T12:57:01Z",
        "UserOrGroupId": "0055f000007Vz7jAAC"
      },
      {
        "@odata.etag": "",
        "ItemInternalId": "41439b91-955d-4015-acee-ed177",
        "GroupId": "00G5f000000PNmqEAG",
        "Id": "0115f0000000z0NAAQ",
        "SystemModstamp": "2022-01-10T14:18:39Z",
        "UserOrGroupId": "0055f000007Vz7gAAC"
      }
    ]

    The goal is to collect all “UserOrGroupId” that are in a given “GroupId”.

    Thanks.

    Reply
    1. Caliel says:
      January 20, 2022 at 2:37 pm

      I ended up using the wrong topic to ask this question, I apologize.

      Reply
    2. Tom says:
      January 23, 2022 at 5:30 pm

      Hello Caliel,
      use the ‘Filter array’ action to do that. Add the array of objects as the input, and filter only the items where GroupId is 00G5f000000PMOOEA4.
      Once you have the items filtered, you can use ‘Select’ to extract only the UserOrGroupId from the remaining objects.

      Reply
