“I’d like to store approval history in another, read-only SP list, how should I set the permissions for such manually started Power Automate flow?”
Every action Power Automate flow does it does using an existing account in your organisation. There’s no “workflow” account, if it creates a SharePoint item, it’s created under that account. If it checks mailbox, it checks mailbox of that account, etc. Which can be good or bad.
Since it’s using a specific account it can do only the tasks that the account has permissions to do. If the account has permissions to delete a SP item, the flow will delete them. But if the user doesn’t have such permissions, the flow will fail – a potential problem when using manually started flows.
Permissions in manually started flows
Unlike automatically started flows where the account is always the same, in manually started flows you have a choice. The ‘Run only users’ settings allows you to define the flow connections – whose account should be used for the actions.
For every connection in the flow you can use either the connection of the user who started the flow, or a connection of the flow author.
Approval flow example
When you build for example an approval flow, you want to store also the approval history somewhere safe. Ideally in a location that users can’t edit, e.g. a separate SharePoint list with read-only permissions.
If you set the ‘Connections Used’ to ‘Provided by run-only user’, the flow will fail while creating the history entry. The users don’t have permissions to create the items and the flow can’t do it on their behalf.
If you on the other side set it to ‘Use this connection (…)’, all actions in the flow will be done under that account. If such flow sets the request status ‘In approval’, it’ll do so using the selected account instead of the user who started the flow. On the other side it can do all the actions that the account can do.
The last, and a bit confusing option is a combination. If you use different connections for the actions (even though they’re connecting to the same source), it’ll show the connection twice in the settings as seen on the image above.
That way you can keep some actions under the user account, while increasing the “permissions” for the ones the user wouldn’t be able to do otherwise.
Unfortunately I didn’t find any way to recognise which connections is which when sharing the flow – you’ll have to try it out.
When building a manually started Power Automate flow, you must consider also the permissions. If the flow uses the user account, it can use only the resources the user has access to. Once there’s a need to access some more restricted location you can’t use it anymore. For such actions enforce the use of another, fixed account with higher permissions.