Jake Mannion

Posted on • Originally published at hamsandwich.dev

Advanced SharePoint Permission Actions with Power Automate

Setting and creating permissions with precision using HTTP flow actions

📅 Originally published May 26, 2022 - hamsandwich.dev

Background

SharePoint is known for its highly customizable permissions. That flexibility can have its perils, of course, but with the right approach (and for the right scenarios) it can be very effective.

Power Automate provides a few basic connector actions for working with SharePoint permissions:

  1. Revoke access to an item
  2. Create access links for an item

Not much for now, but fortunately the HTTP to SharePoint action opens up numerous other possibilities.


Familiar Methods, New Approach

SharePoint's REST API has a number of endpoints for managing permissions. Most methods can be re-used across different entities like sites, lists, items, etc.

If you've done on-premises SharePoint development, you may already be familiar with some of them.

The calls are simple - no payloads, headers or returns to process for most scenarios. The only tricky part can be finding the exact syntax, and there may be some data peculiarities to manage, depending on your scenario.


HTTP Action Examples

🔷 Getting the Principal ID of a Group

Type: GET


ℹ️ Note: Replace GROUP NAME with your target group name

_api/web/sitegroups/getbyname('GROUP NAME')/Id

🔷 Getting Principal IDs for All Groups

Type: GET


_api/web/sitegroups?$select=Title,ID

Results will be an array of all groups available on the site.

ℹ️ Note: You can find group IDs manually by clicking individual groups within Site Settings -> People and Groups and checking the address bar.


Cutting this corner won't save you much time, however. For most scenarios, it's better to fetch the value(s) at runtime.


🔷 Getting Principal ID for Specific User

Type: GET

exploring data structure with SP Insider

There are a couple of ways to do this. First, you might want to use a tool like SP Insider (pictured above) to get familiar with the SiteUsers data structure within your site.


Here are two sample queries - one for email, one for user name:

_api/Web/SiteUsers?$filter=Email eq 'Sample.Person@samplesite.com'

ℹ️ Note: The search terms are case sensitive!

_api/Web/SiteUsers?$filter=Title eq 'Sample Person'


You'll get a single-node array in the return, containing the user's ID value for that site.


🔷 Getting Principal IDs for All Users

Type: GET


ℹ️ You'll potentially be getting a lot of data back with this one, so consider using $select to narrow the return down to just the fields you need.

_api/Web/SiteUsers?$select=ID,Title,Email

There are some important limitations to consider here:

  1. SiteUsers data is site-specific
  2. A user's Principal ID on one site will be different from their Principal ID on another
  3. The SiteUsers list will only contain records for users who have visited the site (or have been added via a few other methods).

There is an ensureUser method to explore, if you want to pursue this approach further.


🔷 Getting All List/Library GUIDs

Type: GET

I tend to work with GUIDs more than GetByTitle endpoints, so the examples on this page are tailored to that approach. Here's a quick way to get all list GUIDs on a site, in case you need it:


_api/Web/Lists?$select=Title,ID

🔷 Getting All Role Definitions

Type: GET

Each permission role in SharePoint (Full Control, Edit, etc.) has a specific ID associated with it. You'll need this value for some of the example calls below.


_api/web/roledefinitions

Results will be an array containing objects for each role definition.


🔷 Get Current Permissions on Item/Document

Type: GET


_api/web/lists/getbytitle('LIST NAME')/items(ITEM ID)/roleassignments

This will return an array of objects. Each PrincipalId tells you who has permission on the item, but not the permission type.


Use an Apply to Each step to loop through the results and perform further actions.
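To see the permission type as well as the principal, the same call can be made with `?$expand=Member,RoleDefinitionBindings` appended. The sketch below is an added example, not from the original post: it flattens such a response into one row per principal and flags grants worth a manual review. The sample response, the function names and the flag labels are constructed for illustration.

```javascript
// Constructed sample response (odata=verbose shape) for:
//   _api/web/lists/getbytitle('LIST NAME')/items(ITEM ID)/roleassignments
//     ?$expand=Member,RoleDefinitionBindings
const sampleBody = { d: { results: [
  { PrincipalId: 5, Member: { Title: "Project Members", PrincipalType: 8 },
    RoleDefinitionBindings: { results: [{ Id: 1073741827, Name: "Contribute" }] } },
  { PrincipalId: 12, Member: { Title: "Sample Person", PrincipalType: 1 },
    RoleDefinitionBindings: { results: [{ Id: 1073741829, Name: "Full Control" }] } },
  { PrincipalId: 14, Member: { Title: "Other Person", PrincipalType: 1 },
    RoleDefinitionBindings: { results: [{ Id: 1073741825, Name: "Limited Access" }] } },
] } };

// Principal types as SharePoint reports them on Member.PrincipalType.
const PRINCIPAL_TYPE = { 1: "User", 4: "SecurityGroup", 8: "SharePointGroup" };

// Accept both the verbose ({d:{results:[]}}) and nometadata ({value:[]}) shapes.
function unwrap(x) {
  if (Array.isArray(x)) return x;
  if (x && x.d) return unwrap(x.d);
  if (x && Array.isArray(x.results)) return x.results;
  if (x && Array.isArray(x.value)) return x.value;
  return [];
}

// Flatten to one row per principal and flag rows worth a manual review:
// roles named in reviewRoles, and roles granted directly to an individual user.
// "Limited Access" is ignored for flagging because SharePoint assigns it incidentally.
function summarizeAssignments(body, reviewRoles = ["Full Control"]) {
  return unwrap(body).map((ra) => {
    const member = ra.Member || {};
    const roles = unwrap(ra.RoleDefinitionBindings).map((r) => r.Name);
    const effective = roles.filter((r) => r !== "Limited Access");
    const flags = [];
    if (effective.some((r) => reviewRoles.includes(r))) flags.push("review-role");
    if (member.PrincipalType === 1 && effective.length > 0) flags.push("direct-user-grant");
    return {
      principalId: ra.PrincipalId,
      name: member.Title || null,
      type: PRINCIPAL_TYPE[member.PrincipalType] || "Unknown",
      roles,
      flags,
    };
  });
}

console.log(summarizeAssignments(sampleBody));
```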


🟩 Break Permission Inheritance on an Item or Document

Type: POST


_api/Web/Lists(guid'LIST GUID')/Items(12)/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)

🟩 Restore Permission Inheritance on Item/Document

*Added August, 2024

Type: POST

💡 Tip of the cap to Tom Riha on this one, which I neglected to include when I first slapped this page together. Saved me a few minutes of head scratching tonight.


_api/Web/lists/getByTitle('YOUR-LIST-OR-LIBRARY-HERE')/items(ITEM-ID-HERE)/ResetRoleInheritance()

🔶 Remove Permissions from a List/Library

Type: DELETE


_api/Web/Lists(guid'LIST GUID')/RoleAssignments/GetByPrincipalId(5)

ℹ️ Note: Replace the principal ID value with that of the user/group you are targeting, and the GUID with that of your list or library.


🔶 Remove Permissions from an Item/Document

Type: DELETE


_api/Web/Lists(guid'LIST GUID')/Items(12)/RoleAssignments/GetByPrincipalId(5)

ℹ️ Note: Replace the principal ID and list GUID values to suit your specific scenario.

You don't need a specific role definition for this one - it will simply remove the target entity's permissions (whatever those may be) for the item.


🟩 Add Permissions to a List/Library

Type: POST


_api/Web/Lists(guid'LIST GUID')/RoleAssignments/addroleassignment(principalid=5,roledefid=1073741827)

ℹ️ Note: Replace the principal ID, role definition and list GUID values to suit your specific scenario.
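The break, remove and add calls above are usually run together to bring one item to a known permission state. The following is an added example, not from the original post: it validates the runtime values before they are placed in a URI and returns only the calls needed to get from the current assignments to the desired ones. The function names and sample values are hypothetical, and the item-level `addroleassignment` call is assumed to be the list-level call shown above applied to an item.

```javascript
// Reject anything that is not a well-formed GUID or a positive integer before it
// reaches the URI, so dynamic content cannot alter the shape of the request.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function posInt(v, label) {
  if (!Number.isInteger(v) || v <= 0) throw new TypeError(`${label} must be a positive integer`);
  return v;
}

function itemBase(listGuid, itemId) {
  if (!GUID.test(listGuid)) throw new TypeError("list GUID is malformed");
  return `_api/Web/Lists(guid'${listGuid}')/Items(${posInt(itemId, "item ID")})`;
}

// current / desired: { principalId: [roleDefId, ...] }. Role definition IDs should
// come from _api/web/roledefinitions at runtime. inherits: true when the item still
// inherits; inheritance is then broken first, copying the parent's assignments
// so that `current` stays accurate.
function planItemPermissions(listGuid, itemId, current, desired, inherits) {
  const base = itemBase(listGuid, itemId);
  const calls = [];
  if (inherits) calls.push({ method: "POST",
    uri: `${base}/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)` });
  const same = (a, b) => a.length === b.length && [...a].sort().join() === [...b].sort().join();
  const ids = new Set([...Object.keys(current), ...Object.keys(desired)].map(Number));
  for (const id of [...ids].sort((a, b) => a - b)) {
    posInt(id, "principal ID");
    const have = current[id] || [], want = desired[id] || [];
    if (same(have, want)) continue; // already correct, leave untouched
    if (have.length) calls.push({ method: "DELETE",
      uri: `${base}/RoleAssignments/GetByPrincipalId(${id})` });
    for (const role of want) calls.push({ method: "POST",
      uri: `${base}/RoleAssignments/addroleassignment(principalid=${id},roledefid=${posInt(role, "role definition ID")})` });
  }
  return calls;
}

// Constructed sample values: a placeholder GUID and sample principal / role IDs.
const samplePlan = planItemPermissions(
  "00000000-0000-0000-0000-000000000000", 12,
  { 5: [1073741827], 7: [1073741829], 9: [1073741826] },
  { 5: [1073741827], 9: [1073741827], 11: [1073741826] },
  true);
console.log(samplePlan);
```

Each returned entry maps to one HTTP action in the flow, run in order.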

Conclusion

That covers many of the more common permission management activities in SharePoint. You can extend this approach to cover lots of other scenarios, as well. 👍
