April 27, 2024

SamTech 365


Power Automate Set Unique Permissions for SharePoint Items

I recently came across a challenge which consisted of setting unique permissions for SharePoint list items.

Instead of using a third party component such as Plumsail, I decided to tackle this using Power Automate.

Basically, the scenario is that I needed to strip all the permissions and then grant certain groups and/or users access based on certain criteria (SharePoint list item columns).

The context is that we have a list of confidential employee data, such as salaries, personal addresses, etc.

1- Prep

I have declared certain variables in my flow to simplify this task.

ListName is set to the actual SharePoint list name, and ItemID to the actual item which will have unique permissions.

The other SharePoint group IDs and permission level IDs are stored in variables as well.

PS: This step is not mandatory, but it is useful in case you want to reuse the flow in other places.

If you want to retrieve a SharePoint permissions group ID, navigate to your site settings > Site Permissions.

From the list of SharePoint permissions groups, select the group you want to get the ID for.

The group ID is displayed at the end of the URL.

2- Break the SharePoint Permissions Inheritance

The first step is to break the inheritance of permissions. This can be done using a SharePoint REST API call, a POST call to be more precise.

This is the “Send an HTTP request to SharePoint” action, which will have the following parameters:

  • Site Address: Your SharePoint site address
  • Method: POST
  • Uri: _api/lists/getByTitle('LISTNAME')/items(ITEMID)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

3- Grant Permissions to a SharePoint Group

To grant a SharePoint group access to the list item (which now has unique permissions), you will need two main parameters:

  • The group ID, which we covered above.
  • The role definition ID, which represents the permission level this group will have.

3.1 Predefined permission levels' IDs

Role Definition Name    Role Definition Id
Full Control            1073741829
Design                  1073741828
Edit                    1073741830
Contribute              1073741827
Read                    1073741826
Limited Access          1073741825
View Only               1073741924

Once you have these two parameters, use the Send an HTTP request to SharePoint action as follows:

  • Site Address: Your SharePoint site address
  • Method: POST
  • Uri: _api/web/lists/getbytitle('LISTNAME')/items(ITEMID)/roleassignments/addroleassignment(principalid=GROUPID,roleDefId=ROLEDEFID)

4- Grant Permission to a specific user (by email address)

To grant permission to a specific user, you first need to retrieve the user object from SharePoint.

To do this, we make a POST call to the SharePoint API with the following parameters:

  • Site Address: Your SharePoint site address
  • Method: POST
  • Uri: _api/web/SiteUsers/getByEmail('USEREMAILADDRESS')

I have noticed that this call fails if the user has not been added to the SharePoint site permissions; using the special account “Everyone except external users” does not help.

So please make sure you add the user to the site first, before trying to retrieve their object ID.

4.1 Add a user to the SharePoint Group

Here, we make a POST call with the following details:

  • Site Address: Your SharePoint site address
  • Method: POST
  • Uri: _api/web/sitegroups(GROUPID)/users
  • Headers:
    • Accept: application/json;odata=verbose
    • Content-Type: application/json;odata=verbose
  • Body: {
    "__metadata": {
    "type": "SP.User"
    },
    "LoginName": "i:0#.f|membership|EMAILADDRESS"
    }

4.2 Grant permissions to the user

Once you have ensured the user has been added to the SharePoint site, you can grant the user access to the SharePoint list item.

Again, using the SharePoint API, we make a POST call with the following parameters:

  • Site Address: Your SharePoint site address
  • Method: POST
  • Uri: _api/lists/getByTitle('LISTNAME')/items(ITEMID)/roleassignments/addroleassignment(principalid=@{outputs('Get_User_Line_Manager')?['body']['d']['id']},roleDefId=ROLEDEFID)

@{outputs('Get_User_Line_Manager')?['body']['d']['id']} is the user's Id taken from the response of the Get User action (step 4).
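The whole sequence (steps 2 to 4.2) as an added example, not code from the original post or from Power Automate itself: a small Python module that assembles the same method/URI/header/body records the “Send an HTTP request to SharePoint” actions send, so the URIs can be reviewed offline before a flow runs them. Because the list title and the user's e-mail address are interpolated into an OData URI, the helpers escape single quotes in the list title, insist that IDs are integers (no quoted GROUPID), and refuse e-mail values that contain quotes, parentheses or spaces. No network call is made; the function names, the list title 'HR Records', item 7, group IDs 5 and 8, the e-mail address and the resolved user Id 42 are constructed values for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Predefined permission levels and their role definition IDs (the post's table).
ROLE_DEFINITION_IDS = {
    "Full Control": 1073741829,
    "Design": 1073741828,
    "Edit": 1073741830,
    "Contribute": 1073741827,
    "Read": 1073741826,
    "Limited Access": 1073741825,
    "View Only": 1073741924,
}

VERBOSE_HEADERS = {
    "Accept": "application/json;odata=verbose",
    "Content-Type": "application/json;odata=verbose",
}

# Column values (e.g. a line manager's e-mail) end up inside a URI string
# literal, so accept only addresses free of quotes, parentheses and spaces.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class SPRequest:
    """One 'Send an HTTP request to SharePoint' action, as plain data."""
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def odata_literal(value: str) -> str:
    """Quote a string for an OData URI, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def check_id(name: str, value) -> int:
    """Item, group and principal IDs are positive integers, never quoted strings."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value


def check_email(email: str) -> str:
    if not _EMAIL_RE.fullmatch(email):
        raise ValueError(f"refusing to place {email!r} in a REST URI")
    return email


def break_inheritance(list_title: str, item_id: int) -> SPRequest:
    """Step 2: drop the inherited assignments without copying any to the item."""
    check_id("item_id", item_id)
    return SPRequest("POST", f"_api/lists/getByTitle({odata_literal(list_title)})/items({item_id})"
                     "/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)")


def add_role_assignment(list_title: str, item_id: int, principal_id: int, role: str) -> SPRequest:
    """Steps 3 and 4.2: grant one permission level to a group or user Id."""
    check_id("item_id", item_id)
    check_id("principal_id", principal_id)
    if role not in ROLE_DEFINITION_IDS:
        raise ValueError(f"unknown permission level {role!r}")
    return SPRequest("POST", f"_api/web/lists/getbytitle({odata_literal(list_title)})/items({item_id})"
                     f"/roleassignments/addroleassignment(principalid={principal_id},"
                     f"roledefid={ROLE_DEFINITION_IDS[role]})")


def get_user_by_email(email: str) -> SPRequest:
    """Step 4: resolve the user object (fails if the user is not yet on the site)."""
    return SPRequest("POST", f"_api/web/SiteUsers/getByEmail({odata_literal(check_email(email))})")


def add_user_to_group(group_id: int, email: str) -> SPRequest:
    """Step 4.1: add the user to a site group using a claims-encoded login name."""
    check_id("group_id", group_id)
    body = {"__metadata": {"type": "SP.User"}, "LoginName": f"i:0#.f|membership|{check_email(email)}"}
    return SPRequest("POST", f"_api/web/sitegroups({group_id})/users", dict(VERBOSE_HEADERS), body)


def example_plan() -> list:
    """The post's sequence with constructed values: list 'HR Records', item 7,
    group 5 gets Read, the line manager joins members group 8 and, once the
    flow has resolved the user's Id (42 here), receives Contribute."""
    manager = "line.manager@example.com"
    return [
        break_inheritance("HR Records", 7),
        add_role_assignment("HR Records", 7, 5, "Read"),
        get_user_by_email(manager),
        add_user_to_group(8, manager),
        add_role_assignment("HR Records", 7, 42, "Contribute"),
    ]
```

Calling example_plan() yields five records whose method, Uri, headers and body map one-to-one onto the flow actions above; the only run-time value the flow supplies is the user Id returned by the getByEmail call, which the planner takes as a parameter instead.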
