How to manage permissions on a SharePoint List Item using Microsoft Flow

2019-04-23

As part of a project I needed to change the permissions on an item just after it is created, so that it is only visible to people based on column values in the item. Building the flow involved lots of topics, from using the REST API and extracting information from a previous step to separating my flow into reusable parts. This is Part 1 of the series.

In this post we will create a flow that breaks permission inheritance on an item when it is created. It uses the SharePoint REST API and an HTTP request.

Part 1 – Flow to Break Inheritance

This walkthrough is based on a custom list. For Part 1 it needs no extra columns.

  1. Create a new flow from blank and add the trigger When a new item is created. Add in your site name and list name from the drop downs.
    New item is created trigger
  2. Next initialise variables to save the Site Address and List Name used in the trigger. This saves you typing them again later.
    Initialising variables
  3. Next we need to build the URI string needed for the REST call. I create this as a variable so it’s easier to explain and debug later. The command that is needed can be found either on the Microsoft Set Custom permissions page or on Serge Luca’s blog; links are at the bottom of this post.

    The command to break inheritance on item 1 in a list called My List is:

    _api/lists/getByTitle('MyList')/items(1)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

    So we initialise a variable URI-String, inserting the ListName and the ID from the trigger.
    Entering the URI-String

  4. The final step for breaking inheritance is to send the HTTP request to SharePoint. The site address is the one you have saved, the method is POST and we already have the URI-String.
    HTTP Request
  5. Save and create a new item in the list. Then look at the permissions for the new item and you will see it has unique permissions and you have full control.
    Viewing item permissions

The next post in this series will be to add Contribute permission for one person to the item.
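Steps 3 to 5 as an added example in Python (not part of the original post): it builds the same URI-String with the list title escaped and the item ID validated, plus a follow-up GET that checks the result. The helper names and sample titles are assumptions made for illustration; `HasUniqueRoleAssignments` is the SharePoint REST property the check reads.

```python
from urllib.parse import quote


def odata_literal(text: str) -> str:
    """Quote text as an OData string literal, then percent-encode it for a URI."""
    if not isinstance(text, str) or not text.strip():
        raise ValueError("list title must be a non-empty string")
    # A single quote inside the literal is escaped by doubling it.
    return quote("'" + text.replace("'", "''") + "'", safe="'")


def item_path(list_title: str, item_id: int) -> str:
    """Relative REST path of one list item; the ID must be a positive integer."""
    if isinstance(item_id, bool) or not isinstance(item_id, int) or item_id < 1:
        raise ValueError("item ID must be a positive integer")
    return f"_api/lists/getByTitle({odata_literal(list_title)})/items({item_id})"


def break_inheritance_uri(list_title, item_id, copy_role_assignments=False, clear_subscopes=True):
    """URI-String from step 3, sent with POST in step 4."""
    # The defaults mirror the post: nothing is copied from the parent list.
    flags = (
        f"copyRoleAssignments={str(bool(copy_role_assignments)).lower()},"
        f"clearSubscopes={str(bool(clear_subscopes)).lower()}"
    )
    return f"{item_path(list_title, item_id)}/breakroleinheritance({flags})"


def verify_uri(list_title, item_id):
    """GET URI that asks whether the item now has its own permissions."""
    return f"{item_path(list_title, item_id)}?$select=HasUniqueRoleAssignments"


def has_unique_permissions(body) -> bool:
    """Read the GET response; verbose OData wraps fields in "d". Missing means False."""
    fields = body.get("d", body) if isinstance(body, dict) else {}
    return isinstance(fields, dict) and fields.get("HasUniqueRoleAssignments") is True


if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    print(break_inheritance_uri("MyList", 1))
    print(break_inheritance_uri("Director's Reviews", 42))
    print(verify_uri("MyList", 1))
    print(has_unique_permissions({"d": {"HasUniqueRoleAssignments": True}}))
```

The GET from `verify_uri` can be issued as a further HTTP action after step 4; treat anything other than `true` as a failure, because until the flow has run the item still carries the list's inherited permissions.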

Resources

As always we all learn from each other and I am grateful to the resources provided online. Here are the ones that helped me create this series.


About the author 

Laura Graham-Brown

SharePoint Trainer, Consultant and Agony Aunt

Leave a Reply

  1. Is it possible to set items to read only (lock) based on a date? For example, when quarter 1 closes then items created in quarter 1 must be set to read only.

  2. Hi Laura, Thanks for the nice article. Just wanted to check do you have any flow article reference where I can notify external users on the status change of a document in a document library. The users will be external users not my Office 365 users.

    1. Hi
      That’s a topic I can add to my list of ones to blog, but for a really quick answer. There are templates that will trigger on a document change and the Send an Email action will allow you to send an email to any email address so outside of your tenancy is not a problem. Be aware that the email will come from the id used as the connection.

      1. uri: _api/lists/getByTitle('List Name')/items(@{body('Get_item')?['ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
        Getting unauthorized error, any resolution?

  3. When you initialise the URI string variable I see you are referencing the ID of the item, however I do not get that field returned from the “When an item is created” action. Am I doing something wrong here? Thanks.

  4. All the five articles are awesome. Really thank you very much for the fantastic explanation. It's too complete. I would just recommend something else to make it perfect: show how to remove the permissions that you have already assigned to an item.

  5. Agree with darkandres – I’ve been trying to find a way to remove a user’s permission from an item (not in a group, just a single user) and no go so far. Any hints?

  6. Hi, great job, it was very important for me.

    I would like to create a Flow that changes permissions for every item based on some column value. Could you please explain how to change the flow to work with SharePoint Groups or Active Directory Groups?

    Thanks a lot!

  7. Hi, I am trying to use this method to set permissions on a document library but it does not work. Are you able to advise how this should be configured please?

  8. With help from your postings and from another site, I’ve managed to implement this successfully for new items.
    The issue I’ve run into is that we’d like to reset the permission on modification of the item.
    An example is, the user submits an item and gets read rights and the Approver group has edit rights. If the Approver wants to reject the time, we want to reset the user's permissions back to Contribute. This works, but instead of clearing and re-adding the “new” permission, it just adds the new permission in addition to the existing one, so their permissions now show “Contribute, Read”. Which is fine while they edit the item. But once they resubmit the item, I need to reset their permission back to read only. Any idea why “Clear permissions” only runs on new items?

  9. Hi Laura

    I am getting a 401 UNAUTHORIZED error on the first HTTP request action which clears the item permissions, any ideas on this? I have full control on the SharePoint site and am also site collection admin, and the SharePoint connector in Flow is in my name. Does anyone have any ideas on this? Should the connector be using a service account, for example?
