Setting SharePoint Permissions with Power Automate

Power Automate can be used to set permissions on items in SharePoint Lists and Libraries. This can allow custom permissions to be set based on metadata or other parameters. In this post I will explain how to set permissions on an item using a Flow that triggers on item creation.

Microsoft provides some documentation on Power Automate and SharePoint permissions, but this only helps with part of the problem. In many cases unique permissions are required and sometimes you may want to change the default permissions e.g. where a user can initially create an item but once created, should only have read access.

The basic steps to solve the problem are:

  • Trigger the Flow
  • Break inheritance on the Item or File (API call to SharePoint)
  • Grant permission to a SharePoint Group (API call to SharePoint)
  • Set the new permissions (Power Automate action)

This Flow has two SharePoint API calls; the URI for each is as follows (replace the ID with the dynamic content ID from the Flow trigger, i.e. the ID of the item whose permissions will be changed):

  • _api/lists/getByTitle('Site Pages')/items(@{triggerOutputs()?['ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
  • _api/web/lists/getbytitle('Site Pages')/items(@{triggerOutputs()?['ID']})/roleassignments/addroleassignment(principalid='5', roleDefId=1073741826)

Learn more about the Power Automate 'Send an HTTP request to SharePoint' action.

In this example I give the SharePoint ‘Members’ group for the site Read access to the item. The RoleDefId parameter in the second API call can use these values:

  • Edit: 1073741830
  • Contribute: 1073741827
  • Read: 1073741826
  • View Only: 1073741924

The PrincipalID is the ID of the SharePoint group. To find it, go to Site Permissions and click the SharePoint group; the value is part of the URL, e.g. _layouts/15/people.aspx?MembershipGroupId=5
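A small helper, added here as an example and not part of the original post, that builds the two REST URIs from integer IDs (both calls use the `_api/web/lists` form), quotes the list title as an OData string literal, and flags the typographic quote characters that make SharePoint reject the request; the list title, item ID and group ID it is called with are assumed values.

```python
import re

# Permission levels and their role definition IDs, as listed in the post.
ROLE_DEF_IDS = {"Edit": 1073741830, "Contribute": 1073741827,
                "Read": 1073741826, "View Only": 1073741924}
# Typographic quotes that editors and blogs substitute for the ASCII apostrophe;
# SharePoint rejects a URI containing any of them (the error discussed in the comments).
BAD_QUOTES = "\u2018\u2019\u201a\u2032\u2035"

def odata_string(value: str) -> str:
    """Quote an OData string literal: ASCII single quotes, embedded ' doubled."""
    return "'" + value.replace("'", "''") + "'"

def _positive_int(name: str, value) -> int:
    """Item and principal IDs must be positive integers, never free text."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value

def break_inheritance_uri(list_title: str, item_id: int,
                          copy_role_assignments: bool = False,
                          clear_subscopes: bool = True) -> str:
    """First call: give the item its own permission set. copyRoleAssignments=false
    starts from an empty set (least privilege); clearSubscopes=true also resets
    unique permissions on any child objects."""
    item_id = _positive_int("item_id", item_id)
    copy, clear = str(copy_role_assignments).lower(), str(clear_subscopes).lower()
    return (f"_api/web/lists/getbytitle({odata_string(list_title)})/items({item_id})"
            f"/breakroleinheritance(copyRoleAssignments={copy},clearSubscopes={clear})")

def add_role_assignment_uri(list_title: str, item_id: int, principal_id: int, role) -> str:
    """Second call: grant one permission level to one group (or user) principal.
    `role` is a level name from ROLE_DEF_IDS or a raw role definition ID."""
    item_id = _positive_int("item_id", item_id)
    principal_id = _positive_int("principal_id", principal_id)
    role_def_id = ROLE_DEF_IDS[role] if isinstance(role, str) else _positive_int("role", role)
    return (f"_api/web/lists/getbytitle({odata_string(list_title)})/items({item_id})"
            f"/roleassignments/addroleassignment(principalid='{principal_id}',"
            f"roleDefId={role_def_id})")

def uri_problems(uri: str) -> list:
    """Lint a URI pasted into the HTTP action; an empty list means it looks sane."""
    problems = []
    if any(ch in BAD_QUOTES for ch in uri):
        problems.append("contains a curly quote or prime; use the ASCII apostrophe")
    if not re.search(r"/items\(\d+\)", uri):
        problems.append("item ID is not a plain integer")
    return problems
```

In the Flow itself the item ID comes from the trigger's dynamic content, so `uri_problems` is most useful for checking a URI before pasting it into the action.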

Have fun with permissions and remember that if you change the permission to Read Only, you can’t update the item or file metadata later in your Flow (voice of experience)!

14 comments

  1. Hi Steve, where can I retrieve the roleDefId from? I have custom permission levels that I want to use in the flow.

    • In SharePoint, go to the Advanced Site Permissions, click the Group and you will see the roleDefId in the URL parameters.

  3. Good morning,
    I have followed this flow to the letter as a test (as well as trying to recreate in my actual flow) and keep getting the same error. Essentially saying the HTTP request is not valid (I can share an image if requested).

    Please help!

  4. The API calls have a syntax error: they are missing the opening square bracket before ‘ID’. They should be as follows:

    _api/lists/getByTitle('Prospect Documents – Archive')/items(@{triggerOutputs()?['ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

    _api/web/lists/getbytitle('Prospect Documents – Archive')/items(@{triggerOutputs()?['ID']})/roleassignments/addroleassignment(principalid='81', roleDefId=1073741830)

      • My pleasure. Actually, I couldn’t get it to work with just the ID in the triggerBodyOutputs. This worked for me:

        _api/lists/getByTitle('Prospect Documents – Archive')/items(@{triggerOutputs()?['body']?['entity']?['ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

        _api/web/lists/getbytitle('Prospect Documents – Archive')/items(@{triggerOutputs()?['body']?['entity']?['ID']})/roleassignments/addroleassignment(principalid='81', roleDefId=1073741830)

  5. I am sorry if this is a dumb question – what does the grant access to an item or folder do in this flow? I don’t understand that element.

    • It can do either. The first part is removing the inherited permissions, then the “Grant” action can be applied to either a folder, document or item.

  6. Just putting a note here for people that are getting errors when running this. The single quotes (‘) here are the wrong character. They look mostly the same but need to be changed, so this:

    _api/web/lists/getbytitle(‘Site Pages’)/items(@{triggerOutputs()?[‘ID‘]})/roleassignments/addroleassignment(principalid=’5‘, roleDefId=1073741826)

    should be this:

    _api/web/lists/getbytitle('Site Pages')/items(@{triggerOutputs()?['ID']})/roleassignments/addroleassignment(principalid='5', roleDefId=1073741826)

    Super subtle, but it causes big problems.
