Power Automate can be used to set permissions on items in SharePoint Lists and Libraries. This can allow custom permissions to be set based on metadata or other parameters. In this post I will explain how to set permissions on an item using a Flow that triggers on item creation.
Microsoft provides some documentation on Power Automate and SharePoint permissions, but this only helps with part of the problem. In many cases unique permissions are required and sometimes you may want to change the default permissions e.g. where a user can initially create an item but once created, should only have read access.
The basic steps to solve the problem are:
- Trigger the Flow
- Break inheritance on the Item or File (API call to SharePoint)
- Grant permission to a SharePoint Group (API call to SharePoint)
- Set the new permissions (Power Automate action)

This Flow makes two SharePoint API calls. The URIs are as follows (replace the ID with the dynamic content ID from the Flow trigger, e.g. the ID of the item whose permissions will be changed):
- _api/lists/getByTitle('Site Pages')/items(@{triggerOutputs()?['ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
- _api/web/lists/getbytitle('Site Pages')/items(@{triggerOutputs()?['ID']})/roleassignments/addroleassignment(principalid='5', roleDefId=1073741826)
Learn more about the Power Automate "Send an HTTP request to SharePoint" action.
In this example I give the SharePoint ‘Members’ group for the site Read access to the item. The RoleDefId parameter in the second API call can use these values:
- Edit: 1073741830
- Contribute: 1073741827
- Read: 1073741826
- View Only: 1073741924
The PrincipalID is the ID of the SharePoint Group. To find it, go to Site Permissions and click the SharePoint Group; the value is part of the URL, e.g. _layouts/15/people.aspx?MembershipGroupId=5
Have fun with permissions and remember that if you change the permission to Read Only, you can’t update the item or file metadata later in your Flow (voice of experience)!
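An added example (not code from the original post): a JavaScript helper that builds the two request URIs above from validated inputs, then checks an item's resulting role assignments against what the Flow was meant to grant. The function names, the sample response and its JSON shape are assumptions; `roleassignments?$expand=RoleDefinitionBindings` is the SharePoint REST read that lists an item's grants.

```javascript
// Added example, not code from the original post.
// Role definition IDs exactly as listed in the post; a Map avoids matching
// inherited object keys such as "constructor".
const ROLE_DEF_IDS = new Map([
  ["Edit", 1073741830], ["Contribute", 1073741827],
  ["Read", 1073741826], ["View Only", 1073741924],
]);

// OData string literals escape a single quote by doubling it.
const odataString = (s) => `'${String(s).replace(/'/g, "''")}'`;

function positiveInt(name, value) {
  if (!Number.isInteger(value) || value <= 0) {
    throw new TypeError(`${name} must be a positive integer`);
  }
  return value;
}

// The two POST requests from the post, in the order the Flow sends them.
function buildPermissionRequests(listTitle, itemId, principalId, level) {
  if (!ROLE_DEF_IDS.has(level)) throw new RangeError(`unknown level: ${level}`);
  const item = `_api/web/lists/getbytitle(${odataString(listTitle)})` +
    `/items(${positiveInt("itemId", itemId)})`;
  return [
    { method: "POST", uri: `${item}/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)` },
    { method: "POST", uri: `${item}/roleassignments/addroleassignment(` +
        `principalid=${positiveInt("principalId", principalId)},roleDefId=${ROLE_DEF_IDS.get(level)})` },
  ];
}

// Audit: list every grant on the item that the Flow was not meant to leave.
// `response` is the parsed body of GET <item>/roleassignments?$expand=RoleDefinitionBindings
// (assumed shape: { value: [{ PrincipalId, RoleDefinitionBindings: [{ Id, Name }] }] }).
// `expected` is a Map of principal ID to the one roleDefId it should hold.
function unexpectedGrants(response, expected) {
  const findings = [];
  for (const ra of response.value) {
    for (const b of ra.RoleDefinitionBindings) {
      if (expected.get(ra.PrincipalId) !== b.Id) {
        findings.push({ principalId: ra.PrincipalId, roleDefId: b.Id, name: b.Name });
      }
    }
  }
  return findings;
}

// Constructed sample: group 5 holds Read as intended, principal 12 holds an extra grant.
const SAMPLE = { value: [
  { PrincipalId: 5, RoleDefinitionBindings: [{ Id: 1073741826, Name: "Read" }] },
  { PrincipalId: 12, RoleDefinitionBindings: [{ Id: 1073741827, Name: "Contribute" }] } ] };
```

Calling `unexpectedGrants(SAMPLE, new Map([[5, 1073741826]]))` reports only principal 12, which is the kind of leftover grant worth reviewing after the Flow has run.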
Best information ever!
Hi Steve, where can I retrieve the roleDefId from? I have custom permission levels that I want to use in the flow.
In SharePoint, go to the Advanced Site Permissions, click the Group and you will see the roleDefId in the URL parameters
Hi, any idea how to assign a multi-person field using grant access? I can't get it to work.
Hi David, multi-person fields are an array. You can either use a For Each to loop through the array and add permissions individually or create a string with the email addresses separated with commas to add the permission. This post might help 😉 https://powerusers.microsoft.com/t5/General-Power-Automate/How-to-retrieve-multiple-users-from-a-multiple-user-field-and/m-p/353277#M34393
Thanks, got that bit working now 🙂
Having issues with the POST HTTP to add a group though, does this look right?
https://1drv.ms/u/s!AvjPghw_mih6ifZlueqZOpEMu3rfmQ?e=wXagq0
Good morning,
I have followed this flow to the letter as a test (as well as trying to recreate in my actual flow) and keep getting the same error. Essentially saying the HTTP request is not valid (I can share an image if requested).
Please help!