Using Power Automate (Microsoft Flow) to assign permissions on a single item, folder or file is fairly easy, but it can quickly become complicated if you traverse many sites and lists. This is a simple guide to the very basic setup. I often start by restoring the permissions for the item, so I know there is nothing inherited and no old information on the item that I need to care about. This basic example sets the permissions of the author to read, so right after the item is created, the author will not be able to edit the item.
How to break and change list item permission using Power Automate
- When an item is created
- Restore permissions on item (unnecessary in this instance, but still)
- Break Permissions Inheritance on item
- Get the Author who needs the permissions
- Assign read permissions to the Author of the item
Restore Permissions
Flow action | Action Name | Details |
---|---|---|
Trigger | | Comment: The flow runs whenever an item is created. |
Send an HTTP request to SharePoint | | Comment: Restore the inheritance of permissions on the item. This is not needed in this example, but it is still relevant if you change the trigger to "on create and modified". Site Address: https://[domain].sharepoint.com Method: POST Uri: _api/lists/getByTitle('Temp list')/items(@{triggerOutputs()?['body/ID']})/ResetRoleInheritance() |
Send an HTTP request to SharePoint | | Comment: Break the inheritance of the permissions on the item. If you want to keep the roles from the list, use "copyRoleAssignments=true" in the Uri. Site Address: https://[domain].sharepoint.com Method: POST Uri: _api/lists/getByTitle('Indtastning')/items(@{triggerOutputs()?['body/ID']})/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=false) |
Send an HTTP request to SharePoint | GetUser | Comment: Get the user based on the email. A user has a principal ID, so here we get the user information, ready for use in the next step. Site Address: https://[domain].sharepoint.com Method: POST Uri: _api/web/SiteUsers/getByEmail('@{triggerOutputs()?['body/Author/Email']}') |
Send an HTTP request to SharePoint | | Comment: Assign permissions for the user that was fetched in the previous step. See the table below to get the IDs for other permission roles. Site Address: https://[domain].sharepoint.com Method: POST Uri: _api/lists/getByTitle('Indtastning')/items(@{triggerOutputs()?['body/ID']})/roleassignments/addroleassignment(principalid=@{body('GetUser')['d']['id']},roleDefId=1073741826) |
roleDefId
Permission level | Role ID |
---|---|
Full Control | 1073741829 |
Design | 1073741828 |
Edit | 1073741830 |
Contribute | 1073741827 |
Read | 1073741826 |
View Only | 1073741824 |
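To confirm the flow left the item in the intended state, the item's role assignments can be read back and checked against the table above. The following is an added example, not part of the original post: it assumes the odata=verbose JSON shape of a GET on the item's `roleassignments?$expand=Member,RoleDefinitionBindings` endpoint, and the function names, principal IDs and sample responses are constructed for illustration.

```javascript
// Role definition IDs copied from the roleDefId table on this page.
const ROLE_NAMES = {
  1073741829: "Full Control", 1073741828: "Design", 1073741830: "Edit",
  1073741827: "Contribute", 1073741826: "Read", 1073741824: "View Only",
};
const READ = 1073741826;

// Input (assumed shape): parsed odata=verbose JSON returned by a GET on
// .../items(<ID>)/roleassignments?$expand=Member,RoleDefinitionBindings
function auditItem(response, authorPrincipalId) {
  const authorIds = [];
  const otherPrincipals = [];
  for (const ra of response.d.results) {
    const ids = ra.RoleDefinitionBindings.results.map((r) => r.Id);
    if (ra.PrincipalId === authorPrincipalId) {
      authorIds.push(...ids);
    } else {
      otherPrincipals.push({ principalId: ra.PrincipalId, title: ra.Member.Title,
        roles: ids.map(roleName) });
    }
  }
  return {
    authorRoles: authorIds.map(roleName),
    // Pass only if the author has a direct assignment and every role is Read.
    authorReadOnly: authorIds.length > 0 && authorIds.every((id) => id === READ),
    otherPrincipals, // review these: they still hold rights on the item
  };
}

function roleName(id) {
  return ROLE_NAMES[id] || `unknown (${id})`;
}

// Constructed sample responses, not real tenant data.
const binding = (...ids) => ({ results: ids.map((Id) => ({ Id })) });
const afterFlow = { d: { results: [
  { PrincipalId: 12, Member: { Title: "Item Author" }, RoleDefinitionBindings: binding(1073741826) },
  { PrincipalId: 7, Member: { Title: "Flow Connection Account" }, RoleDefinitionBindings: binding(1073741829) },
] } };
const stillEditable = { d: { results: [
  { PrincipalId: 12, Member: { Title: "Item Author" }, RoleDefinitionBindings: binding(1073741827) },
] } };

console.log(auditItem(afterFlow, 12));
console.log(auditItem(stillEditable, 12));
```

The check only sees direct assignments: an author who is a member of a group listed in `otherPrincipals` still holds that group's rights on the item.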