Setting Granular Permissions in SharePoint Online with Power Automate

Managing and modifying permissions with precision using HTTP

Background

SharePoint is known for its highly customizable permissions. That flexibility can have its perils, of course, but with the right approach (and for the right scenarios) it can be very effective.

Power Automate provides a few basic actions for handling SharePoint permissions:

  1. Revoke access to an item

  2. Create access links for an item

That's really it for right now.

Familiar Methods, New Approach

SharePoint's REST API has some good endpoints for managing permissions. Most methods can be used across different entities - sites/lists/items, etc., making them very useful. If you've done on-premises SharePoint development, you may already be familiar with some of the methods.

We can bring that approach to the cloud using the HTTP to SharePoint request action within Automate!

The calls are simple: for most scenarios there is no payload to build and no return value to process. The tricky part is finding the exact syntax, and there may be some data peculiarities to manage depending on your scenario. Two things to keep in mind before you start: the action runs with the permissions of the account behind the SharePoint connection, so that account needs Manage Permissions on the target (use a dedicated account rather than a personal one, and give it no more than the scenario needs); and adding the header Accept: application/json;odata=nometadata keeps the returned JSON small and easy to work with in later steps.

Automate HTTP Examples - SharePoint Permissions

Getting the Principal ID of a Group

Type: GET

Note: Replace GROUP NAME with your target group name

_api/web/sitegroups/getbyname('GROUP NAME')/Id

Getting Principal IDs for All Groups

_api/web/sitegroups?$select=Title,ID

Results will be an array of all groups available on the site.

Note: You can find group IDs manually by clicking individual groups within Site Settings -> People and Groups and checking the address bar.

Cutting this corner won't save you much time, however. For most scenarios, it's better to fetch the value(s) at runtime.

Getting Principal ID for Specific User

exploring data structure with SP Insider

There are a couple ways to do this. First, you might want to use a tool like SP Insider (pictured above) to get familiar with the SiteUsers data structure within your site.

Here are two sample queries - one for email, one for user name:

_api/Web/SiteUsers?$filter=Email eq 'Sample.Person@samplesite.com'

Note: The search terms are case sensitive!

_api/Web/SiteUsers?$filter=Title eq 'Sample Person'

You'll get the user's ID for that site back in a one-element value array. If nothing matches, the array is empty, so check that it is not empty before reading the first element, or the flow will fail at that step.

Getting Principal IDs for All Users

You'll be getting a lot of data back with this one, potentially, so consider using select to narrow the return down to just the fields you need.

_api/Web/SiteUsers?$select=ID,Title,Email

There are some important limitations to consider here:

  1. SiteUsers data is site-specific

  2. A user's Principal ID on one site will be different from their Principal ID on another site

  3. The SiteUsers list will only contain records for users who have visited the site (or have been added via a few other methods).

If the user may not be in the list yet, use ensureUser: a POST to _api/web/ensureuser with the user's login name adds them to the site's user list if necessary and returns the user object, Id included.
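The lookups in this section, as an added example that is not part of the original article: each builder returns the Method, Uri, Headers and Body you would put into the "Send an HTTP request to SharePoint" action, and the two parse functions are what the next step of the flow needs to do with the response. The endpoints and the claims-style login name format are SharePoint's own; the sample responses and addresses are constructed so the script runs offline. It also goes a step beyond the article by quoting the filter value, which matters as soon as the email or name comes from a form or a list column.

```python
"""Added example (not from the original article): request builders for the
principal lookups above, plus the response handling for the next flow step.
Endpoints and login-name format are SharePoint's; sample data is constructed."""
import json

# Asking for nometadata JSON keeps the response to a plain "value" array.
ACCEPT_JSON = {"Accept": "application/json;odata=nometadata"}


def odata_quote(value):
    """Quote a string literal for an OData $filter or method parameter.
    A single quote inside the value is escaped by doubling it, so a name such
    as O'Brien, or text copied from a form field, cannot break out of the
    literal and change the query (the same failure mode as SQL injection)."""
    return "'" + str(value).replace("'", "''") + "'"


def site_user_by_email(email):
    """GET the SiteUsers entry for an email address."""
    return {"method": "GET",
            "uri": "_api/Web/SiteUsers?$select=Id,Title,Email&$filter=Email eq "
                   + odata_quote(email),
            "headers": ACCEPT_JSON, "body": None}


def site_group_id(group_name):
    """GET the principal ID of a SharePoint group by its display name."""
    return {"method": "GET",
            "uri": "_api/web/sitegroups/getbyname(%s)/Id" % odata_quote(group_name),
            "headers": ACCEPT_JSON, "body": None}


def ensure_user(upn):
    """POST ensureuser: adds the user to the site's user list if they are not
    there yet and returns the user object, so it also works for people who
    have never visited the site. The i:0#.f|membership| prefix is the claims
    login-name format for work or school accounts."""
    return {"method": "POST", "uri": "_api/web/ensureuser",
            "headers": {**ACCEPT_JSON,
                        "Content-Type": "application/json;odata=verbose"},
            "body": json.dumps({"logonName": "i:0#.f|membership|" + upn})}


def principal_id_from_filter(response_body):
    """Return the Id from a SiteUsers $filter response, or None when the
    filter matched nothing. The array is empty for an unknown address, so a
    flow that reads value[0] unconditionally fails at that step."""
    rows = json.loads(response_body).get("value", [])
    return rows[0]["Id"] if len(rows) == 1 else None


def principal_id_from_ensure_user(response_body):
    """Return the Id from an ensureuser response; handles both the nometadata
    (flat object) and verbose ("d" wrapper) response shapes."""
    data = json.loads(response_body)
    return data.get("d", data)["Id"]


# Constructed sample responses, shaped like nometadata output (not real data).
SAMPLE_FILTER_HIT = ('{"value":[{"Id":17,"Title":"Sample Person",'
                     '"Email":"Sample.Person@samplesite.com"}]}')
SAMPLE_FILTER_MISS = '{"value":[]}'
SAMPLE_ENSURE_USER = ('{"Id":23,"Title":"New Person",'
                      '"LoginName":"i:0#.f|membership|new.person@samplesite.com"}')

if __name__ == "__main__":
    print(site_user_by_email("Sample.Person@samplesite.com")["uri"])
    print(site_group_id("Sample Site Members")["uri"])
    print(ensure_user("new.person@samplesite.com")["body"])
    print(principal_id_from_filter(SAMPLE_FILTER_HIT),
          principal_id_from_filter(SAMPLE_FILTER_MISS))
    print(principal_id_from_ensure_user(SAMPLE_ENSURE_USER))
```

In the flow itself the same checks translate to a Condition on length(body('Send_an_HTTP_request_to_SharePoint')?['value']) before the value is used, and to escaping single quotes in any filter value that did not come from a trusted source.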

Getting All List/Library GUIDs

I tend to work with GUIDs more than GetByTitle endpoints, so the examples on this page are tailored to that approach. Here's a quick way to get all list GUIDs on a site, in case you need it:

Type: GET

_api/Web/Lists?$select=Title,ID

Getting All Role Definitions

Each permission level in SharePoint (Full Control, Edit, etc.) has a specific ID associated with it. You'll need this value for some of the example calls below. The built-in levels keep the same IDs on every site, but custom permission levels get their own, so for anything custom look the ID up at runtime by Name rather than hard-coding it.

Type: GET

_api/web/roledefinitions

Results will be an array containing objects for each role definition.

Get Current Permissions on Item/Document

Type: GET

_api/web/lists/getbytitle('LIST NAME')/items(ITEM ID)/roleassignments

Will return an array of objects. On its own, each entry only gives you a PrincipalId, which tells you who has a role assignment on the item but not which permission level. Add $expand=Member,RoleDefinitionBindings to the same call to get the principal's name and type and the bound permission levels in one request.

Use an Apply to Each step to loop through the results and perform further actions.

Break Permission Inheritance on Item/Document

Type: POST

_api/Web/Lists(guid'LIST GUID')/Items(12)/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)

Note: With copyRoleAssignments=true the item starts out with a copy of its parent's assignments, so it is no more restricted than before until you remove the ones you don't want; with false it starts with only the calling account (the flow's connection) holding permissions. clearSubscopes=true makes anything below the item (folder contents) inherit from it again, discarding their own unique permissions.

Remove Permissions from a List/Library

Type: DELETE

_api/Web/Lists(guid'LIST GUID')/RoleAssignments/GetByPrincipalId(5)

Note: Replace the principal ID value for the user/group you are targeting, and the GUID for your list or library.

Remove Permissions from an Item/Document

Type: DELETE

_api/Web/Lists(guid'LIST GUID')/Items(12)/RoleAssignments/GetByPrincipalId(5)

Note: Replace the principal ID and list GUID values to suit your specific scenario.

You don't need a specific role definition for this one - it will simply remove the target entity's permissions (whatever those may be) for the item.

Add Permissions to a List/Library

Type: POST

_api/Web/Lists(guid'LIST GUID')/RoleAssignments/addroleassignment(principalid=5,roledefid=1073741827)

Note: Replace the principal ID, role definition and list GUID values to suit your specific scenario.
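The item-level calls in this section chained into one procedure, as an added example that is not part of the original article: starting from a roleassignments response requested with $expand=Member,RoleDefinitionBindings, it lists who holds what on the item, resolves a permission level by name from a roledefinitions response instead of hard-coding the ID, and builds the ordered HTTP calls that leave exactly one principal with that level. The responses, list GUID and principal IDs are constructed sample data; the endpoints are SharePoint's. The protected_ids parameter and the Limited Access handling are additions of this example, not something the article describes.

```python
"""Added example (not from the original article): break inheritance, remove
everyone else, grant one principal a level looked up by name. Endpoints are
SharePoint's; the GUID, IDs and responses below are constructed sample data."""
import json
import uuid


def item_base_uri(list_guid, item_id):
    """Validate both path pieces before they go into the URI."""
    return "_api/Web/Lists(guid'%s')/Items(%d)" % (uuid.UUID(str(list_guid)), int(item_id))


def role_assignments_uri(list_guid, item_id):
    """Same GET as the plain roleassignments call, expanded so each entry
    carries the principal and its permission levels, not just PrincipalId."""
    return item_base_uri(list_guid, item_id) + "/RoleAssignments?$expand=Member,RoleDefinitionBindings"


def parse_role_assignments(response_body):
    """Flatten the expanded response into principal id, name, type and levels."""
    out = []
    for ra in json.loads(response_body).get("value", []):
        out.append({"principal_id": ra["PrincipalId"],
                    "title": ra["Member"]["Title"],
                    # PrincipalType 1 = user, 8 = SharePoint group
                    "is_group": ra["Member"]["PrincipalType"] == 8,
                    "roles": [b["Name"] for b in ra["RoleDefinitionBindings"]]})
    return out


def role_definition_id(response_body, name):
    """Look a permission level up by Name in a roledefinitions response;
    raises instead of guessing if the site does not have that level."""
    for rd in json.loads(response_body).get("value", []):
        if rd["Name"] == name:
            return rd["Id"]
    raise KeyError("no permission level named %r on this site" % name)


def lockdown_plan(list_guid, item_id, keep_principal_id, role_def_id, current, protected_ids=()):
    """Ordered (method, uri) calls for the HTTP action, run one after another.
    Inheritance is broken with copyRoleAssignments=true so nothing changes
    until the explicit removals; every principal except the one to keep is
    removed; then the requested level is added. protected_ids is for the
    account behind the flow's SharePoint connection: it issues the later
    calls, so it must not remove itself mid-sequence. Entries holding only
    Limited Access are skipped: that level cannot view the item and
    SharePoint maintains it on its own."""
    base = item_base_uri(list_guid, item_id)
    plan = [("POST", base + "/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)")]
    for ra in current:
        if ra["principal_id"] in (keep_principal_id, *protected_ids):
            continue
        if ra["roles"] == ["Limited Access"]:
            continue
        plan.append(("DELETE", base + "/RoleAssignments/GetByPrincipalId(%d)" % ra["principal_id"]))
    plan.append(("POST", base + "/RoleAssignments/addroleassignment(principalid=%d,roledefid=%d)"
                 % (keep_principal_id, role_def_id)))
    return plan


# Constructed sample data (not from a real tenant), shaped like nometadata output.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps({"value": [
    {"PrincipalId": 3, "Member": {"Title": "Sample Site Owners", "PrincipalType": 8},
     "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control"}]},
    {"PrincipalId": 5, "Member": {"Title": "Sample Site Members", "PrincipalType": 8},
     "RoleDefinitionBindings": [{"Id": 1073741830, "Name": "Edit"}]},
    {"PrincipalId": 17, "Member": {"Title": "Sample Person", "PrincipalType": 1},
     "RoleDefinitionBindings": [{"Id": 1073741824, "Name": "Limited Access"}]},
]})
SAMPLE_ROLE_DEFINITIONS = json.dumps({"value": [
    {"Id": 1073741826, "Name": "Read"}, {"Id": 1073741827, "Name": "Contribute"},
    {"Id": 1073741829, "Name": "Full Control"}]})
SAMPLE_LIST_GUID = "1f6a2b3c-4d5e-4f70-8a9b-0c1d2e3f4a5b"

if __name__ == "__main__":
    current = parse_role_assignments(SAMPLE_ROLE_ASSIGNMENTS)
    for ra in current:
        print(ra["principal_id"], ra["title"], ra["roles"])
    read_id = role_definition_id(SAMPLE_ROLE_DEFINITIONS, "Read")
    # Keep Sample Person (17) with Read; Owners (3) is the connection's group here.
    for method, uri in lockdown_plan(SAMPLE_LIST_GUID, 12, 17, read_id, current, protected_ids={3}):
        print(method, uri)
```

In a flow this is one HTTP action for the break call, an Apply to Each over the parsed assignments issuing the DELETE calls, and a final HTTP action for addroleassignment; the order matters, because a DELETE before the break would act on the parent list rather than the item.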

Conclusion

That covers many of the more common permission management activities in SharePoint. You can extend this approach to cover lots of other scenarios as well.