

SharePoint Online: Break Inheritance, Remove And Set List Item-Level Permissions with Power Automate


Introduction

In this article, we will build a Power Automate flow that breaks permission inheritance on a SharePoint Online list item, removes the item's existing permissions and then sets new item-level permissions.

In the previous article, we explored breaking inheritance on list items and adding roles. Here we follow the same break-inheritance step, and then see how to remove the existing permissions and set new item-level permissions in SharePoint Online.

Issues

If the group already has permissions on the item, the new permissions are added on top of the existing ones.

For example, if we add Read permissions on a list item whose SharePoint group members already have Edit permissions, Edit is not removed: the group ends up with both Edit and Read.

Solutions

We can give the SharePoint list item unique permissions by following the steps below.

We will look at each step in turn:

  1. Break inheritance on the list item
  2. Remove the list item-level roles (permissions)
  3. Add the list item-level roles (new permissions)

Break inheritance on the list item

We are going to define custom permissions at the list item level, so first we have to break role inheritance. This does not change anyone's permissions; it simply changes the current users' permissions from 'inherited' to 'specified' (unique).

We will see step-by-step how to implement it with Power Automate.

http://[SHAREPOINT_SITE_URL]/_api/web/lists/getByTitle('[LIST_TITLE]')/items([ItemID])/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)

As you can see, the URL has "copyRoleAssignments=true". If set to true, the parent's roles/permissions are copied to the item; if set to false, they are not copied.

Remove list item-level role (permission)

Then use the following REST API call to remove the list item-level roles/permissions:

http://[SHAREPOINT_SITE_URL]/_api/web/lists/getByTitle('[LIST_TITLE]')/items([ItemID])/roleAssignments/groups/removebyid([GROUP_PRINCIPAL_ID])

Add list item-level roles (new permissions)

Then use the following REST API call to add the list item-level roles/permissions:

http://[SHAREPOINT_SITE_URL]/_api/web/lists/getByTitle('[LIST_TITLE]')/items([ItemID])/roleassignments/addroleassignment(principalid=[GROUP_ID/User_ID],roleDefId=[ROLE_ID])
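The three calls above, together with the additive behaviour described under "Issues", can be checked offline with the following added example. It is not the article's flow or Microsoft's code: it builds the REST URLs with proper OData quoting and simulates what each call does to one item's role assignments, so the difference between "add Read only" (group keeps Edit and Read) and "remove, then add Read" (group keeps Read only) is visible without a tenant. The in-memory ListItem model, the contoso site URL, list title, group name and principal id 12 are constructed; the `/sitegroups/getbyname(...)/id` lookup and the `removeroleassignment(principalid=...)` form of the removal call are the REST paths assumed here, and the role definition IDs are the out-of-the-box values listed later in the article.

```python
"""Offline model of the permission-change sequence the flow performs.
Added example, not the article's flow or Microsoft code. Everything below
that looks like site data (URL, list title, group name, principal id) is
constructed; the role definition IDs match the article's table."""
from dataclasses import dataclass, field

# Out-of-the-box role definition IDs (same values as the article's table).
ROLE_EDIT = 1073741830
ROLE_READ = 1073741826


def odata_quote(value: str) -> str:
    """Quote a string for an OData path segment: single quotes around it and any
    embedded single quote doubled (a list titled "HR's Candidates" would
    otherwise break the URL)."""
    return "'" + value.replace("'", "''") + "'"


def build_requests(site_url: str, list_title: str, item_id: int, group_name: str,
                   principal_id: int, role_id: int) -> list[tuple[str, str]]:
    """Ordered (method, URL) pairs: break inheritance on the item, look up the
    group's principal id, remove the group's assignment, add the new role.
    /sitegroups/getbyname(...)/id and removeroleassignment(principalid=...)
    are the REST forms assumed for steps 2 and 3."""
    web = f"{site_url.rstrip('/')}/_api/web"
    item = f"{web}/lists/getByTitle({odata_quote(list_title)})/items({item_id})"
    return [
        ("POST", f"{item}/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)"),
        ("GET", f"{web}/sitegroups/getbyname({odata_quote(group_name)})/id"),
        ("POST", f"{item}/roleassignments/removeroleassignment(principalid={principal_id})"),
        ("POST", f"{item}/roleassignments/addroleassignment(principalid={principal_id},roledefid={role_id})"),
    ]


@dataclass
class ListItem:
    """Constructed stand-in for a list item: principal id -> set of role
    definition ids, inherited from the list until inheritance is broken."""
    parent_roles: dict[int, set[int]]
    has_unique_roles: bool = False
    own_roles: dict[int, set[int]] = field(default_factory=dict)

    def roles_of(self, principal_id: int) -> set[int]:
        source = self.own_roles if self.has_unique_roles else self.parent_roles
        return set(source.get(principal_id, set()))

    def break_role_inheritance(self, copy_role_assignments: bool) -> None:
        if self.has_unique_roles:  # already unique: nothing is re-copied
            return
        self.has_unique_roles = True
        self.own_roles = ({p: set(r) for p, r in self.parent_roles.items()}
                          if copy_role_assignments else {})

    def _require_unique(self) -> None:
        if not self.has_unique_roles:
            raise RuntimeError("item still inherits from the list; break inheritance first")

    def remove_role_assignment(self, principal_id: int) -> None:
        self._require_unique()
        self.own_roles.pop(principal_id, None)

    def add_role_assignment(self, principal_id: int, role_id: int) -> None:
        """addroleassignment is additive: roles the principal already holds stay."""
        self._require_unique()
        self.own_roles.setdefault(principal_id, set()).add(role_id)


HR_GROUP_ID = 12  # constructed principal id for the "HR Approval Group"


def new_item() -> ListItem:
    """An item on a list where the HR group currently holds Edit (constructed)."""
    return ListItem(parent_roles={HR_GROUP_ID: {ROLE_EDIT}})


def add_only(item: ListItem) -> set[int]:
    """The 'Issues' case: break inheritance (copying the parent's assignments)
    and add Read. Edit is kept, so the group ends up with both roles."""
    item.break_role_inheritance(copy_role_assignments=True)
    item.add_role_assignment(HR_GROUP_ID, ROLE_READ)
    return item.roles_of(HR_GROUP_ID)


def remove_then_add(item: ListItem) -> set[int]:
    """The article's three-step sequence: break, remove the group's assignment,
    add Read. Only Read remains, which is the least-privilege result intended."""
    item.break_role_inheritance(copy_role_assignments=True)
    item.remove_role_assignment(HR_GROUP_ID)
    item.add_role_assignment(HR_GROUP_ID, ROLE_READ)
    return item.roles_of(HR_GROUP_ID)


if __name__ == "__main__":
    for method, url in build_requests("https://contoso.sharepoint.com/sites/hr",
                                      "Employee Information", 7, "HR Approval Group",
                                      HR_GROUP_ID, ROLE_READ):
        print(method, url)
    print("add only         ->", sorted(add_only(new_item())))
    print("remove, then add ->", sorted(remove_then_add(new_item())))
```

The remove step is what turns the flow into a real least-privilege change: with copyRoleAssignments=true the item starts with every assignment the list had, and addroleassignment only ever widens a principal's rights. When wiring this into the "Send an HTTP request to SharePoint" action, keep in mind that the calls run under the connection's account, which therefore needs Manage Permissions on the list, and that odata_quote is the escaping the list title and group name need inside the URL.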

The step-by-step flow actions to build

We have created an Employee Information list where a new candidate's information is added and submitted to the HR Approval group for approval. After approval, the HR Approval group is assigned Read permission on the item.

Step 1

Go to Power Automate and log in with your Office 365 account.

We start with a blank canvas and build the flow ourselves: click the + New button and select "Automated – from blank". Follow the numbered points shown in the screenshot below:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img2.png

Provide a name and choose the trigger that will start the flow. In our case this is "When an item is created or modified"; then click the Create button. Follow the numbered points shown in the screenshot below:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img3.png

Enter the site address (URL) and select the list on which you want this Flow to run:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img4.png

Step 2

We have initialized two variables, one for the list name and one for the HR group's principal ID:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img5.png

Step 3

In this step, we verify that the HR approval group has approved the employee information request by checking the request's approval status:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img6.png

If the Approval Status is Approved, we start the process of removing the HR approval group's permission and setting its new permission. First, we break the inheritance on the approved list item:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img7.png

After breaking the inheritance, send an HTTP request to get the HR approval group's principal ID using the REST API, as in the screen below:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img11.png

Set the HR approval group's principal ID into the GroupPrinciple ID variable:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img9.png

In the steps below, we first remove the HR Approval group's item-level permission and then set Read permission for it on the same list item.

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/img10.png

To assign item-level permissions, we need the role definition IDs. Here are a few of the out-of-the-box IDs:

Role Definition Name    Role Definition Id
--------------------    ------------------
Full Control            1073741829
Design                  1073741828
Edit                    1073741830
Contribute              1073741827
Read                    1073741826
View Only               1073741924
Limited Access          1073741825

Output

Before Approval Status:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/output_juvIEp.gif

After Approval Status:

https://csharpcorner.azureedge.net/article/power-automate-break-inheritance-remove-and-set-list-item-level-permissions-i/Images/output_r0ZSk9.gif