For a SharePointer like me, the new Microsoft Flow action Send an Http Request to SharePoint, released yesterday, is an important milestone: we can now easily start using the SharePoint REST API (without having to deal with digests, tokens, all those horrible things that are now encapsulated in the action 🙂), and there is almost no limit to what we can do with SharePoint… as long as we know how to use the SharePoint REST API, and as long as the account defined in the SharePoint connection has the permission to do what you intend to do. Therefore, it is not an action for normal users, but mostly for developers. Perhaps some power users should be able to deal with it. More details on the REST operation on SharePoint here.
I will start with a basic example: how can we set a unique permission on a list item (or a document library item)? There are some business scenarios where this is crucial. Example: we have an onboarding Flow that is triggered when a new employee is hired: a contract is generated, signed by both the employee and his new manager, and the contract is uploaded to a document library; however, confidentiality is important: only members of HR and the employee himself can read the document. I've implemented such a scenario with PDF generation, e-signatures and Office 365 account creation. See my video here. But I didn't implement the unique permission on the document.
Just to illustrate how the new action works, let's start from an out-of-the-box document library named "Contracts" with several contract documents; a new contract ("ContractBrianc.docx") has been uploaded and I want only Brian Cox and the site owners to be able to read it. (In a clean implementation, employee metadata is provided and the flow checks the employee id and so on, but I want to keep it simple here.)
In a nutshell, the SharePoint REST API instructions to execute are the following:
1. We need to break the list item's permission inheritance
_api/lists/getByTitle('Contracts')/items(1)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
(I suppose the document has the ID=1, which is why I specify …/items(1)….)
2. We need to find the user principal id from his e-mail address
_api/web/SiteUsers/getByEmail('brianc@shareql.com')
3. We need to assign the read permission to this user
_api/lists/getByTitle('Contracts')/items(1)/roleassignments/addroleassignment(principalid=<principalid>,roledefid=1073741826)
(roledefid=1073741826 means "read only")
Hands on
1. Create an out-of-the-box document library "Contracts" and upload a few documents
2. Create a workflow that can be started from a button and add the new Send an Http Request to SharePoint action:
3. Save the flow, run it and take a look at the document library security settings:
You will notice that the document already has a unique permission; permission inheritance has been broken.
4. Now we need to find the user principal; I've hard-coded the user e-mail (brianc@shareql.com) to make it simple:
5. When the principal has been returned, we need to store it in a variable
6. And we can now give the read-only permission to our user on this document
7. Run the flow and check the list & list item security:
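The three REST calls above, as an added example that is not part of the original post: it builds the Method and Uri values for each Send an Http Request to SharePoint action, escapes values that in a real flow would come from employee metadata, and reads the principal Id from the lookup response. The helper names are hypothetical; the HTTP methods, the percent-encoding and the response shapes are not shown in the post and follow the SharePoint REST API.

```javascript
// Added example: builds the three requests from the post for the Flow action's
// Method and Uri fields. Helper names are hypothetical, not a SharePoint API.
const READ_ROLE_DEF_ID = 1073741826; // "read only", as given in the post

// OData string literal: double embedded single quotes, then URL-encode.
function odataString(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('expected a non-empty string');
  }
  return "'" + encodeURIComponent(value.replace(/'/g, "''")) + "'";
}

// Ids go into the URI unquoted, so accept positive integers only.
function positiveInt(value, name) {
  if (!Number.isSafeInteger(value) || value <= 0) {
    throw new RangeError(name + ' must be a positive integer');
  }
  return value;
}

function itemUri(listTitle, itemId) {
  return '_api/lists/getByTitle(' + odataString(listTitle) + ')/items(' +
    positiveInt(itemId, 'itemId') + ')';
}

// Steps 1 and 2: break inheritance, then look the user up by e-mail.
function buildLookupRequests(listTitle, itemId, email) {
  return [
    { method: 'POST', uri: itemUri(listTitle, itemId) +
        '/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)' },
    { method: 'GET', uri: '_api/web/SiteUsers/getByEmail(' + odataString(email) + ')' },
  ];
}

// The Id sits under "d" with odata=verbose and at the top level otherwise.
function extractPrincipalId(body) {
  const user = body && body.d ? body.d : body;
  return positiveInt(user ? user.Id : undefined, 'principal Id');
}

// Step 3: grant the role to the principal returned by step 2.
function buildAssignRequest(listTitle, itemId, principalId, roleDefId = READ_ROLE_DEF_ID) {
  return { method: 'POST', uri: itemUri(listTitle, itemId) +
    '/roleassignments/addroleassignment(principalid=' +
    positiveInt(principalId, 'principalId') + ',roledefid=' +
    positiveInt(roleDefId, 'roleDefId') + ')' };
}
```

Rejecting a missing or non-numeric Id before step 3 stops the flow from sending a malformed role assignment when the e-mail lookup returns no user.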
In a next blog post I will illustrate how to integrate this knowledge into the more complex OnBoarding flow.
If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully exercise-oriented, with zero slides.
Check my web site : https://www.shareql.com