Assign unique permissions to a document with the new Send an Http Request to SharePoint action (How to use the SharePoint REST API in Flow)

For a SharePointer like me, the new Microsoft Flow action Send an Http Request to SharePoint, released yesterday, is an important milestone: we can now easily start using the SharePoint REST API (without having to deal with the request digest, tokens and all those horrible things that are now encapsulated into the action 🙂), and there is almost no limit to what we can do with SharePoint as long as we know how to use the SharePoint REST API. And as long as the account defined in the SharePoint connection has the permission to do what you intend to do. Therefore, it is not an action for normal users, but mostly for developers. Perhaps some Power users will be able to deal with it. More details on the REST operations on SharePoint here.

I will start with a basic example: how can we set unique permissions on a list item (or a document library item)? There are some business scenarios where this is crucial. Example: we have an onboarding Flow that is triggered when a new employee is hired: a contract is generated, signed by both the employee and his new manager, and the contract is uploaded to a document library; however, confidentiality is important: only members of HR and the employee himself can read the document. I’ve implemented such a scenario with PDF generation, e-signatures and Office 365 account creation. See my video here. But I didn’t implement the unique permission on the document.

Just to illustrate how the new action works, let’s start from an out-of-the-box document library named “Contracts” with several contracts (documents); a new contract (“ContractBrianc.docx”) has been uploaded and I want only Brian Cox and the site owners to be able to read it. (In a clean implementation the employee metadata is provided, and the flow would check the employee id and so on, but I want to keep it simple here.)

In a nutshell, the SharePoint REST API calls to execute are the following:

1. We need to break the list item’s permission inheritance

_api/lists/getByTitle('Contracts')/items(1)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

(I assume the document has ID=1, which is why I specify …/items(1)….)

2. We need to find the user’s principal id from his e-mail address

_api/web/SiteUsers/getByEmail('brianc@shareql.com')

3. We need to assign the read permission to this user

_api/lists/getByTitle('Contracts')/items(1)/roleassignments/addroleassignment(principalid=<principalid>,roledefid=1073741826)


roledefid=1073741826 is the id of the built-in “Read” (read only) role definition.
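To make the three calls above concrete, here is an added Python example (not code from the post, and not the Flow action itself) that builds each request in order and pulls the principal id out of the step-2 response. It assumes that whatever sends the requests (the Send an Http Request to SharePoint action, or any other client) handles authentication and the request digest, as the post describes; the getByEmail response body is a constructed sample and its Id of 12 is made up. The two hardening points worth noticing are that string values are escaped as OData literals (an embedded quote is doubled rather than left to break the URL) and that the e-mail and ids are validated before any URL is assembled, so a malformed or unexpected input fails early instead of producing a request that grants a permission to the wrong principal.

```python
import json
import re

# Built-in "Read" role definition id, as used on the page (roledefid=1073741826).
ROLE_DEF_READ = 1073741826

# Conservative e-mail check: rejects whitespace, quotes and parentheses, which would
# otherwise need escaping inside the OData URL literal.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(email: str) -> bool:
    return bool(EMAIL_RE.match(email))


def odata_literal(value: str) -> str:
    """Quote a string as an OData literal; an embedded quote is doubled, not dropped."""
    return "'" + value.replace("'", "''") + "'"


def _item(item_id) -> int:
    if not isinstance(item_id, int) or item_id <= 0:
        raise ValueError("item id must be a positive integer")
    return item_id


def break_inheritance_request(list_title: str, item_id: int) -> dict:
    """Step 1: stop the item inheriting the library's permissions (POST, no body).
    copyRoleAssignments=false starts from an empty set instead of copying the library's
    assignments; clearSubscopes=true resets any unique permissions below the item."""
    return {
        "method": "POST",
        "uri": f"_api/lists/getByTitle({odata_literal(list_title)})/items({_item(item_id)})"
               "/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)",
    }


def get_user_request(email: str) -> dict:
    """Step 2: resolve the e-mail to a site user; the response carries the principal Id."""
    if not is_valid_email(email):
        raise ValueError(f"refusing to build a request for malformed e-mail {email!r}")
    return {
        "method": "GET",
        "uri": f"_api/web/SiteUsers/getByEmail({odata_literal(email)})",
        "headers": {"Accept": "application/json;odata=nometadata"},
    }


def parse_user_id(body: str) -> int:
    """Extract Id from the getByEmail response (nometadata shape, or verbose shape under 'd')."""
    data = json.loads(body)
    data = data.get("d", data)
    user_id = data.get("Id")
    if not isinstance(user_id, int):
        raise ValueError("response does not contain a numeric user Id")
    return user_id


def add_role_assignment_request(list_title: str, item_id: int, principal_id: int,
                                role_def_id: int = ROLE_DEF_READ) -> dict:
    """Step 3: grant exactly one role definition to the principal on this item (POST, no body)."""
    if not isinstance(principal_id, int) or principal_id <= 0:
        raise ValueError("principal id must be a positive integer")
    return {
        "method": "POST",
        "uri": f"_api/lists/getByTitle({odata_literal(list_title)})/items({_item(item_id)})"
               f"/roleassignments/addroleassignment(principalid={principal_id},roledefid={role_def_id})",
    }


# Constructed sample of what getByEmail returns with odata=nometadata; the Id is made up.
SAMPLE_USER_RESPONSE = json.dumps(
    {"Id": 12, "Title": "Brian Cox", "Email": "brianc@shareql.com", "PrincipalType": 1})


def plan_unique_read_permission(list_title: str, item_id: int, email: str,
                                user_response_body: str) -> list:
    """Return the three requests in execution order, using the (sample) step-2 response."""
    return [
        break_inheritance_request(list_title, item_id),
        get_user_request(email),
        add_role_assignment_request(list_title, item_id, parse_user_id(user_response_body)),
    ]


if __name__ == "__main__":
    for req in plan_unique_read_permission("Contracts", 1, "brianc@shareql.com", SAMPLE_USER_RESPONSE):
        print(req["method"], req["uri"])
```

The order matters: if the role assignment were added before inheritance is broken, it would land on the whole library rather than on the one document.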

Hands on

1. Create an out-of-the-box document library “Contracts” and upload a few documents:

[Screenshot: contract1]

2. Create a flow that can be started from a button and add the new Send an Http request to SharePoint action:

[Screenshot: contract2]

3. Save the flow, run it and take a look at the document library security settings:

[Screenshot: contract3]

You will notice that the document already has unique permissions; permission inheritance has been broken.

4. Now we need to find the user principal. I’ve hard-coded the user e-mail (brianc@shareql.com) to keep it simple:

[Screenshot: contract4]

5. When the principal has been returned, we need to store it in a variable:

[Screenshot: contract5]

6. And we can now give the read-only permission to our user on this document:

[Screenshot: contract6]

7. Run the flow and check the list & list item security:

[Screenshot: contract7]

In a future blog post I will illustrate how to integrate this knowledge into the more complex onboarding flow.

If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully exercise oriented, 0 slides.

Check my web site : https://www.shareql.com


One response to “Assign unique permissions to a document with the new Send an Http Request to SharePoint action (How to use the SharePoint REST API in Flow)”

1. Pingback: Create Multiple Document Libraries Using SharePoint HTTP Request Connector – SharePointing
