Item level permission in SharePoint using REST and Power Automate

Sometimes, when an item is created, we need to set item-level permissions on it. SharePoint’s REST API exposes the calls needed, and Power Automate (Flow) can make them through the Send an HTTP request to SharePoint action.

For this to work, the SharePoint connection used by the flow must belong to an account with Manage Permissions rights on the list (Full Control / site owner is enough; a site collection administrator also works, but it is more privilege than these calls need). Every HTTP call below runs under that account, so treat the connection like a service credential and do not share the flow with people who should not be able to re-point it.

First, the basics of how this works

Step 1 is to identify to whom the permission should be granted. It can be either a person or a site group.

Step 2 is to identify what kind of permission, i.e. which role, should be granted.

Step 3 is breaking the inheritance on the item.

Step 4 is assigning the permission.

Second, the supporting APIs used to gather that information

Step 1: To whom the permission should be granted?

Individual user

To identify an individual user the following API can be used. Most flows have the user’s e-mail address at hand, so let’s take that as the example. Note that getByEmail only finds users who are already in the site’s user information list; for a user who has never visited the site, POST to _api/web/ensureuser with the login name (for example i:0#.f|membership|email@domain.com) instead, which adds the user and returns the same Id.

URL: _api/web/SiteUsers/getByEmail('email@domain.com')
Method: Get

When you use Power Automate, extract the Id from the response and place it in a variable. The ['d'] wrapper is the verbose OData response format; if you set the Accept header to application/json;odata=nometadata, the Id sits at the top level instead.

body('Get_User_Id')['d']['Id']

Site Group

To identify the site group the following API can be used.

URL: _api/web/sitegroups/getbyname('Group Name')
Method: Get

When you use Power Automate, extract the Id the same way and place it in a variable.

body('Get_Group_Id')['d']['Id']

Step 2: What kind of permission?

This is defined by the role definitions (permission levels) available in the site. The following API returns a role definition and its Id by name; resolving by name is safer than hard-coding an Id, because custom permission levels get site-specific Ids.

URL: _api/web/roledefinitions/getbyname('Full Control')
Method: Get

When you use Power Automate, extract the Id and place it in a variable.

body('Get_Role_Definition_Id')['d']['Id']

Step 3: Breaking the inheritance

First we need to identify the target whose inheritance should be broken. In the following example it is a list item. With copyRoleAssignments=false the inherited role assignments are removed (the current user, i.e. the account the flow runs as, keeps its own), so until Step 4 runs nobody else can reach the item; with copyRoleAssignments=true the parent’s assignments are copied and you only add to them. clearSubscopes matters for containers (a list or folder), where true resets unique permissions on the children; on a single item it is harmless. Keep in mind that each item with unique permissions counts against the list’s limit of 50,000 unique permission scopes, so break inheritance only where the item really needs it.

URL: _api/web/lists/getByTitle('<List Name>')/items(<Item ID>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
Method: POST

Example:

URL: _api/web/lists/getByTitle('Test List')/items(1)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

Step 4: Assigning permission

As said before, permission can be assigned to an individual user or a site group; both are principals, so the same call serves both. If several principals need access, add them all right after breaking inheritance so the item is not left reachable only by the flow’s account.

URL: _api/web/lists/getByTitle('<List Name>')/items(<Item ID>)/roleassignments/addroleassignment(principalid=<User ID or Group ID>,roledefid=<Role ID>)
Method: POST

Example:

URL: _api/web/lists/getByTitle('Test List')/items(1)/roleassignments/addroleassignment(principalid=10,roledefid=1073741829)
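The whole procedure, Steps 1 to 4 plus a read-back of the resulting role assignments, as an added Python example (not the post’s own code). It assumes a transport object that already carries an authenticated session (in practice a requests.Session with a bearer token or the flow’s own connection) and returns verbose OData JSON, which is why the code reads ['d'] exactly as the Power Automate expressions above do. The site URL, list title, e-mail address and group name are placeholders, and FakeSharePoint is a constructed stand-in so the flow runs offline. The escaping in odata_literal goes beyond the post: values that come from the triggering item (an e-mail or group name) are placed inside a quoted OData path literal, so a stray single quote must be doubled and the rest percent-encoded.

```python
import re
from urllib.parse import quote, unquote


def odata_literal(value: str) -> str:
    """Escape a string for an OData path literal such as getbytitle('...').
    The single quote is doubled (OData's own escape) and everything else is
    percent-encoded, so a value copied from a list item cannot close the
    literal and smuggle in another path segment or query option."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in OData literal")
    return quote(value.replace("'", "''"), safe="'")


class SPItemPermissions:
    """The post's four steps against the SharePoint REST API.
    transport.request(method, url, body) must return the parsed JSON of a
    verbose-OData response (the {'d': ...} wrapper) and raise LookupError on 404."""

    def __init__(self, site_url: str, transport):
        self.site = site_url.rstrip("/")
        self.transport = transport

    def _get(self, path):
        return self.transport.request("GET", f"{self.site}/{path}", None)["d"]

    def _post(self, path, body=None):
        return self.transport.request("POST", f"{self.site}/{path}", body)["d"]

    def user_id(self, email: str) -> int:
        # Step 1 (user): siteusers only knows users already in this site's user
        # information list, so on a miss ensureuser adds the user and returns it.
        try:
            return self._get(f"_api/web/siteusers/getbyemail('{odata_literal(email)}')")["Id"]
        except LookupError:
            login = f"i:0#.f|membership|{email}"  # claims-encoded login name
            return self._post("_api/web/ensureuser", {"logonName": login})["Id"]

    def group_id(self, name: str) -> int:  # Step 1 (site group)
        return self._get(f"_api/web/sitegroups/getbyname('{odata_literal(name)}')")["Id"]

    def role_id(self, name: str) -> int:  # Step 2: resolve by name, never hard-code the Id
        return self._get(f"_api/web/roledefinitions/getbyname('{odata_literal(name)}')")["Id"]

    def _item(self, list_title: str, item_id: int) -> str:
        return f"_api/web/lists/getbytitle('{odata_literal(list_title)}')/items({int(item_id)})"

    def grant(self, list_title, item_id, bindings, copy_parent=False):
        """bindings: [(principal_id, role_id), ...] all applied after a single break,
        so the item is never left reachable only by the calling account."""
        item = self._item(list_title, item_id)
        # Step 3: copyRoleAssignments=false drops the inherited assignments.
        self._post(f"{item}/breakroleinheritance(copyRoleAssignments="
                   f"{str(copy_parent).lower()},clearSubscopes=true)")
        for principal_id, role_id in bindings:  # Step 4
            self._post(f"{item}/roleassignments/addroleassignment("
                       f"principalid={int(principal_id)},roledefid={int(role_id)})")
        return self.assignments(list_title, item_id)

    def assignments(self, list_title, item_id):
        """Read back (principal Id, role name) pairs to verify the result."""
        d = self._get(f"{self._item(list_title, item_id)}/roleassignments"
                      "?$expand=Member,RoleDefinitionBindings")
        return sorted((ra["Member"]["Id"], b["Name"])
                      for ra in d["results"] for b in ra["RoleDefinitionBindings"]["results"])


class FakeSharePoint:
    """Constructed stand-in for an authenticated session (no real tenant): a tiny
    directory, one in-memory item, and a log of every call for checking the order."""
    ROLES = {"Read": 1073741826, "Contribute": 1073741827, "Edit": 1073741830,
             "Full Control": 1073741829}

    def __init__(self):
        self.users, self.groups, self.calls = {"alice@contoso.com": 12}, {"Project Owners": 7}, []
        self.item = [(3, 1073741830)]  # inherited from the list: group 3 has Edit

    def request(self, method, url, body):
        self.calls.append((method, url))
        path = url.split("/_api/web/", 1)[1]
        m = re.fullmatch(r"(siteusers/getbyemail|sitegroups/getbyname|roledefinitions/getbyname)"
                         r"\('(.*)'\)", path)
        if m:
            table = {"siteusers/getbyemail": self.users, "sitegroups/getbyname": self.groups,
                     "roledefinitions/getbyname": self.ROLES}[m.group(1)]
            key = unquote(m.group(2)).replace("''", "'")  # undo odata_literal
            if key not in table:
                raise LookupError(404)
            return {"d": {"Id": table[key]}}
        if path == "ensureuser":
            email = body["logonName"].rsplit("|", 1)[1]
            return {"d": {"Id": self.users.setdefault(email, 100 + len(self.users))}}
        if path.endswith("clearSubscopes=true)"):
            if "copyRoleAssignments=false" in path:
                self.item = []
            return {"d": {"BreakRoleInheritance": None}}
        m = re.search(r"addroleassignment\(principalid=(\d+),roledefid=(\d+)\)", path)
        if m:
            self.item.append((int(m.group(1)), int(m.group(2))))
            return {"d": {"AddRoleAssignment": None}}
        names = {v: k for k, v in self.ROLES.items()}
        return {"d": {"results": [{"Member": {"Id": p}, "RoleDefinitionBindings":
                                   {"results": [{"Name": names[r]}]}} for p, r in self.item]}}


def run_demo():
    sp = FakeSharePoint()
    client = SPItemPermissions("https://contoso.sharepoint.com/sites/demo", sp)  # placeholder
    bob = client.user_id("bob@contoso.com")  # unknown to siteusers -> ensureuser path
    owners = client.group_id("Project Owners")
    result = client.grant("Test List", 1, [(owners, client.role_id("Full Control")),
                                           (bob, client.role_id("Read"))])
    return result, sp.calls


if __name__ == "__main__":
    print(run_demo())
```

The read-back at the end is the check worth keeping in a real flow: the inherited Edit binding is gone and only the principals you added remain. Against a real tenant the transport also needs the Accept header application/json;odata=verbose and, for the POSTs, a request digest or bearer token; the Power Automate action supplies both for you.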

Following is the list of out-of-the-box role definitions and their Ids; these built-in Ids are the same in every site, whereas custom permission levels get Ids of their own, which is why Step 2 resolves the role by name.

Role Definition Name   Role Definition Id
Full Control           1073741829
Design                 1073741828
Edit                   1073741830
Contribute             1073741827
Read                   1073741826
View Only              1073741924
Limited Access         1073741825

Useful URL

The following Microsoft documentation page has code examples for the REST calls used here.

Set custom permissions on a list by using the REST interface