cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

Override SharePoint List Item Permissions

Hello,

 

I have successfully created a Flow that breaks permissions and sets the user's permission to read only for certain items in a list using HTTP API call.

 

The problem is that now no one has any access to the items except for the user's read only permissions.  I am a global admin and the owner of the list with Full Control of the list and the subsite both explictly and by group membership.

 

I've rerun the HTTP API based Flow again breaking permissions and setting the new permissions for both the test user and myself but no further modification to the items is happening.

 

Is there any way to reset the permissions?

2 ACCEPTED SOLUTIONS

Accepted Solutions

It could be as simple as changing the Flow from one started via Powerapps to one that is triggered by a change to the list.  Flows that are started by a trigger run in the context of the user who made the Flow.  If that is you and you have Manager Permissions that will all work with the Trigger.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

View solution in original post

@jarodpearcy :

You can "hide" a list by opening the site up in SharePoint Designer.  Go to the list and then list properties.  Under General settings, check the box that says "hide from browser".  The list will not show up in site contents or anywhere else on the site (unless you manually create a link, page, etc.).  However, a user can still access the list via the browser of they know the URL.  In addition, the list will still be access via other tools such as MS Access, scripts, etc..

 

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Scott

View solution in original post

26 REPLIES 26
RezaDorrani
Community Champion
Community Champion

Hi @jarodpearcy 

 

Try using the new MS Flow actions for setting permissions

https://flow.microsoft.com/en-us/blog/july-updates-for-microsoft-flow/

 

Regards,

Reza Dorrani

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

Pstork1
Most Valuable Professional
Most Valuable Professional

The simplest way would be to run the HTTP call and re-establish inheritance of permissions for the item.  That would reset everything back to normal.  Otherwise, there are ways to give multiple users or groups permissions using the same REST calls you've already used.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
ScottShearer
Most Valuable Professional
Most Valuable Professional

@jarodpearcy 

Have you tried making yourself an SCA in the site collection (not a site owner)?  You can do so in the SharePoint Office 365 admin console.  As an SCA you should be able to see everything regardless of the permissions as well as reset permissions.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Scott

Hello Reza,

 

I tried your suggestion of using the SharePoint 'Grant access to an item or a folder' connector and the flow completed successfully with a Status Code of 200.  However, nothing changed.  The Recipient still has Edit permissions when set to View Only.

 

Any idea why everything appears to work yet nothing changes?  Does inheritance need to be broken using the SharePoint connector?

 

 

Hi @jarodpearcy 

 

That should grant access

There is also a stop sharing an item or a folder, whic revokes all access to an item to all people except for Owners

Try that first and then try grant access (assuming Flow is being run by the site Owner)

Hello Scott,

 

I discovered that I was targeting an Office 365 Group's SharePoint site and not a team site.  I've recreated the tables on a new team subsite and am trying to recreate the problem.  

However now the API call is returning a status of insufficient permissions even though it appears to have a valid access token.

 

Is it possible for the https://accounts.accesscontrol.windows.net/....Tenant ID..../tokens/OAuth/2 request to return a token but it not have access permissions?

Okay, so you're saying if a user already has Edit permissions then setting it to Read permissions does nothing to limit permissions.  I would have to revoke all permissions and then grant Read permissions.  Is that right?

That is correct.  Permissions in SharePoint are always additive.  Its the sum of whatever permissions you get for that particular securable object of whatever securable object it inherits permissions from.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

This approach works if the Owner is excuting the flow.  However the flow is part of a PowerApp that is being executed by the user and does not have the access to reset permissions via the SharePoint connector.  

 

It looks like the previous method of using the API Break Inheritance is the only pracitcal approach.

If the user executing the Flow doesn't have 'Manage Permissions' permission I don't think you will find that you can do the REST call successfully.  You need to have that permission in the permission level assigned to you to be able to break inheritance and change the permission no matter how you do it.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Hi @jarodpearcy 

@Pstork1 is correct - rest api wont help either

 

Your challenge here is to trigger the Flow not in the context of PowerApps

What I would recommend is when user needs to trigger the PowerApps do not call PowerApps from Flow. Instead create an item in a hidden SharePoint list (all this list will do is trigger the Flow when item is created). Now you can have a Flow which gets called on item added and this Flow can run in context of the Owner account to modify permissions

 

Regards,

Reza Dorrani

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

If I'm not mistaken, the permissions lie within the bearer token. The REST call contains a bearer token with FullControl permissions and is agnostic as to who is executing the call.  

 

That being said, I've executed the (2) REST call from the flow with correct URI's and they both return status code 200.  However, the permissions for the test user remain unchanged.  Everything looks perfect yet there is no change.

 

Call 1:
https://xxxxx.sharepoint.com/sites/Team%20Site/Expenses/_api/web/lists/getByTitle('Reimbursement Item')/items(4)/breakroleinheritance(copyRoleAssignments=false, clearSubscopes=true)

OUTPUTS: 

Status Code: 200

Body: 

 

Call 2:

https://xxxxx.sharepoint.com/sites/Team%20Site/Expenses/_api/web/lists/getByTitle('Reimbursement Item')/items(4)/roleassignments/addroleassignment(principalid=20, roledefid=1073741827)

OUTPUTS: 

Status Code: 200

Body:

<?xml version="1.0" encoding="utf-8"?><d:AddRoleAssignment xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml" m:null="true" />

 

But the bearer token is created using the context of the user logged into the site.  User's who don't have permission to change permissions on a SharePoint site can't change the permissions by making a REST call based on their login.  It just won't work.  The REST call itself may return a 200 status because the call was made successfully, but the change will be ignored if the user doesn't have the right permission level.  It wouldn't be secure if it worked differently.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

The bearer token I'm using is being generated via an App Add-in with "FullControl" permissions.  It's totally agnostic as to who the user is.  When the App Add-in had "Read" permissions the REST call would fail with insufficient permissions.  When I changed the App Add-in to "FullControl" the REST call succeeded status code 200.

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

Here is a summary of the approach I'm using.

 

Perhaps I need to rethink the approach.  The bottom line is that when a PowerApp user submits an item for expense reimbursement that they are no longer allowed to edit the item and if the submissions is rejected then they are once again allowed to edit the item so it may be resubmitted.

 

Is there a better approach than changing permissions on the item or a better way to instantiate the item permissions changes?

It could be as simple as changing the Flow from one started via Powerapps to one that is triggered by a change to the list.  Flows that are started by a trigger run in the context of the user who made the Flow.  If that is you and you have Manager Permissions that will all work with the Trigger.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

I see.  I could use the SP 'Item Changed' connector and then check to see if the change was the submission status and then the Flow would run under my Ower permissions.

 

I'd still like to know why the REST calls with a bearer token from an App Add-In aren't having any effect.  When I was incorrectly targeting an Office 365 Group's SharePoint site the break inheritance REST call worked.  It created other complications but it worked.

I would assume the connector is overriding and supplying its own bearer token to remove that from something the user is required to handle when using a Rest call action.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

No, the bearer token is imbedded in the header.  Of course there's a difference between a SP connector and HTTP REST API call.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 4:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji11FLMike31Sayan11ManishSolanki16VishnuReddy199710creativeopinion14Akshansh-Sharma3SudeepGhatakNZ7claudiovc2CFernandes5 misc2Nived_Nambiar5 Usernametwice232rzaneti5 eetuRobo2   Anil_g2   SharonS2  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (1,742)