cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

Remove Specific User Access to a SharePoint List Item

I have item level permissions set up on SharePoint List, but i would like the ability to remove specific user access to some items. i'm seeing alot of information around adding users but nothing on removing users.

Any one have an idea on how to achieve this please?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @Gottijay2000 

To modify the item permission,

1. You have to break the inheritance from the parent which can be done using the below endpoint

_api/web/lists/getByTitle(<List Title>)/items/getById(<Item id>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

2. Find the permission level ID.

_api/web/roledefinitions/getByName('contribute')

3. Get the user id

4. You have to assign the user the above roledef id

_api/web/lists/getByTitle(<List Title>)/items(<Item ID>)/roleassignments/addroleassignment(principalid=<user id>,roledefid=<roledef id>)

 

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

View solution in original post

19 REPLIES 19

Hi @Gottijay2000 

You can try using 'Send Http request to SharePoint' using the REST API to change the permission of an item.

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

 @sudharsan1985 do you know what endpoint would do the trick?

Hi @Gottijay2000 

Please refer the below links.

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/set-custom-permissions-on-a-list-by-using...

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?t...

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

@sudharsan1985 none of the links have what i'm looking for which is the ability to remove a user from an item that has item level permissions

Hi @Gottijay2000 

To modify the item permission,

1. You have to break the inheritance from the parent which can be done using the below endpoint

_api/web/lists/getByTitle(<List Title>)/items/getById(<Item id>)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

2. Find the permission level ID.

_api/web/roledefinitions/getByName('contribute')

3. Get the user id

4. You have to assign the user the above roledef id

_api/web/lists/getByTitle(<List Title>)/items(<Item ID>)/roleassignments/addroleassignment(principalid=<user id>,roledefid=<roledef id>)

 

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

Hi @Gottijay2000 I'm delving back into my memory to when I used to do more SharePoint development, and if I remember correctly then there wasn't an explicit "remove" endpoint. The way that we did it was to reset and reapply the permissions without the user that you wanted to remove.

 

Is it too late to consider using SharePoint groups for your permissions instead? They are much more manageable through code.

@sudharsan1985 this was helpful thanks. 

Hi @Gottijay2000 

Please mark the correct response as a solution to help others in the community.

Hope it helps, please like it or mark it as a solution if it resolves your clarification or issue
-Sudharsan K...

Anonymous' reply is a better answer to the initial question than the one that is currently marked as a solution. The question was if there was a way to remove a specific user's permissions on an item, which is what Anonymous' answer does. Whereas the suggestion that is currently marked as solution really only adds permissions for a user after breaking permission inheritance. A workaround could be to remove all permissions for all users and then reassign permissions for all users that still need them, as suggested by MattWeston365. While that is a way to achieve the desired endgoal, it's a workaround that, depending on your list and number of users, may result in a lot of unnecessary action requests from your flow.

 

So, to confirm Anonymous' answer, the below action removes one specific permission from one specific user, on one specific item. Do note, though, that you do need to break permission inheritance first. If you're going to need to assign unique permissions for all items in your list, it's best to break inheritance on your entire list. If you only need unique permissions on a single item, then you can break inheritance using the HTTP request described in step 1 of sudharsa1985's solution.

 

The following action works for me.

OliverR82_0-1651342435813.png

The URI is:

 

_api/web/lists/getbytitle('Meeting Notes')/items(90)/roleassignments/removeroleassignment(principalid=<userId>,roleDefId=<permissionID>) 

 

 

To get the user's principal ID, you need to make an HTTP request to the following URI:

 

_api/web/siteusers/getbyemail('jsmith@mysite.com') 

 

 

The URI to get the roledefID was already mentioned above, but I'll repeat it here for completeness sake:

 

_api/web/roledefinitions/getByName('contribute')

 

 

This solution is not removing users, its only assigning different role. not sure why this is marked as accepted solution. Totally misleading!

@Rampriyar2022  You're right, the marked solution does not really address the original question. But read the entire thread, there is a proper solution posted by Anonymous user. I also elaborated on it to further clarify. Hope it helps you.

very good answer... thanks you and Anonymous!!

I will make use of your solution. Just one question, if the inheritance is already broken, I do not need to apply the steps to re-break the inheritance right? @OliverR-82 

Seems I have yet another question, which I don't know if you can answer. Is there a way to see in Power Automate which users have been given permission. Our scenario is that when a new distinct user is added, the old distinct user gets removed (but we keep all the other users that has permission so resetting won't work).

Hi @shavora 

 

1. Correct, once permission inherritance is broken on an item, you don't need to break it again; permission inherritance will remain broken until you explicitly restore it again.

 

2. Yes, querying the SharePoint API via the HTTP action it is possible to check existing item-level permissions for a given user. To do that, you'll need to make 2 separate calls to the SharePoint API: one to get the principal ID of the user on the site (this can differ between site collections), and one to check the user's permissions on a given item.

 

Get the principal ID of a user by their e-mail address

OliverR82_1-1671632414580.png

Use the following Uri to get the user's principal ID:

 

 

_api/web/siteusers/getbyemail('user@yourdomain.com')?$select=Id

 

 

Specifying the "?$select=Id" at the end will make it so that you only get back the Id, which is what you need. It's always good practice to limit as much as possible the amount of data that is exchanged when making API calls. The less data is transferred, the quicker your flow will run. The output will look like this:

OliverR82_3-1671632930246.png

To use this output in following actions, you would use the expression (noting that I renamed my action to "Get user ID" and any spaces should be replaced by underscores when used in expressions):

 

 

body('Get_user_ID')['Id']

 

 

 

Checking the user's permissions for an item

OliverR82_4-1671633139738.png

Use the following Uri to get the permissions:

 

 

_api/web/lists/getbytitle('<list displayname>')/items(<item id>)/roleassignments/getbyprincipalid(<Id returned by previous action>)/RoleDefinitionBindings?$select=Name

 

 

Again I'm appending "?$select=Name" to the end to get just the info I need and nothing else. The output wil look like the following:

OliverR82_5-1671633274143.png

In the above example, the user has "Read" permissions on the item. Depending on the permissions of the user, the output can be something else, eg. "Contribute" or "Full control".

 

To reference that value, you would use the following expression (again noting that I renamed my action to a meaningful name, replacing any spaces with underscores):

 

 

body('Check_permissions')['value']['Name']

 

 

If the user in question does not have any permissions on the item at all, the "Check permissions" action will fail with a status of 404 and a message saying "Can not find the principal with id: xx".

 

I hope this helps you solve your problem.

OliverR-82
Skilled Sharer
Skilled Sharer

I experimented a bit further with these API calls and, if you wanted to, you could also get an overview of all the users and their permissions for a specific list item by querying the following Uri:

 

_api/web/lists/getbytitle('<list displayname>')/items(<item id>)/roleassignments?$select=RoleDefinitionBindings/Name,Member/Title&$expand=RoleDefinitionBindings,Member

 

This would give you an output like the following:

OliverR82_6-1671635493346.png

You could also get the users' e-mail addresses instead of their display names by replacing Member/Title with Member/Email in the Uri. Just thought I'd share this here in case it was of interest to anyone.

The main problem with this solution is that you need to reset everyone else's permissions on the item. The "Anonymous" and Oliver's responses worked for me. Imagine if you have 3-10 different users or groups who have access to this specific item. In your solution, the flow will need to 1.) read all the other existing permissions, then, 2.) add them back again.

@OliverR-82 thank you for this - a question I have is how would the uri be structured to reference a document library folder? Thank you.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 4:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji11FLMike31Sayan11ManishSolanki16VishnuReddy199710creativeopinion14Akshansh-Sharma3SudeepGhatakNZ7claudiovc2CFernandes5 misc2Nived_Nambiar5 Usernametwice232rzaneti5 eetuRobo2   Anil_g2   SharonS2  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (794)