Setting unique permissions on SharePoint folders

A client had a rather unique use case: they needed to strip permissions from a folder in a document library, assign permissions only to the specific people named in the metadata against each folder, and also ensure the site owners kept their access.

The requirements were as follows:

  • HR can create a folder in a library

  • The workflow should take away all existing access and update it with the three people in the fields against the folder

  • The site owners shouldn't lose permissions to the item

  • If the folder had any of the three fields changed the permissions should be updated to reflect that

At first, I thought this would be relatively simple, but it actually involved quite a few actions to get right. The solution I built is below; there may be other ways to do this, but I hope others find it useful and take from it what they need.



Creating the SharePoint Library

OK, so basic stuff first...

  • Create a SharePoint site

  • Create a SharePoint Library

(I assume if you're interested in reading this you know how to make those)


For this solution, there were three people picker fields I needed to add to the library which would dictate who should have access to the folder once it has been created. So I simply added these in as site columns to the library.

Creating the workflow

So I knew I needed this workflow to fire on item creation and modification, as one of the requirements was to ensure permissions stayed up to date on any changes to the folder.

So I selected the automated flow trigger (When an item is created or modified).


Setting trigger conditions

OK, so to start off, I only want this workflow to fire if the item that is created or modified is a folder. Luckily, I have my colleague's post to help me here (Control your Flows with Trigger Conditions (dapt.uk)), so I can use trigger conditions to stop it firing every time a file is uploaded too.

To test the correct trigger condition I am going to use a simple method: add an Initialize variable action holding a Boolean that checks whether the item is a folder.

equals(triggerBody()?['{IsFolder}'],true)

OK, so when I run this workflow as a test I want this Boolean variable to come out as true. This worked, so I can now add the condition to the trigger action on the workflow (refer to the previous post by Daniel on how to set this up).


I have to change it slightly to get it to work here, but that's pretty straightforward:

@equals(triggerBody()?['{IsFolder}'],true)

Breaking inheritance

First things first, I want to remove all permissions from this item. As this is sensitive stuff, I don't want the members or visitors of the site having access through inheritance, so I break it using an HTTP request action:


_api/lists/getByTitle('Permission_Mgmt')/items(Item ID here)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

This works the first time an item is created, but if inheritance is already broken and permissions are being updated, I need to make sure that I am removing existing user access too. I can do this in a few steps.


First, I initialise a variable of type array and populate it with the item's 'SharedWith' property.

Then I need to do the following:

For each user in the array >> get their profile >> get that user's UserPrincipalID >> remove that user using their UserPrincipalID. Or, in other words (or pictures), this...


For the last part of this you need to use the expression builder for the principalid element:

body('Get_User_Principal_ID')['d']['id']

What we're doing here is picking the id number out of the output of the previous step. If you want to know why it's ['d']['id'], I have highlighted it in the response below, but you won't need to worry about it.

{
  "d": {
    "results": [
      {
        "__metadata": {
          "id": "https://xxxxxxxxxxxxxx.sharepoint.com/sites/KnowledgeHub/_api/Web/GetUserById(6)",
          "uri": "https://xxxxxxxxxxxx.sharepoint.com/sites/KnowledgeHub/_api/Web/GetUserById(6)",
          "type": "SP.User"
        },
        "Alerts": {
          "__deferred": {
            "uri": "https://xxxxxxxxxx.sharepoint.com/sites/KnowledgeHub/_api/Web/GetUserById(6)/Alerts"
          }
        },
        "Groups": {
          "__deferred": {
            "uri": "https://xxxxxxxxxxxx.sharepoint.com/sites/KnowledgeHub/_api/Web/GetUserById(6)/Groups"
          }
        },
        "Id": 6,
        "IsHiddenInUI": false,
        "LoginName": "i:0#.f|membership|stephen@xxxxxxxxxxxxxxxx.onmicrosoft.com",
        "Title": "Stephen Port",
        "PrincipalType": 1,
        "Email": "stephen@xxxxxxxxxxxxxxxx.onmicrosoft.com",
        "Expiration": "",
        "IsEmailAuthenticationGuestUser": false,
        "IsShareByEmailGuestUser": false,
        "IsSiteAdmin": true,
        "UserId": {
          "__metadata": {
            "type": "SP.UserIdInfo"
          },
          "NameId": "xxxxxxxxxxxxxxxxxx",
          "NameIdIssuer": "urn:federation:microsoftonline"
        },
        "UserPrincipalName": "stephen@xxxxxxxxxxxxxxxx.onmicrosoft.com"
      }
    ]
  }
}

Adding users to the folder with permissions

Lastly, we need to add user permissions to the folder. I used parallel branches here so the two parts run at the same time, but you could stack them up one after the other.


Adding users from the site columns is easy enough with the Grant Access action:


Re-adding the site owners was a little more tricky.

First, we have to get the owners and put the output into an array.

The HTTP request is a GET this time and we use the following:

_api/web/sitegroups(3)/users

The number three is the group ID, which we can get by going to the People and Groups page of the site and reading the MembershipGroupId at the end of the URL. In this case, this is the owners' group.

https://xxxxxxxxxx.sharepoint.com/sites/xxxxxxxx/_layouts/15/people.aspx?MembershipGroupId=3


You can generate the JSON schema from a sample when you run this workflow as a test and review the output: click 'Generate from sample' and paste the body output in.


If you have made it this far, well done. The last step is to add the owners: loop through each owner found in the step above and grant them access.
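To see the whole sequence in one place, here is an added Python model of the reconciliation the flow performs. It is example code written for this page, not the author's flow and not anything from Microsoft. It reuses the REST paths from the post, stands in for the flow's per-user remove step and the Grant Access action with the roleassignments removeroleassignment/addroleassignment REST endpoints (my substitution), and reads constructed sample responses in the shape of the JSON shown above. Nothing is sent to SharePoint; the function returns the ordered calls so the logic can be checked offline. CONTRIBUTE_ROLE_DEF_ID, the function names and the sample user ids are assumptions.

```python
"""Model of the folder-permission reconciliation the post's flow performs.

Added example, not the author's flow or Microsoft code. It builds the same
sequence of SharePoint REST calls (break inheritance, remove the users the
item is currently shared with, re-add the three people-picker users and the
owners group members) as a plan that can be checked offline. Nothing is sent:
the function returns (method, path) pairs, and the responses the flow would
read are constructed samples embedded below.
"""
import json

# Role definition id for the built-in Contribute level (assumed value; look
# up the real id on the target site via _api/web/roledefinitions).
CONTRIBUTE_ROLE_DEF_ID = 1073741827

# Constructed sample in the shape of the post's user-lookup response
# (fields trimmed, values are placeholders).
SAMPLE_USER_LOOKUP = json.dumps({"d": {"results": [
    {"Id": 6, "Title": "Stephen Port", "Email": "stephen@example.onmicrosoft.com"}
]}})

# Constructed sample in the shape of _api/web/sitegroups(3)/users output.
SAMPLE_OWNERS = json.dumps({"d": {"results": [
    {"Id": 11, "Email": "owner1@example.onmicrosoft.com"},
    {"Id": 12, "Email": "owner2@example.onmicrosoft.com"},
]}})


def principal_id_from_lookup(body: str) -> int:
    """Pull the SharePoint user Id out of a user-lookup response.

    Accepts the collection shape shown in the post ({"d": {"results": [..]}})
    and the single-object shape ({"d": {"Id": N}}) that the expression
    body(...)['d']['id'] walks, so either kind of HTTP step output works.
    """
    d = json.loads(body)["d"]
    obj = d["results"][0] if "results" in d else d
    for key in ("Id", "id"):
        if key in obj:
            return int(obj[key])
    raise KeyError("no Id field in user lookup response")


def member_ids(body: str) -> list[int]:
    """Ids of every user in a sitegroups(N)/users response."""
    return [int(u["Id"]) for u in json.loads(body)["d"]["results"]]


def plan_permission_update(list_title: str, item_id: int, shared_with_ids: list[int],
                           picker_ids: list[int], owner_ids: list[int],
                           role_def_id: int = CONTRIBUTE_ROLE_DEF_ID) -> list[tuple[str, str]]:
    """Return the ordered REST calls for one folder.

    The post's breakroleinheritance path is reused; the remove/add role
    assignment endpoints stand in for the flow's per-user remove step and
    the Grant Access action (that substitution is this example's choice).
    """
    item = f"_api/lists/getByTitle('{list_title}')/items({item_id})"
    keep = set(picker_ids) | set(owner_ids)
    calls: list[tuple[str, str]] = []
    # 1. Stop inheriting from the library so nobody keeps access through the site.
    calls.append(("POST", f"{item}/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)"))
    # 2. Strip everyone the folder is currently shared with, except people who are
    #    about to be granted anyway (avoids a remove-then-re-add flicker on updates).
    for uid in shared_with_ids:
        if uid not in keep:
            calls.append(("POST", f"{item}/roleassignments/removeroleassignment(principalid={uid})"))
    # 3. Grant the people-picker users and every owner, each exactly once, in order.
    for uid in dict.fromkeys(list(picker_ids) + list(owner_ids)):
        calls.append(("POST", f"{item}/roleassignments/addroleassignment(principalid={uid},roledefid={role_def_id})"))
    return calls


if __name__ == "__main__":
    picker = [principal_id_from_lookup(SAMPLE_USER_LOOKUP), 8, 9]
    owners = member_ids(SAMPLE_OWNERS)
    for method, path in plan_permission_update("Permission_Mgmt", 42, [6, 7, 11], picker, owners):
        print(method, path)
```

Two checks are worth keeping when you translate this back into flow actions. First, the plan never removes an id that is in the picker fields or the owners group, so an update that only swaps one person does not briefly lock the other two out. Second, breaking inheritance with copyRoleAssignments=false leaves the calling account (the connection the flow runs under) with Full Control on the item, so that account will show up in SharedWith on the next run; decide deliberately whether it belongs in the keep set.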

And that's that: we've successfully removed user permissions from an item and reassigned them in a few ways, both from site column people pickers and from a group.



© Copyright 2021 - Dapt UK Ltd | London | United Kingdom

Terms & Conditions | Privacy Policy

Contact us | info@dapt.uk | 07961 209190

  • LinkedIn
  • Twitter
  • Facebook
  • Instagram
  • YouTube