Use Power Automate (flow) to change SharePoint Group Permission Level | Quisitive
January 2, 2020
Quisitive

Unless you want to pay for premium connectors like Plumsail to handle permissions in Power Automate, there’s no easy way to work with permissions in your flows. But there is a way to change permissions and permission levels using the good old “Send HTTP Request to SharePoint” action.

I had a requirement to build a site archival solution that, once approved, would change the permission level for the Owners group from “Full Control” to “Read”.

So this was our starting point, standard vanilla SP permissions:

Here’s the full flow that is needed to get the job done. We’ll break down each part.

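The first step is to figure out what our Owners group object is. The first HTTP call gets all the groups on the site, filtered to those whose Title contains 'Owner'. The filter matches every group with “Owner” in its title, not only the site's default Owners group, so each match is processed by the later steps.

_api/web/sitegroups/?$filter=((substringof('Owner',Title)))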

The next step is to parse the results that we get back from that HTTP call. There are several good blog posts out there on how to parse JSON, so I won’t go into that. The schema keeps only two properties to save on call size:

"properties": {
    "Id": {
        "type": "integer"
    },
    "Title": {
        "type": "string"
    }
}

Now we should have a nice and clean JSON containing the group details we need. The next step is the trickier one. To work with permission levels we need to know the magic numeric values of “roledefid”.

“roledefid” for Permission Levels are:

Full Control: 1073741829
Contribute: 1073741827
Edit: 1073741830
Read: 1073741826

So the first call grabs the Id from the JSON and passes it as “principalid”; this is the SharePoint group ID. “roledefid” tells it which permission level to add, here Read (1073741826), the target level for the archived site.

_api/web/roleassignments/addroleassignment(principalid=@{items('For_Each_SP_Owner_Group')?['Id']},roledefid=1073741826)

Once that is done, it’s almost exactly the same to remove the old permission level. We’ll just make a “remove” instead of “add” call:

_api/web/roleassignments/removeroleassignment(principalid=@{items('For_Each_SP_Owner_Group')?['Id']},roledefid=1073741829)

That should do it! Once it has run, the permissions should look like this:

If you want to tweak this to not only target the owners group, you can easily change the first HTTP call to not have the filter query. Then all groups will be included in your logic.
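The flow above removes only “Full Control”, so a matched group that also holds another level keeps it. The following added example (not part of the original post) plans the add/remove calls per group from the site's current role assignments and audits the result; the function names, the sample response and its `odata=nometadata` shape are assumptions, and the case-sensitive title match is a simplification of `substringof`.

```python
import json

READ = 1073741826  # roledefid for "Read", from the list above

# Constructed sample of the response to
# GET _api/web/roleassignments?$expand=Member,RoleDefinitionBindings
# (odata=nometadata shape assumed); group names are made up.
SAMPLE = json.loads("""
{"value": [
 {"PrincipalId": 5, "Member": {"Title": "Archive Demo Owners"},
  "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control"}]},
 {"PrincipalId": 6, "Member": {"Title": "Archive Demo Members"},
  "RoleDefinitionBindings": [{"Id": 1073741830, "Name": "Edit"}]},
 {"PrincipalId": 9, "Member": {"Title": "Project Owners (legacy)"},
  "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control"},
                             {"Id": 1073741827, "Name": "Contribute"}]},
 {"PrincipalId": 7, "Member": {"Title": "Archive Demo Visitors"},
  "RoleDefinitionBindings": [{"Id": 1073741826, "Name": "Read"}]}
]}
""")

BASE = "_api/web/roleassignments"

def plan_calls(assignments, title_contains="Owner", target=READ):
    """Ordered REST calls that leave each matching group with only `target`."""
    calls = []
    for ra in assignments["value"]:
        if title_contains not in ra["Member"]["Title"]:
            continue
        pid = ra["PrincipalId"]
        held = [b["Id"] for b in ra["RoleDefinitionBindings"]]
        if target not in held:  # add first so the group never loses all access
            calls.append(f"{BASE}/addroleassignment(principalid={pid},roledefid={target})")
        # remove every other level the group holds, not just Full Control
        calls += [f"{BASE}/removeroleassignment(principalid={pid},roledefid={rid})"
                  for rid in held if rid != target]
    return calls

def not_read_only(assignments, target=READ):
    """Audit: titles of principals that hold any level other than `target`."""
    return sorted(ra["Member"]["Title"] for ra in assignments["value"]
                  if any(b["Id"] != target for b in ra["RoleDefinitionBindings"]))

if __name__ == "__main__":
    print("\n".join(plan_calls(SAMPLE)))
    print(not_read_only(SAMPLE))
```

Run `not_read_only` on a fresh response after the flow completes; any title it returns still holds a level other than Read, which in this sample would include the Members group that the Owner filter never touches.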