Unless you want to pay for premium connectors like Plumsail to handle permissions in Power Automate, there’s no easy way to work with permissions in your flows. But there is a way to change permissions and permission levels using the good old “Send HTTP Request to SharePoint” action.

I had a requirement to build a site archival solution that, once approved, should change the permission level for the Owners group from “Full Control” to “Read”.

So this was our starting point, standard vanilla SP permissions:

perm-before

Here’s the full flow that is needed to get the job done; we’ll break down each part.

flow-collapsed

The first step is to figure out what our Owners group object is. The first HTTP call gets all the groups on the site, filtered to those whose Title contains ‘Owner’:

flow-getownergroup

_api/web/sitegroups/?$filter=((substringof('Owner',Title)))

 

Next step is to parse the results that we get back from that HTTP call. There are several good blog posts out there on how to parse JSON so I won’t go into that. The Schema returns only two properties to save on call size:

flow-parsejson

"properties": {
    "Id": {
        "type": "integer"
    },
    "Title": {
        "type": "string"
    }
}

Now we should have a nice and clean JSON containing the group details we need. The next step is the trickier one. To work with permission levels we need to know the magic numeric values of “roledefid”.

“roledefid” for Permission Levels are:

Full Control: 1073741829
Contribute: 1073741827
Edit: 1073741830
Read: 1073741826

So the first call grabs the Id from the JSON and assigns it as “principalid”, which is the SharePoint group ID. It then passes “roledefid” to say which permission level to add.

flow-addpermission

_api/web/roleassignments/addroleassignment(principalid=@{items('For_Each_SP_Owner_Group')?['Id']},roledefid=1073741827)

Once that is done, it’s almost exactly the same to remove the old permission level. We’ll just make a “remove” instead of “add” call:

flow-removepermission

_api/web/roleassignments/removeroleassignment(principalid=@{items('For_Each_SP_Owner_Group')?['Id']},roledefid=1073741829)

 

That should do it! Once it has run, the permissions should look like this:

perm-after

If you want to tweak this to not only target the owners group, you can easily change the first HTTP call to not have the filter query. Then all groups will be included in your logic.
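
Because the filter matches any group whose title merely contains ‘Owner’ (and removing it matches every group), it helps to dry-run the two calls before the flow changes anything. The Python sketch below is an added example, not code from the original post: it builds the add and remove requests offline from a parsed group list and skips groups that do not look like the site's Owners group. The function name, the `title_suffix` check and the sample groups are assumptions, and it uses Read as the target level, per the stated requirement.

```python
"""Dry-run planner for the flow's two permission calls (added example)."""

# roledefid values as listed in the article.
ROLE_DEF_IDS = {
    "Full Control": 1073741829,
    "Contribute": 1073741827,
    "Edit": 1073741830,
    "Read": 1073741826,
}

BASE = "_api/web/roleassignments/"


def plan_role_swap(groups, old_level, new_level, title_suffix=" Owners"):
    """Return (calls, skipped): ordered (method, uri) pairs and skipped titles.

    groups: parsed Id/Title objects from the sitegroups call.
    title_suffix: hypothetical tightening of the "contains 'Owner'" filter,
    so a group such as "Product Owners Wiki Editors" is left untouched.
    """
    add_id, remove_id = ROLE_DEF_IDS[new_level], ROLE_DEF_IDS[old_level]
    calls, skipped = [], []
    for group in groups:
        gid, title = group.get("Id"), group.get("Title", "")
        # The Id is interpolated into the URI, so insist on a real integer.
        if not isinstance(gid, int) or isinstance(gid, bool) or gid <= 0:
            raise ValueError(f"unexpected group Id: {gid!r}")
        if not title.endswith(title_suffix):
            skipped.append(title)
            continue
        args = f"(principalid={gid},roledefid="
        # Add the new level first, then remove the old one, as the flow does,
        # so the group is never left without any role assignment.
        calls.append(("POST", f"{BASE}addroleassignment{args}{add_id})"))
        calls.append(("POST", f"{BASE}removeroleassignment{args}{remove_id})"))
    return calls, skipped


# Constructed sample of what the filtered sitegroups call could return.
SAMPLE_GROUPS = [
    {"Id": 3, "Title": "Archive Demo Owners"},
    {"Id": 17, "Title": "Product Owners Wiki Editors"},
]

if __name__ == "__main__":
    planned, left_alone = plan_role_swap(SAMPLE_GROUPS, "Full Control", "Read")
    for method, uri in planned:
        print(method, uri)
    print("skipped:", left_alone)
```

Reviewing the skipped list before enabling the real calls shows which groups the broader title filter would otherwise have downgraded.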