This post and video will show how to dynamically manage item security level in SharePoint lists based on Security groups. This automatic assignment is done from a Power Automate workflow.
This approach is powerful and can be used to show or hide rows in Power Apps applications: the item-level permissions configured in this use case cascade correctly into Power Apps. A Power App built on a SharePoint list respects item-level permissions, so users only see records they have rights to, without any additional filtering in the app (and, unlike app-side filtering, the restriction also holds for anyone who queries the list directly).
Use case description
For this example, we’re working with a list of Projects, each linked to a department. When a project is created, we extract the department and grant access to the security groups that were created for that department’s View or Edit access. The main goal is to dynamically assign permissions based on the department associated with a project record.
We will use two departments, Finance and Marketing, and each department has two levels of access for its members: view or edit.
For this video and blog, we’re working with SharePoint lists, but the same logic can be applied regardless of the data source being used, such as SQL or Dataverse.
Solution description
- Create security groups for each department or group or category for which you’d like to assign/grant access
- Create an Access Matrix list that has a list of all departments (or groups or categories) and add columns to indicate Group ID, Group Name and Access Level (view or edit).
- Create a Power Automate workflow that runs every time a new record is created in the Projects list.
- Dynamically look up the appropriate security groups from an “access matrix” SharePoint list that maps departments, access types (view/edit), and security group IDs. Learn about filtering SharePoint data in our post on OData filter queries.
- Stop sharing the item with all users (the “Stop sharing an item or a file” action, which breaks permission inheritance on the item); only site owners will have access after this action.
- Share the item with the creator, if needed.
- Use the “Send an HTTP request to SharePoint” action to assign permissions to the security groups dynamically based on the access matrix. Note that this action runs under the identity of the flow’s SharePoint connection, so that account needs Manage Permissions rights on the list; treat that connection as privileged.
Share items with Security groups
Method: POST
URI: _api/web/Lists('list-guid')/GetItemById('item-id')/ShareObject
Body:
{
"includeAnonymousLinkInEmail":false,
"peoplePickerInput":"[{\"Key\":\"c:0t.c|tenant|{group-id}\",\"DisplayText\":\"{group-name}\",\"IsResolved\":true,\"EntityType\":\"FormsRole\",\"EntityData\":{},\"MultipleMatches\":[],\"ProviderName\":\"Tenant\",\"ProviderDisplayName\":\"Tenant\"}]",
"propagateAcl":true,
"roleValue": "role:{role-type-id}",
"sendEmail": false,
"useSimplifiedRoles": true
}
Learn more about sharing SharePoint items using Power Automate here.
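The steps above, as an added example that is not code from the original post or the video: a Python script that assembles the exact REST requests the flow sends for one new Project item (break inheritance, optionally share with the creator, then one ShareObject call per matching access-matrix row). It assumes the role IDs that ShareObject accepts with useSimplifiedRoles (1073741826 for view, 1073741827 for edit; confirm them in your own tenant via _api/web/roledefinitions), a hypothetical list GUID, constructed access-matrix rows with placeholder group GUIDs, and the i:0#.f|membership|<UPN> claim format for the creator. Two details worth seeing in working code: peoplePickerInput is a JSON string embedded inside the JSON body (hence the inner json.dumps), and the lookup fails closed, so an unknown department leaves the item owner-only instead of inherited.

```python
import json
import re

# Role-definition IDs ShareObject accepts as roleValue with useSimplifiedRoles=true.
# Assumption: Read = "view", Contribute = "edit"; verify with GET _api/web/roledefinitions.
ROLE_IDS = {"view": 1073741826, "edit": 1073741827}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample rows standing in for the Access Matrix list (placeholder GUIDs).
ACCESS_MATRIX = [
    {"Department": "Finance", "GroupID": "11111111-1111-1111-1111-111111111111",
     "GroupName": "SG-Finance-View", "AccessLevel": "view"},
    {"Department": "Finance", "GroupID": "22222222-2222-2222-2222-222222222222",
     "GroupName": "SG-Finance-Edit", "AccessLevel": "edit"},
    {"Department": "Marketing", "GroupID": "33333333-3333-3333-3333-333333333333",
     "GroupName": "SG-Marketing-View", "AccessLevel": "view"},
    {"Department": "Marketing", "GroupID": "44444444-4444-4444-4444-444444444444",
     "GroupName": "SG-Marketing-Edit", "AccessLevel": "edit"},
]
LIST_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # hypothetical Projects list GUID

HEADERS = {"Accept": "application/json;odata=verbose",
           "Content-Type": "application/json;odata=verbose"}


def lookup_groups(matrix, department):
    """Access-matrix rows for one department (exact match, case-insensitive)."""
    wanted = department.strip().lower()
    return [r for r in matrix if r["Department"].strip().lower() == wanted]


def break_inheritance_request(list_id, item_id):
    """REST counterpart of the 'Stop sharing' step: the item gets unique, empty
    role assignments, so only site owners (Full Control) can still reach it."""
    return {"method": "POST", "headers": HEADERS, "body": None,
            "uri": (f"_api/web/Lists('{list_id}')/GetItemById({item_id})"
                    "/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)")}


def share_request(list_id, item_id, key, display, entity_type, access_level):
    """ShareObject call for one principal. peoplePickerInput is a JSON *string*
    inside the JSON body, which is why the picker array is dumped separately."""
    if access_level not in ROLE_IDS:
        raise ValueError(f"unknown access level {access_level!r}")
    picker = [{"Key": key, "DisplayText": display, "IsResolved": True,
               "EntityType": entity_type, "EntityData": {}, "MultipleMatches": [],
               "ProviderName": "Tenant", "ProviderDisplayName": "Tenant"}]
    body = {"includeAnonymousLinkInEmail": False,
            "peoplePickerInput": json.dumps(picker),
            "propagateAcl": True,
            "roleValue": f"role:{ROLE_IDS[access_level]}",
            "sendEmail": False,
            "useSimplifiedRoles": True}
    return {"method": "POST", "headers": HEADERS, "body": body,
            "uri": f"_api/web/Lists('{list_id}')/GetItemById({item_id})/ShareObject"}


def group_share_request(list_id, item_id, row):
    """Share with one Entra security group (claim form c:0t.c|tenant|<object id>)."""
    gid = row["GroupID"]
    if not GUID_RE.match(gid):  # the key is a claim string; never interpolate unchecked text
        raise ValueError(f"GroupID is not a GUID: {gid!r}")
    return share_request(list_id, item_id, f"c:0t.c|tenant|{gid}",
                         row["GroupName"], "FormsRole", row["AccessLevel"].lower())


def plan_permissions(list_id, item_id, department, matrix, creator_upn=None):
    """Ordered requests for one new Project item. Fails closed: an unknown
    department still breaks inheritance, leaving the item owner-only."""
    plan = [break_inheritance_request(list_id, item_id)]
    if creator_upn:
        # Assumption: user claim format i:0#.f|membership|<UPN>; creator gets edit.
        plan.append(share_request(list_id, item_id, f"i:0#.f|membership|{creator_upn}",
                                  creator_upn, "User", "edit"))
    for row in lookup_groups(matrix, department):
        plan.append(group_share_request(list_id, item_id, row))
    return plan


def picker_entries(request):
    """Decode the embedded peoplePickerInput string of a ShareObject request."""
    return json.loads(request["body"]["peoplePickerInput"])


if __name__ == "__main__":
    for req in plan_permissions(LIST_ID, 42, "Finance", ACCESS_MATRIX, "creator@contoso.com"):
        print(req["method"], req["uri"])
        if req["body"]:
            print("  ", json.dumps(req["body"]))
```

In the flow, each entry of the returned plan maps to one "Send an HTTP request to SharePoint" action (method, URI, headers, body), executed in order; the GUID check on GroupID is cheap insurance against a tampered or mistyped access-matrix row turning into an arbitrary claim string.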
Step-by-step walkthrough
Watch the video below to see a step-by-step walkthrough by Graciela, where she shows how to use Power Automate to dynamically manage project access based on the department associated with each project, all based on Microsoft Entra ID security groups.
How our Power Automate Development services can help
We combine powerful concepts with different Microsoft 365 tools (SharePoint, Power Automate, Power Apps, Microsoft Entra ID) to build solutions that meet your data security needs. Contact us if you need help securing your applications and SharePoint lists.