Something that I have come across a lot is solutions that require setting item level security after a particular occurrence on the list item (or in some workflow process). Specifically what I wanted to look at was how to do it using SharePoint Groups as opposed to AD users, though I will probably cover that later. This is going to be a two-part post as well because I am also going to do it with Microsoft Flow in my next blog. Moving forward, whenever I do a SharePoint Designer Workflow blog I am going to try and do a corresponding one for Flow as well.
Setting Item Level Security With SharePoint Designer Workflows
Back in 2013, Microsoft updated SharePoint Designer and brought in a feature that has been a huge help to SharePoint power users and developers. This being the ability to make an HTTP call to a web service. This allows workflows to make use of functionality that was not available to them in prior SPD workflows. Most of the instructions I have seen these days for setting security revolve around adding particular users to an item. So instead of that, I am going to focus on SharePoint Groups instead. The steps are pretty straightforward, but there are some supporting steps that I think everyone should be aware of.
- Set your URL and header variables ahead of time outside of the HTTP call. This allows you to reuse them later and limiting you to one place to make changes instead of a number of places.
- Setup your Header Dictionary. This is used to pass the headers along with the HTTP call.
- Content-Type: application/json;odata=verbose
- Accept: application/json;odata=verbose
![Setting Item Level Security - Configuring the headers]()
- Setup your Header Dictionary. This is used to pass the headers along with the HTTP call.
- Place all of the HTTP call steps into an App Step in the workflow
Breaking Inheritance
The first thing you want to do is break the inheritance on the item. To do this you need your headers as mentioned above and then an HTTP call. Set your URL to point to the item the workflow is attached to and call the function “breakroleinheritance”. The full string will look something like this: “[%Workflow Context: Current Site URL%]/_api/lists/getbytitle(‘%Workflow Context:List Name%]/items([%Current Item:ID%]/breakroleinheritance(true)”
In an App Step you want to add the action “Call HTTP Web Service”. The web service will have the following Properties:
- Address: Workflow Variable containing the address above
- RequestType: HTTP Post
- RequestHeaders: Workflow Variable with the Header dictionary you created above
- ResponseStatusCode: Variable to hold the response code.
Once complete your section of the WF should look something like this:
Get SP Group ID
Getting the SP Group ID you want to use the following REST endpoint: “[%Workflow Context: Current Site URL%]/_api/web/sitegroups/getbyname(‘GROUP NAME”)?$select=id”. The select id means the call will only return the id information of the SP Group. You next want to add the action “Gen an Item from a Dictionary Properties”. This step allows you to get the information returned by the REST call. Fill out the properties of this action as follows:
Note: the variable jsonSPGroupID is the variable captured from the previous HTTP Call.
Remove SP Group from Item
Removing the SP Group requires one more REST call. You need to create a new header as this actually defines the step the endpoitnt is to take. Create the dictionary item with on field it:
- X-HTTP-Method: DELETE
This call requires the following endpoint to be added: [%Workflow Context: Current Site URL%]/_api/lists/getbytitle(‘%Workflow Context:List Name%]/items([%Current Item:ID%]/roleassignments[%Variable: spGroupID%]
Adding these steps to a workflow will remove an SP Group for you. Click here to find out how to do it in Microsoft Flow
Thanks for reading!!
Comments