
Read and Store item permissions before modifications

Hello, I created a document review workflow using a Request review task with a fixed end date of 2 days.

I deal with item permissions:

1. The document has custom permissions before the WF starts (e.g. Felix = read)

2. I add new people / permissions via Request Review - Item permissions (e.g. Felix = Edit)

3. I need to remove these added permissions after the end of the task (e.g. Felix = read)

The problem is that I will completely remove permissions for Felix. Is it possible to somehow read item permissions before modification and set its "Original" state back at the end?

Thank you,

J.


Re: Read and Store item permissions before modifications

or maybe:

1. The document has custom permissions before the WF starts (e.g. Felix = read, Thomas = Edit)
2. I add new people / permissions (e.g. Felix = Edit, Thomas = Edit, New user = Edit, New user2 = Edit)

3. Set back the original item permissions (in this case it is Felix = read, Thomas = Edit)


Re: Read and Store item permissions before modifications

Hi Poki!

Hmm... I do not think it is going to be an easy and straightforward solution. There is no OOTB solution. First I'd recommend you use the "HTTP Web Request" action to call the SharePoint REST API. You can get the permissions of a particular user using the following REST call, using the "Accept: application/json;odata=verbose" header:

https://[web url]/_api/web/lists/getbytitle('[list name]')/items([item ID])/getusereffectivepermissions(@u)?@u='[http_escaped_user_login]'

However, it will return data in the following form:

{
  "d": {
    "GetUserEffectivePermissions": {
      "__metadata": {
        "type": "SP.BasePermissions"
      },
      "High": "2147483647",
      "Low": "4294967295"
    }
  }
}

The "High" and "Low" represent order bits for the permission. However, not for the levels, but for the permissions scope itself, so "add", "edit", "delete" instead of "Contribute" for example. Moreover, it is really hard without custom code to translate them because you need to compare these values with binary masks.

So there is another way round.. But longer.

  1. Call the following REST API URL, again using the "Accept: application/json;odata=verbose" header:
    https://[web url]/_api/web/lists/getbytitle('[list name]')/items([item id])/?$expand=RoleAssignments/RoleDefinitionBindings,RoleAssignments/Member/Users
  2. It will return you a lot of code. Put it in a collection. Then get the information stored under the path: "d/RoleAssignments/results"

  3. It will return you a collection built of "Member" and "RoleDefinitionBindings" sub-collections. For you the most interesting data is stored in this second one:

    It actually stores a set of all "Roles" assigned to a particular user, whose information is stored in the first sub-collection: "Member".

  4. Loop through every element from the first (point 2) collection. For each run get this data from the collection: "Member/LoginName" so that you will know what user you are querying. If the login name (or you can reach for the email) matches the user you want to check, get his roles (save them to another collection variable) from the second collection using this path: "RoleDefinitionBindings/results".

  5. Then for each element from that variable get data from that path: "Name".

  6. In the end you should receive a set of all roles your user has. Then you can use a "Parallel" action (one branch for each permission level) to add and configure a proper "Set item permissions" action or just to determine the highest permissions' role from those owned by a user and only grant him the highest permissions after all. Your choice.

I hope this will really help you

Regards,

Tomasz

Regards, Tomasz Poszytek
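
The parsing steps from the reply above, as an added example that is not part of the original thread: it reads "d/RoleAssignments/results" from the expanded REST response, records the role names per "Member/LoginName", and goes one step further by comparing a snapshot taken before the task with one taken after it, for every principal rather than one user. The sample responses, the contoso logins and the function names are constructed for illustration; skipping "Limited Access" is an assumption that this system-managed level should not be re-granted.

```python
import json

def _body(assignments):
    """Constructed sample: {login: [roles]} -> verbose OData response text."""
    return json.dumps({"d": {"RoleAssignments": {"results": [
        {"Member": {"LoginName": login},
         "RoleDefinitionBindings": {"results": [{"Name": r} for r in roles]}}
        for login, roles in assignments.items()]}}})

# Constructed responses for the thread's scenario (logins are hypothetical).
BEFORE = _body({"i:0#.w|contoso\\felix": ["Read"],
                "i:0#.w|contoso\\thomas": ["Edit"]})
AFTER = _body({"i:0#.w|contoso\\Felix": ["Edit"],
               "i:0#.w|contoso\\thomas": ["Edit"],
               "i:0#.w|contoso\\newuser": ["Edit"],
               "i:0#.w|contoso\\newuser2": ["Edit", "Limited Access"]})

def snapshot_roles(body, skip=("Limited Access",)):
    """Return {login: {role names}} read from d/RoleAssignments/results."""
    snap = {}
    for ra in json.loads(body)["d"]["RoleAssignments"]["results"]:
        login = ra["Member"]["LoginName"].lower()  # compare logins case-insensitively
        roles = {rd["Name"] for rd in ra["RoleDefinitionBindings"]["results"]}
        roles -= set(skip)  # assumption: system-managed level, not re-granted
        if roles:
            snap.setdefault(login, set()).update(roles)
    return snap

def restore_plan(before, after):
    """Return (to_remove, to_add): role names per login needed to get back to `before`."""
    to_remove, to_add = {}, {}
    for login in before.keys() | after.keys():
        had, has = before.get(login, set()), after.get(login, set())
        if has - had:
            to_remove[login] = sorted(has - had)
        if had - has:
            to_add[login] = sorted(had - has)
    return to_remove, to_add

if __name__ == "__main__":
    remove, add = restore_plan(snapshot_roles(BEFORE), snapshot_roles(AFTER))
    print("remove:", remove)
    print("add back:", add)
```

Storing the "before" snapshot in a workflow variable at the start means the rollback removes only what the task granted, so Felix ends with Read again instead of losing access.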