Set unique permissions on a list item

This article describes using the Send HTTP Request action in Lightning Forms (or Lightning List Actions) to break permission inheritance on an item and then grant permission to a person or group.

Sometimes, you may wish to allow only certain people to have access to an item you have just created using Lightning Forms. A use case might be that many people have access to a SharePoint list on which you have created a custom form, so they can add a new entry. But after the entry is added, only managers or other specified people should have access to that item.

You can achieve this with the Send HTTP request action in Lightning Forms, which calls the SharePoint REST API to set permissions on that item directly instead of letting it inherit them from the list (as it normally would). Here's how to do this within Lightning Forms. You could do something similar with Lightning List Actions.

NOTE: This will only work for accounts that hold the "Manage Permissions" right on this list, because the requests run under the account of the person saving the form.

On your NewForm, modify the actions associated with the Save button (or a custom button, if that's what you're using to save the form).

Add the Send HTTP request action after the Save Form action. The form must be saved first so that there is an item ID to refer to. Enter the following values as shown in the screenshot below (replace 'My List' with the name of the list you're working with).

URL: [[@Web.Url]]/_api/lists/getByTitle('My List')/items([[ID]])/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)

Header Key (click the + to add a Header): Accept

Header Value: application/json;odata=nometadata

Now, add another Send HTTP request action to grant the permissions to a user or group. The API request requires the Principal ID of the account, which is the numeric Id of the user or group (not its display name). Again, replace 'My List' with the name of your list, and replace [[Person.Id]] with the placeholder of the field in the current record containing the person or group to whom you are granting permission. roleDefId is a number representing one of the SharePoint permission levels; it can also be the ID of a custom permission level. See below for a reference list.

URL: [[@Web.Url]]/_api/lists/getByTitle('My List')/items([[ID]])/roleassignments/addroleassignment(principalid='[[Person.Id]]',roleDefId=1073741827)

Header Key: Accept

Header Value: application/json;odata=nometadata

You can get a list of SharePoint role definition IDs from the SharePoint API by entering the following URL in your browser's address bar (replacing site-url with the full URL of your site):

https://site-url/_api/web/roledefinitions

This will return quite a lot of text, but within it you'll see the role definition IDs for the current site and which permissions each one grants. To save you time, here are the standard permission level role definition IDs:

Full Control: 1073741829
Design: 1073741828
Edit: 1073741830
Contribute: 1073741827
Read: 1073741826
Restricted View: 1073741832
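As an added example that is not part of this article or of Lightning Forms, here is the same two-call sequence issued from Python, with the HTTP call supplied by the caller so it runs offline against a stand-in tenant. The site URL, list title, item ID and principal ID in the test are constructed sample values, and a real `post` must carry SharePoint's authentication (cookie plus X-RequestDigest, or a bearer token), which the Lightning Forms action handles for you. It also shows the failure mode worth knowing about: because copyRoleAssignments=false empties the item's grants, a failed second call leaves the item visible only to site collection admins.

```python
ACCEPT = {"Accept": "application/json;odata=nometadata"}

# Standard permission level role definition IDs listed in the article.
ROLE_DEFINITION_IDS = {
    "Full Control": 1073741829, "Design": 1073741828, "Edit": 1073741830,
    "Contribute": 1073741827, "Read": 1073741826, "Restricted View": 1073741832,
}

def item_url(site_url, list_title, item_id):
    """Endpoint for one list item: .../_api/lists/getByTitle('<list>')/items(<id>)."""
    title = list_title.replace("'", "''")  # OData escapes ' inside a literal by doubling it
    return f"{site_url.rstrip('/')}/_api/lists/getByTitle('{title}')/items({int(item_id)})"

def break_inheritance_url(site_url, list_title, item_id):
    # copyRoleAssignments=false starts from an empty set: afterwards only what we
    # add (plus site collection admins) can reach the item.
    return (item_url(site_url, list_title, item_id)
            + "/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)")

def add_role_assignment_url(site_url, list_title, item_id, principal_id, role_def_id):
    return (item_url(site_url, list_title, item_id)
            + f"/roleassignments/addroleassignment(principalid='{int(principal_id)}',"
            f"roleDefId={int(role_def_id)})")

def set_unique_permissions(post, site_url, list_title, item_id, principal_id, role_def_id):
    """Issue the two POSTs in the article's order; returns the URLs used.
    `post(url, headers) -> status` is caller-supplied (assumed, not a library
    API) and must already carry SharePoint's authentication."""
    urls = [break_inheritance_url(site_url, list_title, item_id),
            add_role_assignment_url(site_url, list_title, item_id, principal_id, role_def_id)]
    if post(urls[0], ACCEPT) >= 400:
        raise RuntimeError("breakroleinheritance failed; item still inherits from the list")
    if post(urls[1], ACCEPT) >= 400:
        # Inheritance is already broken with nothing copied, so right now nobody
        # but site collection admins can see the item: say so and let the caller retry.
        raise RuntimeError(f"addroleassignment failed; item {item_id} currently has no "
                           "grants except site collection admins")
    return urls

class FakeSharePoint:
    """Offline stand-in for a tenant (constructed for this example): records posts."""
    def __init__(self):
        self.calls = []

    def post(self, url, headers):
        self.calls.append(url)
        return 200 if headers.get("Accept") == ACCEPT["Accept"] else 406
```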

Now when someone saves a new item using your custom New Form, the item will only be accessible to the person or group that you specified, plus the Site Collection Administrators, whose permissions cannot be removed.

NOTE: If you as a site owner or admin need to check who has permissions to items within this list, or modify the permissions at some later date, you can use our DeliverPoint permissions reporting and management tool.

Published Dec 8, 2022