Power Platform Community Forum Thread Details

Our organization has several Power Platform solutions for submitting and processing reports. For example, we have a "Daily Report" app, where each of our location managers must submit a report for their location. Each time a location manager submits a report for their location, the Power Platform solution generates a PDF and stores it in a SharePoint Document Library. However, we have strict permission requirements for these reports. Location managers need to have access to view their own past reports, but not each other's reports.

Currently, we solve this problem by using Power Automate to assign unique permissions to each PDF after its generation. This seems not ideal to me, since I've read that unique permissions slow things down in SharePoint, and of course it introduces complexity into the permissions structure. But separating these reports into separate document libraries for each location seems just as complex to me, since we would need to build some solution for executives to view all reports together, and we would need to make sure a new library is created and integrated into the Power Platform solution each time we open a new location.

Is our current solution the best solution? Or is there a better way to meet our permission requirements?

Categories:

Using flows

The simplest solution would be to create a folder for each manager based on their e-mail address and set unique permissions on each folder so only that person has access. When your flow saves the PDF file, it can place it in the corresponding folder based on the submitter’s e-mail. This approach limits the number of unique permissions by applying them at the folder level rather than per file.

Unique permissions only become a performance concern when you have a lot. While I don’t have an exact threshold, I have read recommendations of keeping the number of uniquely permissioned items below 5,000 to avoid performance issues; What are the workaround if our SharePoint list might contain more than 5,000 items which have unique permissions - Microsoft Q&A.

If you wanted to get more advanced, your workflow could first check whether a folder already exists for the submitter. If not, it could create the folder and apply the necessary permissions similar to how you're currently handling individual files. I prefer to keep things simple, so starting with the folder-per-manager approach is a good first step if it does not involve a lot of people and they do not change often.

I have not tried this, but if you gave the managers design permissions on their folder, I believe this would allow them to share the files within the folder with other people. Since design permission is at the folder level, they would not be able to modify or delete the document library as the design permission would only apply to the folder.