
I hope I'm overthinking this one and there is indeed an easy solution for this, but we'd like the ability to restrict who can approve requests that are created in Power Automate.
In SharePoint 2013, workflows achieved this because approvals were restricted to whoever had Edit/approval permissions on the workflow task list. Our testing with Power Automate shows that users who don't have any permissions to the site, let alone the document library, can approve the request even though they can't even access the document they are approving.
I'm working on a document control approval flow for our organisation using a SharePoint document library. The flow allows users to kick off an approval flow which sends sequential approval requests to anyone entered by the user into the 'email' input field on the initial trigger for the flow.
So I had two ideas, one doesn't seem possible and I can't get the other one working:
1. Restrict the 'email' input field on the trigger to a certain group only
2. When the flow starts, check that the people entered in the trigger 'email' input field have 'Approve' rights on the Sharepoint library where the document they need to approve resides
My findings so far:
1. The 'email' field on a trigger seems very limited and it just allows anyone within the organisation to be input
2. So far I haven't got this one working using an HTTP GET getusereffectivepermissions call to the SharePoint library in question.
_api/web/lists(guid'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/getusereffectivepermissions(@user)?@user='xxx@xxxx.mail.onmicrosoft.com'
I keep getting the error that 'The user does not exist or is not unique'. I'm testing using several users within our organisation. I also don't know how to parse the High/Low values in Power Automate that I should be getting once this works.
I've tried the following, which works, but that doesn't help as it only gives the permissions of the user running the HTTP GET request.
_api/web/lists(guid'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/EffectiveBasePermissions
While writing this I've thought of another way I could tackle my restriction problem: check the people entered in the trigger 'email' input field against a SharePoint list of approvers.
Any thoughts and feedback would be really appreciated, I would have thought that restricting who could approve a Power Automate approval request would be a common thing.
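As an added illustration (not part of the original post), the two pieces the question is stuck on: the `@user` parameter of `getusereffectivepermissions` must be the claims-encoded login name (`i:0#.f|membership|user@domain`) and URL-encoded, and the returned `High`/`Low` strings are the two 32-bit halves of the SP.BasePermissions mask, in which ApproveItems is bit 0x10 of `Low`. The site URL, list GUID, user and the JSON responses below are constructed sample values.

```python
import json
from urllib.parse import quote

# SP.BasePermissions is a 64-bit mask returned as two decimal strings:
# "Low" holds bits 0-31, "High" holds bits 32-63. ApproveItems is in Low.
APPROVE_ITEMS = 0x10


def claims_login_name(email: str) -> str:
    """Claims-encoded login name SharePoint Online uses for a work account."""
    return f"i:0#.f|membership|{email}"


def effective_permissions_url(site_url: str, list_guid: str, email: str) -> str:
    """Build the REST URL for a given user's effective permissions on a list.

    A bare email as @user is the usual cause of 'The user does not exist or
    is not unique'; the claims form must be used, and ':' '#' '|' '@' have
    to be percent-encoded or the query string is cut or misparsed."""
    user = quote(claims_login_name(email), safe="")
    return (f"{site_url}/_api/web/lists(guid'{list_guid}')"
            f"/getusereffectivepermissions(@user)?@user='{user}'")


def permission_mask(response_json: str) -> int:
    """Combine High/Low into one integer. Accepts the verbose OData shape
    {"d":{"GetUserEffectivePermissions":{...}}} and the flat {"High","Low"}."""
    body = json.loads(response_json)
    node = body.get("d", body)
    node = node.get("GetUserEffectivePermissions", node)
    return (int(node["High"]) << 32) | int(node["Low"])


def can_approve(response_json: str) -> bool:
    """True if the ApproveItems bit is set in the effective permissions."""
    return bool(permission_mask(response_json) & APPROVE_ITEMS)


def approve_bit_without_bitwise(low: int) -> bool:
    """Same check using only integer division and modulo, the shape a
    Power Automate expression would need since it has no bitwise operators
    (assumed equivalent: equals(mod(div(int(low), 16), 2), 1))."""
    return (low // 16) % 2 == 1


# Constructed sample responses (not captured from a real tenant).
SAMPLE_VERBOSE = json.dumps({"d": {"GetUserEffectivePermissions": {
    "__metadata": {"type": "SP.BasePermissions"}, "High": "0", "Low": "127"}}})
SAMPLE_FLAT = json.dumps({"High": "0", "Low": "99"})  # bits 0,1,5,6 only

if __name__ == "__main__":
    print(effective_permissions_url("https://contoso.sharepoint.com/sites/docs",
          "11111111-1111-1111-1111-111111111111", "jane@contoso.onmicrosoft.com"))
    print(can_approve(SAMPLE_VERBOSE), can_approve(SAMPLE_FLAT))
```

Run the HTTP GET in the flow under an account that can enumerate permissions, and use the ApproveItems check to decide whether each entered approver is allowed to proceed.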
Hi @janeway5 ,
In my opinion, restricting user inputs will always be not that "rigorous" and hard to implement. Will you be able to customize a form for the library? If it is possible, you can achieve your goal by following the steps below:
1. Add a person column in the library;
2. Customize form for the library;
3. Restrict inputs for the Combo box. You can leverage the Office 365 Groups as well as Office 365 Users connector to retrieve available users as the Items/Selections of the Combo box for users to select from.
4. Trigger the flow on file creation or metadata modification, use the selected users within the person column as Approvers.
Hope this helps.
Best regards,
Community Support Team _ Jeffer Ni
If this post helps, then please consider accepting it as the solution to help the other members find it.