In a SharePoint 2013 workflow environment it is not possible to break permission inheritance with out-of-the-box workflow actions, as it was in the 2010 version. To achieve that, the webservice call action must be used. The following description shows how to do it.
Allow workflow to use app permissions
First allow the workflow to use app permissions.
- Go to the site settings
- In the site actions select Manage site features
- Locate the feature called Workflows can use app permissions (should be the last one) and then click Activate.
- Check if it has been activated correctly by revisiting the site features
Create the workflow
After that it is time to create the workflow. In SharePoint Designer 2013 open the site collection.
- Go to the workflow section
- Create a new list workflow (for that library where you want to make it available)
- Give it a name
- In the settings section of the workflow deactivate the checkbox Automatically update the workflow status to the current stage name
- Edit the workflow
- Add the following actions to stage 1:
- Log WF Started to the WF history list
- Then add two builds
- Then add a webservice call action
- In the call options enter this in the string builder (build it with Add or Change Lookups): [%Workflow Context:Current Site URL%]/_api/lists/getbytitle('[%Workflow Context:List Name%]')/items([%Current Item:ID%])/breakroleinheritance(true)
- Change the method to Post
- Change the properties of the action
- Then add three additional Action logs, it should look like the following
- In the transition stage let the workflow end
- Save and publish the workflow
Grant full control permissions to the workflow
Now you can grant full control permissions to the workflow, so that it can execute the webservice call with appropriate permissions.
- In the site go to the site settings
- Select the Site app permissions
- Now copy the app identifier as shown in the screenshot (mark everything between “|” and the “@” and copy it)
- Navigate to the Grant permission page; you have to enter the following URL: http://{hostname}/{catalog site}/_layouts/15/appinv.aspx
- Here paste the app identifier and click Lookup
- Now the Title and other information should appear automatically
- In the app's Permission Request XML field enter the following code (change the site URL to your site URL):
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>
- Confirm with Create
- Then a confirmation page should appear, confirm with Trust it
- That's it, proceed with the next steps :)
Wrap the workflow actions inside an App step
Finally, open the workflow again and wrap the webservice call inside an App Step.
- Open the workflow with SPD 2013
- Add an App Step
- Move the Webservice call into that app step
- Republish the workflow
Now go to the document library and test the workflow. The workflow should break the permission inheritance of the document on which you run it.
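As an added example (not part of the original post), the following JavaScript builds the request that the webservice call action sends and a read-only follow-up request that confirms the item now has unique permissions. The site URL, list title, header values and sample response are constructed assumptions.

```javascript
// Added example, not from the original post.
const JSON_VERBOSE = "application/json;odata=verbose"; // assumed header value

// OData string literals use straight single quotes; an embedded quote is doubled.
function odataLiteral(value) {
  return "'" + encodeURIComponent(String(value).replace(/'/g, "''")) + "'";
}

// Base URL of one list item, matching the string built in the workflow action.
function itemEndpoint(siteUrl, listTitle, itemId) {
  if (!Number.isInteger(itemId) || itemId < 1) {
    throw new RangeError("itemId must be a positive integer");
  }
  const site = String(siteUrl).replace(/\/+$/, "");
  return `${site}/_api/lists/getbytitle(${odataLiteral(listTitle)})/items(${itemId})`;
}

// The POST sent by the webservice call action. copyRoleAssignments=true keeps
// the inherited assignments as the item's starting permissions.
function breakInheritanceRequest(siteUrl, listTitle, itemId, copyRoleAssignments = true) {
  const base = itemEndpoint(siteUrl, listTitle, itemId);
  return {
    method: "POST",
    url: `${base}/breakroleinheritance(${copyRoleAssignments === true})`,
    headers: { Accept: JSON_VERBOSE, "Content-Type": JSON_VERBOSE },
  };
}

// A read-only follow-up request to confirm the result after the workflow ran.
function inheritanceCheckRequest(siteUrl, listTitle, itemId) {
  const base = itemEndpoint(siteUrl, listTitle, itemId);
  return { method: "GET", url: `${base}?$select=HasUniqueRoleAssignments`, headers: { Accept: JSON_VERBOSE } };
}

// Reads the verbose-JSON answer of the check request.
function hasUniquePermissions(body) {
  const d = JSON.parse(body).d;
  if (!d || typeof d.HasUniqueRoleAssignments !== "boolean") {
    throw new Error("response does not contain HasUniqueRoleAssignments");
  }
  return d.HasUniqueRoleAssignments;
}

// Constructed sample values (hypothetical site and list, made-up response body).
const SAMPLE_RESPONSE = '{"d":{"HasUniqueRoleAssignments":true}}';
console.log(breakInheritanceRequest("http://sp.example.test/sites/docs/", "Bob's Docs", 7).url);
console.log(hasUniquePermissions(SAMPLE_RESPONSE));
```

If the check request still reports false after the workflow has completed, the webservice call did not take effect, for example because it ran outside the App Step.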
2 thoughts to “SharePoint 2013 Workflow: Break permission inheritance”
When someone writes a piece of writing he/she maintains the plan of a user in his/her mind that how a user can understand it. Thus that’s why this post is great. Thanks!
I want to assign item level permission on list using REST API in SPD 2013