SharePoint 2013 Workflow: Break permission inheritance

In a SharePoint 2013 workflow environment it is not possible to break permission inheritance with the out-of-the-box workflow actions, as it was in the 2010 version. To achieve that, the web service call action must be used. The following description shows how to do it.

Allow workflow to use app permissions

First allow the workflow to use app permissions.

  1. Go to the site settings
  2. In the site actions select Manage site features
  3. Locate the feature called Workflows can use app permissions (should be the last one) and then click Activate.
  4. Check if it has been activated correctly by revisiting the site features

Create the workflow

After that it is time to create the workflow. In SharePoint Designer 2013 open the site collection.

  1. Go to the workflow section
  2. Create a new list workflow (for the library where you want to make it available)
  3. Give it a name
  4. In the settings section of the workflow deactivate the checkbox Automatically update the workflow status to the current stage name
  5. Edit the workflow
  6. Add the following Actions to the stage 1:
    1. Log WF Started to the WF history list
    2. Then add two builds

      Add the Log action, add the build action

      Add two dictionary items with the same value (value: application/json;odata=verbose)
    3. Then add a web service call action
    4. In the call options enter this in the string builder (build it with Add or Change Lookups): [%Workflow Context:Current Site URL%]/_api/lists/getbytitle('[%Workflow Context:List Name%]')/items([%Current Item:ID%])/breakroleinheritance(true)
    5. Change the method to Post

      Enter the http web service URL, change http method
    6. Change the properties of the action

      Change the action properties
    7. Then add three additional Log actions; the result should look like the following
    8. In the transition stage let the workflow end

      Add the logging actions as well as the end of the workflow
    9. Save and publish the workflow

Grant full control permissions to the workflow

Now you can grant full control permissions to the workflow, so that it can execute the web service call with appropriate permissions.

  1. In the site go to the site settings
  2. Select the Site app permissions
  3. Now copy the app identifier as shown in the screenshot (mark everything between “|” and “@” and copy it)

    Copy the app identifier id
  4. Navigate to the Grant permission page; you have to enter the following URL: http://{hostname}/{catalog site}/_layouts/15/appinv.aspx
  5. Here paste the app identifier id and click Lookup
  6. Now the Title and other information should appear automatically
  7. In the apps permission Request XML enter the following code (change the site URL to your site URL):
    <AppPermissionRequests>
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
    </AppPermissionRequests>

    Appinv.aspx with all details
  8. Confirm with Create
  9. Then a confirmation page should appear, confirm with Trust it
  10. That's it, proceed with the next steps :)

Wrap the workflow actions inside an App step

Finally, open the workflow again and wrap the web service call in an App Step.

  1. Open the workflow with SPD 2013
  2. Add an App Step

    Add an app step by pushing the button in the ribbon UI menu
  3. Move the web service call into that app step

    Final workflow with app step
  4. Republish the workflow

Now go to the document library and test the workflow; it should break the permission inheritance of the document on which you run it.
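
To check the result of a test run without opening the item's permission page, the request sent by the web service call action and a follow-up query can be written out as below. This is an added example, not code from the original post: the header names Accept and Content-Type, the HasUniqueRoleAssignments follow-up query, the site URL and the list title are assumptions not shown on the page, and the response body is constructed.

```python
import json
from urllib.parse import quote

VERBOSE = "application/json;odata=verbose"  # header value given on the page

def odata_string(text):
    """Quote text as an OData string literal: double any apostrophe, then URL-encode."""
    return "'" + quote(text.replace("'", "''"), safe="'") + "'"

def item_url(site_url, list_title, item_id):
    """Same endpoint shape as the workflow's string builder produces."""
    return "{}/_api/lists/getbytitle({})/items({:d})".format(
        site_url.rstrip("/"), odata_string(list_title), int(item_id))

def break_inheritance_request(site_url, list_title, item_id, copy_role_assignments=True):
    """The POST sent by the web service call action.
    With 'true' the item keeps a copy of the parent's role assignments, so
    access is unchanged until those assignments are edited afterwards."""
    flag = "true" if copy_role_assignments else "false"
    return {"method": "POST",
            "url": item_url(site_url, list_title, item_id) + "/breakroleinheritance(" + flag + ")",
            "headers": {"Accept": VERBOSE, "Content-Type": VERBOSE}}  # header names assumed

def verification_request(site_url, list_title, item_id):
    """Follow-up GET (assumption, not on the page) that reads the item's inheritance state."""
    return {"method": "GET",
            "url": item_url(site_url, list_title, item_id) + "?$select=HasUniqueRoleAssignments",
            "headers": {"Accept": VERBOSE}}

def has_unique_permissions(response_body):
    """Parse an odata=verbose body, which wraps the entity in a top-level 'd' object."""
    entity = json.loads(response_body).get("d", {})
    value = entity.get("HasUniqueRoleAssignments")
    if not isinstance(value, bool):
        raise ValueError("response does not carry HasUniqueRoleAssignments")
    return value

# Constructed sample values: hypothetical site, list title and response body.
SITE, LIST_TITLE, ITEM_ID = "http://sp.example.test/sites/docs/", "Team's Documents", 7
SAMPLE_RESPONSE = '{"d": {"HasUniqueRoleAssignments": true}}'

if __name__ == "__main__":
    for request in (break_inheritance_request(SITE, LIST_TITLE, ITEM_ID),
                    verification_request(SITE, LIST_TITLE, ITEM_ID)):
        print(request["method"], request["url"])
    print("unique permissions:", has_unique_permissions(SAMPLE_RESPONSE))
```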

2 thoughts on “SharePoint 2013 Workflow: Break permission inheritance”

  • adamson surname meaning

    When someone writes a piece of writing he/she maintains the plan of a user in his/her mind that how a user can understand it. Thus that’s why this post is great. Thanks!

  • Abhijeet Chavan

    I want to assign item level permission on list using REST API in SPD 2013
