SharePoint 2013 REST API – How to set Unique Permissions (Item Level Permissions)

Oct 09
SharePoint 2013 REST API – How to set Unique Permissions (Item Level Permissions)

​​Recently we were developing a SharePoint 2013 style workflow and faced an issue of assigning unique permissions to a list item. In Server Side Object Model we initially break role inheritance and then assign required permissions to a securable object. We tried to use the same approach and faced issues with both steps (though it’s plain how to achieve the required functionality in JavaScript CSOM)

  1. There are no activities to break inheritance/assign permissions in SP2013 Workflows. It’s possible to invoke 2010 Workflow with this activities but it’s complicated and not possible in Apps. Thus the only way is REST API.
  2. There is no documented BreakRoleInheritance method in REST API (
  3. Documented method Add of RoleAssignmentCollection doesn’t exist in REST API (

After a deep investigation using reflector and trial and error approach we’ve found that it’s possible :)


BreakRoleInheritance is just not documented and can be used using POST request:'Test')/breakroleinheritance(copyRoleAssignments=true, clearSubscopes=true)

           copyRoleAssignments – “if true, this method copies the role assignments of the parent securable object when breaking inheritance; otherwise, this method adds the current user to the permission level that is required to manage the list item.”
– “Indicates whether subscopes should be cleared or not.”


Instead of the Add there is AddRoleAssignment method that also can be called using POST request (NOTE: this method works incorrectly in RTM release of SharePoint 2013!!!! It checks user within current item and if user is  not found (usually as we’ve just broken inheritance) throws an exception.  In SharePoint Online and March CU it works as expected):'Test')/roleassignments/addroleassignment(principalid=20,roleDefId=1073741828) 
          principalid is id of user or group within current site collection. You can get a list of users by executing using GET:

          roleDefId is internal id of Role Definition (Read, Contribute, Full Control and so on). You can get a list of available role definitions using GET:

Making POST request from JavaScript (can be done from Firebug console)

function makePostRequest(hostUrl, restCommand) {
    var executor = new SP.RequestExecutor(hostUrl);
    var info = {
      url: restCommand,
      method: "POST",
      success: success

function success() {
    alert('Request has been executed successfully.')

makePostRequest("", "_api/web/lists/getByTitle('Test')/breakroleinheritance");            
makePostRequest("", "_api/web/lists/getByTitle('Test')/roleassignments/addroleassignment(principalid=20,roleDefId=1073741828)");

Referencing script files from JavaScript

Please don’t forget to reference SP.RequestExecutor.js file to make a request. It can be achieve from Firebug console using a the following snippet:
function loadScript(scriptUrl) {
    var el = document.createElement('script');
    el.async = false;
    el.src = scriptUrl;
    el.type = 'text/javascript';



© Investigated together with Artur Kukharevich. 

Web Part Error: Activation of solutions with sandboxed code has been disabled. Correlation ID: 2c21559e-40e5-5000-71a6-4a0eab899a57.