Recently we were developing a SharePoint 2013 style workflow and ran into a problem assigning unique permissions to a list item. In the Server Side Object Model we first break role inheritance and then assign the required permissions to a securable object. We tried to use the same approach and faced issues with both steps (though it’s plain how to achieve the required
- There are no activities to break inheritance or assign permissions in SP2013 Workflows. It’s possible to invoke a 2010 Workflow with these activities, but it’s complicated and not possible in Apps. Thus the only way is the REST API.
- There is no documented BreakRoleInheritance method in the REST API (http://msdn.microsoft.com/EN-US/library/office/jj245826.aspx#methods).
- The documented Add method of RoleAssignmentCollection doesn’t exist in the REST API (http://msdn.microsoft.com/EN-US/library/office/jj245278.aspx).
After a deep investigation using Reflector and a trial-and-error approach, we’ve found that it’s possible :)
BreakRoleInheritance is simply not documented; it can be called with a POST request:
– “if true, this method copies the role assignments of the parent securable object when breaking inheritance; otherwise, this method adds the current user to the permission level that is required to manage the list item.”
– “Indicates whether subscopes should be cleared or not.”
Instead of Add there is an AddRoleAssignment method, which can also be called with a POST request (NOTE: this method works incorrectly in the RTM release of SharePoint 2013! It looks for the user within the current item and, if the user is not found (usually the case, as we’ve just broken inheritance), throws an exception. In SharePoint Online and the March CU it works as expected):
is the id of a user or group within the current site collection. You can get a list of users with a GET request:
roleDefId is the internal id of a Role Definition (Read, Contribute, Full Control and so on). You can get a list of available role definitions with a GET request:
Please don’t forget to reference the SP.RequestExecutor.js file to make a request. It can be achieved from the Firebug console using the following
© Investigated together with Artur Kukharevich.
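
The two POST calls and two GET lookups described above, as an added example that is not the original post's code. The helper names are hypothetical, and the URL segments and parameter names (`breakroleinheritance`, `copyRoleAssignments`, `clearSubscopes`, `addroleassignment`, `principalid`, `roledefid`, `siteusers`, `roledefinitions`) are the SharePoint REST names assumed here, since the surviving text does not show the requests.

```javascript
// Added example (not from the original post). Helper names are hypothetical.
const HEADERS = { accept: "application/json;odata=verbose" };

function assertId(name, value) {
  // IDs are interpolated into the URL, so accept nothing but positive integers.
  if (!Number.isInteger(value) || value < 1) {
    throw new TypeError(name + " must be a positive integer");
  }
}

function itemUrl(webUrl, listTitle, itemId) {
  assertId("itemId", itemId);
  // OData string literal: double embedded single quotes, then URL-encode.
  const title = encodeURIComponent(String(listTitle).replace(/'/g, "''"));
  const base = webUrl.replace(/\/+$/, "");
  return `${base}/_api/web/lists/getbytitle('${title}')/items(${itemId})`;
}

function breakInheritanceRequest(webUrl, listTitle, itemId, copyRoleAssignments, clearSubscopes) {
  const args = `copyRoleAssignments=${Boolean(copyRoleAssignments)},clearSubscopes=${Boolean(clearSubscopes)}`;
  return { method: "POST", headers: HEADERS,
           url: `${itemUrl(webUrl, listTitle, itemId)}/breakroleinheritance(${args})` };
}

function addRoleAssignmentRequest(webUrl, listTitle, itemId, principalId, roleDefId) {
  assertId("principalId", principalId);
  assertId("roleDefId", roleDefId);
  return { method: "POST", headers: HEADERS,
           url: `${itemUrl(webUrl, listTitle, itemId)}/roleassignments/addroleassignment(principalid=${principalId},roledefid=${roleDefId})` };
}

function lookupRequests(webUrl) {
  const api = webUrl.replace(/\/+$/, "") + "/_api/web";
  return { users: { method: "GET", headers: HEADERS, url: api + "/siteusers" },
           roleDefinitions: { method: "GET", headers: HEADERS, url: api + "/roledefinitions" } };
}

// executor: any object with executeAsync(requestInfo), e.g. an SP.RequestExecutor.
function send(executor, request) {
  return new Promise((success, error) =>
    executor.executeAsync(Object.assign({}, request, { success, error })));
}

// Break inheritance without copying parent assignments, then grant one role.
// The grant is validated before anything is sent and only sent if the break succeeded.
async function grantUniquePermission(executor, webUrl, listTitle, itemId, principalId, roleDefId) {
  const grant = addRoleAssignmentRequest(webUrl, listTitle, itemId, principalId, roleDefId);
  await send(executor, breakInheritanceRequest(webUrl, listTitle, itemId, false, true));
  return send(executor, grant);
}
```

Building the grant request before the break is sent means a bad principal or role id is rejected while the item still inherits its permissions, rather than after inheritance has already been broken.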