Power Automate - Restrict who can approve Power Automate Approval Request
I hope I'm over thinking this one and there is indeed an easy solution for this, but we'd like the ability to restrict who can approve requests that are created in Power Automate.
In SharePoint 2013, workflows achieved this because approvals were restricted to whoever had Edit/approval permissions on the workflow task list. Our testing with Power Automate shows that users who don't have any permissions to the site, let alone the document library, can approve the request even though they can't even access the document they are approving.
I'm working on a document control approval flow for our organisation using a SharePoint document library. The flow allows users to kick off an approval flow which sends sequential approval requests to anyone entered by the user into the 'email' input field on the initial trigger for the flow.
So I had two ideas, one doesn't seem possible and I can't get the other one working:
1. Restrict the 'email' input field on the trigger to a certain group only
2. When the flow starts, check that the people entered in the trigger 'email' input field have 'Approve' rights on the SharePoint library where the document they need to approve resides
My findings so far:
1. The 'email' field on a trigger seems very limited and it just allows anyone within the organisation to be input
2. So far I haven't got this one working using an HTTP GET getusereffectivepermissions call to the SharePoint library in question.
_api/web/lists(guid'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/getusereffectivepermissions(@user)?@user='[email protected]'
I keep getting the error that 'The user does not exist or is not unique'. I'm testing using several users within our organisation. I also don't know how to parse the High/Low values in Power Automate that I should be getting once this works.
I've tried the following, which works, but that doesn't help as it only gives the permissions of the user running the HTTP GET request.
_api/web/lists(guid'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/EffectiveBasePermissions
While writing this I've thought of another way I could tackle my restriction problem: check the people entered in the trigger 'email' input field against a SharePoint list of approvers.
Any thoughts and feedback would be really appreciated, I would have thought that restricting who could approve a Power Automate approval request would be a common thing.
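As an added example that is not part of the original question, the following Python script shows the permission check the asker is after: it builds the getusereffectivepermissions URL with the user identified by claims login name (SharePoint Online resolves `i:0#.f|membership|user@domain` rather than a bare email address, and the `#` must be URL-encoded), recombines the `High`/`Low` halves of the response into the 64-bit SPBasePermissions mask, and tests the ApproveItems bit together with the bits needed to actually open the item. The site URL, list GUID, email addresses and the `SAMPLE_RESPONSES` bodies are constructed placeholders; `fetch_permissions` stands in for the real HTTP call.

```python
"""Screen proposed approvers against their effective permissions on a
SharePoint library, using the High/Low mask halves returned by the
getusereffectivepermissions REST endpoint."""
from urllib.parse import quote

# SPBasePermissions bit values (subset). The REST endpoint returns the
# 64-bit mask split into two decimal strings: High (upper 32 bits) and
# Low (lower 32 bits).
VIEW_LIST_ITEMS = 1 << 0
ADD_LIST_ITEMS = 1 << 1
EDIT_LIST_ITEMS = 1 << 2
DELETE_LIST_ITEMS = 1 << 3
APPROVE_ITEMS = 1 << 4
OPEN_ITEMS = 1 << 5
VIEW_VERSIONS = 1 << 6
OPEN = 1 << 16
VIEW_PAGES = 1 << 17
ENUMERATE_PERMISSIONS = 1 << 62

# Bits an approver needs: the approve right plus the ability to read and
# open the document being approved.
REQUIRED_FOR_APPROVAL = APPROVE_ITEMS | VIEW_LIST_ITEMS | OPEN_ITEMS


def build_permissions_url(site_url: str, list_guid: str, user_email: str) -> str:
    """Build the getusereffectivepermissions URL for one user.

    SharePoint Online identifies users by claims login name, not bare
    email, so the address is wrapped in the i:0#.f|membership| prefix and
    fully URL-encoded ('#' becomes %23, otherwise the request is cut at
    the fragment and the user cannot be resolved).
    """
    login = quote(f"i:0#.f|membership|{user_email}", safe="")
    return (f"{site_url}/_api/web/lists(guid'{list_guid}')"
            f"/getusereffectivepermissions(@user)?@user='{login}'")


def combine_mask(high: str, low: str) -> int:
    """Recombine the High/Low decimal strings into one 64-bit mask."""
    return (int(high) << 32) | int(low)


def has_permission(mask: int, bits: int) -> bool:
    """True when every bit in `bits` is set in `mask`."""
    return mask & bits == bits


def can_approve_document(response: dict) -> bool:
    """Decide from a {"High": ..., "Low": ...} response body whether the
    user may approve (and read/open) items in the library."""
    mask = combine_mask(response["High"], response["Low"])
    return has_permission(mask, REQUIRED_FOR_APPROVAL)


def screen_approvers(candidates, fetch_permissions):
    """Split the emails entered on the trigger into allowed and rejected
    approvers. `fetch_permissions(email)` returns the parsed response body
    for that user; in a flow this is the HTTP action's output."""
    allowed, rejected = [], []
    for email in candidates:
        body = fetch_permissions(email)
        (allowed if can_approve_document(body) else rejected).append(email)
    return allowed, rejected


# Constructed sample response bodies (hypothetical users and masks), shaped
# like the endpoint's output when only High/Low are returned.
SAMPLE_RESPONSES = {
    # Contribute-style rights plus ApproveItems: 1+2+4+8+16+32+64+65536+131072
    "approver@contoso.com": {"High": "0", "Low": "196735"},
    # Read-style rights only: 1+32+64+65536+131072 (no ApproveItems bit)
    "reader@contoso.com": {"High": "0", "Low": "196705"},
    # Same as the approver but with EnumeratePermissions set in the High half
    "owner@contoso.com": {"High": str(ENUMERATE_PERMISSIONS >> 32), "Low": "196735"},
    # No access to the site at all
    "outsider@contoso.com": {"High": "0", "Low": "0"},
}


def demo():
    """Run the screen over the constructed sample and return the result."""
    return screen_approvers(list(SAMPLE_RESPONSES), SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    print(build_permissions_url("https://contoso.sharepoint.com/sites/docs",
                                "00000000-0000-0000-0000-000000000000",
                                "approver@contoso.com"))
    print(demo())
```

Inside Power Automate there is no bitwise AND, but a single bit can still be tested arithmetically on the Low value: `mod(div(int(low), 16), 2)` evaluates to 1 exactly when the ApproveItems bit (value 16) is set, and the same `div`/`mod` pattern works for any other bit in the lower half.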
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow