Build action to set permissions based on column value

I have a multi-choice column Country. I have a SharePoint group for each country. For example, the Country column can be Denmark, Norway or Sweden, and I have three groups: Denmark, Norway and Sweden.
I want to make a workflow that gives read permission on the current item to the SharePoint groups that correspond to the Country field.
I tried to build the action, but I simply don’t know how to do it. Do I need to use conditions and check for every possible value of the Country column? How do I put in the names of the SharePoint groups using the builder in SharePoint Designer? Would it be possible to give a detailed description of how to set up this workflow, which should trigger when an item is changed?

Hello Peter, please see the example in the figures below:


In this case the workflow starts on an item and grants Read permission to the groups which are stored in the Country field of the current item. Our workflow action supports defining multiple groups divided by ‘;’ (semicolon); to convert the string to the right format I add a replace string action.

It looks like it is working!!! This is like magic.
However, one thing I am concerned about is: the admin credentials are entered in clear text in the workflow action. Is this not a security issue? Will end users not be able to see this, maybe by looking into the workflow, using SharePoint Designer, or otherwise?

One thing more: is there an action that will make the item stop inheriting permissions (use unique permissions)? If this is not done, the workflow doesn’t seem to have an effect.

Sorry – please disregard the latest post. Indeed this action DOES imply breaking the inheritance.
It looks like you’ve created a wonderful piece of software! Now I just need to ensure that the admin credentials cannot be retrieved by end users.

If you’re worried about security, you can create your own permission level that will contain only the desired action. For example, if you revoke “Use Remote Interfaces”, users won’t be allowed to open the site via SharePoint Designer.

Good idea, Roman. Thanks.

I have several custom permission levels. I don’t see a way to select my custom levels in the Grant Permission on Item action. I’m using O365 (i.e. Not On-Prem).

Also, if I want to replace all permissions, must I do a remove all permissions then grant permissions, or do I have to remove permissions individually (I’m working with groups, not individuals)?

Hi Robert,

Currently Grant Permission on Item doesn’t support custom permission levels. If it’s required for your project, you can write to sales@plumsail.com and we can evaluate it as a new feature.

To remove permissions you can use Remove Permissions from Item; it supports group names.

After reviewing my design, I think that being able to set custom permissions may not be necessary. I can use remove permissions then set read/contribute. This should allow me to fulfill my requirements.

Thank you for the clarification and quick response.

-RGM