Introduction

The Update Permissions flow action can be used to set owner/read/write permissions of a resource — whether a Site, Drive, Folder, or File — in external storage for specific Salesforce User Ids or Group Ids.

Additionally, the Salesforce Only field, when set to True, enables you to enforce permissions strictly at the Salesforce level without modifying the actual permissions in external storage platforms such as SharePoint or Google Drive. This is particularly useful for restricting actions (like upload, rename, or delete) within Salesforce, while leaving external access unchanged.

The image below gives an overview of the input parameters and what this action looks like. Detailed description of these input parameters and it's outputs are provided in the following sections.

What this action does

The Update Permissions flow action is used to set permissions of a file/folder at either external level or salesforce level. For an instance, this flow action can be combined with Share With Community User flow action which shares a specific file/folder with a community user and the read level access is given by default. The Update Permissions flow action can now be used to update the permissions to give write access to the shared file/folder. In the image given below the flow action is used to grant write access to particular file/folder whenever a new user gets created.

Input Parameters

Let us discuss each of the input parameters in detail in the sections below.

Access Level (owner/read/write)

This parameter used to specify the access level to grant/revoke. This has to be one of read or write. This parameter is used to specify the access level to grant or revoke. For standard usage, this must be one of read or write. For site and driveresource types, any custom SharePoint role name (e.g. Contribute, Design) is also accepted in addition to the built-in owner (full control), read, and write roles.

Note

Access Levels are inherited but can be overridden. E.g. If a user has READ access level for a parent folder they have READ access level on all child folders by default. If they are then granted a different access level explicitly then the explicitly granted permission will take precedence

Note

Precedence order of access levels in order of high to low is NONE, READ, WRITE. This means that if a user is grant WRITE access level to a folder but their profile is granted NONE , the user will not have access to the folder.

Note

Standard roles (owner, read, write) automatically add users to the built-in SharePoint site groups (Owners, Members, and Visitors respectively). Custom roles (e.g. Contribute,Design) use direct role assignments on the site rather than site group membership.

Incase of Sharepoint Groups they always get direct role assigments.

Action (grant/revoke)

This parameters specify the type of action. This has to be one of grant or revoke. The following are permutations of access level and action that are handled.

action: revoke, accessLevel: read - Impacted users will lose complete access to the file/folder - i.e. Access Level NONE

action: revoke, accessLevel: write or action: grant, accessLevel: read- Impacted users will lose access to update actions like upload, replace, delete, rename, move, new folder - i.e. Access Level READ

action: grant, accessLevel: write - Impacted users will have full access (As much as their permission level in SharePoint/Google Drive allows), i.e. Access Level WRITE

Resource Parameters

These parameters are needed to specfiy the Resource (site/drive/folder/file) whose permissions are going to be updated. You can get these parameters by viewing metadata details for a folder in the “Content Library” tab of CloudFiles app in Salesforce or can be fetched through other flow actions or elements like “Get Connected Folder”, "Create SharePoint Site" etc.

Drive Id

This is important for Google Drive & Sharepoint libraries only. The Drive ID is a unique identifier for a storage location in both SharePoint and Google Drive. In SharePoint, it represents a document library within a site, while in Google Drive, it identifies a user's drive or shared drive.

Library

Input the destination Library. Possible values are sharepoint, google, azure,onedrive, dropbox, box, s3, sftp or cloudfiles.

Resource Id

This is the unique identifier of the resource (file, folder, site, or drive) whose permissions are being updated.

Accepts only one Id.

If you need to update multiple resources at once, use Resource Ids instead.

Examples:

Files → FileId as ResourceId

Folders → FolderId as ResourceId

SharePoint Sites → SiteId as ResourceId

SharePoint Document Libraries (Drives) → DriveId as ResourceId

Resource Ids

This field accepts collection variable of multiple Resource Ids (sites, drives, files, or folders) whose permissions are being updated.

Note

The Resource Id field should be populated when there is one resource Id for which you are updating permissions while Resource Ids field should be populated when there is a collection of resource Ids whom permissions are being updated, hence, it is mandatory to fill either of the field but not both based on the use case.

Resource Type

This defines the type of resource for which permissions are being updated.

Possible values:

file → For files

folder → For folders

site → For SharePoint sites

drive → For SharePoint document libraries (drives)

Emails or Site Group Names

List of email Ids of users for whom permissions are being updated.

Salesforce Only

This field enables to set permissions for files/folders at salesforce level but not at the external storage level. When set True, actions (create folder, upload file, rename, move, etc.) can be disabled for specific groups, users or profiles without changing the permissions in SharePoint/Google Drive. This field is not mandatory and should be included or not included based on the use case.

Note

This feature needs to be enabled by the CloudFiles team for your org. Please contact support@cloudfiles.io

Salesforce User or Group Ids

This is a collection variable which accepts collection of Salesforce User Ids/ Group Ids for whom permissions are being updated.