Introduction
The Update Permissions flow action can be used to set owner/read/write permissions of a resource — whether a Site, Drive, Folder, or File — in external storage for specific Salesforce User Ids or Group Ids.
Additionally, the Salesforce Only field, when set to True, enables you to enforce permissions strictly at the Salesforce level without modifying the actual permissions in external storage platforms such as SharePoint or Google Drive. This is particularly useful for restricting actions (like upload, rename, or delete) within Salesforce, while leaving external access unchanged.
The image below gives an overview of the input parameters and what this action looks like. Detailed description of these input parameters and it's outputs are provided in the following sections.

What this action does
The Update Permissions flow action is used to set permissions of a file/folder at either external level or salesforce level. For an instance, this flow action can be combined with Share With Community User flow action which shares a specific file/folder with a community user and the read level access is given by default. The Update Permissions flow action can now be used to update the permissions to give write access to the shared file/folder. In the image given below the flow action is used to grant write access to particular file/folder whenever a new user gets created.

Input Parameters
Let us discuss each of the input parameters in detail in the sections below.
Access Level (owner/read/write)
This parameter used to specify the access level to grant/revoke. This has to be one of read or write. This parameter is used to specify the access level to grant or revoke. For standard usage, this must be one of read or write. For site and driveresource types, any custom SharePoint role name (e.g. Contribute, Design) is also accepted in addition to the built-in owner (full control), read, and write roles.
Access Levels are inherited but can be overridden. E.g. If a user has READ access level for a parent folder they have READ access level on all child folders by default. If they are then granted a different access level explicitly then the explicitly granted permission will take precedence
Precedence order of access levels in order of high to low is NONE, READ, WRITE. This means that if a user is grant WRITE access level to a folder but their profile is granted NONE , the user will not have access to the folder.
Standard roles (owner, read, write) automatically add users to the built-in SharePoint site groups (Owners, Members, and Visitors respectively). Custom roles (e.g. Contribute,Design) use direct role assignments on the site rather than site group membership.
Incase of Sharepoint Groups they always get direct role assigments.
Action (grant/revoke)
This parameters specify the type of action. This has to be one of grant or revoke. The following are permutations of access level and action that are handled.
action: revoke, accessLevel: read - Impacted users will lose complete access to the file/folder - i.e. Access Level NONE
action: revoke, accessLevel: write or action: grant, accessLevel: read- Impacted users will lose access to update actions like upload, replace, delete, rename, move, new folder - i.e. Access Level READ
action: grant, accessLevel: write - Impacted users will have full access (As much as their permission level in SharePoint/Google Drive allows), i.e. Access Level WRITE
Resource Parameters
These parameters are needed to specfiy the Resource (site/drive/folder/file) whose permissions are going to be updated. You can get these parameters by viewing metadata details for a folder in the “Content Library” tab of CloudFiles app in Salesforce or can be fetched through other flow actions or elements like “Get Connected Folder”, "Create SharePoint Site" etc.
Drive Id
This is important for Google Drive & Sharepoint libraries only. The Drive ID is a unique identifier for a storage location in both SharePoint and Google Drive. In SharePoint, it represents a document library within a site, while in Google Drive, it identifies a user's drive or shared drive.

Library
Input the destination Library. Possible values are sharepoint, google, azure,onedrive, dropbox, box, s3, sftp or cloudfiles.
Resource Id
This is the unique identifier of the resource (file, folder, site, or drive) whose permissions are being updated.
Accepts only one Id.
If you need to update multiple resources at once, use Resource Ids instead.
Examples:
Files → FileId as ResourceId
Folders → FolderId as ResourceId
SharePoint Sites → SiteId as ResourceId
SharePoint Document Libraries (Drives) → DriveId as ResourceId
Resource Ids
This field accepts collection variable of multiple Resource Ids (sites, drives, files, or folders) whose permissions are being updated.
The Resource Id field should be populated when there is one resource Id for which you are updating permissions while Resource Ids field should be populated when there is a collection of resource Ids whom permissions are being updated, hence, it is mandatory to fill either of the field but not both based on the use case.
Resource Type
This defines the type of resource for which permissions are being updated.
Possible values:
file → For files
folder → For folders
site → For SharePoint sites
drive → For SharePoint document libraries (drives)
Emails or Site Group Names
List of email Ids of users for whom permissions are being updated.
Salesforce Only
This field enables to set permissions for files/folders at salesforce level but not at the external storage level. When set True, actions (create folder, upload file, rename, move, etc.) can be disabled for specific groups, users or profiles without changing the permissions in SharePoint/Google Drive. This field is not mandatory and should be included or not included based on the use case.
This feature needs to be enabled by the CloudFiles team for your org. Please contact support@cloudfiles.io
Salesforce User or Group Ids
This is a collection variable which accepts collection of Salesforce User Ids/ Group Ids for whom permissions are being updated.