Hello everyone. Approvals in Power Automate is one of the most popular actions, and it is used a lot, specifically with SharePoint lists or libraries. However, what's the point of the approval if users can edit the item under approval, or even delete that item? Imagine a scenario in which you, as the maker of the approval workflow, can define item-level security for the creator of the item and for the approvers. This video covers a lot, from setting permissions, to dynamically defining your approvers, to logging the approval history, to allowing the user to resubmit the item for approval, and a lot more. So let's check it out in action.

[...] site, I will create a new list. I will pick the expense tracker list template to create a new list. To track the approval process I will add two columns. One would be a choice column; I will call this Status. New, Approved, Under Review and Rejected would be my four options. By default I will set the status to New and click Save. And I will add a multi-line of text column; I will call this Approval Info. Under More options I will turn on "Append changes to existing text"; also make sure that we set enhanced rich text to Yes.

Click New, which opens the new form experience. Here, under Edit columns, I will remove Status, since I do not want the user to update the status; it would be done through the approval workflow. And I will click Save.

To create my approval workflow in Power Automate, I will create an automated cloud flow and select "When an item is created" in a SharePoint list, give my flow a name and click Create. Here I'll connect to my SharePoint site, which is Contoso, and in this site the list that I created was Expense Tracker. The first step I would like to take is to update the SharePoint item in my Contoso site's Expense Tracker list. The ID of the item will be the dynamic content ID coming from the trigger. Any other mandatory fields I would need to refill. My goal here is to change the status to Under Review, since the approval process would be starting
off, and Approval Info is where I can keep track of the approval process. Here I can mention that the approval started by Modified By display name, so that will put the user's name who started this process.

The next step would be to start the approval. I will pick the "Start and wait for an approval" action. For the approval type I will pick "Everyone must approve". For the title I'll plug in some static text and dynamic content, give the link to the item, and give the item link description. I can enter additional details here. "Assigned to" is where I need to plug in the email addresses of my approvers, semicolon separated. I can either hard-code them or I can bring in my approvers dynamically.

In this scenario I have a security group which has two members, Reza and Sarah. This group is called Expense Approvers. Right before the approval action I will search for Azure AD and use the "Get group members" action. Here I need to plug in the group ID; I'll plug that in. To get an array of only the email addresses coming in from this Get group members action, I will use the Select data operation. "From" is the group members dynamic content, which is the array of users, and for the mapping I will switch to text mode and pick the group members Mail dynamic property. Under "Assigned to", this needs to be a string that's semicolon separated, so I will leverage an expression, join, to join the data coming from the dynamic content output of the Select action, and I will join these by semicolon.

The action here is "Everyone must approve", so every approver has to say approve; if even one says reject, the process is rejected. So as the next step we will add a condition to check the outcome of the approval. If this does not contain "Reject", meaning every approver did say approve, in that case we will update the SharePoint item, where we would be updating the item status to Approved. I have picked my site and my list, I'll pick the ID, and I will need to ensure any mandatory fields are filled in. The status I will change to Approved, and similar steps is what I need in the
"no" branch of my condition, so I will copy this and paste it from the clipboard. I will rename this action to highlight the fact that I will be updating the status here to Rejected.

Now, Approval Info is where I would like to plug in details about the decisions that the approvers have taken. The Start and wait for an approval action will output an array of all of those responses, so I will add a new step to create an HTML table from that array of responses, and in here I will create my own custom table. I'll add a column, Approver, and the value would be the name of the approver. Response Time: this will be in hours, minutes and seconds. To calculate the time that the approver took to respond we will use an expression: date difference, item of request date, comma, item of response date. This expression I will make available in the description of the video. I will add a column, Decision, and search for the approval response dynamic content, and a column called Comments, for which I will pick the dynamic content Responses Comments.

To add some styling to this HTML table I will add a Compose action and plug in an expression, which you can grab from the description of this video. All it does is pick the output of that HTML table action and apply some styling like border, padding, etc. This I will rename to "Style the HTML table", and this I can now directly leverage in the Approval Info column. So I'll pick the output of the styled HTML table, and I will do the same thing for the Rejected status. This completes my approval workflow, so I'll click Save, and the flow is now listening to any new item that is being created in this SharePoint list.

Signing in with a user, Alice. Alice creates a new expense item and saves. The status by default is set to New, and once the approval process begins the status will change to Under Review. My approvers, who are dynamically selected, would have received the approval task. Here is the approval task for Reza, and here is the approval task for Sarah.

A different angle that you should be thinking
about: security. If I was to go to list settings and head over to permissions for this list, by default the standard three SharePoint groups, which are owners, members and visitors, have been granted the following permissions. Owners have full control over this list. Members have edit access. Now, the edit permission grants the users a lot of extra permissions on the list. Alice, who created this item, is a member of this SharePoint site. Alice can actually head over to the list settings, because Alice has edit permissions, and can delete this list. Alice can make changes to the columns, can delete columns, can add columns, change the schema of the list. James can look at the entries that Alice has entered, plus James can make modifications to them or even delete them.

Even if we take this from Alice's perspective: if Alice makes a change to this item, the approval process is already running, so the approver has been notified with the details of the approval. However, nothing stops a member of a SharePoint site from editing this item while the approval process is ongoing. So the idea here should be for us to lock down the item, to ensure that when an item is under review the person who created this request should not be allowed to make modifications to it. Members should not be able to edit information about other users.

So for that, as an owner of this SharePoint site, the first step I would take on the list permissions is to stop inheriting the permissions, select the members, edit the permission and just grant them Contribute access, so that they can view, add, update and delete list items but they cannot change the schema of the list. The moment I do this, this time if Alice tries to go to list settings, she doesn't have that specific access. Plus, Alice does not have the ability to change the schema of the list.

The moment the item gets created, I would like to go and set the security for the item, and for that, back to my flow. Once the flow is triggered, the first step that I would like to take is to stop sharing that
item or file. This concept works with both lists and libraries. For my Expense Tracker SharePoint item ID, I would like to stop sharing that item. It will break the permissions for that specific item, and the only users who will have access to that item would be the owners group.

Right before this approval action I will leverage the "Grant access to an item or a folder" action for my Expense Tracker item. Which users do I want to give permission to? I will switch to advanced mode. Here I will pick Created By Email, then a semicolon. For the Start and wait for an approval action I already have my approvers, which I got by leveraging this join expression, so I'll simply copy this expression, and for the recipients, after the semicolon, I will plug in that expression. So these are the users who I would like to grant access. And which access do you want to give them to this item, editing access or only viewing access? In this case both my creator and my approvers will have view access. Let's save this.

This time I will create a second item. Alice has created a new expense entry. The status is New; the moment the approval workflow kicks in, the status changes to Under Review. However, now you will notice that there is no edit access available for the person who created the item. Alice can only view the details. If another member views that same list, James does not even see the new record that Alice created, purely because that item is secured.

Sarah gets that approval action. Sarah can click the link to the item; it will take Sarah to that specific item. Notice Sarah cannot make any modifications as well, and Sarah can take her decision. Sarah has approved. Reza is also an approver; Reza approves it as well and submits his response. Now that the approval is complete, the status has changed to Approved. The item is still locked down, so no one can make changes to it. And if the user tries to view the details of that item, here is the Approval Info, which has the full trace of the approval process: the approval was
started by Alice, the approvers were Reza and Sarah, we can see their response times, and we can see their decisions and the comments that they entered.

Now let's take this approval process one step further. Let's say if it is rejected, I would like to give the creator of the item the ability to make changes and submit it. For that I would need to make changes to my flow. The first thing is the trigger action, which is "When an item is created"; it is now no longer valid, since I need to also call the flow if the item is modified. So for that I will delete the trigger and search for "When an item is created or modified" in a SharePoint site. I'll pick my site, I'll pick my list, and for all of the actions that were dependent upon properties from my trigger action, for example here I needed the ID, I will just need to make sure that I have those values plugged in again.

Notice the Flow Checker immediately gives me certain warnings. It states that wherever I am updating the item there is a chance that this might result in an infinite loop, which is accurate, because the flow triggers when an item is created or modified. I am modifying that item, so this will in turn initiate another run of the flow, and this could lead to an infinite loop. So I need to handle this. I need to ensure my flow is triggering whenever an item is created or modified and the status is either New or Rejected.

For that I need to get those expressions, so I'll add a Compose action, go to Expression and use the equals function to compare. From the trigger action, Status is a choice column, so I'll pick Status Value to get its value, put a comma, and the value I'm tracking is either New or Rejected. For this expression I'll use New and click OK. This expression is what I will copy for the trigger action. Go to Settings, Trigger conditions, and I will paste the expression there. Trigger conditions always begin with @. Here I would like to trigger the flow if the status is either New or Rejected, so after the @ I'll put the or function, I'll plug in a comma,
paste that same expression but this time track the status Rejected, and close the bracket. That completes my trigger condition. I'll click Done.

When an item gets created, the status is New. This update item action changes the status to Under Review, so the trigger condition will guarantee that this will not re-trigger the flow, so there will not be a race condition. When the approval decision is taken, if it is approved, the status is Approved. Approved also is not something that will trigger the flow, so I'm good there as well. However, if it is rejected, my flow would re-trigger, but I do not want to do that. When it is rejected, I would like to give an opportunity to the person who created the item to make a modification to the item. The status I am changing to Rejected, but Reza is changing it to Rejected, since this connection is running under Reza's account. So one extra thing that I can add in the trigger action is, this time, the expression would be: if the Created By email address is equal to the Modified By email address. So I'll copy this, go back to trigger conditions, click Add, add this new expression here, and right at the start I'll add the @ symbol. I'll click Done.

When it is rejected I would like to take one extra step, which is granting the creator of that item edit access. Here I can even send a notification; I'll also enter a message that says "make updates and resubmit the item for approval". I will save the flow.

James, who is in the members group, will create a new expense item. James will only see the items that he has created. Once the approval process begins, the status changes to Under Review. James cannot make any modifications to the item. Sarah, as the approver, says approved, plugs in her comments and submits her response. Reza is also one of the approvers. Reza rejects this, plugs in his comments and submits his response. Now at this moment the status of the item is Rejected. James gets a notification that your expense item has been rejected and you're free to make updates to it. James can click on
the link, which would directly take him to the expense item so he can make modifications, and you can see the entire approval information that was plugged in. So you can see that Reza asked for attachments. James uploads the receipt; basically, James modifies the item. Once again the process goes under review, the item is locked down, the approval process begins again, and this can keep going back and forth until all of the approvers approve the expense item. Finally, when it's approved, the item is in a read-only state, and "View entries" will list out the entire approval chain.

If you enjoyed this video, then do like, comment and subscribe to my YouTube channel, and thank you so much for watching.
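
The two trigger conditions built in the video, modelled in Python as an added example (not part of the video or its description): it replays the flow's own item updates, which SharePoint attributes to the connection owner, and counts how many runs start. The account names, the column internal names in the comment and the `simulate` helper are assumptions; the last call goes beyond the walkthrough by covering an item created by the connection owner's own account.

```python
from dataclasses import dataclass

# Assumed form of the two trigger conditions (column internal names assumed):
#   @or(equals(triggerOutputs()?['body/Status/Value'],'New'),
#       equals(triggerOutputs()?['body/Status/Value'],'Rejected'))
#   @equals(triggerOutputs()?['body/Author/Email'],
#           triggerOutputs()?['body/Editor/Email'])

@dataclass
class Item:
    created_by: str
    modified_by: str
    status: str = "New"

def should_trigger(item, check_editor=True):
    """All trigger conditions must hold for a run to start."""
    status_ok = item.status in ("New", "Rejected")
    same_user = item.created_by.lower() == item.modified_by.lower()
    return status_ok and (same_user or not check_editor)

def flow_write(item, status, owner):
    """Update item action: SharePoint records the connection owner as editor."""
    item.status, item.modified_by = status, owner

def simulate(creator, owner, decisions, resubmits=0, check_editor=True):
    """Return (runs started, runs started by the flow's own write)."""
    item = Item(creator, creator)              # "item created" event
    runs = self_triggered = 0
    queue = list(decisions)                    # approval outcome per run
    fired = should_trigger(item, check_editor)
    while fired and queue:
        runs += 1
        flow_write(item, "Under Review", owner)
        assert not should_trigger(item, check_editor)  # status blocks this one
        flow_write(item, queue.pop(0), owner)  # "Approved" or "Rejected"
        fired = should_trigger(item, check_editor)
        if fired:
            self_triggered += 1                # new run without a resubmission
        elif item.status == "Rejected" and resubmits > 0:
            resubmits -= 1
            item.modified_by = creator         # creator edits and saves
            fired = should_trigger(item, check_editor)
    return runs, self_triggered

# Constructed accounts; reza@ owns the flow's SharePoint connection.
JAMES, REZA = "james@contoso.example", "reza@contoso.example"
if __name__ == "__main__":
    print(simulate(JAMES, REZA, ["Rejected", "Approved"], resubmits=1))
    print(simulate(JAMES, REZA, ["Rejected", "Rejected", "Approved"], check_editor=False))
    print(simulate(REZA, REZA, ["Rejected", "Rejected", "Approved"]))
```

In this model the status-only condition lets every rejection start a new run on its own, the added Created By / Modified By condition stops that for James, and an item created by the connection owner still re-triggers on rejection because both conditions hold.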