Arne,
The scripts are ready. The below script will clean up Security Role Assignments created by your script. To run it:
1. Save the script to a file with the .ps1 extension on the computer where the Adaxes service is installed. For example, you can name it fixassignments.ps1.
2. Log on to the computer with the credentials of the Adaxes default service administrator (the user that you specified when installing the service).
3. Launch Windows PowerShell. To do this:
   - Press Win+R.
   - Type powershell.exe.
   - Press Enter.
4. In the PowerShell console, navigate to the folder where you saved the script file. For example, if you saved the file to C:\Scripts, type:
   cd C:\Scripts
5. Run the script by executing the following line:
   .\fixassignments.ps1 'My Role'
   where:
   - fixassignments.ps1 is the name of the script file that you created in step 1.
   - My Role is the name of the Security Role that you are having issues with.
The script:
param(
    [Parameter(Mandatory=$true)]
    [String]$roleName
)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=$roleName")
$role = $admService.OpenObject($myRoleAdsPath, $NULL, $NULL, 0)

# Get all Assignments
$assignments = $role.Assignments

# For each assignment, look for later assignments with the same trustee,
# merge their Activity Scope items into the first one and remove the duplicate.
# The inner loop runs backwards so removing an item does not shift unvisited indexes.
for ($i = 0; $i -lt $assignments.Count; $i++)
{
    $assignment = $assignments.GetObject($i)
    for ($j = $assignments.Count - 1; $j -gt $i; $j--)
    {
        # Check Trustee
        $assignmentToCheck = $assignments.GetObject($j)
        if ($assignmentToCheck.Trustee -ne $assignment.Trustee)
        {
            continue
        }

        # Compare Activity Scope Items
        foreach ($itemToCheck in $assignmentToCheck.ActivityScopeItems)
        {
            $baseObjectGuidToCheck = [Guid]$itemToCheck.Get("adm-ScopeBaseObjectGuid")
            $addNewItem = $True
            foreach ($item in $assignment.ActivityScopeItems)
            {
                $baseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")
                # Same base object, inheritance and exclude flag: the item already exists
                if (($baseObjectGuidToCheck -eq $baseObjectGuid) -and `
                    ($itemToCheck.Inheritance -eq $item.Inheritance) -and `
                    ($itemToCheck.Exclude -eq $item.Exclude))
                {
                    $addNewItem = $False
                    break
                }
            }
            if (!($addNewItem))
            {
                continue
            }

            # Create Activity Scope Item on the surviving assignment
            $scopeItem = $assignment.ActivityScopeItems.Create()
            $scopeItem.BaseObject = $itemToCheck.BaseObject
            $scopeItem.Type = $itemToCheck.Type
            $scopeItem.Inheritance = $itemToCheck.Inheritance
            $scopeItem.Exclude = $itemToCheck.Exclude
            $scopeItem.SetInfo()
            $assignment.ActivityScopeItems.Add($scopeItem)
        }

        # All scope items are now on the first assignment; drop the duplicate
        $assignments.Remove($assignmentToCheck)
    }
}

Write-Host "Operation completed"
Also, we've fixed your script file that created the mess; however, since it contains sensitive information, we won't publish it on the forum. We've sent it over to you by e-mail. Check your inbox.
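Since the cleanup script above rewrites Security Role assignments in place, a read-only preview of what it would merge is a sensible first step. The script below is an added example, not part of the original reply or of Adaxes; it assumes the same Adaxes API surface the cleanup script uses (Assignments, GetObject, Trustee, ActivityScopeItems, adm-ScopeBaseObjectGuid, Inheritance, Exclude, BaseObject) and changes nothing.

```powershell
param(
    [Parameter(Mandatory=$true)]
    [String]$roleName
)

# Assumption: same Adaxes API surface as the cleanup script; this script only reads.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=$roleName")
$role = $admService.OpenObject($myRoleAdsPath, $NULL, $NULL, 0)

# Group assignments by trustee; a trustee with more than one entry is what the cleanup merges.
$byTrustee = @{}
$assignments = $role.Assignments
for ($i = 0; $i -lt $assignments.Count; $i++)
{
    $assignment = $assignments.GetObject($i)
    $key = [String]$assignment.Trustee
    if (-not $byTrustee.ContainsKey($key)) { $byTrustee[$key] = @() }
    $byTrustee[$key] += $assignment
}

foreach ($key in $byTrustee.Keys)
{
    $group = $byTrustee[$key]
    if ($group.Count -lt 2) { continue }
    Write-Host "Trustee $key has $($group.Count) assignments; $($group.Count - 1) would be removed"

    # Distinct (base object, inheritance, exclude) triples across the group are the
    # scope items the single surviving assignment would end up with after the merge.
    $distinct = @{}
    foreach ($a in $group)
    {
        foreach ($item in $a.ActivityScopeItems)
        {
            $sig = "$([Guid]$item.Get('adm-ScopeBaseObjectGuid'))|$($item.Inheritance)|$($item.Exclude)"
            $distinct[$sig] = $item.BaseObject
        }
    }
    Write-Host "  Merged assignment would carry $($distinct.Count) distinct scope item(s):"
    foreach ($sig in $distinct.Keys) { Write-Host "    $sig -> $($distinct[$sig])" }
}
```

Run it the same way as fixassignments.ps1 (with the role name as its only argument) and compare the reported trustees and scope items against what you expect before running the cleanup.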