Hello,
Here is a PowerShell script that copies the Security Roles specified in $sourceRoleNames. The resulting Security Roles will have a name according to the pattern specified by $roleNamePattern. In the pattern, {0} stands for the source role name.
The script does not copy the assignments of the Security Roles, because you will have different assignments for different teams; the copied roles therefore have no assignments until you define them. For information on how to define the assignments of Security Roles, see section Assigning a Role in the following SDK article: http://www.adaxes.com/sdk/?ManagingSecu ... curityRole.
# Names of the existing Security Roles that will be copied.
$sourceRoleNames = @(
    'Account Manager',
    'Blind User',
    'Computer Manager'
) # TODO: modify me

# Naming pattern for the copies; {0} is filled in with the source role name
# by the String.Format call further down in the script.
# NOTE(review): %name% looks like an Adaxes value reference - confirm how it is
# expanded. If it is substituted into the script text before the script runs,
# a name containing a double quote, a dollar sign or curly braces would change
# this string literal or break the String.Format call.
$roleNamePattern = "{0} ('%name%' department)" # TODO: modify me
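function GetRolePath($name, $securityRolesPath)
{
    <#
    .SYNOPSIS
    Returns the ADS path of the one Security Role whose name equals $name.

    .PARAMETER name
    Name of the Security Role to look up.

    .PARAMETER securityRolesPath
    ADS path of the container that is searched (subtree scope).

    .OUTPUTS
    The AdsPath of the role, or $null when no role or more than one role
    matches. In both of those cases a warning is written via $Context.LogMessage.
    #>

    # Search Security Roles
    $searcher = $Context.BindToObject($securityRolesPath)

    # The name goes through FilterBuilder instead of being concatenated into
    # the filter string. NOTE(review): presumably FilterBuilder escapes LDAP
    # filter metacharacters in $name - confirm against the SDK.
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("name", $name)
    $searcher.SearchFilter = "(&(objectCategory=adm-Role)$filterPart)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

    # Start from $null so the finally block can tell whether ExecuteSearch
    # produced a result. Without this, a failing ExecuteSearch made the
    # finally block call Dispose() on $null and raise a second error on top
    # of the real one.
    $searchResult = $null
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        if ($objects.Count -eq 0)
        {
            $Context.LogMessage("Role '$name' could not be found", "Warning")
            return $NULL
        }
        elseif ($objects.Count -gt 1)
        {
            # An ambiguous name is refused rather than guessing which role to copy.
            $Context.LogMessage("Found more than one Security Role with name '$name'", "Warning")
            return $NULL
        }

        return $objects[0].AdsPath
    }
    finally
    {
        # Release the search result only if the search actually returned one.
        if ($null -ne $searchResult)
        {
            $searchResult.Dispose()
        }
    }
}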
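# Bind to the well-known container that holds the Security Roles; the copies
# are created directly in this container.
$securityRolesPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$securityRolesContainer = $Context.BindToObject($securityRolesPath)

foreach ($name in $sourceRoleNames)
{
    # Get source role path. GetRolePath logs a warning and returns $null when
    # the name matches no role or more than one role; such names are skipped.
    $sourceRolePath = GetRolePath $name $securityRolesPath
    if ($null -eq $sourceRolePath)
    {
        continue
    }

    # Build name for a new role. A separate variable is used so the loop
    # variable keeps the source name.
    $sourceRole = $Context.BindToObject($sourceRolePath)
    $newRoleName = [System.String]::Format($roleNamePattern, $sourceRole.Get("name"))
    # The name becomes part of an RDN below, so it is escaped first.
    $newRoleName = [Softerra.Adaxes.Ldap.Rdn]::EscapeAttributeValue($newRoleName)

    # Create new role. It is created enabled; no assignments are copied.
    $targetRole = $securityRolesContainer.Create("adm-Role", "CN=$newRoleName")
    $targetRole.Disabled = $False
    try
    {
        $targetRole.SetInfo()
    }
    catch
    {
        $Context.LogMessage("Cann't create role '$newRoleName'. Error:" + $_.Exception.Message, "Warning")
        continue
    }

    # Copy permissions, one entry at a time.
    # NOTE(review): only the four properties below are copied; confirm against
    # the SDK that a permission entry carries no other settings that matter.
    $sourcePermissions = $sourceRole.Permissions
    for ($i = 0; $i -lt $sourcePermissions.Count; $i++)
    {
        try
        {
            $sourceEntry = $sourcePermissions.GetObject($i)
            $targetEntry = $targetRole.Permissions.Create()
            $targetEntry.AccessType = $sourceEntry.AccessType
            $targetEntry.AccessMask = $sourceEntry.AccessMask
            $targetEntry.ObjectType = $sourceEntry.ObjectType
            $targetEntry.InheritedObjectType = $sourceEntry.InheritedObjectType
            $targetEntry.SetInfo() # save the permission entry
            $targetRole.Permissions.Add($targetEntry) # add the permission to the target role
        }
        catch
        {
            # A failed entry leaves the copy with a different permission set
            # than its source. AccessType is copied per entry, so the missing
            # entry may be a restricting one. The failure is reported against
            # the role so the copy can be reviewed before it is assigned.
            $Context.LogMessage("Role '$newRoleName' is incomplete: permission entry $i could not be copied. Error: " + $_.Exception.Message, "Warning")
        }
    }
}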