0 votes

Hello,

We have a complex multi-domain environment where the Help Desk (and other groups) is assigned variety of rights over certain OUs within a given per-customer OU structure. We have implemented this by using multiple Security Roles to assign Trustees over various OUs that contain groups or users.

We now have a need to introduce a new group with a lesser level of rights. To do this we have created new security roles with the appropriate rights. Given the size and complexity of the environment it would be time consuming and unreliable to create the assignments by hand. We would like to use PowerShell to copy every Scope (Assigned Over) in a given Security Role for our original Help Desk group into a NEW role with the NEW group as the Trustee.

I've made a few passes at the code but I cannot seem to pull the assignments for a role in a way that will let me loop over them and to filter for the appropriate group and then create the new assignment in the new Role for the new AD group.

Any assistance with this would be greatly appreciated.

Thanks

by (90 points)
0

Hello,

If the new Security Roles for the group with lesser permissions are somehow linked to the Security Roles assigned to the Help Desk group (for example, they have the same name, but have a certain suffix / prefix or they have the Help Desk's Roles as Parent Roles), it will be possible to automatically find the roles that the restricted group needs to be assigned to and assign them with the same Assignment Scopes. This will need a PowerShell script to accomplish.

If you can extend in more detail on how we can establish the relationship between the Security Roles of the help desk group and those of the restricted group programmatically, we can come up with a script that would allow you to assign the roles automatically.

0

Thanks for the response.

Ideally the script would be run against a given role and Trustee combination. This would provide flexibility further down the road and let me copy specific Trustee/Assignment combinations to certain roles. Here is an example of where I was headed.

# My 'TEMPLATE'  role and group
$sourceRole    = "Help Desk - User Control"
$sourceGroupDN = "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"

# My destination role ( already created and rights provisioned ) and group
$destRole      = "Help Desk - Limited - Unlock/Reset"
$destGroupDN   = "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"

Function GrantRights { $targetGroup, $targetRole, $targetOU, ... }   # I already have this

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the user
$user = $admService.OpenObject("Adaxes://$sourceGroupDN", $NULL, $NULL, 0)

# Get DNs of the role assigmnents for the user
$roleAssignmentDNs = $user.Get("adm-AssignedRoleAssignments")

foreach($roleAssignmentDN in $roleAssignmentDNs) {

  # Bind to the assignment object
  $assignment = $admService.OpenObject("Adaxes://$roleAssignmentDN", $NULL, $NULL, 0)

  # Pseudocode-ish - Trustee isn't right here
  If $assignment.Trustee =  $sourceGroupDN {

    Get assignment BaseObject
    Get assignment Exclude
    Get assignment Inheriticance
    Get assignment Type

    GrantRights { appropriate data }

  }
}

Thanks

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Our script guys have come up with the following script. It is based upon 3 functions:

  1. GetRolePath - resolves a Security Role name into the ADS path of the directory object that represents the role;
  2. GetGroupSid - resolves a Distinguished Name (DN) of a group into the group SID;
  3. CopyRoleAssignment - the core function that Copies the Assignment Scope of an AD group specified by $sourceGroupDN over Security Role $sourceRoleName and assigns the Security Role specified by $destinationRoleName to a security group specified by $destinationGroupDN within the copied Assignment Scope.

At the very end you can find an example of how to use the function.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

function GetRolePath($name, $securityRolesPath)
{
    # Search Security Roles
    $searcher = $admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("name", $name)
    $searcher.SearchFilter = "(&(objectCategory=adm-Role)$filterPart)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        if ($objects.Count -eq 0)
        {
            Write-Warning "Role $name could not be found"
            return $NULL
        }
        elseif($objects.Count -gt 1)
        {
            Write-Warning "Found more than one Security Role with name '$name'."
            return $NULL
        }

        return $objects[0].AdsPath
    }
    finally
    {
        $searchResult.Dispose()
    }
}

function GetGroupSid ($dn)
{
    $group = $admService.OpenObject("Adaxes://$dn", $NULL, $NULL, 0)
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($group.Get("objectSID"), 0)

    return $sid
}

function CopyRoleAssignment($sourceRoleName, $sourceGroupDN, $destinationRoleName, $destinationGroupDN)
{
    # Connect to Adaxes service
    $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    $admService = $admNS.GetServiceDirectly("localhost")

    # Get source role and destination role paths
    $securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
    $sourceRolePath = GetRolePath $sourceRoleName $securityRolesPath
    $destinationRolePath = GetRolePath $destinationRoleName $securityRolesPath
    if (($sourceRolePath -eq $NULL) -or ($destinationRolePath -eq $NULL))
    {
        return
    }

    # Copy source Security Role Assignment

    # Bind to the source Security Role
    $sourceRole = $admService.OpenObject($sourceRolePath, $NULL, $NULL, 0)
    # Bind to the destination Security Role
    $destinationRole = $admService.OpenObject($destinationRolePath, $NULL, $NULL, 0)

    # Get the source and destination group SIDs
    $sourceGroupSid = GetGroupSid $sourceGroupDN
    $destinationGroupSid = GetGroupSid $destinationGroupDN

    foreach ($sourceAssignment in $sourceRole.Assignments)
    {
        if ($sourceAssignment.Trustee -ne $sourceGroupSid)
        {
            continue
        }

        $assignment = $destinationRole.Assignments.Create()
        $assignment.Trustee = $destinationGroupSid
        $assignment.SetInfo()
        $destinationRole.Assignments.Add($assignment)

        foreach ($item in $sourceAssignment.ActivityScopeItems)
        {
            $scopeItem = $assignment.ActivityScopeItems.Create()
            $scopeItem.BaseObject = $item.BaseObject
            $scopeItem.Type = $item.Type
            $scopeItem.Inheritance = $item.Inheritance

            $scopeItem.Exclude = $item.Exclude
            $scopeItem.SetInfo()

            $assignment.ActivityScopeItems.Add($scopeItem)
        }
    }
}

CopyRoleAssignment "Help Desk - User Control" "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com" "Help Desk - Limited - Unlock/Reset" "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"
0

The code worked perfectly. Thank you very much for your help.

Related questions

0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer

Hello Forum, in our Adaxes environment we have a lot of security roles (one Security Role per Department). This allows the management of the Department to modify their Users / ... copy it to my newly created Role in powershell? Thanks a lot for your help.

asked Apr 30, 2015 by esoAdxAdmin (650 points)
0 votes
1 answer

Hi We're running 2018.1 (3.9.15631.0) and I am modifying our security role assignments to use new AD groups. When looking at the role assignments, some are displaying the ... the information. Is there another way to get the full path to the OU? Thanks Matt

asked Aug 28, 2018 by chappers77 (2.0k points)
0 votes
1 answer

Hallo @All, I have a special question. I think I have tonns of unassigned Security Role assignments and I want to Identify this objects to delete them. I wrote a ... eleven secounds. :-( Do anybody know how to identify the zombie assignments? Thanks Arne

asked Sep 17, 2015 by ATiedemann (360 points)
0 votes
1 answer

I need to replace one Active Directory security group that has been given rights over many OUs within several Security Roles. There are likely ~300 entries that need ... in the SDK documentation appears to be broken - http://adaxes.com/scriptrepository

asked May 1, 2013 by SomeUser (90 points)
3,588 questions
3,277 answers
8,303 comments
548,080 users