We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script repository

Assign Security Role

March 14, 2023 Views: 3011

The following function can be used in PowerShell scripts to assign a security role to a user or group with a certain Assignment Scope.

To avoid creating duplicates, when assigning a security role, you need to check whether the security role is already assigned to a user within the scope that you want to assign. The below function eliminates the need to check existing assignments.

Parameters:

  • $trusteeSid - Specifies the SID of the user or group that you want to assign the security role to (in the SDDL form).
  • $baseObjectDN - Specifies the distinguished name (DN) of the base directory object that defines the scope of activity.
  • $scopeItemType - Specifies the type of the base object. For a list of possible values, see ADM_SCOPEBASEOBJECTTYPE_ENUM.
  • $inheritance - Specifies whether all descendants or only immediate children of the base directory object should be included into or excluded from the scope of activity. For a list of values, see ADS_SCOPEENUM.
  • $exclude - Specifies whether the scope item will be excluded from or included into the scope of activity.
  • $rolePath - Specifies the ADS path of the security role that you want to assign to the user.
    How to get the ADS path of a role:
    1. Launch Adaxes Administration Console.
    2. In the Console Tree, locate the security role you need.
    3. Right-click the role and click Properties.
    4. On the General tab, click Advanced.
    5. The ADS path is displayed in the ADS path field.

Sample Usage:

Edit Remove
PowerShell
UpdateRoleAssignments -TrusteeSid "S-1-5-21-573937-2149998-410785" `
                      -BaseObjectDN "OU=Sales,DC=example,DC=com" `
                      -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
                      -Inheritance "ADS_SCOPE_SUBTREE" `
                      -Exclude $False `
                      -RolePath "Adaxes://adaxesserver.example.com:12345/CN=My Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"

Function:

Edit Remove
PowerShell
function UpdateRoleAssignments
{
    Param(
        $trusteeSid,
        $baseObjectDN,
        $scopeItemType,
        $inheritance,
        $exclude,
        $rolePath
    )

    $role = $Context.BindToObject($rolePath)

    # Get assignments
    $assignments = $role.Assignments
    $scopeItems = $NULL

    foreach ($assignment in $assignments)
    {
        # Check whether the Trustee is already assigned to the role
        if ($assignment.Trustee -ine $trusteeSid)
        {
            continue
        }
        
        # Get the Assignment Scope for the Trustee
        $scopeItems = $assignment.ActivityScopeItems
        break
    }

    if ($scopeItems -eq $NULL)
    {
        # Trustee is not yet assigned to the role, add new Trustee
        $assignment = $role.Assignments.Create()
        $assignment.Trustee = $trusteeSid
        $assignment.SetInfo()
        $assignments.Add($assignment)
        $scopeItems = $assignment.ActivityScopeItems
    }

    # Define the Assignment Scope
    # Get the base object GUID
    if ([System.String]::IsNullOrEmpty($baseObjectDN))
    {
        # All objects
	$baseObject = $NULL
        $baseObjectGuid = [Guid]::Empty
    }
    else
    {
        $baseObject = $Context.BindToObjectByDN($baseObjectDN)
        $baseObjectGuid = [Guid]$baseObject.Get("objectGuid")
    }

    # Check whether the scope item already exists in the Assignment Scope
    $removeExistingItem = $False
    foreach ($item in $scopeItems)
    {
        # Compare base object GUID, Inheritance, Include / Exclude
        $scopeBaseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")

        if ($scopeBaseObjectGuid -ine $baseObjectGuid)
        {
            continue
        }

        if ($item.Type -ne $scopeItemType)
        {
            continue
        }

        if ($item.Inheritance -ne $inheritance)
        {
            continue
        }

        if ($item.Exclude -eq $exclude)
        {
            # The scope item already exists in the Assignment Scope of the Trustee, exit
            return
        }
        
        # Remove the item
        $removeExistingItem = $True
        break
    }
    
    if ($removeExistingItem)
    {
        $scopeItems.Remove($item)
    }

    # Add a new item to the Assignment Scope
    $scopeItem = $scopeItems.Create()
    $scopeItem.BaseObject = $baseObject
    $scopeItem.Type = $scopeItemType
    $scopeItem.Inheritance = $inheritance
    $scopeItem.Exclude = $exclude
    $scopeItem.SetInfo()
    
    $scopeItems.Add($scopeItem)
}

Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers