The following function can be used in PowerShell scripts run by Adaxes (it relies on the $Context object) to assign a security role to a user or group with a certain Assignment Scope.
To avoid creating duplicate assignments, you would normally have to check whether the security role is already assigned to the user or group within the scope that you want to assign. The function below performs that check itself: it reuses the trustee's existing assignment and scope item if they are present, and if the same scope item already exists with the opposite Include/Exclude setting, it replaces that item instead of adding a second one.
Parameters:
- $trusteeSid - Specifies the SID of the user or group that you want to assign the security role to, as a string in SDDL form (for example, S-1-5-21-...).
- $baseObjectDN - Specifies the distinguished name (DN) of the base directory object that defines the scope of activity.
- $scopeItemType - Specifies the type of the base object. For a list of possible values, see ADM_SCOPEBASEOBJECTTYPE_ENUM.
- $inheritance - Specifies whether all descendants or only immediate children of the base directory object should be included into or excluded from the scope of activity. For a list of values, see ADS_SCOPEENUM.
- $exclude - Specifies whether the scope item will be excluded from ($True) or included into ($False) the scope of activity.
- $rolePath - Specifies the ADS path of the security role that you want to assign to the user.
How to get the ADS path of a role:
- Launch Adaxes Administration Console.
- In the Console Tree, locate the security role you need.
- Right-click the role and click Properties.
- On the General tab, click Advanced.
- The ADS path is displayed in the ADS path field.
Sample Usage:
PowerShell
    UpdateRoleAssignments -TrusteeSid "S-1-5-21-573937-2149998-410785" `
        -BaseObjectDN "OU=Sales,DC=example,DC=com" `
        -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
        -Inheritance "ADS_SCOPE_SUBTREE" `
        -Exclude $False `
        -RolePath "Adaxes://adaxesserver.example.com:12345/CN=My Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"
Function:
PowerShell
    function UpdateRoleAssignments
    {
        Param(
            $trusteeSid,
            $baseObjectDN,
            $scopeItemType,
            $inheritance,
            $exclude,
            $rolePath
        )

        # $Context is the Adaxes script context object available in scripts run by Adaxes
        $role = $Context.BindToObject($rolePath)

        # Get assignments
        $assignments = $role.Assignments
        $scopeItems = $NULL
        foreach ($assignment in $assignments)
        {
            # Check whether the Trustee is already assigned to the role
            if ($assignment.Trustee -ine $trusteeSid)
            {
                continue
            }

            # Get the Assignment Scope for the Trustee
            $scopeItems = $assignment.ActivityScopeItems
            break
        }

        if ($NULL -eq $scopeItems)
        {
            # Trustee is not yet assigned to the role, add new Trustee
            $assignment = $role.Assignments.Create()
            $assignment.Trustee = $trusteeSid
            $assignment.SetInfo()
            $assignments.Add($assignment)
            $scopeItems = $assignment.ActivityScopeItems
        }

        # Define the Assignment Scope
        # Get the base object GUID
        if ([System.String]::IsNullOrEmpty($baseObjectDN))
        {
            # All objects
            $baseObject = $NULL
            $baseObjectGuid = [Guid]::Empty
        }
        else
        {
            $baseObject = $Context.BindToObjectByDN($baseObjectDN)
            $baseObjectGuid = [Guid]$baseObject.Get("objectGuid")
        }

        # Check whether the scope item already exists in the Assignment Scope
        $removeExistingItem = $False
        foreach ($item in $scopeItems)
        {
            # Compare base object GUID, Inheritance, Include / Exclude
            $scopeBaseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")
            if ($scopeBaseObjectGuid -ne $baseObjectGuid)
            {
                continue
            }
            if ($item.Type -ne $scopeItemType)
            {
                continue
            }
            if ($item.Inheritance -ne $inheritance)
            {
                continue
            }
            if ($item.Exclude -eq $exclude)
            {
                # The scope item already exists in the Assignment Scope of the Trustee, exit
                return
            }

            # Same base object, type and inheritance but the opposite Include / Exclude setting:
            # remove the existing item so it can be replaced
            $removeExistingItem = $True
            break
        }

        if ($removeExistingItem)
        {
            $scopeItems.Remove($item)
        }

        # Add a new item to the Assignment Scope
        $scopeItem = $scopeItems.Create()
        $scopeItem.BaseObject = $baseObject
        $scopeItem.Type = $scopeItemType
        $scopeItem.Inheritance = $inheritance
        $scopeItem.Exclude = $exclude
        $scopeItem.SetInfo()
        $scopeItems.Add($scopeItem)
    }
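The function above expects the trustee as a SID string in SDDL form, while a directory object stores its SID as the binary objectSid attribute. The following helper, added here as an example and not part of the Adaxes sample, converts the binary value to the SDDL string, rejects a malformed SID before any role is modified, and then calls UpdateRoleAssignments. It assumes the function above is defined in the same script and that the script runs in the Adaxes context ($Context); the helper names ConvertTo-SddlSid and Test-SddlSid, and the commented group DN, are assumptions of this example.

```powershell
# Added example (not from the Adaxes page). Builds the SDDL-form SID that
# UpdateRoleAssignments expects, validates it, and calls the function.
# Assumes UpdateRoleAssignments is defined above and $Context is available.

function ConvertTo-SddlSid
{
    # Converts the binary objectSid attribute value to its string (SDDL) form.
    Param([Parameter(Mandatory = $True)][byte[]]$ObjectSid)

    # SecurityIdentifier parses the binary layout (revision, sub-authority count,
    # identifier authority, sub-authorities) starting at the given offset.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($ObjectSid, 0)
    return $sid.Value
}

function Test-SddlSid
{
    # Returns $True only if the string parses as a well-formed SID, so a typo
    # (for example, a missing sub-authority) is caught before the role is touched.
    Param([Parameter(Mandatory = $True)][string]$Sid)

    try
    {
        [void](New-Object System.Security.Principal.SecurityIdentifier($Sid))
        return $True
    }
    catch
    {
        return $False
    }
}

# Constructed sample input: the binary form of the SID used in the page's sample usage.
$sampleSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-573937-2149998-410785")
$sampleBytes = New-Object byte[] $sampleSid.BinaryLength
$sampleSid.GetBinaryForm($sampleBytes, 0)

$trusteeSid = ConvertTo-SddlSid -ObjectSid $sampleBytes
if (-not (Test-SddlSid -Sid $trusteeSid))
{
    throw "Invalid trustee SID: $trusteeSid"
}

# In a real script, read the bytes from the directory object instead of constructing
# them (the DN below is a hypothetical placeholder):
# $group = $Context.BindToObjectByDN("CN=Sales Helpdesk,OU=Groups,DC=example,DC=com")
# $trusteeSid = ConvertTo-SddlSid -ObjectSid $group.Get("objectSid")

UpdateRoleAssignments -TrusteeSid $trusteeSid `
    -BaseObjectDN "OU=Sales,DC=example,DC=com" `
    -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
    -Inheritance "ADS_SCOPE_SUBTREE" `
    -Exclude $False `
    -RolePath "Adaxes://adaxesserver.example.com:12345/CN=My Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"
```

Validating the SID up front matters because UpdateRoleAssignments matches the trustee by string comparison: a mistyped SID would not match any existing assignment and would silently create a new trustee entry on the role.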