IAdmRoleAssignment
The IAdmRoleAssignment interface represents a security role assignment.
Inheritance: IAdmTop
Properties
- ActivityScopeItems: Gets a collection of scope items that determine the scope within which the trustee will be able to apply the permissions of the security role.
- Trustee: Gets or sets the user or group the security role is assigned to.
- TrusteeDomain: Gets or sets the name of the domain that the trustee belongs to.
Details
ActivityScopeItems
Gets a collection of scope items that determine the scope, within which the trustee will be able to apply the permissions of the security role. Each scope item is represented by the IAdmActivityScopeItem interface.
- Type: IAdmCollection
- Access: Read-only
Trustee
Gets or sets the user or group the security role is assigned to.
- Type: string
- Access: Read/Write
Remarks
The property must be set to a string that contains one of the following: the trustee's SID in the SDDL format (e.g. S-1-5-1-123-456-789), the user's logon name (e.g. DOMAIN\username or username@domain.com), or the group name.
Examples
The following code sample assigns a security role to a user including All Objects in the Assignment Scope.
- PowerShell

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$userDN = "CN=John Smith,CN=Users,DC=domain,DC=com"

# Connect to the Adaxes service
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath(`
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath(`
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the security role to the user
# Bind to the user
$user = $service.OpenObject("Adaxes://$userDN", $null, $null, 0)

# Get the user's SID in the SDDL form
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($user.Get("ObjectSid"), 0)
$sidSddlForm = $userSid.Value

$assignment = $role.Assignments.Create()
$assignment.Trustee = $sidSddlForm
$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include 'All Objects' in the Assignment Scope
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()
$assignment.ActivityScopeItems.Add($scopeItem)
```
- C#

```csharp
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string userPath = "Adaxes://CN=John Smith,CN=Users,DC=domain,DC=com";

        // Connect to the Adaxes service
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role
        string securityRolesPath = service.Backend.GetConfigurationContainerPath(
            "AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");
        IAdmRole role = (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Assign the security role to the user
        // Bind to the user
        IADs user = (IADs)service.OpenObject(userPath, null, null, 0);

        // Get the user's SID in the SDDL form
        byte[] sidBytes = (byte[])user.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;

        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = sidSddlForm;
        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include 'All Objects' in the Assignment Scope
        IAdmActivityScopeItem scopeItem =
            (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type = ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();
        assignment.ActivityScopeItems.Add(scopeItem);
    }
}
```
TrusteeDomain
Gets or sets the name of the domain that the trustee belongs to.
- Type: string
- Access: Read/Write
Remarks
The property must be used only for those trustees whose SIDs do not contain any information about the domain (e.g. any built-in Active Directory group, such as 'BUILTIN\Users'). The property must be assigned a string that contains the domain DNS name or the domain SID in the SDDL format.
Examples
The following code sample assigns a security role to the built-in domain local group Users including All Objects in the Assignment Scope.
- PowerShell

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$domainDN = "DC=Example,DC=com"

# Connect to the Adaxes service
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath(`
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath(`
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to the 'Users' group
$assignment = $role.Assignments.Create()
$assignment.Trustee = "BUILTIN\Users"

# Specify the domain SID in the SDDL form
$domain = $service.OpenObject("Adaxes://$domainDN", $null, $null, 0)
$domainSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($domain.Get("ObjectSid"), 0)
$sidSddlForm = $domainSid.Value
$assignment.TrusteeDomain = $sidSddlForm

$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include 'All Objects' in the Assignment Scope
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()
$assignment.ActivityScopeItems.Add($scopeItem)
```
- C#

```csharp
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string domainPath = "Adaxes://DC=Example,DC=com";

        // Connect to the Adaxes service
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role
        string securityRolesPath = service.Backend.GetConfigurationContainerPath(
            "AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");
        IAdmRole role = (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Assign the role to the 'Users' group
        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = @"BUILTIN\Users";

        // Specify the domain SID in the SDDL form
        IADs domain = (IADs)service.OpenObject(domainPath, null, null, 0);
        byte[] sidBytes = (byte[])domain.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;
        assignment.TrusteeDomain = sidSddlForm;

        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include 'All Objects' in the Assignment Scope
        IAdmActivityScopeItem scopeItem =
            (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type = ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();
        assignment.ActivityScopeItems.Add(scopeItem);
    }
}
```
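The two samples above create assignments; when reviewing a role, the reverse is usually wanted: list its existing assignments and flag the ones that violate the Trustee and TrusteeDomain rules or that include the whole directory in their scope. The PowerShell below is an added example, not part of the Adaxes documentation; it binds to the same "CN=My Role" path as the samples, assumes the Assignments and ActivityScopeItems collections can be enumerated with foreach, and uses the well-known BUILTIN SID prefix S-1-5-32 to recognise trustees whose SID carries no domain information.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service and bind to the role (same path as the samples above)
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")
$securityRolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# SIDs under S-1-5-32 (BUILTIN) carry no domain information, so such trustees
# need TrusteeDomain set. Treating only this prefix as domain-less is an assumption.
$builtinSidPattern = '^S-1-5-32-\d+$'

# Assumption: IAdmCollection enumerates with foreach
foreach ($assignment in $role.Assignments)
{
    $trustee = $assignment.Trustee
    $findings = @()

    # Rule from the TrusteeDomain remarks: BUILTIN trustees must name their domain
    $isDomainless = ($trustee -match $builtinSidPattern) -or ($trustee -like "BUILTIN\*")
    if ($isDomainless -and [string]::IsNullOrEmpty($assignment.TrusteeDomain))
    {
        $findings += "TrusteeDomain not set for a domain-less trustee"
    }

    foreach ($item in $assignment.ActivityScopeItems)
    {
        # An included 'All Objects' item grants the role over the entire directory;
        # worth a second look under least privilege
        if ("$($item.Type)" -eq "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY" -and -not $item.Exclude)
        {
            $findings += "scope includes All Objects (entire directory)"
        }
    }

    $status = if ($findings.Count -eq 0) { "OK" } else { $findings -join "; " }
    Write-Output ("{0,-45} {1,-30} {2}" -f $trustee, $assignment.TrusteeDomain, $status)
}
```

Trustees are reported exactly as stored (SID in SDDL form or a name), so a SID-only trustee may need resolving before the report is readable by a non-administrator.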
Requirements
Minimum required version: 2009.1