IAdmRoleAssignment
The IAdmRoleAssignment interface represents a security role assignment.
Inheritance: IAdmTop
Properties

| Property | Description |
| --- | --- |
| ActivityScopeItems | Gets a collection of scope items that determine the role scope. |
| Trustee | Gets or sets the user or group the security role is assigned to. |
| TrusteeDomain | Gets or sets the name of the domain that the trustee belongs to. |
Details
ActivityScopeItems
Gets a collection of scope items that determine the role scope. Role trustees will be able to exercise their permissions only on objects within the scope. Each scope item is represented by the IAdmActivityScopeItem interface.
- Type: IAdmCollection
- Access: Read-only
Examples
For examples on how to assign security roles, see Managing security roles.
Trustee
Gets or sets the user or group the security role is assigned to.
- Type: string
- Access: Read/Write
Remarks
The property must be set to a string that contains either the trustee's SID in the SDDL format (e.g. S-1-5-1-123-456-789), or the user's logon name (DOMAIN\username, username@domain.com), or the group name.
Examples
The following code sample assigns a security role to a user over all objects.
PowerShell

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$userDN = "CN=John Smith,CN=Users,DC=domain,DC=com"

# Connect to the Adaxes service.
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role.
$securityRolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Bind to the user.
$user = $service.OpenObject("Adaxes://$userDN", $null, $null, 0)

# Get the user's SID in the SDDL format.
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($user.Get("ObjectSid"), 0)
$sidSddlForm = $userSid.Value

# Assign the security role to the user.
$assignment = $role.Assignments.Create()
$assignment.Trustee = $sidSddlForm
$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include all objects in the assignment scope.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()
$assignment.ActivityScopeItems.Add($scopeItem)
```

C#

```csharp
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string userPath = "Adaxes://CN=John Smith,CN=Users,DC=domain,DC=com";

        // Connect to the Adaxes service.
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role.
        string securityRolesPath = service.Backend.GetConfigurationContainerPath("AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");
        IAdmRole role = (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Bind to the user.
        IADs user = (IADs)service.OpenObject(userPath, null, null, 0);

        // Get the user's SID in the SDDL format.
        byte[] sidBytes = (byte[])user.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;

        // Assign the security role to the user.
        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = sidSddlForm;
        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include all objects in the assignment scope.
        IAdmActivityScopeItem scopeItem = (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type = ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();
        assignment.ActivityScopeItems.Add(scopeItem);
    }
}
```
TrusteeDomain
Gets or sets the name of the domain that the trustee belongs to.
- Type: string
- Access: Read/Write
Remarks
The property must be used only for trustees whose SIDs carry no information about the domain (for example, built-in Active Directory groups such as BUILTIN\Users). The property must be assigned a string that contains either the domain DNS name or the domain SID in the SDDL format.
Examples
The following code sample assigns a security role to the built-in domain local group Users over all objects.
PowerShell

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$domainDN = "DC=Example,DC=com"

# Connect to the Adaxes service.
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role.
$securityRolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to the Users group.
$assignment = $role.Assignments.Create()
$assignment.Trustee = "BUILTIN\Users"

# Specify the domain SID in the SDDL format.
$domain = $service.OpenObject("Adaxes://$domainDN", $null, $null, 0)
$domainSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($domain.Get("ObjectSid"), 0)
$sidSddlForm = $domainSid.Value
$assignment.TrusteeDomain = $sidSddlForm
$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include all objects in the assignment scope.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()
$assignment.ActivityScopeItems.Add($scopeItem)
```

C#

```csharp
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string domainPath = "Adaxes://DC=Example,DC=com";

        // Connect to the Adaxes service.
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role.
        string securityRolesPath = service.Backend.GetConfigurationContainerPath("AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");
        IAdmRole role = (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Assign the role to the Users group.
        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = @"BUILTIN\Users";

        // Specify the domain SID in the SDDL format.
        IADs domain = (IADs)service.OpenObject(domainPath, null, null, 0);
        Byte[] sidBytes = (Byte[])domain.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;
        assignment.TrusteeDomain = sidSddlForm;
        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include all objects in the assignment scope.
        IAdmActivityScopeItem scopeItem = (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type = ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();
        assignment.ActivityScopeItems.Add(scopeItem);
    }
}
```
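The samples above create assignments; the complementary review task, reading the Trustee, TrusteeDomain and ActivityScopeItems of every existing assignment of a role and flagging those that cover the entire directory with no exclusions, is shown in the following added script. It is not part of the Adaxes documentation; the role name "CN=My Role", the "localhost" service host and the assumption that IAdmCollection objects can be iterated with foreach in PowerShell are assumptions.

```powershell
# Added audit example (not from the Adaxes docs): enumerate all assignments of a
# security role and report trustee, trustee domain and scope, warning on any
# assignment whose scope is the whole directory with no exclusion items.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$roleName = "CN=My Role"   # assumed role name

# Connect to the Adaxes service (host name is an assumption).
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role, as in the samples above.
$securityRolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$roleAdsPath = $securityRolesPathObj.CreateChildPath($roleName)
$role = $service.OpenObject($roleAdsPath.ToString(), $null, $null, 0)

# Assumption: IAdmCollection (role.Assignments, ActivityScopeItems) enumerates in foreach.
foreach ($assignment in $role.Assignments)
{
    # Trustee holds a SID in SDDL form, a logon name or a group name; TrusteeDomain is
    # set only for trustees whose SID carries no domain information (e.g. BUILTIN\Users).
    $trustee = $assignment.Trustee
    $trusteeDomain = $assignment.TrusteeDomain
    if ([string]::IsNullOrEmpty($trusteeDomain)) { $trusteeDomain = "(none)" }
    Write-Host "Trustee: $trustee  TrusteeDomain: $trusteeDomain"

    $coversWholeDirectory = $false
    $hasExclusions = $false
    foreach ($scopeItem in $assignment.ActivityScopeItems)
    {
        $base = $scopeItem.BaseObject
        if ($base -eq $null) { $base = "(entire directory)" }
        $mode = "include"
        if ($scopeItem.Exclude) { $mode = "EXCLUDE"; $hasExclusions = $true }
        elseif ($scopeItem.Type -eq "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") { $coversWholeDirectory = $true }
        Write-Host "    $mode $($scopeItem.Type) / $($scopeItem.Inheritance) on $base"
    }

    # Least-privilege check: a role granted over every object with nothing excluded.
    if ($coversWholeDirectory -and -not $hasExclusions)
    {
        Write-Warning "Assignment for '$trustee' grants the role over the entire directory with no exclusions; review it."
    }
}
```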
Requirements
Minimum required version: 2009.1