IAdmRoleAssignment

The IAdmRoleAssignment interface represents a security role assignment.

Inheritance: IAdmTop

Properties

  • ActivityScopeItems: Gets a collection of scope items that determine the scope within which the trustee will be able to apply the permissions of the security role.

  • Trustee: Gets or sets the user or group the security role is assigned to.

  • TrusteeDomain: Gets or sets the name of the domain that the trustee belongs to.

Details

ActivityScopeItems

Gets a collection of scope items that determine the scope within which the trustee will be able to apply the permissions of the security role. Each scope item is represented by the IAdmActivityScopeItem interface.


Trustee

Gets or sets the user or group the security role is assigned to.

  • Type: string
  • Access: Read/Write

Remarks

The property must be set to a string containing one of the following: the trustee's SID in the SDDL string format (e.g. S-1-5-1-123-456-789), the user's logon name (e.g. DOMAIN\username or username@domain.com), or the group name.

Examples

The following code sample assigns a security role to a user including All Objects in the Assignment Scope.

PowerShell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$userDN = "CN=John Smith,CN=Users,DC=domain,DC=com"

# Connect to the Adaxes service
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath(`
"AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
$securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath(`
"CN=My Role")

$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the security role to the user

# Bind to the user
$user = $service.OpenObject("Adaxes://$userDN", $null, $null, 0)

# Get the user's SID in the SDDL form
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($user.Get("ObjectSid"), 0)
$sidSddlForm = $userSid.Value

$assignment = $role.Assignments.Create()
$assignment.Trustee = $sidSddlForm
$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include 'All Objects' in the Assignment Scope
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)
C#
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string userPath = "Adaxes://CN=John Smith,CN=Users,DC=domain,DC=com";

        // Connect to the Adaxes service
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role
        string securityRolesPath = service.Backend.GetConfigurationContainerPath(
            "AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");

        IAdmRole role =
            (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Assign the security role to the user

        // Bind to the user
        IADs user = (IADs)service.OpenObject(userPath, null, null, 0);

        // Get the user's SID in the SDDL form
        byte[] sidBytes = (byte[])user.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;

        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = sidSddlForm;
        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include 'All Objects' in the Assignment Scope
        IAdmActivityScopeItem scopeItem =
            (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type =
            ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();

        assignment.ActivityScopeItems.Add(scopeItem);
    }
}

TrusteeDomain

Gets or sets the name of the domain that the trustee belongs to.

  • Type: string
  • Access: Read/Write

Remarks

The property must be used only for those trustees whose SIDs do not contain any information about the domain (e.g. any built-in Active Directory group, such as 'BUILTIN\Users'). The property must be assigned a string that contains the domain DNS name or the domain SID in the SDDL format.

Examples

The following code sample assigns a security role to the built-in domain local group Users including All Objects in the Assignment Scope.

PowerShell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$domainDN = "DC=Example,DC=com"

# Connect to the Adaxes service
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath(`
"AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
$securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath(`
"CN=My Role")

$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to the 'Users' group
$assignment = $role.Assignments.Create()
$assignment.Trustee = "BUILTIN\Users"

# Specify the domain SID in the SDDL form
$domain = $service.OpenObject("Adaxes://$domainDN", $null, $null, 0)
$domainSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($domain.Get("ObjectSid"), 0)
$sidSddlForm = $domainSid.Value
$assignment.TrusteeDomain = $sidSddlForm

$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include 'All Objects' in the Assignment Scope
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)
C#
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.AccessControl;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string domainPath = "Adaxes://DC=Example,DC=com";

        // Connect to the Adaxes service
        AdmNamespace ns = new AdmNamespace();
        IAdmService service = ns.GetServiceDirectly("localhost");

        // Bind to the security role
        string securityRolesPath = service.Backend.GetConfigurationContainerPath(
            "AccessControlRoles");
        AdsPath securityRolesPathObj = new AdsPath(securityRolesPath);
        AdsPath myRoleAdsPath = securityRolesPathObj.CreateChildPath("CN=My Role");

        IAdmRole role =
            (IAdmRole)service.OpenObject(myRoleAdsPath.ToString(), null, null, 0);

        // Assign the role to the 'Users' group
        IAdmRoleAssignment assignment = (IAdmRoleAssignment)role.Assignments.Create();
        assignment.Trustee = @"BUILTIN\Users";

        // Specify the domain SID in the SDDL form
        IADs domain = (IADs)service.OpenObject(domainPath, null, null, 0);
        byte[] sidBytes = (byte[])domain.Get("objectSID");
        Sid sid = new Sid(sidBytes, 0);
        string sidSddlForm = sid.Value;
        assignment.TrusteeDomain = sidSddlForm;

        assignment.SetInfo();
        role.Assignments.Add(assignment);

        // Include 'All Objects' in the Assignment Scope
        IAdmActivityScopeItem scopeItem =
            (IAdmActivityScopeItem)assignment.ActivityScopeItems.Create();
        scopeItem.BaseObject = null;
        scopeItem.Type =
            ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();

        assignment.ActivityScopeItems.Add(scopeItem);
    }
}
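The two samples above create assignments; the read side is what an administrator needs when reviewing who holds a role and over what scope. The following PowerShell script is an added example, not part of the Adaxes SDK documentation: it walks every IAdmRoleAssignment of a role, prints Trustee and TrusteeDomain, lists each IAdmActivityScopeItem, and warns when an assignment covers the whole directory. It assumes the Assignments and ActivityScopeItems collections can be enumerated with foreach, that BaseObject exposes the IADs ADsPath property, and that the role is named "CN=My Role" (placeholder).

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role to review (role name is a placeholder)
$roleName = "CN=My Role"
$securityRolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath($roleName)
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Walk every assignment of the role (assumption: the Assignments and
# ActivityScopeItems collections are enumerable with foreach)
foreach ($assignment in $role.Assignments)
{
    $trustee = $assignment.Trustee
    # TrusteeDomain is only set for SIDs that carry no domain information
    # (e.g. BUILTIN groups); show it next to the trustee when present
    if (-not [string]::IsNullOrEmpty($assignment.TrusteeDomain))
    {
        $trustee = "$trustee (domain: $($assignment.TrusteeDomain))"
    }
    Write-Host "Trustee: $trustee"

    foreach ($scopeItem in $assignment.ActivityScopeItems)
    {
        $kind = if ($scopeItem.Exclude) { "EXCLUDE" } else { "include" }
        # BaseObject is $null for ALL_DIRECTORY items; otherwise it is an IADs
        # object (assumption: its ADsPath property gives a readable location)
        $base = if ($scopeItem.BaseObject -eq $null) { "<none>" } else { $scopeItem.BaseObject.ADsPath }
        Write-Host ("  {0,-7} {1} {2} base={3}" -f $kind, $scopeItem.Type, $scopeItem.Inheritance, $base)

        # Flag the broadest possible scope: all objects, whole subtree, not excluded
        if (-not $scopeItem.Exclude -and
            "$($scopeItem.Type)" -eq "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY" -and
            "$($scopeItem.Inheritance)" -eq "ADS_SCOPE_SUBTREE")
        {
            Write-Warning "Trustee '$($assignment.Trustee)' holds role '$roleName' over the entire directory"
        }
    }
}
```

Run it against each role in the AccessControlRoles container to get a complete picture of directory-wide assignments.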

Requirements

Minimum required version: 2009.1
