Script Repository

Modify Web interface access rules using scripts

March 17, 2021 Views: 1932
Security

The below function demonstrates how to use PowerShell code to specify users and groups that are allowed or denied access to the Web interface.

Note: A script that uses the function must be run on the same computer where the Web interface is installed.

Parameters:

  • ApplicationName - specifies the name of the IIS web application for the Web Interface you want to modify. Default names for the built-in Web interfaces are AdaxesAdmin, AdaxesHelpDesk, and AdaxesSelfService.
  • Allow - specifies that specific users and/or groups will be allowed access to the Web interface. If this parameter is not specified, the users and/or groups will be denied the access.
  • Users - specifies the users that will be allowed or denied the access. The users must be specified using the username@example.com format.
  • Groups - specifies the groups that will be allowed or denied the access. The groups must be specified using the DOMAIN\Groupname format.
  • ReplaceExisting - specifies that the access rule added via the script replaces the current access rule set for the Web interface. If this parameter is not specified, the script attempts to apppend the specified users and/or groups to the current rule.
    Note: If the specified rule type does not match the type of the current rule, the ReplaceExisting parameter is ignored, and the script replaces the existing rule in any case. For example, the parameter is ignored if the current Web interface rules deny access to certain users and/or groups, and you are trying to add a rule with the Allow parameter enabled.

Example Usage:

Example 1: Allow access to the Web interface for administrators to users jdoe@example.com and psmith@example.com, and also to members of the EXAMPLE\HelpDesk group. Preserve access for the users and/or groups who are already allowed the access.
Edit Remove
PowerShell
UpdateWebUIAccessRules -ApplicationName "AdaxesAdmin" `
    -Allow `
    -Users "jdoe@example.com", "psmith@example.com" `
    -Groups "EXAMPLE\HelpDesk"

Example 2: Deny access to the Web interface for Help Desk to members of the EXAMPLE\Contractors group. Replace any access rules already specified for that Web interface.

Edit Remove
PowerShell
UpdateWebUIAccessRules -ApplicationName "AdaxesHelpDesk" `
    -Groups "EXAMPLE\Contractors"
    -ReplaceExisting

Edit Remove
PowerShell
function UpdateWebUIAccessRules
{
    Param(
        $applicationName,
        [switch]$allow,
        [switch]$replaceExisting,
        [System.String[]]$users = @(),
        [System.String[]]$groups = @()
    )
    
    if ($allow -and 
       ($users.Length -eq 0) -and 
       ($groups.Length -eq 0))
    {
        $Context.LogMessage("Please specify users or groups", "Warning")
        return
    }
    
    [Reflection.Assembly]::LoadWithPartialName("System.Web")

    # Define constants
    $denyAllUsers = "*"
    $anonymousUsers = "?"
        
    # Get the current access rules
    $config = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration("/$applicationName")
    $authorizationSection = $config.GetSection("system.web/authorization")
    
    # Get rule action
    if ($allow)
    {
        $action = [System.Web.Configuration.AuthorizationRuleAction]::Allow
    }
    else
    {
        $action = [System.Web.Configuration.AuthorizationRuleAction]::Deny
    }
    
    $rules = $authorizationSection.Rules
    $userList = New-Object "System.Collections.Generic.HashSet[System.String]"
    $groupList = New-Object "System.Collections.Generic.HashSet[System.String]"
    foreach ($rule in $rules)
    {
        if (-not($rule.ElementInformation.IsPresent))
        {
            continue
        }
        
        if (($rule.Action -ne $action) -or
            ($rule.Users[0] -eq $anonymousUsers) -or 
            ($rule.Users[0] -eq $denyAllUsers))
        {
            continue
        }
    
        if (!$replaceExisting)
        {
            # Get current values
            $rule.Users | %%{[void]$userList.Add($_)}
            $rule.Roles | %%{[void]$groupList.Add($_)}
        }
    }
    
    # Get new value
    $users | %%{[void]$userList.Add($_)}
    $groups | %%{[void]$groupList.Add($_)}

    # Clear rules
    $rules.Clear()
    
    # Add new rule
    if (($userList.Count -ne 0) -or
        ($groupList.Count -ne 0))
    {
        $rule = New-Object "System.Web.Configuration.AuthorizationRule" $action
        $rule.Users.AddRange(@($userList))
        $rule.Roles.AddRange(@($groupList))
        $rules.Add($rule)
    }
    
    # If allow, always add deny for all users rule
    if ($allow)
    {
        $rule = New-Object "System.Web.Configuration.AuthorizationRule" ([System.Web.Configuration.AuthorizationRuleAction]::Deny)
        $rule.Users.Add($denyAllUsers)
        $rules.Add($rule)
    }
    
    # Add deny rule for Anonymous users
    $rule = New-Object "System.Web.Configuration.AuthorizationRule" ([System.Web.Configuration.AuthorizationRuleAction]::Deny)
    $rule.Users.Add($anonymousUsers)
    $rules.Add($rule)

    $config.Save()
}
Comments 0
Leave a comment
Related Scripts

Got questions?

Support Questions & Answers