Assigning security roles

The following code sample assigns a security role to a group over all objects from all the domains managed by Adaxes.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over All Objects
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)

The following code sample assigns a security role to a group over all objects from a specific domain.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over domain 'example.com'
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$domain = "example.com"
$domainObj = $service.OpenObject("Adaxes://$domain", $null, $null, 0)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $domainObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)

The following code sample assigns a security role to a user over all objects located in a specific organizational unit.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over objects located under 'Sales' OU
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$ouDN = "OU=Sales,DC=example,DC=com"
$ou = $service.OpenObject("Adaxes://$ouDN", $null, $null, 0)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $ou
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)

The following code sample assigns a security role to a user over members of a specific group.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over members of the 'My Group' group
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$groupDN = "CN=My Group,DC=example,DC=com"
$group = $service.OpenObject("Adaxes://$groupDN", $null, $null, 0)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $group
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_GROUP"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)

The following code sample assigns a security role to a user over the members of a specific business unit.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over members of the 'My Unit' business unit
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$businessUnitsPath = $service.Backend.GetConfigurationContainerPath( `
    "BusinessUnits")
$businessUnitsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $businessUnitsPath
$myBusinessUnitPath = $businessUnitsPathObj.CreateChildPath( `
    "CN=My Unit")

$businessUnitObj = $service.OpenObject($myBusinessUnitPath, $null, $null, 0)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $businessUnitObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)

The following code sample assigns a security role to a group over a specific directory object.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the security role
$securityRolesPath = $service.Backend.GetConfigurationContainerPath( `
    "AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
    $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
    "CN=My Role")
$role = $service.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over OU 'Sales' (not its children)
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()
$role.Assignments.Add($assignment)

$ouDN = "OU=Sales,DC=example,DC=com"
$ouObj = $service.OpenObject("Adaxes://$ouDN", $null, $null, 0)

$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $ouObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_BASE"
$scopeItem.Exclude = $false
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)
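The five samples above repeat one pattern: bind to the role, create an assignment for a trustee, then add a scope item. As an added example (not taken from the Adaxes SDK), the function below factors that pattern out and uses the Exclude flag, which every sample sets to $false, to grant a role over a whole domain while carving out a sensitive OU so the trustee never receives the role there. The API calls and the ADM_SCOPEBASEOBJECTTYPE / ADS_SCOPE values are the ones the samples use; the function name, its parameters, the role name 'Help Desk', the group 'EXAMPLE\HelpDesk' and the 'OU=Tier0' DN are assumptions.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Hypothetical helper (not part of the Adaxes SDK): assigns $RoleName to $Trustee
# over the subtree under $IncludePath, minus the subtrees listed in $ExcludePaths.
# Paths are whatever follows "Adaxes://", e.g. "example.com" or a DN.
function Add-RoleAssignmentWithExclusions {
    param(
        [string]$RoleName,
        [string]$Trustee,
        [string]$IncludePath,
        [string[]]$ExcludePaths = @()
    )

    # Connect to the Adaxes service
    $ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    $service = $ns.GetServiceDirectly("localhost")

    # Bind to the security role, as in the samples above
    $rolesPath = $service.Backend.GetConfigurationContainerPath("AccessControlRoles")
    $rolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $rolesPath
    $roleAdsPath = $rolesPathObj.CreateChildPath("CN=$RoleName")
    $role = $service.OpenObject($roleAdsPath, $null, $null, 0)

    # Create the assignment for the trustee
    $assignment = $role.Assignments.Create()
    $assignment.Trustee = $Trustee
    $assignment.SetInfo()
    $role.Assignments.Add($assignment)

    # One scope item per path; Exclude = $true turns that subtree into a carve-out
    $items = @(@{ Path = $IncludePath; Exclude = $false })
    foreach ($p in $ExcludePaths) { $items += @{ Path = $p; Exclude = $true } }

    foreach ($item in $items) {
        $baseObj = $service.OpenObject("Adaxes://$($item.Path)", $null, $null, 0)
        $scopeItem = $assignment.ActivityScopeItems.Create()
        $scopeItem.BaseObject = $baseObj
        $scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
        $scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
        $scopeItem.Exclude = $item.Exclude
        $scopeItem.SetInfo()
        $assignment.ActivityScopeItems.Add($scopeItem)
    }
}

# Grant 'Help Desk' to the help-desk group over example.com, but not over the
# Tier 0 OU (constructed names; adjust them for your directory)
Add-RoleAssignmentWithExclusions -RoleName "Help Desk" -Trustee "EXAMPLE\HelpDesk" `
    -IncludePath "example.com" -ExcludePaths @("OU=Tier0,DC=example,DC=com")
```

The exclusion item is added to the same assignment as the domain-wide item, so both are evaluated together; a second assignment with only an Exclude item would not restrict the first.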
