0 votes

Is it possible to create a human readable report for Security Roles, Business Rules, etc?

Scenario: Our audit department wants to save a readable definition of a particular Security Role, then be able to analyze and compare this going forward for any changes made to it from the last review.

If not a report, is it possible to export the role to XML, etc?

Thanks!

by (950 points)

1 Answer

0 votes
by (18k points)

Hello,

Unfortunately, currently it is impossible. In September we are planning to release an SDK for Adaxes. With the help of the SDK it will be possible to generate the reports you need using PowerShell scripts.

0

Hi,

It's been a while since I've visited this area - Adaxes is still working great for us.

We are on version 2013.1. I'm wondering:

1. Does the latest version have the capability of exporting Security Roles?
2. Would you be able to provide an example PowerShell script that simply enumerates security roles and the trustees and "assigned over" attributes?

Thanks,

0

Hello,

1. Yes, with the help of PowerShell scripts you can export your Security Roles in a human-readable format, such as CSV sheets, for example. For more details on handling Security Roles using scripts, have a look at the following SDK article: http://www.adaxes.com/sdk/?ManagingSecurityRoles.html.
2. We've assigned our script guys the task of preparing a sample for you. We'll update you as soon as they come up with something.

0

Hello,

Here's a script that exports all Security Roles and role assignments to a CSV file specified by $csvFilePath. The CSV file will have the report generation date and time appended to the end of the file name. The date format is specified by $dateFormat.

# Load the Adaxes ADSI provider assembly
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$csvFilePath = "\\Server\share\SecurityRolesReport-{0}.csv" # TODO: modify me
$dateFormat = "MM.dd.yyyy-HH.mm.ss" # TODO: modify me

function GetTrusteeName($trustee)
{
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee))
    {
        $wellknownPrincipal = [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::GetInfo($trustee)
        return $wellknownPrincipal.DisplayName
    }

    if ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -eq $trustee)
    {
        return "Owner (ManagedBy)"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -eq $trustee)
    {
        return "Manager"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -eq $trustee)
    {
        return "Secretary"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -eq $trustee)
    {
        return "Assistant"
    }

    # Get object name
    $objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee
    $object = $global:admService.OpenObject("Adaxes://<SID=$objectSid>", $NULL, $NULL, 0)
    return $object.Get("name")
}

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$global:admService = $admNS.GetServiceDirectly("localhost")

# Find all Security Roles
$securityRolesPath = $global:admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$searcher = $global:admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
$searcher.SearchFilter = "(objectCategory=adm-Role)"
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"

try
{
    # Execute search
    $searchResult = $searcher.ExecuteSearch()
    $roles = $searchResult.FetchAll()

    $report = @()
    foreach ($roleId in $roles)
    {
        # Bind to the Security Role
        $role = $global:admService.OpenObject($roleId.AdsPath, $NULL, $NULL, 0)
        $roleName = $role.Get("name")

        # Add Security Role to the report
        $reportRecordTemplate = New-Object PSObject
        $reportRecordTemplate | Add-Member -Name RoleName -Value $roleName -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name Trustee -Value "None" -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name AssignedOver -Value "None" -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name Exclude -Value "None" -MemberType NoteProperty 
        $reportRecordTemplate | Add-Member -Name Inheritance -Value "None" -MemberType NoteProperty

        if ($role.Assignments.Count -eq 0)
        {
            $reportRecord = $reportRecordTemplate.PSObject.Copy()
            $report += $reportRecord
            continue
        }

        # Get Role Assignments
        foreach ($assignment in $role.Assignments)
        {
            $trusteeName = GetTrusteeName $assignment.Trustee
            foreach ($item in $assignment.ActivityScopeItems)
            {
                switch ($item.Type)
                {
                    "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
                    {
                        $itemName = "All objects"
                    }
                    "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION"
                    {
                        $itemName = "Configuration objects"
                    }
                    default
                    {
                        $itemName = $item.BaseObject.Get("name")
                    }
                }

                switch ($item.Inheritance)
                {
                    "ADS_SCOPE_BASE"
                    {
                        $inheritance = "This object only"
                    }
                    "ADS_SCOPE_ONELEVEL"
                    {
                        $inheritance = "One level"
                    }
                    "ADS_SCOPE_SUBTREE"
                    {
                        $inheritance = "Subtree"
                    }
                    default
                    {
                        # Unknown scope value: report it as-is rather than reusing the previous item's value
                        $inheritance = [string]$item.Inheritance
                    }
                }

                $reportRecord = $reportRecordTemplate.PSObject.Copy()
                $reportRecord.Trustee = $trusteeName
                $reportRecord.AssignedOver = $itemName
                $reportRecord.Exclude = $item.Exclude
                $reportRecord.Inheritance = $inheritance
                $report += $reportRecord
            }
        }
    }
}
finally
{
    # ExecuteSearch may have thrown before $searchResult was assigned
    if ($searchResult -ne $NULL)
    {
        $searchResult.Dispose()
    }
}

$report | Export-Csv -NoTypeInformation -Path ($csvFilePath -f (Get-Date).ToString($dateFormat))
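The original question was about comparing a saved role definition against a later one. As an added example (not from the thread and not Adaxes' own code), the script below takes two CSV exports produced by the script above (the columns RoleName, Trustee, AssignedOver, Exclude, Inheritance are assumed) and lists every role assignment that was added or removed between the two reviews:

```powershell
param(
    [Parameter(Mandatory = $true)][string]$BaselineCsv,  # export saved at the last review
    [Parameter(Mandatory = $true)][string]$CurrentCsv,   # export generated today
    [string]$DiffCsv                                     # optional: write the differences here
)

# One string per row so that a role assignment (role, trustee, scope object,
# exclude flag, inheritance) is compared as a single unit.
function Get-AssignmentKey($row)
{
    return ($row.RoleName, $row.Trustee, $row.AssignedOver, $row.Exclude, $row.Inheritance) -join "|"
}

function New-ChangeRecord($change, $row)
{
    $record = New-Object PSObject
    $record | Add-Member -Name Change -Value $change -MemberType NoteProperty
    foreach ($column in "RoleName", "Trustee", "AssignedOver", "Exclude", "Inheritance")
    {
        $record | Add-Member -Name $column -Value $row.$column -MemberType NoteProperty
    }
    return $record
}

# Index both exports by key; @() keeps an export with zero data rows usable.
$baseline = @{}
foreach ($row in @(Import-Csv -Path $BaselineCsv)) { $baseline[(Get-AssignmentKey $row)] = $row }
$current = @{}
foreach ($row in @(Import-Csv -Path $CurrentCsv)) { $current[(Get-AssignmentKey $row)] = $row }

# Assignments present today but not at the last review, and vice versa.
# A role with no assignments is exported as one "None" row, so a newly
# created or deleted role also shows up here.
$changes = @()
foreach ($key in $current.Keys)
{
    if (-not $baseline.ContainsKey($key)) { $changes += New-ChangeRecord "Added" $current[$key] }
}
foreach ($key in $baseline.Keys)
{
    if (-not $current.ContainsKey($key)) { $changes += New-ChangeRecord "Removed" $baseline[$key] }
}

if ($changes.Count -eq 0)
{
    Write-Host "No changes to Security Role assignments since the baseline export."
}
else
{
    $changes | Sort-Object RoleName, Change | Format-Table -AutoSize
    if ($DiffCsv) { $changes | Export-Csv -NoTypeInformation -Path $DiffCsv }
}
```

A modified assignment (for example, the same trustee with a changed inheritance) appears as one Removed row and one Added row for the same role.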
