Is it possible to create a human readable report for Security Roles, Business Rules, etc?

Scenario: Our audit department wants to save a readable definition of a particular Security Role, then be able to analyze and compare this going forward for any changes made to it from the last review.

If not a report, is it possible to export the role to XML, etc?

Thanks!

by (6.6k points)

1 Answer

by (19k points)

Hello,

Unfortunately, it is currently impossible. In September we are planning to release an SDK for Adaxes. With the help of the SDK it will be possible to generate the reports you need using PowerShell scripts.


Hi,

It's been a while since I've visited this area - Adaxes is still working great for us.

We are on version 2013.1. I'm wondering:

1. Does the latest version have the capability of exporting Security Roles?
2. Would you be able to provide an example PowerShell script that simply enumerates security roles and the trustees and "assigned over" attributes?

Thanks,


Hello,

1. Yes, with the help of PowerShell scripts you can export your Security Roles in a human-readable format, such as CSV sheets, for example. For more details on handling Security Roles using scripts, have a look at the following SDK article: http://www.adaxes.com/sdk/?ManagingSecurityRoles.html.
2. We've assigned our script guys a task to run a sample for you. We'll update you as soon as they come up with something.


Hello,

Here's a script that exports all Security Roles and role assignments to a CSV file specified by $csvFilePath. The CSV file will have the report generation date and time appended to the end of the file name. The date format is specified by $dateFormat.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$csvFilePath = "\\Server\share\SecurityRolesReport-{0}.csv" # TODO: modify me
$dateFormat = "MM.dd.yyyy-HH.mm.ss" # TODO: modify me

# Resolve the trustee SID of a role assignment to a human-readable name
function GetTrusteeName($trustee)
{
    # Well-known principals (e.g. Everyone, Authenticated Users)
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee))
    {
        $wellknownPrincipal = [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::GetInfo($trustee)
        return $wellknownPrincipal.DisplayName
    }

    # Adaxes pseudo-trustees that are evaluated relative to the target object
    if ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -eq $trustee)
    {
        return "Owner (ManagedBy)"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -eq $trustee)
    {
        return "Manager"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -eq $trustee)
    {
        return "Secretary"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -eq $trustee)
    {
        return "Assistant"
    }

    # Get object name; fall back to the raw SID if the trustee no longer exists
    # (e.g. a deleted group), so one orphaned assignment does not abort the whole report
    $objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee
    try
    {
        $object = $global:admService.OpenObject("Adaxes://<SID=$objectSid>", $NULL, $NULL, 0)
        return $object.Get("name")
    }
    catch
    {
        return "Unresolved SID: $trustee"
    }
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$global:admService = $admNS.GetServiceDirectly("localhost")

# Find all Security Roles
$securityRolesPath = $global:admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$searcher = $global:admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
$searcher.SearchFilter = "(objectCategory=adm-Role)"
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"

$searchResult = $NULL
try
{
    # Execute search
    $searchResult = $searcher.ExecuteSearch()
    $roles = $searchResult.FetchAll()

    $report = @()
    foreach ($roleId in $roles)
    {
        # Bind to the Security Role
        $role = $global:admService.OpenObject($roleId.AdsPath, $NULL, $NULL, 0)
        $roleName = $role.Get("name")

        # Template record for this Security Role; one CSV row is produced per assignment scope item
        $reportRecordTemplate = New-Object PSObject
        $reportRecordTemplate | Add-Member -Name RoleName -Value $roleName -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name Trustee -Value "None" -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name AssignedOver -Value "None" -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name Exclude -Value "None" -MemberType NoteProperty
        $reportRecordTemplate | Add-Member -Name Inheritance -Value "None" -MemberType NoteProperty

        # Roles without assignments still appear in the report, with "None" in every column
        if ($role.Assignments.Count -eq 0)
        {
            $reportRecord = $reportRecordTemplate.PSObject.Copy()
            $report += $reportRecord
            continue
        }

        # Get Role Assignments
        foreach ($assignment in $role.Assignments)
        {
            $trusteeName = GetTrusteeName $assignment.Trustee
            foreach ($item in $assignment.ActivityScopeItems)
            {
                # Where the assignment applies
                switch ($item.Type)
                {
                    "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
                    {
                        $itemName = "All objects"
                    }
                    "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION"
                    {
                        $itemName = "Configuration objects"
                    }
                    default
                    {
                        $itemName = $item.BaseObject.Get("name")
                    }
                }

                # How far down the tree the assignment applies; default keeps the raw value
                # so a stale $inheritance from the previous item is never reused
                switch ($item.Inheritance)
                {
                    "ADS_SCOPE_BASE"
                    {
                        $inheritance = "This object only"
                    }
                    "ADS_SCOPE_ONELEVEL"
                    {
                        $inheritance = "One level"
                    }
                    "ADS_SCOPE_SUBTREE"
                    {
                        $inheritance = "Subtree"
                    }
                    default
                    {
                        $inheritance = [string]$item.Inheritance
                    }
                }

                $reportRecord = $reportRecordTemplate.PSObject.Copy()
                $reportRecord.Trustee = $trusteeName
                $reportRecord.AssignedOver = $itemName
                $reportRecord.Exclude = $item.Exclude
                $reportRecord.Inheritance = $inheritance
                $report += $reportRecord
            }
        }
    }
}
finally
{
    # Release the search handle; guard against ExecuteSearch having failed before it was assigned
    if ($searchResult) { $searchResult.Dispose() }
}

$report | Export-Csv -NoTypeInformation -Path ($csvFilePath -f (Get-Date).ToString($dateFormat))
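Added example, not part of this thread or the Adaxes SDK: the original question asks to compare a saved role definition against a later one, and the script above produces one CSV row per role assignment, so this compares a baseline export with a current one and lists the assignments that were added or removed. The two CSV here-strings are constructed sample data in the script's column layout, and Get-AssignmentKey and Compare-RoleReports are names chosen here.

```powershell
# Constructed sample: a baseline export saved at the last review ...
$baselineCsv = @'
"RoleName","Trustee","AssignedOver","Exclude","Inheritance"
"Help Desk","HelpDesk Staff","Sales","False","Subtree"
"Help Desk","HelpDesk Staff","Executives","True","Subtree"
"Password Reset","Service Desk","All objects","False","Subtree"
'@

# ... and a fresh export: the Executives exclusion was dropped and Contractors gained a new assignment
$currentCsv = @'
"RoleName","Trustee","AssignedOver","Exclude","Inheritance"
"Help Desk","HelpDesk Staff","Sales","False","Subtree"
"Help Desk","HelpDesk Staff","Executives","False","Subtree"
"Password Reset","Service Desk","All objects","False","Subtree"
"Password Reset","Contractors","All objects","False","Subtree"
'@

function Get-AssignmentKey ($record)
{
    # One string per assignment row so Compare-Object matches on the whole row, not one column
    return ('{0}|{1}|{2}|{3}|{4}' -f $record.RoleName, $record.Trustee,
        $record.AssignedOver, $record.Exclude, $record.Inheritance)
}

function Compare-RoleReports ($baseline, $current)
{
    $baselineKeys = @($baseline | ForEach-Object { Get-AssignmentKey $_ })
    $currentKeys  = @($current  | ForEach-Object { Get-AssignmentKey $_ })
    # '=>' means the row exists only in the current report, '<=' only in the baseline;
    # a changed Exclude or Inheritance value therefore shows up as one Removed plus one Added row
    $diff = Compare-Object -ReferenceObject $baselineKeys -DifferenceObject $currentKeys
    foreach ($d in $diff)
    {
        $fields = $d.InputObject -split '\|'
        [PSCustomObject]@{
            Change       = $(if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' })
            RoleName     = $fields[0]
            Trustee      = $fields[1]
            AssignedOver = $fields[2]
            Exclude      = $fields[3]
            Inheritance  = $fields[4]
        }
    }
}

$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv
Compare-RoleReports $baseline $current | Format-Table -AutoSize
```

Against real exports, replace the two here-strings with Import-Csv on the baseline and current report paths; an empty result means no assignment changed since the last review.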
