0 votes

Hello Forum,

In our Adaxes environment we have a lot of security roles (one Security Role per Department). This allows the management of the Department to modify their Users / Groups / Business Units ...

So I will implement a new Task "creating new Team". This task includes creating a new Security Role with a bunch of rights.

How can I get the Permissions of an existing Role and copy them to my newly created Role in PowerShell?

Thanks a lot for your help.

by (650 points)

1 Answer

0 votes
by (215k points)
Best answer

Hello,

Here is a PowerShell script that copies the Security Roles specified in $sourceRoleNames. The resulting Security Roles will have a name according to the pattern specified by $roleNamePattern. In the pattern, {0} stands for the source role name.

The script does not copy the assignments of the Security Roles, because obviously you'll have different assignments for different teams. For information on how to define the assignments of Security Roles, see section Assigning a Role in the following SDK article: http://www.adaxes.com/sdk/?ManagingSecu ... curityRole.

$sourceRoleNames = @("Account Manager", "Blind User", "Computer Manager") # TODO: modify me
$roleNamePattern = "{0} ('%name%' department)" # TODO: modify me

function GetRolePath($name, $securityRolesPath)
{
    # Search Security Roles by name; exactly one match is expected
    $searcher = $Context.BindToObject($securityRolesPath)
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("name", $name)
    $searcher.SearchFilter = "(&(objectCategory=adm-Role)$filterPart)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searchResult = $NULL
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        if ($objects.Count -eq 0)
        {
            $Context.LogMessage("Role '$name' could not be found", "Warning")
            return $NULL
        }
        elseif ($objects.Count -gt 1)
        {
            $Context.LogMessage("Found more than one Security Role with name '$name'", "Warning")
            return $NULL
        }

        return $objects[0].AdsPath
    }
    finally
    {
        # ExecuteSearch may throw before $searchResult is assigned
        if ($searchResult -ne $NULL) { $searchResult.Dispose() }
    }
}

$securityRolesPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$securityRolesContainer = $Context.BindToObject($securityRolesPath)
foreach ($sourceRoleName in $sourceRoleNames)
{
    # Get source role path
    $sourceRolePath = GetRolePath $sourceRoleName $securityRolesPath
    if ($sourceRolePath -eq $NULL)
    {
        continue
    }

    # Build the name for the new role; {0} in the pattern is the source role name
    $sourceRole = $Context.BindToObject($sourceRolePath)
    $newRoleName = [System.String]::Format($roleNamePattern, $sourceRole.Get("name"))
    $escapedName = [Softerra.Adaxes.Ldap.Rdn]::EscapeAttributeValue($newRoleName)

    # Create the new role (enabled)
    $targetRole = $securityRolesContainer.Create("adm-Role", "CN=$escapedName")
    $targetRole.Disabled = $False
    try
    {
        $targetRole.SetInfo()
    }
    catch
    {
        $Context.LogMessage("Can't create role '$newRoleName'. Error: " + $_.Exception.Message, "Warning")
        continue
    }

    # Copy permission entries; each source entry is recreated on the target role
    $sourcePermissions = $sourceRole.Permissions
    for ($i = 0; $i -lt $sourcePermissions.Count; $i++)
    {
        $sourceEntry = $sourcePermissions.GetObject($i)
        $targetEntry = $targetRole.Permissions.Create()

        $targetEntry.AccessType = $sourceEntry.AccessType                   # Allow or Deny
        $targetEntry.AccessMask = $sourceEntry.AccessMask                   # rights granted or denied
        $targetEntry.ObjectType = $sourceEntry.ObjectType                   # property / extended right the entry covers
        $targetEntry.InheritedObjectType = $sourceEntry.InheritedObjectType # object class the entry applies to

        $targetEntry.SetInfo() # save the permission entry
        $targetRole.Permissions.Add($targetEntry) # add the permission to the target role
    }
}
}
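As an added check, not part of the original answer or of Adaxes's own code: once the copy has run, the new role should carry exactly the source role's permission entries, no fewer (a silently skipped entry) and no more (an entry that grants beyond what the source allowed). The script below reads both roles through the same $Context calls the answer uses and reports any entry missing from or extra on the target. The two role names are assumed placeholders, and the lookup assumes, as the answer does, that role names are unique under the AccessControlRoles container.

```powershell
# Added example: compare the permission entries of a source Security Role and its copy.
# Runs in an Adaxes script context ($Context is provided by Adaxes). The two names
# below are assumed placeholders and must be replaced.
$sourceRoleName = "Account Manager"                       # assumption: an existing role
$targetRoleName = "Account Manager ('Sales' department)"  # assumption: the role produced by the copy

function Get-RoleByName($name)
{
    # Same lookup as the copy script: exactly one adm-Role with this name is expected
    $securityRolesPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
    $searcher = $Context.BindToObject($securityRolesPath)
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("name", $name)
    $searcher.SearchFilter = "(&(objectCategory=adm-Role)$filterPart)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searchResult = $NULL
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()
        if ($objects.Count -ne 1)
        {
            $Context.LogMessage("Expected exactly one role named '$name', found " + $objects.Count, "Warning")
            return $NULL
        }
        return $Context.BindToObject($objects[0].AdsPath)
    }
    finally
    {
        if ($searchResult -ne $NULL) { $searchResult.Dispose() }
    }
}

function Get-PermissionCounts($role)
{
    # Key each entry on the four fields the copy script transfers; count duplicates
    $counts = @{}
    $permissions = $role.Permissions
    for ($i = 0; $i -lt $permissions.Count; $i++)
    {
        $entry = $permissions.GetObject($i)
        $key = "{0}|{1}|{2}|{3}" -f $entry.AccessType, $entry.AccessMask, $entry.ObjectType, $entry.InheritedObjectType
        if ($counts.ContainsKey($key)) { $counts[$key] += 1 } else { $counts[$key] = 1 }
    }
    return $counts
}

function Compare-RolePermissions($sourceRole, $targetRole)
{
    # Returns $True only when both roles hold the same entries the same number of times
    $source = Get-PermissionCounts $sourceRole
    $target = Get-PermissionCounts $targetRole
    $identical = $True

    foreach ($key in $source.Keys)
    {
        $expected = $source[$key]
        $actual = 0
        if ($target.ContainsKey($key)) { $actual = $target[$key] }
        if ($actual -lt $expected)
        {
            $Context.LogMessage("Missing on target ($($expected - $actual)x): $key", "Warning")
            $identical = $False
        }
        elseif ($actual -gt $expected)
        {
            $Context.LogMessage("Duplicated on target ($($actual - $expected)x): $key", "Warning")
            $identical = $False
        }
    }
    foreach ($key in $target.Keys)
    {
        if (-not $source.ContainsKey($key))
        {
            # An entry the source never had: the copy would grant more than intended
            $Context.LogMessage("Extra on target: $key", "Warning")
            $identical = $False
        }
    }
    return $identical
}

$sourceRole = Get-RoleByName $sourceRoleName
$targetRole = Get-RoleByName $targetRoleName
if ($sourceRole -ne $NULL -and $targetRole -ne $NULL)
{
    if (Compare-RolePermissions $sourceRole $targetRole)
    {
        $Context.LogMessage("Permissions of '$targetRoleName' match '$sourceRoleName'", "Information")
    }
}
```

Because the copy is by value, the two roles diverge as soon as either is edited; rerunning this comparison after later changes to the source role shows which entries the per-department copies no longer share with it.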

Hi Adaxes Support,

Sorry for the late answer. Thanks a lot for that code. That's exactly what I'm looking for.

Thanks
Cheers
