Allow management of Adaxes configuration objects located in specific container

March 24, 2017

Using Adaxes UI, you can delegate management of Adaxes configuration objects of a certain type, but you cannot specify which objects exactly can be modified. For example, you can create a Security Role that allows managing all Business Rules, but you cannot allow management of only Business Rules located in a certain container. This gap can be filled with the help of PowerShell scripts.

The following script sample assigns a Security Role to a user or group, with the assignment scope limited to a container that holds configuration objects. For example, you can assign a role to the group Acme Administrators and include only the container Adaxes Service / Configuration / Property Patterns / Acme Patterns in the assignment scope. In other words, members of the group will be able to create, delete and modify only Property Patterns located in the Acme Patterns container and won't be able to manage Property Patterns in other containers.

To create a Security Role that allows managing configuration objects of a certain type, do the following:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes Service and select New \ Security Role.
  3. On Step 2 of the Create Security Role Wizard, click the arrow button embedded in the Add button and select Manage <Configuration Object Type>. For example, if you want to create a role that allows managing Business Rules, select Manage Business Rules.

To use the script, save it to a file with the PS1 extension, for example, allowModifyConfigurationContainer.ps1, and call it with the parameters below.

Parameters:

  • roleName - specifies the name of the Security Role you want to assign;
  • containerName - specifies the name of the container with configuration objects that must be included in the Assignment Scope;
  • objectType - specifies the type of objects contained in the container specified by $containerName. The type must be specified by the appropriate container alias, for example, BusinessRules. For a complete list of aliases, see Aliases for containers that store Adaxes configuration objects;
  • trusteeDN - specifies the Distinguished Name (DN) of the user or group to whom the Security Role will be assigned.

Sample Usage:

PowerShell
.\allowModifyConfigurationContainer.ps1 `
    -roleName "Acme Configuration Objects" `
    -containerName "Acme Patterns" `
    -objectType "PropertyPatterns" `
    -trusteeDN "CN=Acme Administrators,CN=Groups,DC=example,DC=com"

Script:

PowerShell
param(
    [Parameter(Mandatory=$true)]
    $roleName, 
    [Parameter(Mandatory=$true)]
    $containerName,
    [Parameter(Mandatory=$true)]
    $objectType,
    [Parameter(Mandatory=$true)]
    $trusteeDN
)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")


function GetConfigurationObjectPath($configurationObjectName, $containerAlias)
{
    $searcherPath = $admService.Backend.GetConfigurationContainerPath(
        $containerAlias)
    $searcher = $admService.OpenObject($searcherPath, $NULL, $NULL, 0)
    $searcher.SearchFilter = "(name=$configurationObjectName)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()
    
        if ($objects.Count -eq 0)
        {
            Write-Warning "Object '$configurationObjectName' could not be found"
            return $NULL
        }
        elseif($objects.Count -gt 1)
        {
            Write-Warning "Found more than one object with name '$configurationObjectName'"
            return $NULL
        }
        else
        {
            return $objects[0].AdsPath
        }
    }
    finally
    {
        # Release resources. ExecuteSearch() may have thrown before $searchResult
        # was assigned, so guard against calling Dispose() on $null.
        if ($searchResult) { $searchResult.Dispose() }
    }
}

# Bind to the Security Role
$rolePath = GetConfigurationObjectPath $roleName "AccessControlRoles"
if ($rolePath)
{
    $role = $admService.OpenObject($rolePath, $null, $null, 0)
}
else
{
    return
}

# Bind to the container with configuration objects
$containerPath = GetConfigurationObjectPath $containerName $objectType
if ($containerPath)
{
    $container = $admService.OpenObject($containerPath, $null, $null, 0)
}
else
{
    return
}

# Get trustee SID
try
{
    $trustee = $admService.OpenObject("Adaxes://" + $trusteeDN, $null, $null, 0)
    $trusteeSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($trustee.Get("ObjectSid"), 0)
    $sidSddlForm = $trusteeSid.Value
}
catch
{
    Write-Warning "Could not find the trustee"
    return
}

# Assign the role
$assignment = $role.Assignments.Create()
$assignment.Trustee = $sidSddlForm
$assignment.SetInfo()
$role.Assignments.Add($assignment)

# Include the container in the Assignment Scope
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $container
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$assignment.ActivityScopeItems.Add($scopeItem)
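The script above creates the assignment but never reads it back, so a misconfiguration (for example a second assignment to the same trustee whose scope is the whole service) would go unnoticed. The following audit script is an added example, not part of the original sample or of the Adaxes product; it lists every assignment of a Security Role with its trustee and scope items and warns when an included scope item is not the expected container. It assumes the same Adaxes ADSI objects used by the script above, that a scope item's BaseObject exposes the standard IADs ADsPath property and Get("name") method, and that the role is found by name in the AccessControlRoles container exactly as the main script does.

```powershell
# Added audit helper (not part of the original script).
# Assumption: Adaxes ADSI objects behave as in the script above; scope BaseObject
# is an IADs object exposing ADsPath and Get("name").
param(
    [Parameter(Mandatory=$true)]
    $roleName,
    # Optional: name of the container the assignment scope is expected to be limited to
    $expectedContainerName
)

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Locate the Security Role by name (same search as the main script)
$rolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$searcher = $admService.OpenObject($rolesPath, $NULL, $NULL, 0)
$searcher.SearchFilter = "(name=$roleName)"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searchResult = $NULL
try
{
    $searchResult = $searcher.ExecuteSearch()
    $roles = $searchResult.FetchAll()
}
finally
{
    if ($searchResult) { $searchResult.Dispose() }
}
if ($roles.Count -ne 1)
{
    Write-Warning "Expected exactly one role named '$roleName', found $($roles.Count)"
    return
}
$role = $admService.OpenObject($roles[0].AdsPath, $NULL, $NULL, 0)

function Resolve-TrusteeName($sidString)
{
    # Best effort: translate the SDDL-form SID to DOMAIN\Name; fall back to the raw SID
    try
    {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch
    {
        return $sidString
    }
}

foreach ($assignment in $role.Assignments)
{
    $trusteeName = Resolve-TrusteeName $assignment.Trustee
    Write-Output "Assignment: $trusteeName ($($assignment.Trustee))"

    foreach ($scopeItem in $assignment.ActivityScopeItems)
    {
        $kind = if ($scopeItem.Exclude) { "EXCLUDE" } else { "include" }
        if ($scopeItem.BaseObject)
        {
            $path = $scopeItem.BaseObject.ADsPath
            $name = $scopeItem.BaseObject.Get("name")
        }
        else
        {
            # Scope types without a base object (e.g. all objects) are the broadest possible
            $path = "(no base object)"
            $name = $NULL
        }
        Write-Output "  $kind $($scopeItem.Type) $($scopeItem.Inheritance) $path"

        # Flag included scope items that are wider than the single expected container
        if ($expectedContainerName -and -not $scopeItem.Exclude -and $name -ne $expectedContainerName)
        {
            Write-Warning "  Scope includes '$path', which is outside the expected container '$expectedContainerName'"
        }
    }
}
```

Run it after the assignment script, for example with -roleName "Acme Configuration Objects" -expectedContainerName "Acme Patterns"; any warning means the role grants more than the one container the delegation was meant to cover, and the scope items printed show exactly which assignment and path to correct.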
