Assign Security Role

September 18, 2015
The following function can be used in PowerShell scripts to assign a Security Role to a user or group with a certain Assignment Scope.

Assigning a Security Role without first checking existing assignments can create duplicates: the Trustee may already be assigned to the role, or the same scope item may already be present in the Trustee's Assignment Scope. The function below performs both checks itself, so the caller does not need to inspect existing assignments.

Parameters:

  • $trusteeSid - specifies the SID of the user or group that you want to assign the Security Role to (in the SDDL form);
  • $baseObjectDN - specifies the Distinguished Name (DN) of the base directory object that defines the scope of activity;
  • $scopeItemType - specifies the type of the base object. For a list of possible values, see ADM_SCOPEBASEOBJECTTYPE_ENUM;
  • $inheritance - specifies whether all descendants or only immediate children of the base directory object should be included into or excluded from the scope of activity. For a list of values, see ADS_SCOPEENUM;
  • $exclude - specifies whether the scope item will be excluded from or included into the scope of activity;
  • $rolePath - specifies the ADS path of the Security Role that you want to assign to the user.
    How to get the ADS path of a role:
    1. Launch Adaxes Administration Console.
    2. In the Console Tree, locate the Security Role you need.
    3. Right-click the role and click Properties.
    4. On the General tab, click Advanced.
    5. The ADS path is displayed in the ADS path field.

Sample Usage:

PowerShell
UpdateRoleAssignments -TrusteeSid "S-1-5-21-573937-2149998-410785" `
                      -BaseObjectDN "OU=Sales,DC=example,DC=com" `
                      -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
                      -Inheritance "ADS_SCOPE_SUBTREE" `
                      -Exclude $False `
                      -RolePath "Adaxes://adaxesserver.example.com:12345/CN=My Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"

Function:

PowerShell
function UpdateRoleAssignments
{
    Param(
        $trusteeSid,
        $baseObjectDN,
        $scopeItemType,
        $inheritance,
        $exclude,
        $rolePath
    )

    $role = $Context.BindToObject($rolePath)

    # Get assignments
    $assignments = $role.Assignments
    $scopeItems = $NULL

    foreach ($assignment in $assignments)
    {
        # Check whether the Trustee is already assigned to the role
        if ($assignment.Trustee -ine $trusteeSid)
        {
            continue
        }
        
        # Get the Assignment Scope for the Trustee
        $scopeItems = $assignment.ActivityScopeItems
        break
    }

    # Put $NULL on the left so the comparison is never vectorized over a collection
    if ($NULL -eq $scopeItems)
    {
        # Trustee is not yet assigned to the role, add new Trustee
        $assignment = $role.Assignments.Create()
        $assignment.Trustee = $trusteeSid
        $assignment.SetInfo()
        $assignments.Add($assignment)
        $scopeItems = $assignment.ActivityScopeItems
    }

    # Define the Assignment Scope
    # Get the base object GUID
    if ([System.String]::IsNullOrEmpty($baseObjectDN))
    {
        # All objects
        $baseObject = $NULL
        $baseObjectGuid = [Guid]::Empty
    }
    else
    {
        $baseObject = $Context.BindToObjectByDN($baseObjectDN)
        $baseObjectGuid = [Guid]$baseObject.Get("objectGuid")
    }

    # Check whether the scope item already exists in the Assignment Scope
    $removeExistingItem = $False
    foreach ($item in $scopeItems)
    {
        # Compare base object GUID, Inheritance, Include / Exclude
        $scopeBaseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")

        if ($scopeBaseObjectGuid -ine $baseObjectGuid)
        {
            continue
        }

        if ($item.Type -ne $scopeItemType)
        {
            continue
        }

        if ($item.Inheritance -ne $inheritance)
        {
            continue
        }

        if ($item.Exclude -eq $exclude)
        {
            # The scope item already exists in the Assignment Scope of the Trustee, exit
            return
        }
        
        # Remove the item
        $removeExistingItem = $True
        break
    }
    
    if ($removeExistingItem)
    {
        $scopeItems.Remove($item)
    }

    # Add a new item to the Assignment Scope
    $scopeItem = $scopeItems.Create()
    $scopeItem.BaseObject = $baseObject
    $scopeItem.Type = $scopeItemType
    $scopeItem.Inheritance = $inheritance
    $scopeItem.Exclude = $exclude
    $scopeItem.SetInfo()
    
    $scopeItems.Add($scopeItem)
}
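As an added companion script (not part of the original function or of the Adaxes product samples), the following audit function lists every assignment of a role together with its scope items and flags scope items that repeat the same base object, type and inheritance for one Trustee. It uses only the API members the function above already relies on ($Context.BindToObject, $role.Assignments, Trustee, ActivityScopeItems, Type, Inheritance, Exclude and the adm-ScopeBaseObjectGuid attribute), and it assumes it runs in the same Adaxes script context where $Context is defined. The function name, the output object layout and the "<All objects>" label for an empty GUID are my own choices; the role path in the usage line is the placeholder from the sample above, not a real role.

```powershell
function Get-RoleAssignmentReport
{
    Param(
        $rolePath
    )

    # Bind to the Security Role the same way UpdateRoleAssignments does
    $role = $Context.BindToObject($rolePath)
    $report = @()

    foreach ($assignment in $role.Assignments)
    {
        # Keys already seen for this Trustee: base object GUID + type + inheritance.
        # Exclude is deliberately left out of the key, so an Include and an Exclude
        # item for the same object are reported as a pair that conflicts.
        $seen = @{}

        foreach ($item in $assignment.ActivityScopeItems)
        {
            $baseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")

            # UpdateRoleAssignments stores [Guid]::Empty when no base object DN is given
            if ($baseObjectGuid -eq [Guid]::Empty)
            {
                $baseObjectLabel = "<All objects>"
            }
            else
            {
                $baseObjectLabel = $baseObjectGuid.ToString()
            }

            $key = "$baseObjectGuid|$($item.Type)|$($item.Inheritance)"
            $isDuplicate = $seen.ContainsKey($key)
            $seen[$key] = $True

            $report += New-Object PSObject -Property @{
                Trustee     = $assignment.Trustee
                BaseObject  = $baseObjectLabel
                Type        = $item.Type
                Inheritance = $item.Inheritance
                Exclude     = $item.Exclude
                Duplicate   = $isDuplicate
            }
        }
    }

    return $report
}

# Usage (placeholder role path taken from the sample above):
Get-RoleAssignmentReport -RolePath "Adaxes://adaxesserver.example.com:12345/CN=My Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" |
    Format-Table Trustee, BaseObject, Type, Inheritance, Exclude, Duplicate -AutoSize
```

Running the report before and after a call to UpdateRoleAssignments shows exactly which assignment and scope item the function merged into; any row with Duplicate set to True is a scope item the function above would have replaced rather than added, which is the situation that arises when assignments are created without the existence checks.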
