
Assigning Security Roles

The following code sample assigns a Security Role to a group over all objects from all AD domains managed by Adaxes.

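# Grants the Security Role 'My Role' to the group 'EXAMPLE\MyGroup' over all
# objects from all AD domains managed by Adaxes.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
# NOTE(review): the $null user name and password presumably mean the account
# running the script is used - confirm against the SDK reference.
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over All Objects
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# No base object is needed: the ALL_DIRECTORY type covers all objects from all
# managed AD domains. Narrow the scope to a domain, OU, group or Business Unit
# when the role does not have to apply everywhere.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $null
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)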

The following code sample assigns a Security Role to a group over all objects from a specific AD domain.

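# Grants the Security Role 'My Role' to the group 'EXAMPLE\MyGroup' over all
# objects from the AD domain 'example.com'.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Resolve the domain before anything is written, so that a wrong domain name
# stops the script while the role is still unchanged.
$domain = "example.com"
$domainObj = $admService.OpenObject("Adaxes://$domain", $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over domain 'example.com'
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# Limit the assignment to the domain object and everything beneath it.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $domainObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)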

The following code sample assigns a Security Role to a user over all objects located in a specific Organizational Unit.

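# Grants the Security Role 'My Role' to the user 'EXAMPLE\jsmith' over all
# objects located in the 'Sales' Organizational Unit.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Resolve the OU before anything is written, so that a wrong DN stops the
# script while the role is still unchanged.
$ouDN = "OU=Sales,DC=example,DC=com"
$ou = $admService.OpenObject("Adaxes://$ouDN", $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over objects located under 'Sales' OU
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# Limit the assignment to the OU and everything beneath it.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $ou
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)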

The following code sample assigns a Security Role to a user over members of a specific group.

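# Grants the Security Role 'My Role' to the user 'EXAMPLE\jsmith' over the
# members of the 'My Group' group.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Resolve the group before anything is written, so that a wrong DN stops the
# script while the role is still unchanged.
$groupDN = "CN=My Group,DC=example,DC=com"
$group = $admService.OpenObject("Adaxes://$groupDN", $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over members of the 'My Group' group
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# The GROUP type scopes the assignment to the group's members. The scope then
# follows group membership, so control over who can change that membership
# matters as much as the assignment itself.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $group
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_GROUP"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)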

The following code sample assigns a Security Role to a user over the members of a specific Business Unit.

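# Grants the Security Role 'My Role' to the user 'EXAMPLE\jsmith' over the
# members of the 'My Unit' Business Unit.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Resolve the Business Unit before anything is written, so that a wrong name
# stops the script while the role is still unchanged.
$businessUnitsPath = $admService.Backend.GetConfigurationContainerPath("BusinessUnits")
$businessUnitsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessUnitsPath
$myBusinessUnitPath = $businessUnitsPathObj.CreateChildPath("CN=My Unit")
$businessUnitObj = $admService.OpenObject($myBusinessUnitPath, $null, $null, 0)

# Assign the role to user 'EXAMPLE\jsmith' over members of the 'My Unit' Business Unit
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\jsmith"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# The BUSINESSUNIT type scopes the assignment to the members of the unit.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $businessUnitObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)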

The following code sample assigns a Security Role to a group over a specific AD object.

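# Grants the Security Role 'My Role' to the group 'EXAMPLE\MyGroup' over one
# specific AD object: the 'Sales' OU itself, without the objects inside it.

# Stop at the first error so that a failed lookup is never followed by a write.
$ErrorActionPreference = "Stop"

# LoadWithPartialName returns $null instead of throwing when the assembly is
# not found, so check the result explicitly.
$adsiAssembly = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
if ($null -eq $adsiAssembly)
{
    throw "Could not load the Softerra.Adaxes.Adsi assembly."
}

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesPath
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath("CN=My Role")
$role = $admService.OpenObject($myRoleAdsPath, $null, $null, 0)

# Resolve the OU before anything is written, so that a wrong DN stops the
# script while the role is still unchanged.
$ouDN = "OU=Sales,DC=example,DC=com"
$ouObj = $admService.OpenObject("Adaxes://$ouDN", $null, $null, 0)

# Assign the role to group 'EXAMPLE\MyGroup' over OU 'Sales' (not its children)
$assignment = $role.Assignments.Create()
$assignment.Trustee = "EXAMPLE\MyGroup"
$assignment.SetInfo()   # commit the assignment before adding it to the role
$role.Assignments.Add($assignment)

# ADS_SCOPE_BASE is what keeps the assignment on the OU object alone; with
# ADS_SCOPE_SUBTREE it would also cover everything beneath the OU.
$scopeItem = $assignment.ActivityScopeItems.Create()
$scopeItem.BaseObject = $ouObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_BASE"
$scopeItem.Exclude = $false   # include the scope rather than carve it out
$scopeItem.SetInfo()

$assignment.ActivityScopeItems.Add($scopeItem)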

See also