Roles

Role-based access controls


In this lecture, we go through roles and how to use them to limit what features users have access to when using PowerShell Universal. We'll assign roles based on Windows group membership via Claim to Role mapping as well as Policy scripts. Next, we'll go through the various features like APIs, dashboards, and pages to see how users with different roles are affected. Finally, we'll assign an Execute role and see how it affects a user viewing the admin console.

Policy script to check claims

param(
    [Security.ClaimsPrincipal]$User
)

<#
  Policies should return $true or $false to determine whether the user holds the
  claim required for that role.
#>

$User.HasClaim("claimType", "claimValue")

roles.ps1

New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -ClaimValue "S-1-5-21-3266693409-3616515432-668607786-1006"
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
      Policies should return $true or $false to determine whether the user holds the
      claim required for that role.
    #>

    $false
}
New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
      Policies should return $true or $false to determine whether the user holds the
      claim required for that role.
    #>

    $true
}
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
      Policies should return $true or $false to determine whether the user holds the
      claim required for that role.
    #>

    $true
}
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
      Policies should return $true or $false to determine whether the user holds the
      claim required for that role.
    #>

    $true
}
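The roles.ps1 above returns constants from its policies, so every signed-in user becomes a Reader, Execute and User member while nobody becomes an Operator. The following roles.ps1 is an added example (not the lecture's file) in which each policy makes a real decision from the user's claims and denies by default. The Administrator group SID is the one used in the lecture; the other SIDs are placeholders invented for this example, and the policy bodies spell out the claim type URI themselves because a -Policy script block is evaluated on its own and cannot rely on variables set elsewhere in roles.ps1.

```powershell
# Added example roles.ps1, not the lecture's file.
# Administrator: claim-to-role mapping on the Windows group SID claim (SID from the lecture).
New-PSURole -Name "Administrator" -Description "Full management of PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -ClaimValue "S-1-5-21-3266693409-3616515432-668607786-1006"

# Operator: granted only to members of one group; HasClaim returns $false for everyone else.
New-PSURole -Name "Operator" -Description "Manage and run scripts; cannot change PowerShell Universal settings." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    # Placeholder group SID for this example
    $OperatorsSid = "S-1-5-21-0-0-0-2001"
    $User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", $OperatorsSid)
}

# Reader: granted to members of any of several groups, deny if none match.
New-PSURole -Name "Reader" -Description "Read-only access to PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    $ClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
    # Placeholder group SIDs for this example
    $ReaderGroups = @("S-1-5-21-0-0-0-3001", "S-1-5-21-0-0-0-3002")

    foreach ($Sid in $ReaderGroups) {
        if ($User.HasClaim($ClaimType, $Sid)) { return $true }
    }
    $false
}

# Execute: same shape as Operator; a separate group so script execution can be
# granted without the ability to edit scripts.
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    # Placeholder group SID for this example
    $User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-0-0-0-4001")
}

# User: every authenticated identity, which still gives no access to the admin console.
New-PSURole -Name "User" -Description "No admin console access; can be assigned APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    $User.Identity.IsAuthenticated
}
```

Each policy returns exactly one boolean: HasClaim and IsAuthenticated are .NET members of ClaimsPrincipal and its identity, and the Reader loop returns $true on the first match or falls through to $false. Keeping the claim check inside the policy is what makes a role review possible: the group SIDs that grant each role are visible in one file rather than implied by a constant.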

Dashboard that uses $Roles

New-UDDashboard -Title 'PowerShell Universal' -Content {
    $Roles | ForEach-Object { Show-UDToast $_ }
}
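The dashboard above only lists the roles. As an added example (not the lecture's dashboard), the one below uses $Roles to decide which controls to render for the signed-in user; it assumes $Roles is the array of role names the lecture enumerates, and the button actions only raise toasts so the example runs without any scripts configured.

```powershell
# Added example, not the lecture's dashboard.
New-UDDashboard -Title 'PowerShell Universal' -Content {
    # $Roles is provided by PowerShell Universal for the signed-in user.
    New-UDTypography -Text "Your roles: $($Roles -join ', ')"

    # Only Administrators see the management control.
    if ($Roles -contains 'Administrator') {
        New-UDButton -Text 'Manage settings' -OnClick { Show-UDToast 'Administrator control' }
    }

    # Execute or Operator unlocks the run control; everyone else gets an explanation.
    if ($Roles -contains 'Execute' -or $Roles -contains 'Operator') {
        New-UDButton -Text 'Run script' -OnClick { Show-UDToast 'Execute or Operator control' }
    }
    else {
        New-UDTypography -Text 'Your roles do not allow running scripts from this dashboard.'
    }
}
```

Hiding a control is a convenience for the user, not the enforcement point: the role assigned to the script, API or page itself is what PowerShell Universal checks when the resource is used, so the dashboard and the resource should be granted to the same roles.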