Role-based access controls
In this lecture, we go through roles and how to use them to limit what features users have access to when using PowerShell Universal. We'll assign roles based on Windows group membership via Claim to Role mapping as well as Policy scripts. Next, we'll go through the various features like APIs, dashboards, and pages to see how users with different roles are affected. Finally, we'll assign an Execute role and see how it affects a user viewing the admin console.
```powershell
param(
    [Security.ClaimsPrincipal]$User
)

<#
    Policies should return $true or $false to indicate whether the user
    holds the claim required for this role.
#>
$User.HasClaim("claimType", "claimValue")
```
```powershell
New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -ClaimValue "S-1-5-21-3266693409-3616515432-668607786-1006"

New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
        Policies should return $true or $false to indicate whether the user
        holds the claim required for this role.
    #>
    $false
}

New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
        Policies should return $true or $false to indicate whether the user
        holds the claim required for this role.
    #>
    $true
}

New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
        Policies should return $true or $false to indicate whether the user
        holds the claim required for this role.
    #>
    $true
}

New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
        Policies should return $true or $false to indicate whether the user
        holds the claim required for this role.
    #>
    $true
}
```
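The roles.ps1 above grants Reader, Execute and User to every authenticated user, because each of those policies returns $true unconditionally. The following roles.ps1 is an added example (not the lecture's file) that shows both ways of assigning a role: claim-to-role mapping for Administrator, and policy scripts that actually inspect the group SID claims for Operator and Execute, denying by default. Every SID in it is a placeholder, and the "Group Admins" description strings are invented for the example.

```powershell
# roles.ps1 (added example). All S-1-5-21-... values are placeholders;
# replace them with the SIDs of your own groups.

# Claim-to-role mapping: no script, PowerShell Universal checks the claim itself.
New-PSURole -Name 'Administrator' `
    -Description 'Full control of PowerShell Universal.' `
    -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' `
    -ClaimValue 'S-1-5-21-0-0-0-1006'   # placeholder SID of the admin group

# Policy script: Operator is granted to members of either of two groups.
New-PSURole -Name 'Operator' -Description 'Runs and manages scripts.' -Policy {
    param([System.Security.Claims.ClaimsPrincipal]$User)

    # The policy scriptblock is evaluated on its own, so keep every value it
    # needs inside the block rather than referencing variables from roles.ps1.
    $groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    $operatorGroups = @(
        'S-1-5-21-0-0-0-2001',   # placeholder: automation operators
        'S-1-5-21-0-0-0-2002'    # placeholder: service desk leads
    )

    foreach ($sid in $operatorGroups) {
        if ($User.HasClaim($groupSidType, $sid)) { return $true }
    }
    $false   # deny by default: no matching group claim, no role
}

# Policy script: Execute requires an authenticated identity AND a specific group,
# instead of the template's unconditional $true.
New-PSURole -Name 'Execute' -Description 'Execute scripts only.' -Policy {
    param([System.Security.Claims.ClaimsPrincipal]$User)

    if (-not $User.Identity.IsAuthenticated) { return $false }

    $groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    [bool]$User.HasClaim($groupSidType, 'S-1-5-21-0-0-0-3001')   # placeholder: script runners
}

# Reader: everyone who authenticated. This is the one case where returning
# $true is deliberate, and the description says so.
New-PSURole -Name 'Reader' -Description 'Read-only access for any authenticated user.' -Policy {
    param([System.Security.Claims.ClaimsPrincipal]$User)
    [bool]$User.Identity.IsAuthenticated
}
```

A user can hold several roles at once; with this file a member of both placeholder groups 1006 and 3001 would be Administrator, Execute and Reader. The practical check after editing roles.ps1 is to sign in as a test account from each group and look at the role list the admin console (or the $Roles variable in a dashboard) reports for it.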
```powershell
New-UDDashboard -Title 'PowerShell Universal' -Content {
    $Roles | ForEach-Object {
        Show-UDToast $_
    }
}
```
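Listing the roles in a toast shows that $Roles is populated, but the point of the variable is to shape what each role sees. The following dashboard and endpoint are an added example (not the lecture's dashboard) that uses $Roles to show an administration card only to Administrators and a run button only to holders of Execute, and pairs that with an API endpoint carrying -Role 'Execute' so the check is enforced on the server rather than only in the UI. The dashboard name, the /health URL and the card contents are invented for the example.

```powershell
# dashboards/RoleDemo.ps1 (added example, not the lecture's file)
New-UDDashboard -Title 'Role demo' -Content {
    # $Roles is supplied by PowerShell Universal: the roles of the signed-in user.
    New-UDTypography -Text "Your roles: $($Roles -join ', ')"

    # Shown only to Administrators. Hiding an element is a convenience for the
    # user, not a security boundary: anything the card triggers must itself be
    # restricted by role on the server side.
    if ($Roles -contains 'Administrator') {
        New-UDCard -Title 'Administration' -Content {
            New-UDTypography -Text 'Settings and role assignment live here.'
        }
    }

    # Shown only to users holding the Execute role.
    if ($Roles -contains 'Execute') {
        New-UDButton -Text 'Run health check' -OnClick {
            Show-UDToast -Message 'Health check requested (Execute role present).'
        }
    }

    # Everyone else (for example a plain User or Reader) gets read-only content.
    if (-not ($Roles -contains 'Execute') -and -not ($Roles -contains 'Administrator')) {
        New-UDTypography -Text 'Read-only view. Ask an administrator for the Execute role to run checks.'
    }
}

# endpoints.ps1 (added example): the server-side counterpart. Even a caller who
# knows the URL is refused unless they authenticate and hold the Execute role.
New-PSUEndpoint -Url '/health' -Method 'GET' -Authentication -Role 'Execute' -Endpoint {
    @{ status = 'ok'; checkedAt = (Get-Date).ToString('o') }
}
```

When testing this, sign in once as a user with only the User role and once as a user with Execute: the first should see neither the button nor any successful response from /health, while the second sees the button and gets the JSON body. A user who sees the button but cannot call the endpoint tells you the dashboard and endpoint role settings have drifted apart.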