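# roles.ps1 -- PowerShell Universal role definitions.
#
# Every -Policy script block receives the authenticated principal and must
# return $true or $false. Membership is decided solely from the 'Group'
# claims already attached to the principal; no directory lookup is performed
# at policy-evaluation time.
#
# NOTE(review): the claim type 'Group' has to match what the configured
# authentication provider emits -- confirm against the identity settings.
#
# Changes from the previous revision:
#   * Administrator: the commented-out LDAP lookup prototype (which also wrote
#     results under C:\test) and the duplicate trailing `param($User)` it left
#     behind were removed; a policy block may only declare one param block.
#   * Reader: the debugging dump of the whole principal to
#     C:\temp\user-<identity>.json was removed (it persisted every claim to a
#     shared temp directory under a path assembled from the identity name),
#     and the unanchored regex `-match` was replaced by a boolean wildcard test.
#   * All policies now declare the same typed parameter.

New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Policies should return $true or $false to indicate whether the user
    # holds the claim this role requires.
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains 'ITD-PSUniversal-Admin'
}

New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Policies should return $true or $false to indicate whether the user
    # holds the claim this role requires.
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains 'ITD-PSUniversal-Operator'
}

New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Any ITD-PSUniversal-* group grants read-only access.
    # -like is a wildcard match anchored to the whole value; the earlier
    # `-match "ITD-PSUniversal-*"` treated the string as a regex (unanchored,
    # '-*' meaning zero or more hyphens) and returned the matching elements
    # rather than a boolean. The [bool] cast yields $false when nothing matches.
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    [bool]($Roles | Where-Object { $_ -like 'ITD-PSUniversal-*' })
}

New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Not granted to anyone via policy; assign explicitly if needed.
    $false
}

New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Not granted to anyone via policy; assign explicitly if needed.
    $false
}

# Team and application roles: one role per ITD-PSUniversal-* group, matched
# exactly (-contains is case-insensitive by default in PowerShell).

New-PSURole -Name "Team-Windows" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Windows"
}

New-PSURole -Name "Team-Linux" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Linux"
}

New-PSURole -Name "Team-ConnectND" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-ConnectND"
}

New-PSURole -Name "Team-Network" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Network"
}

New-PSURole -Name "Team-Tier2" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Tier2"
}

New-PSURole -Name "Team-Mgmt" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Mgmt"
}

New-PSURole -Name "App-Infra-VMware" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-App-Infra-VMware"
}

New-PSURole -Name "App-ITD-WindowsServer" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-App-ITD-WindowsServer"
}

New-PSURole -Name "App-Shared-Powerschool" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-App-Shared-PowerSchool"
}

New-PSURole -Name "Team-Collaboration" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-Team-Collaboration"
}

New-PSURole -Name "App-Infra-Certificate" -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    $Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
    $Roles -contains "ITD-PSUniversal-App-Infra-Certificate"
}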