
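New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    <#
    Grants the Administrator role only when the authenticated principal carries a
    claim of type 'Group' whose value is the ITD-PSUniversal-Admin AD group.
    Any other principal (including one with no group claims at all) is denied.

    Policies must return $true or $false.

    Notes from review:
      * PowerShell allows a single param block per script block. The stray second
        `param($User)` that used to follow the comment blocks has been removed.
      * The earlier DirectorySearcher (LDAP) membership lookup, which also wrote
        "<user> is / is NOT member of admin group" to C:\test\adgroup.txt, has been
        dropped. The decision is made purely from the claims the authentication
        provider attached to $User, so no live directory query or on-disk logging
        is needed here.
      * Assumes the configured authentication provider surfaces AD group names as
        claims of type 'Group' (every other role in this file relies on the same
        thing) - confirm against the provider if this role ever stops matching.
    #>

    # Collect the values of every 'Group' claim; @() keeps a single claim an array.
    $groupNames = @($User.Claims |
        Where-Object Type -eq 'Group' |
        Select-Object -ExpandProperty Value)

    # -contains is a case-insensitive string comparison; $null/empty -> $false.
    return ($groupNames -contains 'ITD-PSUniversal-Admin')
}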
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Nobody is granted Operator through this policy: it always denies.
    # Access for specific teams/apps is granted by the dedicated roles further
    # down this file instead. Policies must return $true or $false.
    return $false
}
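New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]
        $User
    )
    <#
    Read-only access for any principal that is a member of at least one AD group
    whose name starts with "ITD-PSUniversal-" (admin, Team-* and App-* groups
    alike). Policies must return $true or $false.

    Changes from review:
      * The debug statement that serialised the entire ClaimsPrincipal to
        C:\temp\user-<identity name>.json on every policy evaluation is removed.
        It wrote every caller's full claim set to a shared directory, built the
        file name from the untrusted identity name, and ran for every request.
        Inspect claims in a one-off session instead of leaving this in a role file.
      * "ITD-PSUniversal-*" was evaluated with -match, i.e. as a regular
        expression: '*' quantifies the trailing '-' and the pattern is unanchored,
        so any group name merely containing "ITD-PSUniversal" matched, and for an
        array of groups the result was the list of matching names rather than a
        boolean. The check is now a wildcard prefix match that yields [bool].
      * Assumes the authentication provider surfaces AD group names as claims of
        type 'Group', as the rest of this file does - confirm against the provider.
    #>

    # All 'Group' claim values; @() keeps a single claim an array.
    $groupNames = @($User.Claims |
        Where-Object Type -eq 'Group' |
        Select-Object -ExpandProperty Value)

    # -like is a case-insensitive wildcard match; '-' is literal, '*' is the wildcard.
    $matching = @($groupNames | Where-Object { $_ -like 'ITD-PSUniversal-*' })
    return ($matching.Count -gt 0)
}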
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Always denies: the built-in Execute role is not handed out by claim here.
    # Policies must return $true or $false.
    return $false
}
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    # Always denies: resource access is granted via the Team-*/App-* roles below
    # rather than through the generic User role. Policies must return $true or $false.
    return $false
}
###### Team-TeamName nd.gov Active Directory groups
New-PSURole -Name "Team-Windows" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-Windows AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-Windows' -in $groupNames
}
New-PSURole -Name "Team-Linux" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-Linux AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-Linux' -in $groupNames
}
New-PSURole -Name "Team-ConnectND" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-ConnectND AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-ConnectND' -in $groupNames
}
New-PSURole -Name "Team-Network" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-Network AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-Network' -in $groupNames
}
New-PSURole -Name "Team-Tier2" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-Tier2 AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-Tier2' -in $groupNames
}
New-PSURole -Name "Team-Mgmt" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-Team-Mgmt AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-Team-Mgmt' -in $groupNames
}
###### ITD App-AppName nd.gov Active Directory Groups
<# New Role for Apps example
New-PSURole -Name "App-Infra-XXXXX" -Policy {
param($User)
$Roles = $User.Claims | Where-Object Type -eq Group | Select-Object -ExpandProperty Value
$Roles -contains "ITD-PSUniversal-App-Infra-XXXXX"
}
#>
New-PSURole -Name "App-Infra-VMware" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-App-Infra-VMware AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-App-Infra-VMware' -in $groupNames
}
New-PSURole -Name "App-ITD-WindowsServer" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-App-ITD-WindowsServer AD group (via a 'Group' claim)?
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    # -in is case-insensitive; an absent/empty claim set yields $false.
    'ITD-PSUniversal-App-ITD-WindowsServer' -in $groupNames
}
New-PSURole -Name "App-Shared-Powerschool" -Policy {
    param($User)
    # Member of the ITD-PSUniversal-App-Shared-PowerSchool AD group (via a 'Group' claim)?
    # Note the role name is spelled "Powerschool" while the group is "PowerSchool";
    # -in compares case-insensitively, so the mismatch is cosmetic only.
    $groupNames = foreach ($claim in $User.Claims) {
        if ($claim.Type -eq 'Group') { $claim.Value }
    }
    'ITD-PSUniversal-App-Shared-PowerSchool' -in $groupNames
}