AccessControl Issues

I am currently working through setting up a trial of PowerShell Universal and am working through some of the nuances of OpenID Auth, Roles and Access Controls.

I have been able to get OpenID configured and also the Roles portion based on Group Claims, but I cannot seem to get the Access Control portion of this configured.

When I set the AccessControl for any of the roles I have created (I have tried by Global and by Tag), I get an error after processing.
My Access Control looks like this:

$Type = ([PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'GSD-Tier1' -ObjectType 'Script' -Type $Type

I have also tried:
$Type = ([PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'GSD-Tier1' -Tag 'GSD-Tier1' -Type $Type
(There is a tag of GSD-Tier1 also created and assigned to one of the Scripts)

I sign in through SSO, it redirects from /admin/ to /admin/automation/scripts/ and errors with:

(I have redacted the subdomain and domain as I am a new user and only permitted to post 2 links)

TypeError: Cannot read properties of undefined (reading ‘length’)
at Ce (https://subdomain.domain.com/admin/static/js/main.d71f12a9.chunk.js:1:117282)
at div
at f (https://subdomain.domain.com/admin/static/js/12.f12e3444.chunk.js:2:1405936)
at div
at t.b (/admin/static/js/12.f12e3444.chunk.js:2:1406928)
at header
at p (/admin/static/js/12.f12e3444.chunk.js:2:865225)
at a (/admin/static/js/12.f12e3444.chunk.js:2:865055)
at ze (/admin/static/js/main.d71f12a9.chunk.js:1:119157)
at section
at /admin/static/js/12.f12e3444.chunk.js:2:865485
at a (/admin/static/js/12.f12e3444.chunk.js:2:865055)
at tt (/admin/static/js/main.d71f12a9.chunk.js:1:128372)
at d (/admin/static/js/12.f12e3444.chunk.js:2:361381)
at p (/admin/static/js/12.f12e3444.chunk.js:2:361709)
at h (/admin/static/js/12.f12e3444.chunk.js:2:361446)
at l (/admin/static/js/12.f12e3444.chunk.js:2:358796)
at n (/admin/static/js/12.f12e3444.chunk.js:2:2985607)
at Suspense
at u (/admin/static/js/main.d71f12a9.chunk.js:1:7833)
at h (/admin/static/js/main.d71f12a9.chunk.js:1:109977)
at s (/admin/static/js/12.f12e3444.chunk.js:2:910399)
at c (/admin/static/js/12.f12e3444.chunk.js:2:580721)
at Va

Did I miss something?

I tried reproducing this myself and did not see this behavior.

This is what I see when I login as ‘adam’.

This is what I see when I login as ‘admin’

This is my configuration.

Roles.ps1

New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
    param(
        $User
    )

    $User.Identity.Name -ne 'adam'
}

New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within UA but cannot manage UA itself." -Policy {
    param(
        $User
    )

    $false
}

New-PSURole -Name "Reader" -Description "Readers have read-only access to UA. They cannot make changes to any entity within the system." -Policy {
    param(
        $User
    )

    $false
}

New-PSURole -Name "Execute" -Description "Execute scripts within Universal Automation." -Policy {
    param(
        $User
    )

    $false
}

New-PSURole -Name "Custom" -Policy {
    param($User)

    $User.Identity.Name -eq 'adam'
}

AccessControls.ps1

$Type = ([PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role "Custom" -Tag "Scripts" -Type $Type

Tags.ps1

New-PSUTag -Name "Scripts" -Color "#10239e"

Scripts.ps1

New-PSUScript -Name "Random.ps1" -Description "Returns a random number. " -Tag @("Scripts") -Path "Random.ps1" -InformationAction "Continue" 
# redacted

My guess would be that the user you are testing with may not be receiving the custom role and then they end up with no roles and that error is shown (which we should resolve…)
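
The "no roles" condition guessed at above can be checked offline. The following is an added example, not part of the original posts and not Ironman Software's code: it evaluates role policies written like those in Roles.ps1 against constructed principals and flags any sign-in that matches no role. It assumes `$User` behaves like a .NET `ClaimsPrincipal` for `Identity.Name` and `HasClaim`; the `groups` claim type, the claim-based `GSD-Tier1` policy, and the sample users are hypothetical.

```powershell
# Build a stand-in for the principal an OIDC sign-in would produce.
# The 'groups' claim type and every value passed in are constructed sample data.
function New-TestPrincipal {
    param([string]$Name, [string[]]$Groups = @())
    $claims = [System.Collections.Generic.List[System.Security.Claims.Claim]]::new()
    $claims.Add([System.Security.Claims.Claim]::new([System.Security.Claims.ClaimTypes]::Name, $Name))
    foreach ($g in $Groups) {
        $claims.Add([System.Security.Claims.Claim]::new('groups', $g))
    }
    # Supplying an authentication type marks the identity as authenticated.
    $identity = [System.Security.Claims.ClaimsIdentity]::new($claims, 'TestOidc')
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

# Role name -> policy script block, same shape as the -Policy blocks in Roles.ps1.
$policies = [ordered]@{
    # Taken from the Roles.ps1 posted above.
    Custom      = { param($User) $User.Identity.Name -eq 'adam' }
    # Hypothetical claim-based policy standing in for a group-claim role.
    'GSD-Tier1' = { param($User) $User.HasClaim('groups', 'GSD-Tier1') }
}

# Return the names of all roles whose policy evaluates to $true for the principal.
function Get-MatchedRole {
    param($Principal, $Policies)
    foreach ($role in $Policies.Keys) {
        try {
            if ([bool](& $Policies[$role] $Principal)) { $role }
        } catch {
            # A policy that throws is treated as "no match" (fail closed).
            Write-Warning "Policy for role '$role' threw: $_"
        }
    }
}

$users = @(
    New-TestPrincipal -Name 'adam'
    New-TestPrincipal -Name 'tier1.user' -Groups 'GSD-Tier1', 'Staff'
    New-TestPrincipal -Name 'contractor' -Groups 'Staff'
)

foreach ($u in $users) {
    $roles = @(Get-MatchedRole -Principal $u -Policies $policies)
    [pscustomobject]@{
        User    = $u.Identity.Name
        Roles   = $roles -join ', '
        NoRoles = ($roles.Count -eq 0)   # the condition suspected in this thread
    }
}
```

A row with `NoRoles` set to true identifies a sign-in whose claims satisfy none of the policies, which is the case to rule out before looking at the access controls themselves.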

Thanks Adam, I’ve put some more work into this to try and come back with a solution or at least more information to provide to you.

I did a bunch of testing, changing groups and the like (manually assigning roles to users and new AccessControls etc), and then I suspected the issue may have been related to an older install I had of Universal from about a year ago that I uninstalled. I uninstalled Universal, and deleted the ProgramData folders for it.
Reinstalled and set it all back up.

I set up my OpenID connection again and got it all working. Tested with another user and was able to login with any of the 4 BuiltIn roles.

Created 2 scripts for testing, one with a tag, one without. Assigned the role manually to a new user and got the same issue as above. Did some more testing like above and still had the same results every time.
I disabled the OpenID Authentication, opting just for Forms authentication and replicated similar to what you have above. Everything worked as expected.
I took the same setup, and made an adjustment to hard code my OpenID user ID to the same role that worked for Forms Based and then re-enabled OpenID. It failed again.

There seems to be an issue here when trying to do this with OpenID enabled. Even though everything seems to be working for built in, even manually assigning a custom role results in the TypeError.

Also, this is a fresh install using the 2.6.2 download. My previous installation was a 2.6.1.

Thanks,

Ok. Thanks for the info. I’ll get my lab switch over to OIDC and see if I can replicate this and provide some next steps.

Hi Adam,

Just wanted to confirm this is still an issue in version 2.9.2.

TypeError: Cannot read properties of undefined (reading ‘length’)

I am signing in via OIDC and my role has the ‘Claim Type’ and ‘Claim Value’ set. When I use tags to assign permissions to that role I get the above when trying to sign-in.

Thanks

Thanks. I’ve opened this issue to resolve this in 2.10: Access Control Issues with Tags and OIDC · Issue #1054 · ironmansoftware/issues · GitHub


Hey Adam,
Just wanted to let you know I updated last night and this issue seems to be resolved in the 2.10.1 release that I just applied.
Thanks for the hard work!
