Product: PowerShell Universal
Version: 5.6.13
Hello! I am trying to integrate/use AD Groups for Authentication and Setting Roles. I have found the claims that are passed in for the user, so I can get the SIDs of the groups that the user is a member of. I have a Dev and a Prod PSUniversal server, and I am using different AD Groups for each one as I am being much stricter on who has access to my prod installation. I am hoping to re-use as much code as I can, so I don’t want to hardcode the SIDs into the Role checking code, so I was hoping to load the SID information into a HashTable and then store that as a variable (or a secret) that I could then use in the Role script to check against. Ideally I would like to do something like this:
```powershell
foreach ($Claim in $User.Claims) {
    if ($Claim.Value -eq $Roles.Administrator) {
        return $true
    }
}
```
The idea is that I can have that same code block in the Administrator Role Script for both environments, but I could just update the $Roles.Administrator value to the SID of the AD Group for Prod or Dev. I tried creating a variable, but it doesn’t seem to be accessible from the Security functions. I thought about setting up Windows Environment Variables, but that would require Admin Rights on the box and I was hoping to do this all through the app. I did see one thread about configuring security to run in a separate PowerShell environment that I could then inject the variables into, but I feel like that would add a lot of overhead if we had to wait for a PowerShell environment to spin up every time someone logged in?
Hopefully that makes sense.
Let me know if you have any questions on what I wrote and if you have any thoughts on how to accomplish what I am trying to accomplish efficiently! I can also provide some more code for clarity, but didn’t want to bog the thread down too much.
Thanks in advance!
-Jeff
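The pattern sketched in the post, written out as an added example (not code from the post and not PowerShell Universal's own API). It assumes the role script receives `$User` as a `System.Security.Claims.ClaimsPrincipal` and that AD group membership shows up as `GroupSid` claims; the role-to-SID map, the SIDs and the sample principal are constructed for the demo. Two details matter from a security standpoint: the check only looks at group SID claims rather than every claim's `Value`, so an unrelated claim type cannot satisfy it by accident, and whoever can edit the map file can grant themselves Administrator, so that file must be writable only by the people who administer the box.

```powershell
# Added example, not from the original post or from PowerShell Universal.
# Assumptions: $User is a ClaimsPrincipal and group membership arrives as
# GroupSid claims. Role names, SIDs and the JSON map below are constructed.
using namespace System.Security.Claims

# Constructed per-environment map. The same role script reads this on Dev and
# Prod; only the file contents differ. Keep the real file admin-writable only.
$roleMapJson = @'
{
  "Administrator": "S-1-5-21-1111111111-2222222222-3333333333-1105",
  "Operator":      "S-1-5-21-1111111111-2222222222-3333333333-1106"
}
'@

function Get-RoleSidMap {
    # Turns the JSON object into a hashtable of RoleName -> group SID.
    param([Parameter(Mandatory)][string]$Json)
    $obj = $Json | ConvertFrom-Json
    $map = @{}
    foreach ($p in $obj.PSObject.Properties) { $map[$p.Name] = [string]$p.Value }
    return $map
}

function Test-UserInRole {
    # Returns $true only if the principal carries a GroupSid claim whose value
    # equals the SID mapped to $Role. Unknown roles never match.
    param(
        [Parameter(Mandatory)][ClaimsPrincipal]$Principal,
        [Parameter(Mandatory)][hashtable]$RoleSids,
        [Parameter(Mandatory)][string]$Role
    )
    if (-not $RoleSids.ContainsKey($Role)) { return $false }
    $expected = $RoleSids[$Role]
    foreach ($claim in $Principal.Claims) {
        # Restrict the comparison to group SID claims; a Name or Email claim
        # should never be able to satisfy a group-membership check.
        if ($claim.Type -ne [ClaimTypes]::GroupSid) { continue }
        if ([string]::Equals($claim.Value, $expected, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed principal standing in for the $User a role script receives:
# a user who is a member of the Operator group but not the Administrator group.
$claims = [Claim[]]@(
    [Claim]::new([ClaimTypes]::Name, 'jeff'),
    [Claim]::new([ClaimTypes]::GroupSid, 'S-1-5-21-1111111111-2222222222-3333333333-1106')
)
$identity = [ClaimsIdentity]::new($claims, 'Windows')
$User = [ClaimsPrincipal]::new($identity)

$Roles = Get-RoleSidMap -Json $roleMapJson
Test-UserInRole -Principal $User -RoleSids $Roles -Role 'Operator'
Test-UserInRole -Principal $User -RoleSids $Roles -Role 'Administrator'
```

In a real role script the map would come from `Get-Content -Raw` on an environment-specific file path instead of the inline here-string, and the script body would be the single call `Test-UserInRole -Principal $User -RoleSids $Roles -Role 'Administrator'`, so the same script runs unchanged on Dev and Prod.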
