Dynamically add Roles and Tags?

Editing this post to make more sense.

I have an external source of “Customers”; when making automations, dashboards, etc. for these groups of customers, I'd like them to be able to see the data/logs/status of the stuff we make for them.

To accomplish this they need to be assigned a role and a tag, as far as I know.

There don't seem to be built-in functions for this - adding logic to Roles.ps1 and Tags.ps1 will eventually be replaced by PSU.

Right now it seems that simply appending strings to the conf files is the only solution; any other solutions are welcome - I also need ideas for how I would go about removing the Roles and Tags related to a customer if needed.

My current idea is to grab the database of customers and check if a role exists with the same name (e.g. CustomerID_0001).
If they exist, use Set-PSUTag or Set-PSURole to update their description if needed.

If they do not exist run something like

$RoleName = "CustomerTest"
$RoleDescription = "Test Description"
# Here-string: $RoleName/$RoleDescription are expanded now, `$User is escaped so it
# stays a literal $User in the generated roles.ps1 text.
$NewRole = @"

New-PSURole -Name "$($RoleName)" -Description "$($RoleDescription)" -Policy {
param(
[Security.ClaimsPrincipal]`$User
)

# Policy body is still a placeholder in this draft (nothing returned = no access).
#`$true
}

"@

Add-Content -Path "$env:ProgramData\UniversalAutomation\Repository\.universal\roles.ps1" -Value $NewRole

of course with logic to check if they are a member of a group based on a group ID inside the database.

I don’t know if PSU supports "Nested Roles", hmm

New-PSURole -Name "CustomerRoles" -Description "DoNotDelete" -Policy {
param(
[Security.ClaimsPrincipal]$User
)
  Foreach ($CustomerID in $Customers){
    New-PSURole -Name "$CustomerID" -Description "" -Policy {
  
      IF ($User.ismemberofGroup) {
          return $True
      }
    }
  }
}

I don’t see any way of doing something similar for Tags, though.

For Roles

$Customers = Invoke-SqlCmd2 -Query $Query -ServerInstance $server -Database $Database -As PSObject
Foreach($Customer in $Customers ){
    if(Get-PSURole -Name $Customer.CustomerID){
        Write-Host "The Role $($Customer.CustomerID) already exists"
    } else {

        $RoleName = $Customer.CustomerID
        # Use the current row ($Customer), not the whole collection ($Customers)
        $RoleDescription = $Customer.Customer_Description
        $NewRole = @"

        New-PSURole -Name "$($RoleName)" -Description "$($RoleDescription)" -Policy {
        param(
        [Security.ClaimsPrincipal]`$User
        )

        # Policy body still to be filled in (group check against the database)
        #`$true
        }

"@

        Add-Content -Path "$env:ProgramData\UniversalAutomation\Repository\.universal\roles.ps1" -Value $NewRole -Force
        Write-Host "The Role $($Customer.CustomerID) has been created"
        Start-Sleep -Seconds 1
    }
}

For Tags

$Customers = Invoke-SqlCmd2 -Query $Query -ServerInstance $server -Database $Database -As PSObject
Foreach($Customer in $Customers ){
    if(Get-PSUTag -Name $Customer.CustomerID){
        Write-Host "The Tag $($Customer.CustomerID) already exists"
    } else {

        $TagName = $Customer.CustomerID
        # Use the current row ($Customer), not the whole collection ($Customers)
        $TagDescription = $Customer.Customer_Description
        $NewTag = @"
New-PSUTag -Name "$($TagName)" -Color "#d4380d" -Description "$($TagDescription)"
"@

        Add-Content -Path "$env:ProgramData\UniversalAutomation\Repository\.universal\tags.ps1" -Value $NewTag -Force
        Start-Sleep -Seconds 1
        Write-Host "The Tag $($Customer.CustomerID) has been created"
    }
}

Next up AccessControl :sweat_smile:

Feel free to jump in at any point @adam and tell me that there is an easier way, and if this will explode in my face at some point.

You could include this logic in read-only regions within roles.ps1 and tags.ps1. Then PSU won’t replace it when you make updates in the console. The roles and tags you generate should also be read-only in the console.

#region PSUHeader

# Runs every time PSU loads tags.ps1, so the tag set always mirrors the table
$Customers = Invoke-SqlCmd2 -Query $Query -ServerInstance $server -Database $Database -As PSObject
Foreach($Customer in $Customers ){
     $TagName = $Customer.CustomerID
     # Current row ($Customer), not the whole collection ($Customers)
     $TagDescription = $Customer.Customer_Description
     New-PSUTag -Name "$($TagName)" -Color "#d4380d" -Description "$($TagDescription)"
}

#endregion

New-PSUTag -Name 'I am a static tag!'
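An added example (my code, not the thread's or PowerShell Universal's): it keeps the "generate into roles.ps1" approach from the first post but rewrites the whole PSUHeader region on each run rather than appending, so re-running does not duplicate entries, a customer dropped from the table loses its role, and the values are validated and single-quoted before they are written into a script PSU executes (a description containing a quote or `$(...)` would otherwise become code in roles.ps1). The GroupID column, the `CustomerID_0001` name format and the `'groups'` claim type are assumptions; the query, columns, region markers and file path are taken from the thread.

```powershell
# Added example: rebuild the dynamic part of roles.ps1 from the customer table.
# Assumptions: columns CustomerID, Customer_Description and GroupID; group
# membership arrives as a 'groups' claim on the PSU user.
$RolesFile    = "$env:ProgramData\UniversalAutomation\Repository\.universal\roles.ps1"
$StartMark    = '#region PSUHeader'
$EndMark      = '#endregion'
$IdPattern    = '^CustomerID_\d{4}$'      # assumed role-name format, e.g. CustomerID_0001
$GroupPattern = '^[A-Za-z0-9\-]+$'        # SIDs / GUIDs only; anything else is rejected

function ConvertTo-PSLiteral {
    param([string]$Value)
    # A single-quoted literal never interpolates, so doubling the quote is the only escape needed.
    "'" + ($Value -replace "'", "''") + "'"
}

function New-CustomerRoleBlock {
    param([object[]]$Customers)
    $lines = @($StartMark)
    foreach ($c in $Customers) {
        if ($c.CustomerID -notmatch $IdPattern -or $c.GroupID -notmatch $GroupPattern) {
            Write-Warning "Skipping customer '$($c.CustomerID)': unexpected CustomerID or GroupID"
            continue
        }
        $name  = ConvertTo-PSLiteral $c.CustomerID
        $desc  = ConvertTo-PSLiteral ([string]$c.Customer_Description)
        $group = ConvertTo-PSLiteral $c.GroupID
        # Grant the role only to users carrying the customer's group claim.
        $lines += "New-PSURole -Name $name -Description $desc -Policy { param(`$User) `$User.HasClaim('groups', $group) }"
    }
    $lines += $EndMark
    $lines -join [Environment]::NewLine
}

$Customers = Invoke-SqlCmd2 -Query $Query -ServerInstance $server -Database $Database -As PSObject
$block     = New-CustomerRoleBlock -Customers $Customers
$existing  = if (Test-Path $RolesFile) { Get-Content $RolesFile -Raw } else { '' }
$match     = [regex]::Match($existing, '(?s)' + [regex]::Escape($StartMark) + '.*?' + [regex]::Escape($EndMark))
if ($match.Success) {
    # Replace the previously generated block in place; static roles outside the region are untouched.
    $updated = $existing.Substring(0, $match.Index) + $block + $existing.Substring($match.Index + $match.Length)
} else {
    $updated = $block + [Environment]::NewLine + $existing
}
Set-Content -Path $RolesFile -Value $updated -Encoding UTF8
```

tags.ps1 gets the same treatment with a generated `New-PSUTag` line per customer instead of `New-PSURole`.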

well there you go, thanks!

Well, almost.

If I try to delete one of the tags from the Admin panel, it won't succeed, but it will create a new static entry for all other tags.

Same for roles :frowning:
I may be misunderstanding something. I’m unable to edit tags outside the region as well, and trying to will create entries for all “dynamic” roles.