Example of creating a custom role in PSU and assign it to apps only as read

@Adam, can you provide example code, and where you run it, for creating a custom role and assigning it to apps as read? Please and thank you.

Product: PowerShell Universal
Version: 5.0.8

This can just be done within the GUI!

  1. Head to Security → Roles
  2. Add a new role - in this example, I’m using “Test Role” as the name:
  3. See the role created in your list of roles now.
  4. From here, the role can be assigned to users manually, through policy authentication, or through claims mapping. Relevant guides can be found in the documentation [1].
  5. Now, find a resource you would like to allow access for this role to. In my example, I’ll be using a test app, so I’ll go to Apps → Apps.
  6. Now, I’ll assign my role to the resource in the Security section.

    From here, you’re done! Anyone with “Test Role” can now access this resource on their portal. This does not allow them to edit the code for the app, it only allows them to use it (similar to Read & Execute).

The same process can be applied to API tokens - you can assign them to custom roles, allowing an app token to be scoped completely to a set of resources - endpoints, apps, etc.

Let me know if you have any other questions! Hope this helps!
〰ZG

Thank you for your example, but in this case you cannot modify what people with this role can do if, let's say, you want them just to have read.
I was playing with some code because I found that using the GUI you cannot accomplish what you want, and wanted to know if the code below is the correct approach or not for what I am looking for.

```powershell
# Define the role properties
$roleName = "MyRole"
$roleDescription = "A custom role for specific permissions"

# Define permissions
$permissions = @(
    @{
        ResourceType = "Apps"
        Actions = @("Read")
    }
) | ConvertTo-Json

# Create the custom role
New-PSURole -Name $roleName -Description $roleDescription -Permissions $permissions
```

Per the current documentation, there’s also this (unfortunately):

Roles can only be scoped to resources at the current moment. Use of built-in roles with their global scope is, to my knowledge, the only way to provide that level of access control. That being said, if you’re able to get that role to work with the permissions map, please reply here as that would be incredible information to have!

I was able to get it to work with the permissions map.
