For a long time, I’ve been looking for a good way to let people run PowerShell scripts that do things they would not be able to with their own accounts. PS Universal seems like a great solution. I can get input from users, and execute commands in a controlled fashion with elevated permissions.
However, there’s a big issue at this point. If I make them Operators in PS Universal, they can execute scripts but also change them, which means I’ve given them rights not only to perform specific tasks as an elevated user, but anything they want to change the code to do.
Are there any ideas about how I can work around this limitation?
I don’t think there is a good way to work around this at the moment without doing some custom work in a UD dashboard that then runs the jobs. You could use an operator app token in the dashboard but limit access via the $Roles variable so users would only have access to run particular scripts. It’s certainly not a one-click deploy.
I think what I’ll do is get an execute-only role added to the platform in 1.5 because I agree that the operator role is a little too powerful for what you, and likely others, are looking for. We are also planning on allowing for more fine-grained control over roles and scripts (e.g. only certain custom roles could run a particular script etc) but that will likely fall into the 1.6 time frame.
Thanks Adam! An execute-only role sounds great. So does fine-grained control of roles/scripts, which I could see us also using. I look forward to seeing those features in the future.
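A sketch of the dashboard-side gate described in the reply above, added here as an example and not taken from the thread or from PowerShell Universal itself: it refuses any script the caller's roles do not explicitly grant before the operator app token is used. The role names, script names, the `Invoke-AllowedScript` function and the `-Runner` script block (standing in for whatever call starts the job with the app token) are all hypothetical.

```powershell
# Added illustration. The role names, script names and the -Runner script block
# are hypothetical; none of them come from the thread.

# Deny-by-default map: role name -> scripts that role may start.
$AllowedScripts = @{
    'Helpdesk' = @('Reset-UserPassword.ps1', 'Unlock-Account.ps1')
    'HR'       = @('New-Starter.ps1')
}

function Invoke-AllowedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $ScriptName,
        [AllowEmptyCollection()] [string[]]  $UserRoles = @(),  # pass $Roles here inside the dashboard
        [Parameter(Mandatory)] [hashtable]   $Policy,
        [Parameter(Mandatory)] [scriptblock] $Runner            # wraps the job call made with the operator app token
    )

    # Collect every script the caller's roles grant. Unknown roles grant nothing.
    $granted = foreach ($role in $UserRoles) {
        if ($Policy.ContainsKey($role)) { $Policy[$role] }
    }

    # -ccontains is an exact, case-sensitive match: no wildcards, no partial names.
    if (@($granted) -ccontains $ScriptName) {
        Write-Verbose "ALLOW $ScriptName for roles: $($UserRoles -join ',')"
        return & $Runner $ScriptName
    }

    # Refuse before the app token is ever used, and leave a trace for review.
    Write-Warning "DENY $ScriptName for roles: $($UserRoles -join ',')"
    throw "Not authorised to run '$ScriptName'."
}

# Constructed usage: the runner only echoes what it would start.
$runner = { param($name) "started $name" }
Invoke-AllowedScript -ScriptName 'Unlock-Account.ps1' -UserRoles @('Helpdesk') -Policy $AllowedScripts -Runner $runner
try {
    Invoke-AllowedScript -ScriptName 'New-Starter.ps1' -UserRoles @('Helpdesk') -Policy $AllowedScripts -Runner $runner
} catch { "blocked: $($_.Exception.Message)" }
```

The script name is checked against a fixed list rather than passed through from user input, so the elevated token can only ever start scripts an administrator has placed in the policy.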