Hello,
I know that through the GUI, there is no way to assign multiple roles to a user.
Can this be done via script through the roles.ps1 to attach on another role to it or the login script? If so, an example would be great. I would like the users who have the role ‘x’ to be granted role ‘y’ as well.
Product: PowerShell Universal
Version: 2.10.2
Yes. I use AD for group memberships and have an account in two different groups. Roles based on the groups are assigned when I connect to the dashboard.
Here’s a snippet of my roles.ps1:
New-PSURole -Name 'Administrator' -Description 'Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA.' -Policy {
    param(
        $User
    )
    # Strip the DOMAIN\ prefix, if any, from the authenticated identity name
    $UserName = ($User.Identity.Name)
    $UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))
    $IsMember = $false;
    # Perform LDAP Group Member Lookup
    $Searcher = New-Object DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = 'LDAP://DC=domain,DC=com'
    $Searcher.Filter = '(&(objectCategory=person)(memberOf=CN=SEC_PowerShellUniversalAdmins,OU=Groups,DC=domain,DC=com))'
    $Users = $Searcher.FindAll()
    # The role is granted when the user appears among the group's direct members
    $Users | ForEach-Object {
        If ($_.Properties.samaccountname -eq $UserName -or $_.Properties.userprincipalname -eq $Username) { $IsMember = $true }
    }
    return $IsMember
}

New-PSURole -Name 'Operator' -Description 'Operators have access to manage and execute scripts, create other entities within UA but cannot manage UA itself.' -Policy {
    param(
        $User
    )
    # Strip the DOMAIN\ prefix, if any, from the authenticated identity name
    $UserName = ($User.Identity.Name)
    $UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))
    $IsMember = $false;
    # Perform LDAP Group Member Lookup
    $Searcher = New-Object DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = 'LDAP://DC=domain,DC=com'
    $Searcher.Filter = '(&(objectCategory=person)(memberOf=CN=SEC_PowerShellUniversalOperator,OU=Groups,DC=domain,DC=com))'
    $Users = $Searcher.FindAll()
    # The role is granted when the user appears among the group's direct members
    $Users | ForEach-Object {
        If ($_.Properties.samaccountname -eq $UserName -or $_.Properties.userprincipalname -eq $Username) { $IsMember = $true }
    }
    return $IsMember
}
$Roles in the dashboard will have both. You can verify with something like this in your dashboard: $Roles | Out-File C:\Temp\Roles.txt
1 Like
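
A variation on the policies in the answer above, added here as an example and not code from the post or from PowerShell Universal: it asks the directory about the one connecting user instead of listing every group member, escapes the name per RFC 4515 because it now goes into the filter, and can optionally follow nested groups (an extension beyond the post). The function names are hypothetical, and whether functions defined in roles.ps1 are visible inside a -Policy block is an assumption; if they are not, place the body inline.

```powershell
# Added example; function names are hypothetical, not part of PowerShell Universal.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters (\ * ( ) NUL) as \xx hex pairs
    # so a value placed in a search filter cannot change the filter's structure.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-GroupMemberFilter {
    param(
        [Parameter(Mandatory)][string]$IdentityName,  # DOMAIN\user or user@domain.com
        [Parameter(Mandatory)][string]$GroupDN,
        [switch]$Nested
    )
    # Same prefix strip as the posted policy: drop everything up to the backslash.
    $name  = ConvertTo-LdapFilterValue ($IdentityName.Substring($IdentityName.IndexOf('\') + 1))
    $group = ConvertTo-LdapFilterValue $GroupDN
    # 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN,
    # which also matches membership inherited through nested groups.
    $rule  = if ($Nested) { ':1.2.840.113556.1.4.1941:' } else { '' }
    "(&(objectCategory=person)(|(sAMAccountName=$name)(userPrincipalName=$name))(memberOf$rule=$group))"
}

function Test-GroupMember {
    param([string]$IdentityName, [string]$GroupDN, [string]$SearchRoot, [switch]$Nested)
    $searcher = New-Object DirectoryServices.DirectorySearcher
    try {
        $searcher.SearchRoot = $SearchRoot
        $searcher.Filter = Get-GroupMemberFilter -IdentityName $IdentityName -GroupDN $GroupDN -Nested:$Nested
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        # One targeted hit is enough; no need to enumerate the whole group.
        return $null -ne $searcher.FindOne()
    } finally {
        $searcher.Dispose()
    }
}

# Constructed inputs: a normal logon name and one carrying filter metacharacters.
# These two calls only build the filter strings, so they run without a domain.
$group = 'CN=SEC_PowerShellUniversalOperator,OU=Groups,DC=domain,DC=com'
Get-GroupMemberFilter -IdentityName 'DOMAIN\jdoe' -GroupDN $group
Get-GroupMemberFilter -IdentityName 'DOMAIN\*)(cn=*' -GroupDN $group -Nested

# Inside a -Policy block (needs domain access):
#   Test-GroupMember $User.Identity.Name $group 'LDAP://DC=domain,DC=com'
```

Each role keeps its own policy and its own group DN, so a user who satisfies both policies still receives both roles.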