Multiple Roles for RBAC for Dashboards

Product: PowerShell Universal
Version: 1.5.10

Wondering if there is a way to assign multiple roles to a dashboard for access:

currently:
$Pages += New-UDPage -Name 'Test' -Content {
    New-UDTypography -Text "This is what displays"
} -NavigationLayout permanent -Role 'PageAccess'

Wondering about the following (which doesn’t seem to work, but I’m wondering if it’s possible or needs to be addressed differently):
$Pages += New-UDPage -Name 'Test' -Content {
    New-UDTypography -Text "This is what displays"
} -NavigationLayout permanent -Role 'PageAccess','Administrator','AdditionalRole'

We just added support for multiple roles on a dashboard level:

New-PSUDashboard -Name xyz -Role @("Admin", "PageAccess") 

But we have not implemented it on a page level. I will open an issue for this and get it added in our next version.

Thanks as always Adam… much appreciated

@adam was this ever addressed? I am looking into a better way to handle RBA down to the page level where it’s a bit easier to manage.

Currently, I’m doing something like this but I also have to grant those same roles in the dashboard as well. Kind of weird that I have to grant the admin access to things as well.

image

Let me know if you would like more information.

What you are using is what we implemented based on this discussion. The problem was that you could only assign a single role to a page, but now you can assign multiple.

I guess I’d like to better understand what you’re after and then can make some suggestions.

Ahh my mistake.

What I was trying to do was simplify the RBA for a dashboard that has many pages.

  • My environment has a few custom roles

    • Boarding
    • request
  • This dashboard has all of the roles (minus reader) since all of those roles are used within a page somewhere.
    image

After going over the documentation and reading what a few others were doing, is this best practice to control roles per page?


$UDScriptRoot = $PSScriptRoot

<# RBA for pages #>
# Base roles granted on every page; page-specific roles are appended below.
$InherRoles    = @('Administrator', 'Operator', 'Execute')
$RequestRoles  = $InherRoles + 'Request'
$BoardingRoles = $InherRoles + 'Boarding'
$ToolsRoles    = $InherRoles + 'Boarding' + 'Request'

# Navigation shown to every signed-in user (no role filtering here).
$RootNavigation = {
    New-UDListItem -Label "Welcome! $User" -Icon (New-UDIcon -Icon user)
    New-UDListItem -Label "Boarding" -Icon (New-UDIcon -Icon Users) -OnClick {
        Invoke-UDRedirect -Url '/boarding'
    }
    New-UDListItem -Label "Request" -Icon (New-UDIcon -Icon AddressBook) -OnClick {
        Invoke-UDRedirect -Url '/request'
    }
    New-UDListItem -Label "Tools" -Icon (New-UDIcon -Icon Toolbox) -Children {
        New-UDListItem -Label "Lookup AD User" -Href '/ADUser'
    }
}

$Pages = @()

# Each page lists the roles allowed to open it.
$Pages += New-UDPage -Name "Boarding" -Content {
    New-UDTabs -Tabs {
        New-UDTab -Text 'AD User Lookup' -Content { . "$UDScriptRoot\boarding\ADUserLookup.ps1" }
        New-UDTab -Text 'Offboard' -Content { . "$UDScriptRoot\boarding\Offboard.ps1" }
    }
} -Role $BoardingRoles

$Pages += New-UDPage -Name 'Request' -Content { . "$UDScriptRoot\Request\Printer.ps1" } -Role $RequestRoles
$Pages += New-UDPage -Name 'ADUser' -Content { . "$UDScriptRoot\boarding\ADUserLookup.ps1" } -Role $ToolsRoles
$Pages += New-UDPage -Name 'Home' -Content { . "$UDScriptRoot\Home.ps1" } -Role $InherRoles

New-UDDashboard -Title 'Service Delivery' -Pages $Pages -LoadNavigation $RootNavigation

  • Also in this case I have navigation items showing up for a user that might not have access to that page. Is there an easy way to hide that?

Was this built in a way that you have to grant Admin access to everything even if that page might have reader access or something?

Hope this makes sense.
Thanks

After doing some more research I found the following https://github.com/ironmansoftware/universal-active-directory/blob/main/dashboards/ActiveDirectory/ActiveDirectory.ps1#L27

Protect-UDSection -Role @("Administrator", "OtherRole") -Children {
    New-UDListItem -Label "Tools" -Icon (New-UDIcon -Icon Users) -OnClick {
        Invoke-UDRedirect -Url '/tools'
    }
}

I think you’re going about this as designed. I’d be open to hear some ideas for making it easier. As for granting administrator to everything, I think that makes sense and we should probably just implement that internally.
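
The following is an added example, not code from the thread or from Ironman Software. It drives both the page `-Role` lists and the `Protect-UDSection` navigation wrappers from one role map, so a hidden link and the page's access check cannot drift apart. The `$PageRoles` map and the placeholder page content are assumptions; the cmdlets and parameters are the ones shown in the thread.

```powershell
# Added example: a single role map is the source of truth for page access
# and for navigation visibility. Role and page names come from the thread;
# $BaseRoles, $PageRoles and the placeholder content are hypothetical.
$BaseRoles = @('Administrator', 'Operator', 'Execute')

$PageRoles = [ordered]@{
    Home     = $BaseRoles
    Boarding = $BaseRoles + 'Boarding'
    Request  = $BaseRoles + 'Request'
    ADUser   = $BaseRoles + 'Boarding' + 'Request'
}

# Fail closed: refuse to build the dashboard if any page has no roles,
# rather than publishing a page without a role restriction.
foreach ($name in $PageRoles.Keys) {
    if (@($PageRoles[$name]).Count -eq 0) {
        throw "Page '$name' has no roles assigned"
    }
}

# The page's -Role is the access check. Hiding a navigation link alone
# does not stop a user from requesting the page URL directly.
$Pages = @(
    foreach ($name in $PageRoles.Keys) {
        New-UDPage -Name $name -Role $PageRoles[$name] -Content {
            New-UDTypography -Text 'Placeholder content'
        }
    }
)

# Navigation: each link is wrapped with the same role list as its page,
# so users only see links to pages they are allowed to open.
# Assumes $PageRoles is visible inside this script block, in the same way
# the thread's code uses $UDScriptRoot inside -Content.
$Navigation = {
    foreach ($name in $PageRoles.Keys) {
        Protect-UDSection -Role $PageRoles[$name] -Children {
            New-UDListItem -Label $name -Href "/$name"
        }
    }
}

New-UDDashboard -Title 'Service Delivery' -Pages $Pages -LoadNavigation $Navigation
```

Adding a page or a role then means editing one entry in `$PageRoles`, and the startup check catches an entry left without roles.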