Awesome! It does include the fix and I’m glad it’s much faster.
Hey @adam
I am trying to update the roles script above to utilize Get/Set-PSUCache, but am receiving this error when the policy script runs:
2022-02-24 15:07:02.257 -05:00 [ERR] The method or operation is not implemented.
I created a test script to verify it is working normally and it did set the cache correctly. If I set the policy script to use the cache: scope, it does work.
Update:
Looks like you cannot use the server-wide cache in the Management API…
This cmdlet can only be called within APIs, dashboards and scripts. You cannot access the server-wide cache through the PowerShell Universal Management API.
The other way I came up with is to store the group object IDs in the $env:UAPath location and then remove them nightly, something like that.
```powershell
New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
    param(
        $User
    )

    # '_claim_names' is present when the token hit the groups overage limit, so the
    # groups claim is missing and membership has to be looked up in Microsoft Graph.
    if ($User.Claims.Type -contains '_claim_names') {
        Try {
            $CacheKey = "$($User.Identity.Name)_Claims"
            $Path = Join-Path -Path $env:UAPath -ChildPath "Logins\$($CacheKey).txt"

            # Serve the answer from the per-user cache file when one exists.
            # The cache files are removed by a separate nightly job, not here.
            if (Test-Path -Path $Path) {
                $GroupObjectId = Get-Content -Path $Path
                return ($GroupObjectId -contains '<objectid>')
            }

            $AppSettings = Get-Content -Path "$env:UAPath\appsettings.json" | ConvertFrom-Json
            $ClientId = $AppSettings.Authentication.OIDC.ClientID
            $ClientSecret = $AppSettings.Authentication.OIDC.ClientSecret
            $TenantId = ($User.Claims | Where-Object Type -eq 'http://schemas.microsoft.com/identity/claims/tenantid').Value
            $UserId = ($User.Claims | Where-Object Type -eq 'http://schemas.microsoft.com/identity/claims/objectidentifier').Value

            # Client-credentials token for Microsoft Graph.
            $Params = @{
                Uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
                Body = @{
                    'client_id'     = $ClientId
                    'client_secret' = $ClientSecret
                    'scope'         = 'https://graph.microsoft.com/.default'
                    'grant_type'    = 'client_credentials'
                }
                Method = 'Post'
                ContentType = 'application/x-www-form-urlencoded'
                ErrorAction = 'Stop'
            }
            $Token = Invoke-RestMethod @Params | Select-Object -ExpandProperty access_token

            # Transitive group and directory-role membership of the signed-in user.
            $Params = @{
                Uri = "https://graph.microsoft.com/v1.0/$TenantId/users/$UserId/getMemberObjects"
                Headers = @{
                    Authorization = "Bearer $Token"
                }
                Method = 'Post'
                ContentType = 'application/json'
                Body = (@{
                    securityEnabledOnly = $false
                } | ConvertTo-Json)
                ErrorAction = 'Stop'
            }
            $GroupObjectId = (Invoke-RestMethod @Params).value

            # Write the cache file (-Force creates the Logins folder if needed) and discard
            # New-Item's FileInfo output so it does not leak into the policy result.
            $null = ($GroupObjectId | Out-String) | New-Item -Path $Path -Force
            return ($GroupObjectId -contains '<objectid>')
        }
        Catch {
            # A failed Graph lookup fails the policy instead of silently granting the role.
            throw $_
        }
    }
    else {
        return $User.HasClaim('groups', '<objectid>')
    }
}
```
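The nightly removal mentioned above, written out as an added example that is not part of the original post; the `Logins` folder under `$env:UAPath`, the `*_Claims.txt` file pattern and the 24-hour maximum age are assumptions that match the policy script's cache layout.

```powershell
# Added example: scheduled cleanup for the per-user claim cache files written by the
# role policy above. Not part of the original post; the Logins folder under $env:UAPath,
# the *_Claims.txt pattern and the 24-hour maximum age are assumptions.
function Remove-StaleClaimCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CachePath = (Join-Path -Path $env:UAPath -ChildPath 'Logins'),
        [timespan]$MaxAge = [timespan]::FromHours(24)
    )

    if (-not (Test-Path -Path $CachePath)) {
        Write-Verbose "Cache folder '$CachePath' does not exist; nothing to do."
        return 0
    }

    $Cutoff = (Get-Date) - $MaxAge
    $Removed = 0
    # Only the *_Claims.txt files the policy writes; anything else in the folder is left alone.
    Get-ChildItem -Path $CachePath -Filter '*_Claims.txt' -File |
        Where-Object LastWriteTime -lt $Cutoff |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove stale claim cache file')) {
                Remove-Item -Path $_.FullName -ErrorAction Stop
                $Removed++
            }
        }

    Write-Verbose "Removed $Removed stale cache file(s) older than $MaxAge from '$CachePath'."
    return $Removed
}

# Run nightly as a scheduled script; add -WhatIf to list what would be removed without deleting.
Remove-StaleClaimCache -Verbose
```

A cached file older than the maximum age forces the next login to query Graph again, so group removals take effect within one cleanup interval.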
I’ll open an issue for this. We should be able to support the cache in role scripts.