Product: PowerShell Universal
Just got PS Universal and excited to get everything moved to it. I am messing around with pages and permissions and am not getting the expected behavior( I am probably doing something wrong).
I created a new role ( Service-Desk) and manually added 2 accounts to it(by going to the accounts and selecting the role from the drop down, Windows Auth is setup).
I then create a page and add the Service-desk role and also the Administrator role.
When I go to the page with the admin account I see the logo on the top left along with navigation and the page description below.
When I go to the page via the account with the service-desk role nothing is displayed just a white screen. If I remove the account from the new role I get the Unauthorized so I know permissions are working. I added a button to the page and the admin sees the button but the Service-Desk does not see it. Is this expected behavior or am I doing something wrong?
This should work. I’ll test it out in my lab and report back.
Hey Adam, It looks like this was fixed in 2.7.0. It looks like it gets further but still have problems.
The user can now see the page and the form on it but if they click any button they get an Error! page.
I have tested on a few different pages.
Can you grab me a log from that machine and send it my way? I’m curious what the 500 error is.
Sure, are you talking about the log for PSU or something else and how would you like me to send it over?
I’m looking for the PSU logs. You can download them from Settings \ General \ Diagnostics.
I dont see a way to send them through the form. How do you want me to get them to you? do you want me to enable debugging and re-produce before exporting them also?
You can email me at email@example.com to get them to me.
Please reproduce and then export. It may have a previous error in there but if you reproduce first, it’ll be easy to correlate.
I can reproduce this. The issue happens when the user does not have the permissions to execute the script. We need to improve the user experience here.
Here’s how I worked around it. I have a custom role page that is assigned to my custom role.
I have created a script that I want to execute from the page.
I setup my form to call the script.
The final step is to setup access controls to allow access to the script from the custom role. In accessControls.ps1, I’ve assigned the role view and execute permissions directly to the script.
$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'Custom' -ObjectId 'Scripts\AccessControls.ps1' -ObjectType 'Script' -Type $Type
Now my custom role can execute the form.
Giving access to the script would allow them to go into the admin psu and run it right? Will do some more playing around but i figured if they had access to the page that is all they needed and did not have to give individual script access.
This worked, to make it easier I created a tag and assigned the permissions to the tag. This way I just need to take the script and I can see who has access. I do wish the admin side was gated behind a permission so users do not stumble apron it. While it does not show them to much other then jobs ran and by who.
Thank you for your time