Permission Issue - RBAC - Policy not working

Product: PowerShell Universal
Version: 3.9.6

I have an issue with role-based access control.
Although it is configured, any user that logs in gets full admin permissions.

P.S.: I think the roles.ps1 seemed to work on the previous version, because I was not able to log in while I was not in the AD group.

Authentication.ps1:

param(
    [PSCredential]$Credential
)

$Result = [Security.AuthenticationResult]::new()
if ($Credential.UserName -eq 'Admin' -or $Credential.UserName -eq 'admin')
{
    # Maintain the out-of-box admin user
    $Result.UserName = 'Default Admin'
    $Result.Success = $true
}
else
{
    # Bind to the domain using the logged-on user's credentials - this validates their credential
    $CurrentDomain = 'LDAP://DC=DOMAIN,DC=LOCAL' # Insert your domain here
    $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    if ($null -eq $domain.name)
    {
        # "Authentication failed for $($Credential.UserName)!" | Out-File 'C:\Logs\adlogin.txt'
        # Note: this cmdlet emits its own result object to the pipeline, in addition to $Result below
        New-PSUAuthenticationResult -ErrorMessage 'Bad username or password'
        $Result.UserName = $Credential.UserName
        $Result.Success = $false
    }
    else
    {
        Write-Host "Successfully authenticated with domain $($domain.name)"
        # Out-File without -Append overwrites the log file on every login
        "Authentication success for $($Credential.UserName)!" | Out-File 'C:\Logs\adlogin.txt'
        $Result.UserName = $Credential.UserName
        $Result.Success = $true
    }
}

$Result

Roles.ps1:

New-PSURole -Name 'Administrator' -Description 'Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal.' -Policy {
    <#
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
    Policies should return $true or $false to determine whether the user has the particular
    claim required for that role.

    $false
    #>

    param(
        [Security.ClaimsPrincipal]$User
    )

    $GroupToCheck = @('PSU Admins', 'PSU System')
    $UserName = $User.Identity.Name
    # Strip the DOMAIN\ prefix so only the sAMAccountName remains
    $UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))

    $UserGroups = (Get-ADUser $UserName -Properties MemberOf).MemberOf | Get-ADGroup | Select-Object Name
    $IsMember = $false

    if ([bool]($UserGroups -match $GroupToCheck[0]) -or [bool]($UserGroups -match $GroupToCheck[1]))
    {
        $IsMember = $true
        "$UserName is a member of admin group!" | Out-File C:\Test.txt
    }
    else {
        # This string is written to the pipeline (not to the file), so it becomes part of the policy's output
        "$UserName is NOT member of admin group!"
    }

    $IsMember
} -DefaultRoute '/admin'
New-PSURole -Name 'Operator' -Description 'Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself.' -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
    Policies should return $true or $false to determine whether the user has the particular
    claim required for that role.
    #>

    $false
} -Disabled
New-PSURole -Name 'Reader' -Description 'Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system.' -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
    Policies should return $true or $false to determine whether the user has the particular
    claim required for that role.
    #>

    $false
} -Disabled
New-PSURole -Name 'Execute' -Description 'Execute scripts within PowerShell Universal.' -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
    Policies should return $true or $false to determine whether the user has the particular
    claim required for that role.
    #>

    $false
} -Disabled
New-PSURole -Name 'User' -Description 'Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages.' -Policy {
    <#
    param(
        [Security.ClaimsPrincipal]$User
    )

    <#
    Policies should return $true or $false to determine whether the user has the particular
    claim required for that role.

    $false
    #>

    param(
        [Security.ClaimsPrincipal]$User
    )

    $GroupToCheck = 'PSU Users'
    $UserName = $User.Identity.Name
    # Strip the DOMAIN\ prefix so only the sAMAccountName remains
    $UserName = $UserName.Substring($UserName.IndexOf('\') + 1, ($UserName.Length - ($UserName.IndexOf('\') + 1)))

    $UserGroups = (Get-ADUser $UserName -Properties MemberOf).MemberOf | Get-ADGroup | Select-Object Name
    $IsMember = $false

    if ([bool]($UserGroups -match $GroupToCheck))
    {
        $IsMember = $true
        "$UserName is a member of admin group!" | Out-File C:\Test.txt
    }
    else {
        # This string is written to the pipeline (not to the file), so it becomes part of the policy's output
        "$UserName is NOT member of admin group!"
    }

    $IsMember
} -DefaultRoute '/landing-page'

I just verified that the basics were working. I didn’t validate against AD but just did something like:

$User.Identity.Name -eq 'admin'

I was able to login with admin but not my other users.

Can you verify that you are seeing the "$UserName is a member of admin group!" message in your text file?

Yes, I can see "is a member of admin group!" in the file.

I just noticed that you aren’t outputting the false case to the file.

    "$UserName is a member of admin group!" | Out-File C:\Test.txt
}
else {
    "$UserName is NOT member of admin group!"

Can you try changing it to this?

    "$UserName is a member of admin group!" | Out-File C:\Test.txt
}
else {
    "$UserName is NOT member of admin group!" | Out-File C:\Test.txt
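An added example (not code from this thread or from the PowerShell Universal project) showing why the missing Out-File on the false branch matters. A policy script block's result is whatever reaches its pipeline, so a bare string in the else branch is emitted alongside the final $IsMember, and a caller that coerces that output to a boolean sees a non-empty array and treats it as granted. The example assumes such boolean coercion of the policy output (an assumption about the host, not documented here), replaces Get-ADUser with a constructed in-memory membership table so it runs offline, and places a hardened policy that emits exactly one [bool] next to the leaky shape from the thread:

```powershell
# Constructed membership table standing in for Get-ADUser/Get-ADGroup (assumption: offline stand-in only).
$ConstructedMembership = @{
    'alice' = @('PSU Admins', 'Domain Users')
    'bob'   = @('Helpdesk', 'Domain Users')
}

function Get-ConstructedGroups {
    param([string]$SamAccountName)
    $ConstructedMembership[$SamAccountName]
}

# Same shape as the policy posted in the thread: the else-branch string is never
# captured, so it leaks into the policy's pipeline output next to $IsMember.
$LeakyPolicy = {
    param([System.Security.Principal.IPrincipal]$User)
    $UserName = $User.Identity.Name
    if ($UserName.Contains('\')) { $UserName = $UserName.Split('\')[-1] }   # strip DOMAIN\
    $IsMember = $false
    if ((Get-ConstructedGroups $UserName) -contains 'PSU Admins') {
        $IsMember = $true
    }
    else {
        "$UserName is NOT member of admin group!"   # <- emitted to the pipeline, not to a file
    }
    $IsMember
}

# Hardened policy: diagnostics go to the verbose stream, and the only pipeline
# output is a single [bool], so the result cannot be polluted by a log line.
$StrictPolicy = {
    param([System.Security.Principal.IPrincipal]$User)
    $UserName = $User.Identity.Name
    if ($UserName.Contains('\')) { $UserName = $UserName.Split('\')[-1] }
    $Groups = @(Get-ConstructedGroups $UserName)
    $IsMember = $Groups -contains 'PSU Admins'
    Write-Verbose "$UserName admin-group membership: $IsMember"
    return [bool]$IsMember
}

# Invoke a policy the way a host would and report what it actually returned.
function Test-Policy {
    param([scriptblock]$Policy, [string]$UserName)
    $identity  = [System.Security.Principal.GenericIdentity]::new($UserName)
    $principal = [System.Security.Principal.GenericPrincipal]::new($identity, [string[]]@())
    $output = @(& $Policy $principal)      # collect everything the policy emitted
    [pscustomobject]@{
        User        = $UserName
        OutputCount = $output.Count
        Output      = ($output | ForEach-Object { "$_" }) -join ' | '
        Granted     = [bool]$output        # assumption: host coerces the whole output to [bool]
    }
}

foreach ($u in 'DOMAIN\alice', 'DOMAIN\bob') {
    Test-Policy -Policy $LeakyPolicy  -UserName $u
    Test-Policy -Policy $StrictPolicy -UserName $u
}
```

For bob, who is not in PSU Admins, the leaky policy returns two objects (the message string and $false); PowerShell treats a multi-element array as true, so Granted is True even though $IsMember was $false. The strict policy returns a single $false and Granted is False. The practical check for any policy file is therefore that every branch writes its diagnostics to a file, Write-Verbose or Write-Host, and that the block's pipeline carries only the final boolean.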

I don't know what happened, but it seems to work now. I changed the end to return $IsMember
and added, under Access Controls → Create access control: Access control type: Object;
Object Type: Dashboard;
Role: Helpdesk;
Access Type: View & Execute (17).

Another small issue: when I logged in using a helpdesk user and navigated to the /admin page,
I got this page:

instead of an access denied screen.