Permissions with roles and Scripts

Product: PowerShell Universal
Version: 5.0.5

Hi everyone,

I’ve just recently updated our PowerShell Universal instance from version 3 to version 5. Back in v3, I had tied a set of Entra groups to PSU roles, each of which had permissions to view and execute scripts with a specific tag. I.e., everyone in the NOC Entra group would be able to see all the NOC scripts and execute them on sign-in. Those in the service desk group would not see any scripts with the NOC tag (unless it also had the service desk tag).

With the switch to permissions in version 5, this functionality seems to be missing? I can still create new roles, but I can’t tie these to permissions in any way that I can see. There is a button to view permissions, but only the built-in roles have permissions attached. The official documentation is also conflicted on this: at the top it states “Custom roles can have custom permissions set.” but then under “Managing Permissions” it says “Roles currently cannot be assigned permissions.”

Beyond that, even if I could use the new permissions system, it seems I am now limited to all or nothing when it comes to the automation piece. Either users can read/write/execute all scripts, or none.

I do see an option to assign a role to a script, but this doesn’t appear to do anything? A user with “Read” permissions (via the built-in role) and the “NOC” role was able to execute any script I tried in the environment, with or without the NOC role assigned. Furthermore, the “Script Reader” role didn’t seem to work at all: assigning that to my Entra user displayed the role and permissions correctly under “My Identity” on login, but didn’t provide any access to the scripts portion of the dashboard.

I’m somewhere between bug, feature request, and question here but I mostly want to know if I am missing something with regards to how this is supposed to be set up or if this is expected behavior? At the end of the day, all I really want is to categorize my scripts so that certain scripts can’t be seen, modified, or executed by certain team members. The tags and access controls of past versions seemed to do this nicely. If there is a different/better way to do this now, I am open to it, but I don’t see it.

Hopefully that makes sense, thank you for reading my ramblings.

-Connor

Finally someone else is in the same situation as me! Updated to 5.07 to see if I would be able to assign tags to custom roles and give our DBA team permissions to scripts tagged with DBA and allow them to schedule them themselves, but this isn’t the case. I’ve completely lost the access control functionality, which effectively breaks my environment.

While roles can’t have custom permissions at the current moment, they can be used to assign access to certain resources by assigning those scripts to the role. For example, you could create NOC_Script1.ps1 and require authorization from the NOC Entra role within the script metadata. I am doing this for my API tokens and the endpoints they are used to access.

Hopefully that helps!
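The configuration the reply above describes, written out as an added example (this is not the poster’s own configuration or code from the PowerShell Universal project). It assumes the standard PSU configuration files under `.universal/`, the `New-PSURole`, `New-PSUScript`, `New-PSUEndpoint` and `Invoke-PSUScript` cmdlets with their `-Policy`, `-Role` and `-Wait` parameters, and that Entra ID emits group membership as `groups` claims; the group object IDs, script names and endpoint URL are placeholders.

```powershell
# .universal/roles.ps1
# Map an Entra group to a PSU role. Match on the group's object ID (placeholder GUIDs below),
# not its display name, so a renamed group cannot silently change who gets access.
New-PSURole -Name 'NOC' -Description 'Network operations team' -Policy {
    param($User)
    $User.HasClaim('groups', '00000000-0000-0000-0000-000000000000')   # placeholder
}

New-PSURole -Name 'ServiceDesk' -Description 'Service desk team' -Policy {
    param($User)
    $User.HasClaim('groups', '11111111-1111-1111-1111-111111111111')   # placeholder
}

# .universal/scripts.ps1
# Scope each script to the role(s) that may see and run it. A script with no -Role
# falls back to the built-in roles' permissions, so give every sensitive script one.
New-PSUScript -Name 'NOC_Script1.ps1' -Path 'NOC_Script1.ps1' -Role 'NOC'

# A script both teams need lists both roles (assumes -Role accepts multiple values).
New-PSUScript -Name 'Shared_Lookup.ps1' -Path 'Shared_Lookup.ps1' -Role 'NOC', 'ServiceDesk'

# .universal/endpoints.ps1
# The same role gate applied to an API endpoint that runs the script, so an API token
# issued to a ServiceDesk member cannot reach the NOC script through the REST API either.
New-PSUEndpoint -Url '/noc/script1' -Method 'POST' -Role 'NOC' -Endpoint {
    Invoke-PSUScript -Name 'NOC_Script1.ps1' -Wait
}
```

To check that the gate holds, sign in as a user whose claims only satisfy the ServiceDesk policy and confirm that NOC_Script1.ps1 is absent from Automation > Scripts and that a POST to /noc/script1 with that user’s API token is refused; a user with no matching group claim should see neither role under “My Identity”.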

Does that mean you are able to place a user in multiple roles? I haven’t been able to do that so far.

You should be able to do so using the GUI - what version are you on?

I am on version 5.0.15.

I have written my issue out in more detail in the following post:
https://forums.ironmansoftware.com/t/how-do-you-give-granular-permissions-to-scripts-in-v5/11663/2

Now, when I test with an account that has been created from an external source (in my case Azure), it seems that I can add him/her to an extra role.
Local accounts, however, throw me the following error:

Another issue is that, with users who have been provisioned from an external source by the use of claims, you don’t visually see which roles they have.