Role-Based Access In Admin Console

Sorry if I overlooked this in the docs somewhere, but how does role-based access work with respect to the admin console? I have Windows Auth working successfully but am wondering if it’s possible to restrict access to various elements within the admin console to roles other than the default roles.

Additionally, with Windows Auth is there a way to force a role refresh? For example if I move myself from the AD group that is associated with the Administrator role to the AD group associated with the Reader role and clear my browser cache, I still have Administrator access. Restarting the PowerShell Universal service on the app server doesn’t seem to help either. Would I need to reboot my PC to refresh my Kerberos ticket?

Product: PowerShell Universal
Version: 2.3.0

Hey AlexK, for Windows Auth in general, if you add a user to a new AD group, you will need to trigger a logout event (either log off and log back in, or restart your computer) in order for that permission to refresh. Hope that helps!

Hi @alexk,
we somehow got a similar issue.
The AD auth works fine: I create a user, put him into a group called
PowerShellUniversal - Execute, and after the first login the user has only the “policy defined” role:


but, the log says the user is also member of the Administrators role…

Ok, after some digging I found the solution myself.
Someone took the sample script

param(
$User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Substring($UserName.IndexOf('\')+1,($UserName.Length -($UserName.IndexOf('\')+1)))

$IsMember = $false;

# Perform LDAP Group Member Lookup: enumerate every member of the admin group
# and compare each sAMAccountName with the logged-in user
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://CN=Users,DC=berg,DC=com' # INSERT ROOT LDAP HERE
$Searcher.Filter = "(&(objectCategory=person)(memberOf=CN=PowerShell Universal Admins,OU=Information Technology,DC=berg,DC=com))" #GROUP INSERT DN TO CHECK HERE
$Users = $Searcher.FindAll()
$Users | ForEach-Object{
    If($_.Properties.samaccountname -eq $UserName)
    {
        $IsMember = $true;
        "$UserName is a member of admin group!" | Out-File "C:\test\adgroup.txt"
    }
    else {
        "$UserName is NOT member of admin group!" | Out-File "C:\test\adgroup.txt"
    }
}

return $IsMember

and commented the Out-File out

param(
$User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Substring($UserName.IndexOf('\')+1,($UserName.Length -($UserName.IndexOf('\')+1)))

$IsMember = $false;

# Perform LDAP Group Member Lookup
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://CN=Users,DC=berg,DC=com' # INSERT ROOT LDAP HERE
$Searcher.Filter = "(&(objectCategory=person)(memberOf=CN=PowerShell Universal Admins,OU=Information Technology,DC=berg,DC=com))" #GROUP INSERT DN TO CHECK HERE
$Users = $Searcher.FindAll()
$Users | ForEach-Object{
    If($_.Properties.samaccountname -eq $UserName)
    {
        $IsMember = $true;
        # with Out-File commented out, this string is now written to the output stream
        "$UserName is a member of admin group!" #| Out-File "C:\test\adgroup.txt"
    }
    else {
        # same here: one string per non-matching group member ends up in the output
        "$UserName is NOT member of admin group!" #| Out-File "C:\test\adgroup.txt"
    }
}

return $IsMember

This resulted in the scenario that, as soon as one of the several configured groups had at least one member, the user was evaluated as a member :neutral_face:

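A version of the role policy script with that output problem removed, added here as an example and not code from this thread or from PowerShell Universal. It scopes the LDAP query to the logged-in account instead of enumerating the whole group, escapes the account name before placing it in the filter, and routes every diagnostic through Write-Verbose so the only thing the script emits is the boolean. The LDAP paths are the sample DNs from the post above and are assumed to fit your directory.

```powershell
param(
    $User
)

# Windows Auth hands us DOMAIN\sAMAccountName; keep only the account part
$UserName = $User.Identity.Name
$UserName = $UserName.Substring($UserName.IndexOf('\') + 1)

# Escape the RFC 4515 filter metacharacters so the account name cannot alter
# the query (the backslash must be replaced first)
$Escaped = $UserName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# Sample DNs from the post above; replace with your own
$SearchRoot = 'LDAP://CN=Users,DC=berg,DC=com'
$GroupDn    = 'CN=PowerShell Universal Admins,OU=Information Technology,DC=berg,DC=com'

# Ask the directory for this one account, and only if it is a direct member of
# the group. memberOf does not follow nested groups; use the matching rule
# memberOf:1.2.840.113556.1.4.1941:= instead if nested membership should count.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = [ADSI]$SearchRoot
$Searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Escaped)(memberOf=$GroupDn))"
# Add() returns an Int32; [void] keeps that number out of the output stream
[void]$Searcher.PropertiesToLoad.Add('sAMAccountName')

$Match = $Searcher.FindOne()
$IsMember = ($null -ne $Match)

# Diagnostics go to the verbose stream, never to the output stream: whatever
# reaches the output is what the role evaluation sees, which is the bug above
if ($IsMember) {
    Write-Verbose "$UserName is a member of $GroupDn"
} else {
    Write-Verbose "$UserName is NOT a member of $GroupDn"
}

return $IsMember
```

Run it once per role with the matching group DN; a user who is absent from the group yields exactly one value, $false, regardless of how many other members the group has.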