So far our PU deployment has been pretty simple so we have gotten by with users in only one or 2 roles.
We now, however, want to start to make more dashboards and give multiple people access to various boards depending on job role. I tried adding some roles like this:
Role Name: Group-A
param(
    $User
)
if ($User.HasClaim("groups","AD-Group-A"))
{
    $true
}
else
{
    $false
}
and then
Role Name: Group-B
param(
    $User
)
if ($User.HasClaim("groups","AD-Group-B"))
{
    $true
}
else
{
    $false
}
But if I put an AD user into both AD groups they only seem to get matched to one role, not both.
Am I doing this wrong?
So if I am doing this correctly and therefore a user can only have 1 role, is there anybody else that has done more granular access to dashboards? Do I need to look at claims-based access?
I have users in multiple roles, but I do the checking differently:
New-PSURole -Name "ROLE NAME" -Description "ROLE DESCRIPTION" -Policy {
    param(
        $User
    )
    #
    # Policies should return $true or $false to determine whether the user has the particular
    # claim that require them for that role.
    #
    $groupMember = Get-ADGroupMember GROUPNAME | Select-Object -ExpandProperty samaccountname
    if ($groupMember -contains $User.identity.name.replace("DOMAIN\", "")) {
        $true
    }
    else {
        $false
    }
}
Each role looks pretty much the same as this.
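To check the two `HasClaim` policies from the question independently of the server, this added example (not code from either poster or from PowerShell Universal) runs them against constructed users and lists the claims each user carries. It assumes the policy's `$User` behaves like a .NET `ClaimsPrincipal`; `New-TestUser`, `Get-MatchedRole`, and the user names are hypothetical.

```powershell
# Added example: evaluate role policies offline against constructed users.
# Assumption: the $User handed to a policy behaves like
# System.Security.Claims.ClaimsPrincipal (it exposes HasClaim and Identity.Name).

function New-TestUser {
    # Hypothetical helper: builds a principal carrying one "groups" claim per group.
    param([string]$Name, [string[]]$Groups)
    $claims = [System.Collections.Generic.List[System.Security.Claims.Claim]]::new()
    $claims.Add([System.Security.Claims.Claim]::new(
        [System.Security.Claims.ClaimTypes]::Name, $Name))
    foreach ($g in $Groups) {
        $claims.Add([System.Security.Claims.Claim]::new('groups', $g))
    }
    $identity = [System.Security.Claims.ClaimsIdentity]::new($claims, 'Constructed')
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

function Get-MatchedRole {
    # Hypothetical helper: runs every policy and emits each role whose policy is $true.
    param($User, $Policies)
    foreach ($role in $Policies.Keys) {
        $policy = $Policies[$role]
        if (& $policy $User) { $role }
    }
}

# The two policies from the question, reduced to the HasClaim test they perform.
$policies = [ordered]@{
    'Group-A' = { param($User) $User.HasClaim('groups', 'AD-Group-A') }
    'Group-B' = { param($User) $User.HasClaim('groups', 'AD-Group-B') }
}

# Constructed users: one with both group claims as written in the policies,
# one whose second claim value differs only in letter case.
$both  = New-TestUser -Name 'DOMAIN\alice' -Groups 'AD-Group-A', 'AD-Group-B'
$cased = New-TestUser -Name 'DOMAIN\bob'   -Groups 'AD-Group-A', 'ad-group-b'

foreach ($u in $both, $cased) {
    $roles = @(Get-MatchedRole -User $u -Policies $policies)
    '{0} -> roles: {1}' -f $u.Identity.Name, ($roles -join ', ')
    # List the claims so the policy values can be compared with what was issued.
    $u.Claims | ForEach-Object { '    {0} = {1}' -f $_.Type, $_.Value }
}
```

`HasClaim(type, value)` on a `ClaimsPrincipal` compares the claim value case-sensitively, so the second constructed user matches only Group-A while the first matches both.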