Scripts - Role based access

Would it be possible to have role-based access for scripts, like endpoints and dashboards have? I would like to allow specific custom roles to execute certain scripts.

I saw this post but I wasn't sure if it's still on the roadmap? - Permissions on Scripts

You can set up a custom role and give it access to the scripts. What I found easier is to set up a custom role and also a tag, then link the role to the tag. Then you can just tag the scripts you want that person to be able to run.

Example

$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'Service-Desk' -Tag 'ServiceDesk' -Type $Type

This gives Execute and View access to anything tagged with ServiceDesk. The role name is Service-Desk, so anyone I put in that role (you can set it up so that the role works based on an AD group) will have View and Execute access on whatever script you tag with it.

Here is an example from the documents around just giving access to a script - Access Controls - PowerShell Universal

$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'ScriptRunner' -ObjectId 'OnBoarding.ps1' -ObjectType 'Script' -Type $Type

Hope this helps.
Mike

2 Likes

Interesting approach.

Where do you set those PSUAccessControl at? In the script itself or is that in the role script somewhere?

You add them to accessControls.ps1 (you can edit it from the GUI under Settings > Configurations).
The other nice thing about tags is you can see them right from the Scripts area, for example:

Mike
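Putting the pieces of the two replies above together (the custom role, the tag, the tagged script and the access control entry in accessControls.ps1), here is an added example of what the four configuration files could contain. This is not code from the original posts or from the PowerShell Universal project; the role and tag names, the script name, the group SID, the colour and the `-Description` parameters are illustrative assumptions, and the `New-PSURole`, `New-PSUTag` and `New-PSUScript` parameter names should be checked against the documentation for the installed version. It also goes one step beyond the replies by showing a second, narrower entry that grants View without Execute on a single script.

```powershell
# Added example, not from the original thread or the PowerShell Universal project.
# Each section below is the content of one file in a PowerShell Universal
# repository folder. Names, the group SID and the colour are placeholders.

# --- roles.ps1 ---
# Membership in the custom role is decided by the policy script block, which
# receives the signed-in user. With Windows/AD authentication, group membership
# arrives as groupsid claims, so the role is tied to an AD group by its SID.
# (The SID below is a placeholder, not a real group.)
New-PSURole -Name 'Service-Desk' -Description 'May run scripts tagged ServiceDesk' -Policy {
    param($User)
    $User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
                   'S-1-5-21-1111111111-2222222222-3333333333-1234')
}

# --- tags.ps1 ---
# The tag is the thing the access control entry points at; any object that
# carries it is covered by that entry.
New-PSUTag -Name 'ServiceDesk' -Description 'Runnable by the service desk' -Color '#0078d4'

# --- scripts.ps1 ---
# Tagging the script is what puts it inside the grant. Untagged scripts stay
# invisible to the Service-Desk role.
New-PSUScript -Name 'OnBoarding.ps1' -Path 'OnBoarding.ps1' -Tag 'ServiceDesk'

# --- accessControls.ps1 ---
# Execute and View on everything tagged ServiceDesk, for members of Service-Desk.
$ViewAndExecute = [PowerShellUniversal.AccessControlType]::View -bor
                  [PowerShellUniversal.AccessControlType]::Execute
New-PSUAccessControl -Role 'Service-Desk' -Tag 'ServiceDesk' -Type $ViewAndExecute

# A narrower entry for one untagged script: the role can open and read
# Reporting.ps1 but not run it. Grant Execute only where it is needed.
$ViewOnly = [PowerShellUniversal.AccessControlType]::View
New-PSUAccessControl -Role 'Service-Desk' -ObjectId 'Reporting.ps1' -ObjectType 'Script' -Type $ViewOnly
```

Two things worth keeping in mind with the tag approach. A tag is a grant that travels with the object, so anyone who can edit scripts.ps1 or apply tags in the admin console can widen what the Service-Desk role may execute; treat tag assignment as a privileged change and review it the same way as the access control file. And because View and Execute are separate flags, keep View-only entries for scripts a role only needs to read, rather than handing out the combined value everywhere.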

Just got around to doing this.

It's so nice!!!

2 Likes

I am running into a slight issue with this.

I created a custom role “Boarding” that has the tag “Boarding”

# This gives Execute and View access to anything tagged with Boarding.
$Type_Execute_View = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)

New-PSUAccessControl -Role "Boarding" -Tag "Boarding" -Type $Type_Execute_View

This works as expected and the user in the Boarding role is able to access dashboards and whatnot. However, I have some dashboards that run scripts under a different user context that I would like the Boarding team to have access to. It seems that, with the current implementation, users in the Boarding role cannot access variables?

My dashboard is using -GrantAppToken and in the dashboard I am using: Connect-UAServer -ComputerName $Hostname -AppToken $PSUAppToken

Currently running version 2.7.4. I did see this in the changelog but I'm not sure if it's related. https://docs.powershelluniversal.com/changelog#:~:text=Dashboards%3A%20Fixed%20an%20issue%20where%20-GrantAppToken%20would%20not%20generate%20a%20new%20app%20token%20even%20if%20the%20roles%20of%20the%20user%20were%20different

Any idea @adam?