Scripts - Role based access

Would it be possible to have role-based access for scripts like endpoints and dashboards have? I would like to allow specific custom roles to execute certain scripts.

I saw this post but I wasn't sure if it's still on the roadmap? - Permissions on Scripts

You can set up a custom role and give it access to the scripts. What I found easier is to set up a custom role and also a tag. Link the role to the tag. Then you can just tag the scripts you want that person to be able to run.

Example

$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'Service-Desk' -tag 'ServiceDesk' -Type $Type

This gives Execute and View access to anything tagged with ServiceDesk. The role name is Service-Desk. So anyone I put in that role (you can set it up so that role works based on AD group) will have View and Execute access on whatever script you tag with it.

Here is an example from the documents around just giving access to a script - Access Controls - PowerShell Universal

$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'ScriptRunner' -ObjectId 'OnBoarding.ps1' -ObjectType 'Script' -Type $Type

Hope this helps.
Mike

2 Likes

Interesting approach.

Where do you set those PSUAccessControl at? In the script itself or is that in the role script somewhere?

You add them to accessControls.ps1 (you can edit it from the GUI under Settings > Configurations).
The other nice thing about tags is you can see them right from the scripts area… example

Mike
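
For reviewing who can run what, here is an added example (not code from this thread or from PowerShell Universal) that parses the contents of an accessControls.ps1 with the PowerShell AST, without executing it, and lists each grant with a flag for Execute access. The function name `Get-AccessControlGrant` is hypothetical, the sample input is constructed from the two grants quoted above, and only the `-Name value` parameter form is handled.

```powershell
using namespace System.Management.Automation.Language

# Constructed sample: the two grants quoted in this thread. For a real review,
# load your own file with Get-Content -Raw instead.
$sample = @'
$Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'Service-Desk' -tag 'ServiceDesk' -Type $Type
New-PSUAccessControl -Role 'ScriptRunner' -ObjectId 'OnBoarding.ps1' -ObjectType 'Script' -Type $Type
'@

# Get-AccessControlGrant is a hypothetical helper name, not a PowerShell Universal cmdlet.
function Get-AccessControlGrant {
    param([Parameter(Mandatory)][string]$Content)

    # Parse only; nothing in the file is executed.
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Content, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "Parse error: $($errors[0].Message)" }

    # Record the source text of each assignment so that '-Type $Type' can be resolved.
    $vars = @{}
    foreach ($a in $ast.FindAll({ $args[0] -is [AssignmentStatementAst] }, $true)) {
        $vars[$a.Left.Extent.Text.TrimStart('$')] = $a.Right.Extent.Text
    }

    $calls = $ast.FindAll({ $args[0] -is [CommandAst] -and
            $args[0].GetCommandName() -eq 'New-PSUAccessControl' }, $true)
    foreach ($call in $calls) {
        $grant = [ordered]@{ Role = $null; Tag = $null; ObjectId = $null; ObjectType = $null; Type = $null }
        $el = $call.CommandElements
        for ($i = 1; $i -lt $el.Count - 1; $i++) {
            if ($el[$i] -isnot [CommandParameterAst] -or -not $grant.Contains($el[$i].ParameterName)) { continue }
            $value = $el[$i + 1]
            $grant[$el[$i].ParameterName] =
                if ($value -is [StringConstantExpressionAst]) { $value.Value }
                elseif ($value -is [VariableExpressionAst]) { $vars[$value.VariablePath.UserPath] }
                else { $value.Extent.Text }
        }
        # Reduce the -Type expression to the flag names it mentions.
        $flags = [regex]::Matches([string]$grant.Type, 'AccessControlType\]::(\w+)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        $grant.Type = $flags -join ','
        $grant.CanExecute = $flags -contains 'Execute'
        [pscustomobject]$grant
    }
}

Get-AccessControlGrant -Content $sample | Format-Table -AutoSize
```

A tag-based grant shows up with `Tag` set and `ObjectId` empty, which marks the rows where access also depends on who is allowed to tag scripts.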