Use UA Variables in API

Is this possible? Or are they only available in Automation?

Trying to plan for using this in the future, and I wasn’t sure.

Not right now but we plan to make variables available in APIs and Dashboards.

Hi @adam,

Any idea when this will be available? :slight_smile:

Many thanks in advance for your feedback!

Cheers

This will be part of the 1.4 release. We are going to be implementing a new feature to include variables, modules and other assets in all features of PSU.

Hi!

Is that feature already implemented? If so, how can I configure variables/modules that all endpoints/role definitions/you-name-it would share?

Thanks!

You can configure this by configuring environments: https://docs.ironmansoftware.com/config/environments

Good news is that I went in the right direction, but I guess I’m doing something wrong…?

My environments.ps1:

# Definition of the Get-GroupSid function, which I skip as it is not too relevant here...

$claimsMap = @{
    Bamboo = Get-GroupSid -Name AMS_APP_UD_Bamboo_DLG
    CommVaultAdmin = Get-GroupSid -Name AMS_RemotingPolicy_CommVaultApi_DLG
    Default = Get-GroupSid -Name 'Domain Users'
    DnsAdmin = Get-GroupSid -Name AMS_RemotingEndpoint_DnsApis_DLG
    iDracApi = Get-GroupSid -Name AMS_APP_UD_iDrac_DLG
    InfraTechAppAccounts = Get-GroupSid -Name AMS_Admin_TECH_Infra_DGG
}

New-PSUEnvironment -Name "5.1.14393.3866" -Path "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Variables @('*')

What am I doing wrong…? :wink:

So the variables is referring to PSU variables. In your variables.ps1 file you’ll want to do:

New-PSUVariable -Name 'Bamboo' -Value (Get-GroupSid -Name AMS_APP_UD_Bamboo_DLG)
New-PSUVariable -Name 'CommVaultAdmin' -Value (Get-GroupSid -Name AMS_RemotingPolicy_CommVaultApi_DLG)

We don’t support complex values yet. Only strings for these types of variables. Then you can use the same environments.ps1.

New-PSUEnvironment -Name "5.1.14393.3866" -Path "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Variables @('*')

Now, in your API, you’ll be able to do just:

$Bamboo

Seems to work fine in the APIs, but not so much in roles…
My variables (using cmdlet instead of alias to keep my editor quiet):

New-UAVariable -Name SIDBamboo -Value (Get-GroupSid -Name AMS_APP_UD_Bamboo_DLG)
New-UAVariable -Name SIDCommVaultAdmin -Value (Get-GroupSid -Name AMS_RemotingEndpoint_CommVaultApi_DLG)
New-UAVariable -Name SIDDnsAdmin -Value (Get-GroupSid -Name AMS_RemotingEndpoint_DnsApis_DLG)
New-UAVariable -Name SIDiDracApi -Value (Get-GroupSid -Name AMS_APP_UD_iDrac_DLG)
New-UAVariable -Name SIDDefault -Value (Get-GroupSid -Name 'Domain Users')

Works fine in /vars API defined like this:

New-PSUEndpoint -Url /vars -Endpoint {
    Get-Variable -Name SID* | ConvertTo-Json
}

But I don’t seem to get any of the roles I would expect when my roles.ps1 has code like this:

New-PSURole -Name DnsAdmin -Description "Access to DNS POST/DELETE/PUT endpoints" -Policy {
    Param (
        [Security.ClaimsPrincipal]$User
    )

    $User.HasClaim(
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
        $SIDDnsAdmin
    )
}

Is that expected to work, or am I just trying to use functionality that is not there at all…? :slight_smile:

Hmmm it should work. Let me open an issue for this and take a look. The security features should use the environment settings as well.

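One way to tell "user is not in the group" apart from "the variable never reached the policy" is to exercise the policy body outside PSU against a constructed principal. This is an added example, not part of the thread and not PSU's own code: `Test-RolePolicy` is a hypothetical helper, the SID is a made-up sample value, and the fresh runspace only stands in for a runspace where `$SIDDnsAdmin` may or may not be defined.

```powershell
# Added example. The SID and the identity below are constructed sample values.
$claimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'

$identity = [System.Security.Claims.ClaimsIdentity]::new('ConstructedAuth')
$identity.AddClaim([System.Security.Claims.Claim]::new($claimType, $sampleSid))
$user = [System.Security.Claims.ClaimsPrincipal]::new($identity)

# Role policy body with a guard: a missing variable is reported, not silently denied.
$policy = {
    Param($User)
    if ([string]::IsNullOrEmpty($SIDDnsAdmin)) {
        Write-Warning 'SIDDnsAdmin is not defined in this runspace; denying role.'
        return $false
    }
    $User.HasClaim(
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
        $SIDDnsAdmin
    )
}

# Hypothetical helper: run a policy in a fresh runspace that holds only $Variables.
function Test-RolePolicy {
    param([scriptblock]$Policy, $User, [hashtable]$Variables = @{})
    $ps = [powershell]::Create()
    try {
        foreach ($entry in $Variables.GetEnumerator()) {
            $ps.Runspace.SessionStateProxy.SetVariable($entry.Key, $entry.Value)
        }
        $null = $ps.AddScript($Policy.ToString()).AddArgument($User)
        $output = $ps.Invoke()
        [pscustomobject]@{
            Granted  = [bool]($output | Select-Object -Last 1)
            Warnings = @($ps.Streams.Warning | ForEach-Object { $_.Message })
        }
    }
    finally { $ps.Dispose() }
}

# Variable present: the claim matches and the role is granted.
Test-RolePolicy -Policy $policy -User $user -Variables @{ SIDDnsAdmin = $sampleSid }
# Variable absent: the role is denied and the warning names the cause.
Test-RolePolicy -Policy $policy -User $user
```

Without the guard, an unset variable makes the claim check fail without saying why, which looks the same as a user who is simply not in the group.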