When users sign in using OpenID, an “Identity” is created that has the role “Policy Defined”
Where do I go about changing what that is? - I’d like for new Accounts to just be “readers” for example
Product: PowerShell Universal
Version: 2.1.0
You can use the Roles to adjust this. Typically, people will do it based on group membership but you could also check user names.
1 Like
Thanks.
I updated my azure app manifest to "groupMembershipClaims": "ApplicationGroup",
Added two groups with direct members, on the app, and created two roles where the policy editor contains the following
param(
$User
)
$User.HasClaim("groups", "*GroupGUIDGoesHere*")
# Define your policy here
But even so, new Identities get the “Policy assigned” role, and full admin page access
Snip of Roles.ps1:
New-PSURole -Name "Visitors" -Description "A_PSU_SupportDashboard_Visitors" -Policy {
param(
$User
)
$User.HasClaim("groups", "f6e27845-9b23-...")
}
New-PSURole -Name "Admins" -Description "A_PSU_SupportDashboard_Admins" -Policy {
param(
$User
)
$User.HasClaim("groups", "4d9fe6e3-4999-...")
# Define your policy here
}
Did you remove the built in roles or do they have policies defined? Those scripts will dictate the access to the console.
New identities will always have a policy defined role. The only time that changes is if you manually change it for an identity.
Debugging shows that it seems to work. I was just unaware that all identites gets all the roles out of the box, which of course makes sense as all roles return $true. It was maybe a bit unintuitive that you also can assign roles manually.
Learning experience I guess 
Sep 13, 2021 10:42 AM [DBG]Administrator
Sep 13, 2021 10:42 AM [DBG]Operator
Sep 13, 2021 10:42 AM [DBG]Reader
Sep 13, 2021 10:42 AM [DBG]Execute
Sep 13, 2021 10:42 AM [DBG]Norlys Admins
Sep 13, 2021 10:47 AM [DBG]Administrator
Sep 13, 2021 10:47 AM [DBG]Operator
Sep 13, 2021 10:47 AM [DBG]Reader
Sep 13, 2021 10:47 AM [DBG]Execute
Sep 13, 2021 10:47 AM [DBG]Norlys Admins
1 Like