Universal Automation is the automation platform for PowerShell. It provides the ability to run PowerShell scripts, schedule them, view output and, as described in this post, enforce who has access to manage the UA instance, execute scripts and view the results.
About RBAC in Universal Automation
Universal Automation does not provide authentication services directly. You can configure Universal Dashboard to provide authentication and Authorization for end-users trying to access the UA dashboard. Universal Automation uses JSON Web Tokens to validate a user’s privileges when accessing the UA REST API.
Universal Automation tracks users and other applications interacting with the system based on their Identity. This identity can be provided one of three roles.
Identities with the Administrator role can do anything in UA. This means they can do things such as create and run scripts, adjust UA configuration options and delete other identities. They can also grant app tokens for Identities that are not themselves.
Identities with the Operator role can do most day-to-day operations within UA. The can do things such as create and run scripts, setup schedules, respond to feedback and cancel jobs. They can only grant app tokens for their own Identity.
Identities with the Reader role have a read-only view of UA and the UA dashboard. They cannot modify anything within UA and can only view the results of jobs, examine which scripts are created and see some configuration options within UA. They can’t grant app tokens at all.
To enable authentication and authorization in UA, you can use the Enable-UAAuthentication cmdlet. Once authentication is enabled, you cannot disable it.
The Enable-UAAuthentication cmdlet will return the System AppToken. This AppToken has the Administrator role. The only time this AppToken is accessible is when starting the UA server via Start-UAServer. Start-UAServer will return the System AppToken so that the UA dashboard can interact with UA.
Later in this post, we will see how to configure UD to provide AppTokens specific to the user logging in.
Managing Identities and Roles via the Command Line
To create new identities and assign roles to them in UA, you can use the New-UAIdentity and Get-UARole cmdlets. When you create a new Identity with a Role, any app tokens created for that Identity will automatically
Here is an example of creating a new Identity and AppToken for an Reader user.
You can now use this AppToken to interact with the UA API via the UA cmdlets. You’ll notice that the Reader user cannot modify the UA instance in any way.
Configuring Authentication and Authorization in the Dashboard
The UA Dashboard can be configured to use any authentication method that UD supports. Then, we can create an authorization policy that will run and assign an AppToken to the user logging into the UA Dashboard.
In this example, I have a simple form-based authentication method that checks the user name of the user logging in and assigns a role based on that user name. You could use a similar authorization policy to check group membership from something like Active Directory or Azure Active Directory.
The UA Dashboard is already configured to check the user’s role and will hide certain functionality based on which role they are a part of. As you can see, this user is a Reader and does not have the Execute Script buttons in the grid.
In this post, we looked at how to configure authentication and authorization for Universal Automation. As mentioned, you can use any Universal Dashboard authentication method for your UA Dashboard. To learn more about UD authentication and authorization, visit the docs.