Role-based access controls
In this lecture, we go through roles and how to use them to limit which features users can access in PowerShell Universal. We'll assign roles based on Windows group membership, first via claim-to-role mapping and then via policy scripts. Next, we'll look at the various features, such as APIs, dashboards, and pages, to see how users with different roles are affected. Finally, we'll assign the Execute role and see how it changes what a user sees in the admin console.
Policy script to check claims
param(
    [Security.ClaimsPrincipal]$User
)
<#
A policy receives the authenticated user as a ClaimsPrincipal and must return
$true or $false to indicate whether the user holds the claims required for the role.
Replace "claimType" and "claimValue" with the claim type URI and the value to match
(for a Windows group, the groupsid claim type and the group's SID).
#>
$User.HasClaim("claimType", "claimValue")
roles.ps1
# Administrator is assigned by claim-to-role mapping: any user whose groupsid claim
# matches this Windows group SID receives the role, and no policy script runs.
New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities within PowerShell Universal." -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -ClaimValue "S-1-5-21-3266693409-3616515432-668607786-1006"
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts and create other entities within PowerShell Universal, but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    <#
    Policies must return $true or $false to indicate whether the user holds the
    claims required for this role. Returning $false means nobody receives the
    Operator role until a real claim check is written here.
    #>
    $false
}
New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    <#
    Returning $true unconditionally grants this role to every authenticated user.
    The lecture uses this to demonstrate the role's effect; replace it with a claim
    check (for example $User.HasClaim(...)) before relying on it.
    #>
    $true
}
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    <#
    As above: $true grants Execute to every authenticated user, which is what the
    lecture assigns at the end to show its effect on the admin console.
    #>
    $true
}
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )
    <#
    Every authenticated user receives this role, so resources assigned to "User"
    are visible to anyone who can sign in.
    #>
    $true
}
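The policy scripts above either deny everyone or admit everyone. The following roles.ps1 is an added example, not code from the lecture or from the PowerShell Universal project, showing the same cmdlets with policies that grant a role only on Windows group membership and deny by default. The group SIDs and the service-account name are placeholders; substitute your own. It also shows that a policy can combine several checks, which the single-claim example above does not.

```powershell
# Added example roles.ps1 (not from the lecture). All SIDs and account names are placeholders.
# Claim-to-role mapping for Administrator: one claim type, one value, no policy script.
New-PSURole -Name 'Administrator' -Description 'Full control of PowerShell Universal.' `
    -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' `
    -ClaimValue 'S-1-5-21-0000000000-0000000000-0000000000-1001'   # placeholder: PSU Admins group

# Operator via a policy: a member of any one of several groups qualifies.
# The claim type URI is repeated inside the script block because the policy runs
# at authentication time in its own scope; variables from this file are not available.
New-PSURole -Name 'Operator' -Description 'Manage and run scripts; cannot change server settings.' -Policy {
    param([Security.ClaimsPrincipal]$User)

    $OperatorGroups = @(
        'S-1-5-21-0000000000-0000000000-0000000000-1002',   # placeholder: Automation Operators
        'S-1-5-21-0000000000-0000000000-0000000000-1003'    # placeholder: Tier-2 Helpdesk
    )
    foreach ($Sid in $OperatorGroups) {
        if ($User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid', $Sid)) {
            return $true
        }
    }
    $false   # deny by default
}

# Reader via a policy that combines a group check with an exact identity match.
New-PSURole -Name 'Reader' -Description 'Read-only access.' -Policy {
    param([Security.ClaimsPrincipal]$User)

    $InReaderGroup = $User.HasClaim(
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
        'S-1-5-21-0000000000-0000000000-0000000000-1004')   # placeholder: PSU Readers group

    # A dedicated audit account is admitted by name. Compare exactly (-eq), never by
    # prefix or wildcard, so 'CONTOSO\svc-audit2' does not also match.
    $IsAuditor = $User.Identity.Name -eq 'CONTOSO\svc-audit'   # placeholder account

    [bool]($InReaderGroup -or $IsAuditor)
}

# Execute and User are deliberately not defined as $true for everyone here; add them
# with the same group-based pattern when a group should hold them.
```

Each policy ends with a single boolean expression and nothing else, since any extra output from the script block is not what the server evaluates. Because the group SID, not the group name, is matched, renaming the group in Active Directory does not silently change who gets the role.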
Dashboard that uses $Roles
# $Roles is populated by PowerShell Universal with the signed-in user's role names,
# so this dashboard pops one toast per role the current user holds.
New-UDDashboard -Title 'PowerShell Universal' -Content {
    $Roles | ForEach-Object { Show-UDToast $_ }
}
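Listing roles in a toast shows that $Roles is available, but the practical use is gating what the dashboard renders and does. The dashboard below is an added example, not code from the lecture, and assumes that $Roles is also populated inside the button's -OnClick handler and that a script named Restart-Service.ps1 exists; the button's action is a placeholder toast.

```powershell
# Added example (not from the lecture): render controls per role and re-check the role
# inside the event handler before doing anything privileged.
New-UDDashboard -Title 'Role-aware dashboard' -Content {
    # $Roles holds the signed-in user's role names (provided by PowerShell Universal).
    New-UDTypography -Text "Your roles: $($Roles -join ', ')"

    $CanOperate = ($Roles -contains 'Administrator') -or ($Roles -contains 'Operator')

    if ($CanOperate) {
        New-UDCard -Title 'Operations' -Content {
            New-UDButton -Text 'Restart service' -OnClick {
                # Hiding the button is not authorization. Re-evaluate the role here
                # (assumption: $Roles is available in the handler) so a session whose
                # role was removed after the page rendered cannot trigger the action.
                if (-not (($Roles -contains 'Administrator') -or ($Roles -contains 'Operator'))) {
                    Show-UDToast -Message 'Not permitted.' -Duration 5000
                    return
                }
                # Placeholder for the privileged action, e.g.
                # Invoke-PSUScript -Name 'Restart-Service.ps1'   (script name is assumed)
                Show-UDToast -Message 'Restart requested.' -Duration 5000
            }
        }
    }
    else {
        New-UDTypography -Text 'You have read-only access; operational controls are hidden.'
    }
}
```

Because $Roles is computed server-side from the roles.ps1 policies, a client cannot forge it; the check in the handler guards against a role change that happened after the page was rendered, not against tampering with the browser.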