Src/Private/Get-AbrVbrUserRoleAssignment.ps1
function Get-AbrVbrUserRoleAssignment { <# .SYNOPSIS Used by As Built Report to returns Veeam VBR roles assigned to a user or a user group. .DESCRIPTION Documents the configuration of Veeam VBR in Word/HTML/Text formats using PScribo. .NOTES Version: 0.8.12 Author: Jonathan Colon Twitter: @jcolonfzenpr Github: rebelinux Credits: Iain Brighton (@iainbrighton) - PScribo module .LINK https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VBR #> [CmdletBinding()] param ( ) begin { Write-PScriboMessage "Discovering Veeam VBR Roles information from $System." } process { try { Section -Style Heading3 'Roles and Users' { Paragraph "The following section provides information about roles assigned to users or groups." BlankLine $OutObj = @() try { $RoleAssignments = Get-VBRUserRoleAssignment foreach ($RoleAssignment in $RoleAssignments) { Write-PScriboMessage "Discovered $($RoleAssignment.Name) Server." $inObj = [ordered] @{ 'Name' = $RoleAssignment.Name 'Type' = $RoleAssignment.Type 'Role' = $RoleAssignment.Role } $OutObj += [pscustomobject](ConvertTo-HashToYN $inObj) } } catch { Write-PScriboMessage -IsWarning "Roles and Users Table: $($_.Exception.Message)" } if ($HealthCheck.Infrastructure.Settings) { $OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators' } | Set-Style -Style Warning -Property 'Name' } $TableParams = @{ Name = "Roles and Users - $VeeamBackupServer" List = $false ColumnWidths = 45, 15, 40 } if ($Report.ShowTableCaptions) { $TableParams['Caption'] = "- $($TableParams.Name)" } $OutObj | Sort-Object -Property 'Name' | Table @TableParams if ($HealthCheck.Infrastructure.BestPractice -and ($OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators' })) { Paragraph "Health Check:" -Bold -Underline BlankLine Paragraph "Security Best Practice:" -Bold BlankLine if ($OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators' }) { Paragraph { Text "Veeam recommends to give every Veeam admin his own admin account or add their admin account to the appropriate security group within Veeam and to remove the default 'Veeam Backup Administrator' role from local Administrators group, for traceability and easy adding and removal" } BlankLine Paragraph { Text -Bold "Reference:" } BlankLine Paragraph { Text "https://bp.veeam.com/security/Design-and-implementation/Roles_And_Users.html#roles-and-users" } BlankLine } } if ($VbrVersion -ge 12) { try { Section -ExcludeFromTOC -Style NOTOCHeading4 'Roles and Users Settings' { BlankLine $OutObj = @() try { try { $MFAGlobalSetting = [Veeam.Backup.Core.SBackupOptions]::get_GlobalMFA() } catch { Out-Null } try { $AutoTerminateSession = [Veeam.Backup.Core.SBackupOptions]::get_AutomaticallyTerminateSession() } catch { Out-Null } try { $AutoTerminateSessionMin = [Veeam.Backup.Core.SBackupOptions]::get_AutomaticallyTerminateSessionTimeoutMinutes() } catch { Out-Null } try { $UserActionNotification = [Veeam.Backup.Core.SBackupOptions]::get_UserActionNotification() } catch { Out-Null } try { $UserActionRetention = [Veeam.Backup.Core.SBackupOptions]::get_UserActionRetention() } catch { Out-Null } foreach ($RoleAssignment in $RoleAssignments) { Write-PScriboMessage "Discovered Roles and Users Settings." $inObj = [ordered] @{ 'Is MFA globally enabled?' = $MFAGlobalSetting 'Is auto logoff on inactivity enabled?' = $AutoTerminateSession 'Auto logoff on inactivity after' = "$($AutoTerminateSessionMin) minutes" 'Is Four-eye Authorization enabled?' = $UserActionNotification 'Auto reject pending approvals after' = "$($UserActionRetention) days" } $OutObj = [pscustomobject](ConvertTo-HashToYN $inObj) } } catch { Write-PScriboMessage -IsWarning "Roles and Users Settings Table: $($_.Exception.Message)" } if ($HealthCheck.Infrastructure.Settings) { $OutObj | Where-Object { $_.'Is MFA globally enabled?' -like 'No' } | Set-Style -Style Warning -Property 'Is MFA globally enabled?' foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq 'No' })) { $OBJ.'Is MFA globally enabled?' = "* " + $OBJ.'Is MFA globally enabled?' } $OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' -like 'No' } | Set-Style -Style Warning -Property 'Is auto logoff on inactivity enabled?' foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' -eq 'No' })) { $OBJ.'Is auto logoff on inactivity enabled?' = "** " + $OBJ.'Is auto logoff on inactivity enabled?' } $OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -like 'No' } | Set-Style -Style Warning -Property 'Is Four-eye Authorization enabled?' foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -eq 'No' })) { $OBJ.'Is Four-eye Authorization enabled?' = "*** " + $OBJ.'Is Four-eye Authorization enabled?' } } $TableParams = @{ Name = "Roles and Users Settings - $VeeamBackupServer" List = $True ColumnWidths = 40, 60 } if ($Report.ShowTableCaptions) { $TableParams['Caption'] = "- $($TableParams.Name)" } $OutObj | Table @TableParams if ($HealthCheck.Infrastructure.BestPractice -and ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq '* No' -or $_.'Is auto logoff on inactivity enabled?' -eq '** No' -or $_.'Is Four-eye Authorization enabled?' -eq '*** No' })) { Paragraph "Health Check:" -Bold -Underline BlankLine Paragraph "Security Best Practice:" -Bold BlankLine if ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq '* No' }) { Paragraph { Text "* To ensure comprehensive security, it's crucial to implement MFA across all user accounts. By using a combination of different authentication factors like passwords, biometrics, and one-time passcodes, you create layers of security that make it harder for attackers to gain unauthorized access." } BlankLine } if ($OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' -eq '** No' }) { Paragraph { Text "** Limiting the length of inactive sessions can help protect sensitive information and prevent unauthorized account access." } BlankLine } if ($OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -eq '*** No' }) { Paragraph { Text "*** Veeam recommends configuring Four-eye Authorization to be able to protect against accidental deletion of backup and repositories by requiring an approval from another Backup Administrator." } BlankLine } } } } catch { Write-PScriboMessage -IsWarning "Roles and Users Settings Section: $($_.Exception.Message)" } } } } catch { Write-PScriboMessage -IsWarning "Roles and Users Section: $($_.Exception.Message)" } } end {} } |