Scripts/Principals/Add-CohesityProtectionSourceForPrincipal.ps1

function Add-CohesityProtectionSourceForPrincipal {
    <#
        .SYNOPSIS
        Specify the security identifier (SID) of the principal to grant access permissions for protection source.
        .DESCRIPTION
        Add Protection Sources that the specified principal has permissions to access.
 
        .NOTES
        Published by Cohesity
        .LINK
        https://cohesity.github.io/cohesity-powershell-module/#/README
        .EXAMPLE
        Add-CohesityProtectionSourceForPrincipal -PrincipalType "GROUP" -PrincipalName user-group1 -ProtectionSourceObjectIds 121,344
        Add protection sources ids 121 and 344 to grant access to user-group1
        .EXAMPLE
        Add-CohesityProtectionSourceForPrincipal -PrincipalType "USER" -PrincipalName user1 -ProtectionSourceObjectIds 121,344
        Add protection sources ids 121 and 344 to grant access to user1
        .EXAMPLE
        Get-CohesityProtectionSourceObject -Environments KVMware | Add-CohesityProtectionSourceForPrincipal -PrincipalType USER -PrincipalName user1
        Using pipe add all VMware objects to grant access to user1.
    #>

    [OutputType('System.Collections.Hashtable')]
    [CmdletBinding(DefaultParameterSetName = "DefaultParameters", SupportsShouldProcess = $True, ConfirmImpact = "High")]
    Param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("USER", "GROUP")]
        # Principal type "USER" or "GROUP" to differentiate between cohesity user and group.
        [string]$PrincipalType,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        # Principal name of "USER" or "GROUP" type.
        [string]$PrincipalName,
        [Parameter(Mandatory = $true, ParameterSetName = "DefaultParameters")]
        [Parameter(Mandatory = $false, ParameterSetName = "PipedProtectionSourceObject")]
        [ValidateNotNullOrEmpty()]
        # The protection source object ids to grant access for the principal,
        # use Get-CohesityProtectionSourceObject to identify the desired one.
        [long[]]$ProtectionSourceObjectIds,
        [Parameter(Mandatory = $false, ParameterSetName = "PipedProtectionSourceObject", ValueFromPipeline = $true, DontShow = $true)]
        # Piped object for protection source object id.
        [object]$PipedProtectionSourceObject
    )

    Begin {
        $cohesitySession = CohesityUserProfile
        $cohesityCluster = $cohesitySession.ClusterUri
        $cohesityToken = $cohesitySession.Accesstoken.Accesstoken
        $pipedProtectionSourceObjectIds = @()
    }

    Process {
        if ($PipedProtectionSourceObject.Id) {
            $pipedProtectionSourceObjectIds += $PipedProtectionSourceObject.Id
        }
    }

    End {
        if ($PSCmdlet.ShouldProcess($PrincipalName)) {
            switch ($PrincipalType) {
                "USER" {
                    $userDetail = Get-CohesityUser -Names $PrincipalName | where-object { $_.Username -eq $PrincipalName }
                    if (-not $userDetail) {
                        Write-Output "User '$PrincipalName' not found."
                        return
                    }
                    if ($userDetail.restricted -eq $false) {
                        $userDetail.restricted = $true
                        Set-CohesityUser -UserObject $userDetail -Confirm:$false | Out-Null
                    }
                }
                "GROUP" {
                    $userGroupDetail = Get-CohesityUserGroup -Name $PrincipalName | where-object { $_.name -eq $PrincipalName }
                    if (-not $userGroupDetail) {
                        Write-Output "User group '$PrincipalName' not found."
                        return
                    }
                    if ($userGroupDetail.restricted -eq $false) {
                        $userGroupDetail.restricted = $true
                        Update-CohesityUserGroup -UserGroupObject $userGroupDetail -Confirm:$false | Out-Null
                    }
                }
            }
            $principalDetail = Get-CohesityProtectionSourceForPrincipal -PrincipalType $PrincipalType -PrincipalName $PrincipalName
            if (-not $principalDetail.Sid) {
                Write-Output "Not found '$PrincipalName' of principal type '$PrincipalType', please use 'Get-CohesityUser' or 'Get-CohesityUserGroup' to identify the desired one."
                return
            }
            $updatedProtectionSourceObjectIds = @()
            if ($ProtectionSourceObjectIds) {
                $protectionSourceObjects = Get-CohesityProtectionSourceObject
                foreach ($Id in $ProtectionSourceObjectIds) {
                    if ($protectionSourceObjects.Id -notcontains $Id) {
                        Write-Output "Protection source id '$Id' not found"
                        return
                    }
                }
                $updatedProtectionSourceObjectIds += $ProtectionSourceObjectIds
            }
            else {
                # we got the ids in piped object
                if ($pipedProtectionSourceObjectIds.Count -eq 0) {
                    Write-Output "No protection source object ids found through piped object."
                    return
                }
                $updatedProtectionSourceObjectIds += @($pipedProtectionSourceObjectIds)
            }
            if ($principalDetail.ProtectionSources) {
                $updatedProtectionSourceObjectIds += @($principalDetail.ProtectionSources.Id)
            }
            $updatedViewNames = @()
            if ($principalDetail.Views) {
                $updatedViewNames += @($principalDetail.Views.Name)
            }

            $cohesityClusterURL = $cohesityCluster + '/irisservices/api/v1/public/principals/protectionSources'
            $cohesityHeaders = @{'Authorization' = 'Bearer ' + $cohesityToken }

            $sourcesForPrincipalObject = @{
                protectionSourceIds = $updatedProtectionSourceObjectIds
                sid                 = $principalDetail.Sid
                viewNames           = $updatedViewNames
            }
            $payload = @{
                sourcesForPrincipals = @($sourcesForPrincipalObject)
            }
            $payloadJson = $payload | ConvertTo-Json -Depth 100
            Invoke-RestApi -Method Put -Uri $cohesityClusterURL -Headers $cohesityHeaders -Body $payloadJson
            if (204 -eq $Global:CohesityAPIStatus.StatusCode) {
                @{Response = "Success"; Method = "Put"; }
            }
            else {
                $errorMsg = $Global:CohesityAPIStatus.ErrorMessage + ", Protection source and view permission : Failed to add"
                Write-Output $errorMsg
                CSLog -Message $errorMsg
            }
        }
    }
}