Public/Utils/Permissions/Set-DSEntityPermissions.ps1
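function Set-DSEntityPermissions {
    <#
    .SYNOPSIS
        Sets the permissions on a given entity.
    .DESCRIPTION
        Sets the permissions on a given entity (Vault, folder or entry).

        The entity is fetched with Get-DSEntry, its 'security' object is rewritten
        from the supplied permissions, its 'data' is re-protected with
        Protect-ResourceToHexString, and the whole entry is sent back with a PUT
        to /api/connections/partial/save.

        Every name in a permission's Roles list is resolved against the users
        (Get-DSUsers -All) and user groups (Get-DSRole -GetAll). Matching is the
        PowerShell default case-insensitive '-eq'; a name that exists both as a
        user and as a group is treated as the user. Users are tagged with the
        '|u' suffix the API expects; names that match neither are dropped from
        the grant and a warning is emitted, because silently widening or
        narrowing a grant is exactly what you do not want from a permission
        cmdlet - check the warning stream when scripting this.
    .PARAMETER EntityId
        ID of the entity (vault, folder or entry) whose permissions are changed. Required.
    .PARAMETER PermissionOverride
        Override mode written to the entity's 'roleOverride'. Defaults to Custom.
    .PARAMETER Permissions
        One or more [ConnectionPermission] objects. The objects are modified in
        place (their Roles are rewritten to the resolved form) and are stored
        as-is in the entity's security object.
    .PARAMETER OverrideExistingPermissions
        Replace a permission whose Right already exists on the entity. Without
        this switch an existing non-View permission is left untouched and the
        supplied one is ignored (with a verbose message). View is always applied
        through viewOverride/viewRoles, regardless of this switch.
    .EXAMPLE
        $Permissions = @(
            [ConnectionPermission]@{
                IsEmpty  = $false
                Override = [SecurityRoleOverride]::Custom
                Right    = [SecurityRoleRight]::View
                Roles    = @('User1', 'User2', 'Group1', 'Group2')
            },
            [ConnectionPermission]@{
                IsEmpty  = $false
                Override = [SecurityRoleOverride]::Inherited
                Right    = [SecurityRoleRight]::Edit
                Roles    = @('User1', 'User2', 'Group1', 'Group2')
            }
        )
        > Set-DSEntityPermissions -EntityId $ID -Permissions $Permissions
    .NOTES
        - To override already existing permissions, please use the 'OverrideExistingPermissions' switch parameter.
        - When using this CMDlet, your entity's override mode will default to 'Custom'.
          Use the 'PermissionOverride' parameter if you wish to set it to anything else.
        - Requires an authenticated session ($Global:DSSessionToken); call New-DSSession first.
    #>
    [CmdletBinding()]
    param (
        [guid]$EntityId = $(throw 'You must provide the ID of the entity for which you want to change the permissions.'),
        [SecurityRoleOverride]$PermissionOverride = [SecurityRoleOverride]::Custom,
        [ConnectionPermission[]]$Permissions,
        [switch]$OverrideExistingPermissions
    )

    begin {
        Write-Verbose '[Set-DSEntityPermissions] Beginning...'
        # Fail early rather than sending an unauthenticated PUT.
        if ([string]::IsNullOrWhiteSpace($Global:DSSessionToken)) {
            throw 'Session does not seem authenticated, call New-DSSession.'
        }
    }

    process {
        # Entity, users and groups are all required to resolve the grant; any failure aborts.
        $Entry = ($res = Get-DSEntry -EntryId $EntityId).isSuccess ? $res.Body.data : $(throw 'Could not find the requested entity.')
        $EntrySecurity = $Entry.security
        $Users = ($res = Get-DSUsers -All).isSuccess ? $res.Body.data : $(throw 'Could not fetch your users.')
        $UserGroups = ($res = Get-DSRole -GetAll).isSuccess ? $res.Body.data : $(throw 'Could not fetch your user groups.')

        if (!$EntrySecurity.permissions) {
            $EntrySecurity | Add-Member -NotePropertyName permissions -NotePropertyValue @()
        }
        $EntrySecurity | Add-Member -NotePropertyName roleOverride -NotePropertyValue $PermissionOverride -Force

        foreach ($Permission in $Permissions) {
            # Resolve every principal name into a fresh list instead of editing
            # $Permission.Roles while enumerating it.
            $ResolvedRoles = [System.Collections.Generic.List[string]]::new()
            foreach ($Role in $Permission.Roles) {
                $IsUser = $null -ne ($Users.GetEnumerator() | Where-Object { $_.name -eq $Role })
                if ($IsUser) {
                    # Users are tagged with '|u'; groups are sent by bare name.
                    $ResolvedRoles.Add("$Role|u")
                    continue
                }
                $IsGroup = $null -ne ($UserGroups.GetEnumerator() | Where-Object { $_.name -eq $Role })
                if ($IsGroup) {
                    $ResolvedRoles.Add($Role)
                    continue
                }
                # An unknown principal (typo, deleted account) would otherwise vanish
                # from the grant with only a verbose trace; surface it as a warning.
                Write-Warning "[Set-DSEntityPermissions] $Role was removed from $($Permission.Right) permission because it couldn't be located in your users or user groups."
            }
            $Permission.Roles = $ResolvedRoles.ToArray()

            # First existing permission with the same Right (if any). Taking only the
            # first avoids an array match, whose IndexOf would return -1 and silently
            # overwrite the last element.
            $Existing = @($EntrySecurity.permissions) |
                Where-Object { $_.Right -eq $Permission.Right } |
                Select-Object -First 1

            if ($Existing -and $Permission.Right -ne [SecurityRoleRight]::View) {
                if (!$OverrideExistingPermissions) {
                    # Bug fix: previously the overwrite below ran even without the switch.
                    Write-Verbose "$($Permission.Right) permission was ignored because it already exists on entity. If you wish to override existing permissions, use the OverrideExistingPermissions switch parameter."
                    continue
                }
                $Index = $EntrySecurity.permissions.IndexOf($Existing)
                $EntrySecurity.permissions[$Index] = $Permission
            }
            elseif ($Permission.Right -eq [SecurityRoleRight]::View) {
                # View is stored on dedicated fields rather than in the permissions list.
                $EntrySecurity | Add-Member -NotePropertyName viewOverride -NotePropertyValue $Permission.Override -Force
                $EntrySecurity | Add-Member -NotePropertyName viewRoles -NotePropertyValue $Permission.Roles -Force
            }
            else {
                $EntrySecurity.permissions += $Permission
            }
        }

        if ($Entry.connectionType -eq ([ConnectionType]::Group)) {
            # Drops the last '\'-separated segment of the group path (or blanks it
            # when there is no separator) - presumably the API wants the parent path
            # on save; confirm against the server contract.
            $Entry.group = $Entry.group -match '\\' ? $Entry.group.Substring(0, $Entry.group.LastIndexOf('\')) : ''
        }

        # The entry's data must be re-protected before it is sent back.
        $Entry.data = (Protect-ResourceToHexString (ConvertTo-Json $Entry.data))

        $RequestParams = @{
            URI    = "$Script:DSBaseURI/api/connections/partial/save"
            Method = 'PUT'
            # NOTE(review): -Depth 4 must cover security.permissions[].Roles; deeper
            # nesting would be truncated to strings by ConvertTo-Json.
            Body   = (ConvertTo-Json $Entry -Depth 4)
        }
        $res = Invoke-DS @RequestParams
        return $res
    }

    end {
        $res.isSuccess ? (Write-Verbose '[Set-DSEntityPermissions] Completed successfully!') : (Write-Verbose '[Set-DSEntityPermissions] Ended with errors...')
    }
}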