Public/New-LMRole.ps1

<#
.SYNOPSIS
    Creates a new Logic Monitor role with specified privileges.

.DESCRIPTION
    The New-LMRole function creates a new Logic Monitor role with the specified privileges and settings. It allows you to customize various permissions and options for the role.

.PARAMETER Name
    Specifies the name of the role.

.PARAMETER CustomHelpLabel
    Specifies a custom label for the help button in the Logic Monitor UI.

.PARAMETER CustomHelpURL
    Specifies a custom URL for the help button in the Logic Monitor UI.

.PARAMETER Description
    Specifies a description for the role.

.PARAMETER RequireEULA
    Indicates whether the user must accept the End User License Agreement (EULA) before using the role.

.PARAMETER TwoFARequired
    Indicates whether two-factor authentication is required for the role. Default value is $true.

.PARAMETER RoleGroupId
    Specifies the ID of the role group to which the role belongs. Default value is 1.

.PARAMETER DashboardsPermission
    Specifies the permission level for dashboards. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER ResourcePermission
    Specifies the permission level for resources. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER LogsPermission
    Specifies the permission level for logs. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER WebsitesPermission
    Specifies the permission level for websites. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER SavedMapsPermission
    Specifies the permission level for saved maps. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER ReportsPermission
    Specifies the permission level for reports. Valid values are "view", "manage", or "none". Default value is "none".

.PARAMETER LMXToolBoxPermission
    Specifies the permission level for LMX Toolbox. Valid values are "view", "manage", "commit", "publish", or "none". Default value is "none".

.PARAMETER LMXPermission
    Specifies the permission level for LMX. Valid values are "view", "install", or "none". Default value is "none".

.PARAMETER SettingsPermission
    Specifies the permission level for settings. Valid values are "view", "manage", "none", "manage-collectors", or "view-collectors". Default value is "none".

.PARAMETER CreatePrivateDashboards
    Indicates whether the role can create private dashboards.

.PARAMETER AllowWidgetSharing
    Indicates whether the role can share widgets.

.PARAMETER ConfigTabRequiresManagePermission
    Indicates whether the role requires manage permission for the Config tab.

.PARAMETER AllowedToViewMapsTab
    Indicates whether the role can view the Maps tab.

.PARAMETER AllowedToManageResourceDashboards
    Indicates whether the role can manage resource dashboards.

.PARAMETER ViewTraces
    Indicates whether the role can view traces.

.PARAMETER ViewSupport
    Indicates whether the role can view support.

.PARAMETER EnableRemoteSessionForResources
    Indicates whether the role can enable remote session for resources.

.PARAMETER CustomPrivilegesObject
    Specifies a custom privileges object for the role.

.EXAMPLE
    New-LMRole -Name "MyRole" -Description "Custom role with limited permissions" -DashboardsPermission "view" -ResourcePermission "manage"

    This example creates a new Logic Monitor role named "MyRole" with a description and limited permissions for dashboards and resources.

#>

Function New-LMRole {

    [CmdletBinding(DefaultParameterSetName = 'Default')]
    Param (
        [Parameter(Mandatory,ParameterSetName = 'Custom')]
        [Parameter(Mandatory,ParameterSetName = 'Default')]
        [String]$Name,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [String]$CustomHelpLabel,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [String]$CustomHelpURL,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [String]$Description,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [Switch]$RequireEULA,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [Boolean]$TwoFARequired = $true,

        [Parameter(ParameterSetName = 'Default')]
        [Parameter(ParameterSetName = 'Custom')]
        [String]$RoleGroupId = 1,

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$DashboardsPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$ResourcePermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$LogsPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$WebsitesPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$SavedMapsPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none")]
        [String]$ReportsPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view","manage","commit","publish","none")]
        [String]$LMXToolBoxPermission = "none",
        
        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view","install","none")]
        [String]$LMXPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [ValidateSet("view", "manage","none","manage-collectors","view-collectors")]
        [String]$SettingsPermission = "none",

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$CreatePrivateDashboards,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$AllowWidgetSharing,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$ConfigTabRequiresManagePermission,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$AllowedToViewMapsTab,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$AllowedToManageResourceDashboards,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$ViewTraces,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$ViewSupport,

        [Parameter(ParameterSetName = 'Default')]
        [Switch]$EnableRemoteSessionForResources,

        [Parameter(Mandatory,ParameterSetName = 'Custom')]
        [PSCustomObject]$CustomPrivilegesObject

    )
    #Check if we are logged in and have valid api creds
    If ($Script:LMAuth.Valid) {

        
        #Build header and uri
        $ResourcePath = "/setting/roles"
        $Privileges = @()

        If(!$CustomPrivilegesObject){

            If($ViewTraces){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "tracesManageTab"
                    operation = "read"
                    subOperation = ""
                }
            }

            If($EnableRemoteSessionForResources){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "remoteSession"
                    operation = "write"
                    subOperation = ""
                }
            }

            If($AllowedToViewMapsTab){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "resourceMapTab"
                    operation = "read"
                    subOperation = ""
                }
            }

            If($AllowWidgetSharing){
                $Privileges += [PSCustomObject]@{
                    objectId = "sharingwidget"
                    objectName = "sharingwidget"
                    objectType = "dashboard_group"
                    operation = "write"
                    subOperation = ""
                }
            }

            If($CreatePrivateDashboards){
                $Privileges += [PSCustomObject]@{
                    objectId = "private"
                    objectName = "private"
                    objectType = "dashboard_group"
                    operation = "write"
                    subOperation = ""
                }
            }

            If($LMXToolBoxPermission){
                $Privileges += [PSCustomObject]@{
                    objectId = "allinstalledmodules"
                    objectName = "All installed modules"
                    objectType = "module"
                    operation = $LMXToolBoxPermission
                }
            }

            If($LMXPermission){
                $Privileges += [PSCustomObject]@{
                    objectId = "All exchange modules"
                    objectName = "private"
                    objectType = "module"
                    operation = $LMXPermission
                }
            }

            If($ViewSupport){
                $Privileges += [PSCustomObject]@{
                    objectId = "chat"
                    objectName = "help"
                    objectType = "help"
                    operation = "write"
                    subOperation = ""
                }
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "help"
                    objectType = "help"
                    operation = "read"
                    subOperation = ""
                }
            }
            Else{
                $Privileges += [PSCustomObject]@{
                    objectId = "chat"
                    objectName = "help"
                    objectType = "help"
                    operation = "read"
                    subOperation = ""
                }
            }

            $Privileges += [PSCustomObject]@{
                objectId = ""
                objectName = "configNeedDeviceManagePermission"
                objectType = "configNeedDeviceManagePermission"
                operation = If($ConfigTabRequiresManagePermission){"write"}Else{"read"}
                subOperation = ""
            }

            $Privileges += [PSCustomObject]@{
                objectId = ""
                objectName = "deviceDashboard"
                objectType = "deviceDashboard"
                operation = If($AllowedToManageResourceDashboards){"write"}Else{"read"}
                subOperation = ""
            }

            If($DashboardsPermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "dashboard_group"
                    operation = If($DashboardsPermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($ResourcePermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "host_group"
                    operation = If($ResourcePermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($LogsPermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "logs"
                    operation = If($LogsPermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($WebsitesPermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "website_group"
                    operation = If($WebsitesPermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($SavedMapsPermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "map"
                    operation = If($SavedMapsPermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($ReportsPermission -ne "none"){
                $Privileges += [PSCustomObject]@{
                    objectId = "*"
                    objectName = "*"
                    objectType = "report_group"
                    operation = If($ReportsPermission -eq "manage"){"write"}Else{"read"}
                    subOperation = ""
                }
            }

            If($SettingsPermission -ne "none"){
                If($SettingsPermission -ne "manage-collectors" -and $SettingsPermission -ne "view-collectors"){
                    $Privileges += [PSCustomObject]@{
                        objectId = "*"
                        objectName = "*"
                        objectType = "setting"
                        operation = If($SettingsPermission -eq "manage"){"write"}Else{"read"}
                        subOperation = ""
                    }

                    $Privileges += [PSCustomObject]@{
                        objectId = "useraccess.*"
                        objectName = "useraccess.*"
                        objectType = "setting"
                        operation = If($ResourcePermission -eq "manage"){"write"}Else{"read"}
                        subOperation = ""
                    }
                }
                Else{
                    $Privileges += [PSCustomObject]@{
                        objectId = "collectorgroup.*"
                        objectName = "Collectors"
                        objectType = "setting"
                        operation = If($SettingsPermission -eq "manage-collectors"){"write"}Else{"read"}
                    }
                }
            }

        }

        Try {
            $Data = @{
                customHelpLabel = $CustomHelpLabel
                customHelpURL   = $CustomHelpURL
                description     = $Description
                name            = $Name
                requireEULA      = $RequireEULA.IsPresent 
                roleGroupId     = $RoleGroupId
                twoFARequired   = $TwoFARequired
                privileges      = If($CustomPrivilegesObject){$CustomPrivilegesObject}Else{$Privileges}
            }

            #Remove empty keys so we dont overwrite them
            @($Data.keys) | ForEach-Object { if ([string]::IsNullOrEmpty($Data[$_])) { $Data.Remove($_) } }

            $Data = ($Data | ConvertTo-Json)

            $Headers = New-LMHeader -Auth $Script:LMAuth -Method "POST" -ResourcePath $ResourcePath -Data $Data 
            $Uri = "https://$($Script:LMAuth.Portal).logicmonitor.com/santaba/rest" + $ResourcePath

            Resolve-LMDebugInfo -Url $Uri -Headers $Headers[0] -Command $MyInvocation -Payload $Data

                #Issue request
            $Response = Invoke-RestMethod -Uri $Uri -Method "POST" -Headers $Headers[0] -WebSession $Headers[1] -Body $Data

            Return (Add-ObjectTypeInfo -InputObject $Response -TypeName "LogicMonitor.Role" )
        }
        Catch [Exception] {
            $Proceed = Resolve-LMException -LMException $PSItem
            If (!$Proceed) {
                Return
            }
        }
    }
    Else {
        Write-Error "Please ensure you are logged in before running any commands, use Connect-LMAccount to login and try again."
    }
}