functions/secret-permissions/New-TssSecretPermission.ps1
function New-TssSecretPermission { <# .SYNOPSIS Create a new Secret Permission .DESCRIPTION Create a new Secret Permission, use -Force to break inheritance .EXAMPLE $session = New-TssSession -SecretServer https://alpha -Credential $ssCred New-TssSecretPermission -TssSession $session -SecretId 76 -AccessRole View -Username bob.martin Adding user "bob.martin" to Secret 76, granting View rights to the Secret. .EXAMPLE $session = New-TssSession -SecretServer https://alpha -Credential $ssCred $secrets = Search-TssSecret -TssSession $session -SearchText 'Azure' New-TssSecretPermission -TssSession $session -SecretId $secrets.Id -AccessRole View -DomainName corp -GroupName 'IT Support' -Force Adding permission to all Secrets that have "Azure" in their name to the group "corp\IT Support" with View rights, breaking inheritance if enabled. .LINK https://thycotic-ps.github.io/thycotic.secretserver/commands/secret-permissions/New-TssSecretPermission .LINK https://github.com/thycotic-ps/thycotic.secretserver/blob/main/src/functions/secret-permissions/New-TssSecretPermission.ps1 .NOTES Requires TssSession object returned by New-TssSession #> [CmdletBinding(SupportsShouldProcess)] [OutputType('Thycotic.PowerShell.SecretPermissions.Permission')] param ( # TssSession object created by New-TssSession for authentication [Parameter(Mandatory, ValueFromPipeline, Position = 0)] [Thycotic.PowerShell.Authentication.Session] $TssSession, # Secret Id [Parameter(Mandatory, ValueFromPipeline)] [int[]] $SecretId, # Secret Access Role Name [Parameter(Mandatory, ValueFromPipeline)] [ValidateSet('List', 'View', 'Edit', 'Owner')] [string] $AccessRole, # Domain Name (the friendly name), if user or group is an Directory Service domain [Parameter()] [string] $DomainName, # Group Name [Parameter(ValueFromPipeline)] [string] $GroupName, # Username [Parameter(ValueFromPipeline)] [string] $Username, # If provided will break inheritance on the secret and add the permission [Parameter()] [switch] $Force ) begin { $tssNewParams = $PSBoundParameters $invokeParams = . $GetInvokeApiParams $TssSession } process { Write-Verbose "Provided command parameters: $(. $GetInvocation $PSCmdlet.MyInvocation)" if ($tssNewParams.ContainsKey('TssSession') -and $TssSession.IsValidSession()) { . $CheckVersion $TssSession '10.9.000000' $PSCmdlet.MyInvocation foreach ($secret in $SecretId) { $searchSecrets = Search-TssSecret $TssSession $secretInheritsPerm = $searchSecrets.Where({ $_.SecretId -eq $secret}).InheritsPermissions if (-not $secretInheritsPerm -or $tssNewParams.ContainsKey('Force')) { $restResponse = $null $uri = $TssSession.ApiUrl, 'secret-permissions' -join '/' $invokeParams.Uri = $uri $invokeParams.Method = 'POST' $newBody = [ordered]@{ SecretAccessRoleName = $AccessRole SecretId = $secret } switch ($tssNewParams.Keys) { 'DomainName' { $newBody.Add('domainName', $DomainName) } 'Username' { $newBody.Add('Username', $Username) } 'GroupName' { $newBody.Add('GroupName', $GroupName) } } $invokeParams.Body = ($newBody | ConvertTo-Json) Write-Verbose "Performing the operation $($invokeParams.Method) $uri with:`n $newBody" if (-not $PSCmdlet.ShouldProcess("Secret ID: $secret", "$($invokeParams.Method) $uri with $($invokeParams.Body)")) { return } try { $apiResponse = Invoke-TssApi @invokeParams $restResponse = . $ProcessResponse $apiResponse } catch { Write-Warning "Issue creating Secret Permission on secret [$secret]" $err = $_ . $ErrorHandling $err } if ($restResponse) { [Thycotic.PowerShell.SecretPermissions.Permission]$restResponse } } else { Write-Error "Secret [$secret] has InheritPermissions enabled, use -Force parameter to break inheritance." } } } else { Write-Warning 'No valid session found' } } } |