
# Helpers
function Resolve-SafeguardEntitlementId

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    if ($Entitlement.Id -as [int])
        $Entitlement = $Entitlement.Id

    if (-not ($Entitlement -as [int]))
            $local:Entitlements = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Roles `
                                 -Parameters @{ filter = "Name ieq '$Entitlement'" })
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            $local:Entitlements = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Roles `
                                 -Parameters @{ q = $Entitlement })
        if (-not $local:Entitlements)
            throw "Unable to find Entitlement matching '$Entitlement'"
        if ($local:Entitlements.Count -ne 1)
            throw "Found $($local:Entitlements.Count) Entitlements matching '$Entitlement'"

Get entitlements in Safeguard via the Web API.
Entitlement is a set of access request policies that restrict system access to authorized users
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
.PARAMETER EntitlementToGet
An integer containing the ID or a string containing the name of the entitlement to get.
An array of the entitlement property names to return.
JSON response from Safeguard Web API.
Get-SafeguardEntitlement -AccessToken $token -Appliance -Insecure
Get-SafeguardEntitlement testEntitlement
Get-SafeguardEntitlement 123

function Get-SafeguardEntitlement

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:Parameters = $null
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

    if ($PSBoundParameters.ContainsKey("EntitlementToGet"))
        $local:EntitlementId = Resolve-SafeguardEntitlementId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $EntitlementToGet
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
            GET "Roles/$($local:EntitlementId)" -Parameters $local:Parameters
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core `
            GET Roles -Parameters $local:Parameters

Create a new Entitlement in Safeguard via the Web API.
Create a new Entitlement in Safeguard. Access policies can be attached
to Entitlements. Users and groups can be created using separate cmdlets
and added as members via this cmdlet.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
The name of the entitlement.
.PARAMETER MemberUsers
Array of IDs or names of the users to be added to the entitlement.
.PARAMETER MemberGroups
Array of IDs or names of the users to be added to the entitlement.
JSON response from Safeguard Web API.
New-SafeguardEntitlement "Lab Administrator"

function New-SafeguardEntitlement

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    [object[]]$Members = $null
    foreach ($local:User in $MemberUsers)
        $local:ResolvedUserId = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -UserToGet $local:User).Id
        $local:Member = @{
            Id = $local:ResolvedUserId;
            PrincipalKind = "User"
        $local:Members += $($local:Member)

    foreach ($local:Group in $MemberGroups)
        $local:ResolvedGroupId = (Get-SafeguardUserGroup -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure -GroupToGet $local:Group).Id
        $local:Member = @{
            Id = $local:ResolvedGroupId;
            PrincipalKind = "Group"
        $local:Members += $($local:Member)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST Roles `
        -Body @{ Name = $Name; Members = $local:Members}

Remove an entitlement in Safeguard via the Web API.
Entitlement is a set of access request policies that restrict system access to authorized users
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
.PARAMETER EntitlementToDelete
An integer containing the ID or a string containing the name of the entitlement to delete.
JSON response from Safeguard Web API.
Remove-SafeguardEntitlement -AccessToken $token -Appliance -Insecure
Remove-SafeguardEntitlement testEntitlement
Remove-SafeguardEntitlement 123

function Remove-SafeguardEntitlement

    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    $local:EntitlementId = Resolve-SafeguardEntitlementId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $EntitlementToDelete
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "Roles/$($local:EntitlementId)"
