functions/Set-JS7IAMPermission.ps1

function Set-JS7IAMPermission
{
<#
.SYNOPSIS
Stores a permission to a role in the a Cockpit Identity Service
 
.DESCRIPTION
This cmdlet stores a permission for a role in a JOC Cockpit Identity Service.
 
The following REST Web Service API resources are used:
 
* /iam/permissions/store
 
.PARAMETER Service
Specifies the unique name of the Identity Service.
 
.PARAMETER Role
Specifies the unique name of the role that permissions should be assigned.
 
.PARAMETER Permission
Specifies one or more permissions for the role. Permissions are specified by identifiers like this:
 
* sos:products:controller:view
* sos:products:controller:agents:view
* sos:products:controller:deployment:manage
 
If more than one permission is used then they can be specified as an array or separated by comma:
 
* -Permissions @( "sos:products:controller:view", "sos:products:controller:agents:view" )
* -Permissions "sos:products:controller:view","sos:products:controller:agents:view"
 
.PARAMETER Excluded
Specifies if the permissions should be excluded. By default specified permissions are included.
 
.PARAMETER ControllerId
Specifies the unique identifier of the Controller that related permissions are assigned.
 
.PARAMETER AuditComment
Specifies a free text that indicates the reason for the current intervention,
e.g. "business requirement", "maintenance window" etc.
 
The Audit Comment is visible from the Audit Log view of the JOC Cockpit.
This argument is not mandatory, however, JOC Cockpit can be configured
to enforce Audit Log comments for any interventions.
 
.PARAMETER AuditTimeSpent
Specifies the duration in minutes that the current intervention required.
 
This information is shown in the Audit Log view. It can be useful when integrated
with a ticket system that logs the time spent on interventions with JS7.
 
.PARAMETER AuditTicketLink
Specifies a URL to a ticket system that keeps track of any interventions performed for JS7.
 
This information is shown in the Audit Log view of JOC Cockpit.
It can be useful when integrated with a ticket system that logs interventions with JS7.
 
.INPUTS
This cmdlet accepts pipelined input.
 
.OUTPUTS
This cmdlet returns no output.
 
.EXAMPLE
Set-JS7IAMPermission -Service 'JOC' -Role 'application_manager' -Permission @( 'sos:products:controller:view', 'sos:products:controller:agents:view' )
 
Stores the indicated permissions with the role.
 
.EXAMPLE
Set-JS7IAMPermission -Service 'JOC' -Role 'application_manager' -Permission @( 'sos:products:controller:view', 'sos:products:controller:agents:view' ) -ControllerId 'testsuite'
 
Stores the indicated permissions with the role for access to the indicated Controller.
 
.LINK
about_JS7
 
#>

[cmdletbinding(SupportsShouldProcess)]
param
(
    [Alias('IdentityServiceName')]
    [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [string] $Service,
    [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [Alias('RoleName')]
    [string] $Role,
    [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [string[]] $Permission,
    [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [switch] $Excluded,
    [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [string] $ControllerId = 'default',
    [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [string] $AuditComment,
    [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [int] $AuditTimeSpent,
    [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$True)]
    [Uri] $AuditTicketLink
)
    Begin
    {
        Approve-JS7Command $MyInvocation.MyCommand
        $stopWatch = Start-JS7StopWatch
    }

    Process
    {
        $body = New-Object PSObject

        Add-Member -Membertype NoteProperty -Name 'identityServiceName' -value $Service -InputObject $body
        Add-Member -Membertype NoteProperty -Name 'roleName' -value $Role -InputObject $body

        $permissions = @()

        foreach( $item in $Permission )
        {
            $permissionObj = New-Object PSObject
            Add-Member -Membertype NoteProperty -Name 'permissionPath' -value $item -InputObject $permissionObj

            if ( $Excluded )
            {
                Add-Member -Membertype NoteProperty -Name 'excluded' -value ($Excluded -eq $True) -InputObject $permissionObj
            }

            $permissions += $permissionObj
        }

        Add-Member -Membertype NoteProperty -Name 'permissions' -value $permissions -InputObject $body

        if ( $ControllerId -eq 'default' )
        {
            Add-Member -Membertype NoteProperty -Name 'controllerId' -value '' -InputObject $body
        } elseif ( $ControllerId ) {
            Add-Member -Membertype NoteProperty -Name 'controllerId' -value $ControllerId -InputObject $body
        }

        if ( $AuditComment -or $AuditTimeSpent -or $AuditTicketLink )
        {
            $objAuditLog = New-Object PSObject
            Add-Member -Membertype NoteProperty -Name 'comment' -value $AuditComment -InputObject $objAuditLog

            if ( $AuditTimeSpent )
            {
                Add-Member -Membertype NoteProperty -Name 'timeSpent' -value $AuditTimeSpent -InputObject $objAuditLog
            }

            if ( $AuditTicketLink )
            {
                Add-Member -Membertype NoteProperty -Name 'ticketLink' -value $AuditTicketLink -InputObject $objAuditLog
            }

            Add-Member -Membertype NoteProperty -Name 'auditLog' -value $objAuditLog -InputObject $body
        }

        if ( $PSCmdlet.ShouldProcess( 'permissions paths', '/iam/permissions/store' ) )
        {
            [string] $requestBody = $body | ConvertTo-Json -Depth 100
            $response = Invoke-JS7WebRequest -Path '/iam/permissions/store' -Body $requestBody

            if ( $response.StatusCode -eq 200 )
            {
                $requestResult = ( $response.Content | ConvertFrom-Json ).ok

                if ( !$requestResult )
                {
                    throw ( $response | Format-List -Force | Out-String )
                }
            } else {
                throw ( $response | Format-List -Force | Out-String )
            }
        }

        Write-Verbose ".. $($MyInvocation.MyCommand.Name): permissions stored"
    }

    End
    {
        Trace-JS7StopWatch -CommandName $MyInvocation.MyCommand.Name -StopWatch $stopWatch
        Update-JS7Session
    }
}