Public/Set-RoleMembership.ps1

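function Set-RoleMembership {
    <#
    .SYNOPSIS
        Sets the members for a given Role in a Milestone VMS based on one or more SIDs
    .DESCRIPTION
        In some cases it can be helpful to quickly set the members of a role in such a way as new
        members are added while old members are removed if they should no longer be associated with
        the role.

        This function takes a role and an array of SIDs, and ensures that all users in the array of
        SIDs are members while also removing users from the role if their SID is not present in the
        array of SIDs.

        Blank entries in the array are ignored, surrounding white space is trimmed and duplicate
        SIDs are processed once, so a stray empty or padded line in an input file does not cause an
        existing member to be removed by mistake.

        If you do not want to remove users, you can use the DoNotRemoveMembers switch and the result
        will be a role with at least as many members as before the import.

        Every add and every removal goes through ShouldProcess with ConfirmImpact 'High', so -WhatIf
        previews the changes and each change prompts unless confirmation is disabled by the caller.
    .EXAMPLE
        PS C:\> Set-RoleMembership -Role (Get-Role -Name 'Guards') -Members (Get-Content -Path .\guard-sids.txt)
        Sets a role named 'Guards' to have only members defined in a guard-sids.txt file where each line contains
        a SID.
    .EXAMPLE
        PS C:\> Set-RoleMembership -Role (Get-Role -Name 'Guards') -Members (Get-Content -Path .\guard-sids.txt) -WhatIf
        Lists the SIDs that would be added to and removed from the 'Guards' role without changing it.
    .NOTES
        Basic users can be managed in this way as well - even Basic users have a SID property available in the VMS.
        You can find this by looking at (Get-ManagementServer).BasicUserFolder.BasicUsers | Select Name, Sid

        When removal is enabled, an empty or missing Members list removes every current member of the role.
    #>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='High')]
    param(
        # Specifies the role for which membership should be updated based on the supplied Members
        [Parameter(Mandatory, ValueFromPipeline)]
        [VideoOS.Platform.ConfigurationItems.Role]
        $Role,

        # Specifies one or more SIDs for users who should be a member of this role
        [Parameter()]
        [string[]]
        $Members,

        # Specifies that users should not be removed from the role when their SID is not present in Members
        [Parameter()]
        [switch]
        $DoNotRemoveMembers,

        # Specifies that this function should operate on the Administrators role which could disable the entire VMS if the wrong user is removed.
        # Force only lifts the Administrators-role guard; it does not suppress the ShouldProcess confirmation prompts.
        [Parameter()]
        [switch]
        $Force
    )

    process {
        # NOTE(review): the literal is spelled 'Adminstrative' here. This guard only protects the
        # Administrators role if the string matches the RoleType value the VMS reports exactly, so
        # confirm the reported value against a real Administrators role before "correcting" the spelling.
        if ($Role.RoleType -eq 'Adminstrative' -and -not $Force) {
            Write-Error "This function is dangerous to use on the default Administrators role. Use the Force switch if you want to operate on the Administrators role."
            return
        }

        # Normalise the requested SIDs: drop null/blank entries, trim padding and collapse duplicates.
        # Without this, a padded SID never matches the stored one, so the user would be queued for
        # removal and a bogus add would be attempted as well.
        $requestedSids = @(
            $Members |
                Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
                ForEach-Object { $_.Trim() } |
                Select-Object -Unique
        )

        # Wrapping in @() keeps the comparisons below well-defined when the role has zero or one member.
        $existingMembers = @($Role.UserFolder.Users.Sid | Where-Object { $_ })

        $usersToAdd = @($requestedSids | Where-Object { $_ -notin $existingMembers })
        $usersToRemove = @($existingMembers | Where-Object { $_ -notin $requestedSids })

        # An empty list combined with removal clears the role. Surface that before any prompt so an
        # empty or unreadable input file is noticed rather than silently applied.
        if (-not $DoNotRemoveMembers -and $requestedSids.Count -eq 0 -and $usersToRemove.Count -gt 0) {
            Write-Warning "No member SIDs were supplied. All $($usersToRemove.Count) existing member(s) of role '$($Role.Name)' will be removed unless DoNotRemoveMembers is used."
        }

        foreach ($sid in $usersToAdd) {
            if ($PSCmdlet.ShouldProcess($Role.Name, "Add SID '$sid'")) {
                $null = $Role | Add-User -Sid $sid
            }
        }

        if (-not $DoNotRemoveMembers) {
            foreach ($sid in $usersToRemove) {
                if ($PSCmdlet.ShouldProcess($Role.Name, "Remove SID '$sid'")) {
                    $null = $Role | Remove-User -Sid $sid
                }
            }
        }
    }
}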