Public/Set-ViewGroupPermission.ps1

function Set-ViewGroupPermission {
    <#
    .SYNOPSIS
        Sets the permissions on one or more Roles which determine the level of access rights to one or more View Groups
    .DESCRIPTION
        Each Public View Group on a site has a set of permissions associated with each role on the same site. These
        permissions determine whether a View Group is visible to any given role, and whether members of that role are
        allowed to modify the View Group or the contents of that View Group including sub-groups and views. If Overall
        Security rights are granted to the role, those will overrule any permissions granted at the individual View
        Group level.
    .EXAMPLE
        PS C:\> Get-ViewGroup -Name 'Guards' | Set-ViewGroupPermission -RoleName 'Guards' -PermissionSet Read
        Grants read-only access to the view group 'Guards' for the role 'Guards'
    .EXAMPLE
        PS C:\> Get-ViewGroup -Name 'Managers' | Set-ViewGroupPermission -RoleName 'Guards' -PermissionSet None
        Revokes all access to the 'Managers' View Group for the role 'Guards'
    .EXAMPLE
        PS C:\> Get-ViewGroup -Name 'Managers' | Set-ViewGroupPermission -RoleName 'Managers' -PermissionSet Read, Operate
        Grants read and operate permissions for the 'Managers' role so that those members are allowed to see, and modify the contents of the 'Managers' View Group
    #>

    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Specifies the View Group or collection of View Groups for which permissions should be set
        [Parameter(Mandatory, ValueFromPipeline)]
        [VideoOS.Management.VmoClient.PublicViewGroup[]]
        $ViewGroup,

        # Specifies the name of the Role or collection of Roles for which the permissions should be updated
        [Parameter(Mandatory)]
        [string[]]
        [ValidateNotNullOrEmpty()]
        $RoleName,

        # Specifies which permissions to apply. Omitted permissions will be revoked if currently granted.
        # Note: Full is the same as specifying Read, Edit, Delete, Operate, and AdministrateSecurity.
        # Note: Specify None if all permissions should be revoked.
        # Note: If both Full and None are specified, None will take precedence
        [Parameter(Mandatory)]
        [ValidateSet('Read', 'Edit', 'Delete', 'Operate', 'AdministrateSecurity', 'Full', 'None')]
        [string[]]
        $PermissionSet
    )

    process {
        $emptyPermissions = [VideoOS.Management.VmoClient.PublicViewGroupPermissionSet]::new()
        $permissions = [VideoOS.Management.VmoClient.PublicViewGroupPermissionSet]::new()
        $inversePermissions = [VideoOS.Management.VmoClient.PublicViewGroupPermissionSet]::new()
        $inversePermissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::Read
        $inversePermissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::Write
        $inversePermissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::Delete
        $inversePermissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::Operate
        $inversePermissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::AdministrateSecurity
        $fullPermissions = $inversePermissions

        foreach ($permission in $PermissionSet) {
            if ($permission -eq 'Edit') {
                $permission = 'Write'
            }
            if ($permission -eq 'None') {
                $permissions = $emptyPermissions
                $inversePermissions = $fullPermissions
                break
            }
            if ($permission -eq 'Full') {
                $permissions = $fullPermissions
                $inversePermissions = $emptyPermissions
                break
            }
            $permissions += [VideoOS.Management.VmoClient.PublicViewGroupPermission]::$permission
            $inversePermissions -= [VideoOS.Management.VmoClient.PublicViewGroupPermission]::$permission
        }

        <#
            Strategy is to call Allow() only if at least one of the permissions should be granted
            and to call Revoke() only if at least one permission should not be granted.
        #>

        $identities = [string[]]($RoleName | Foreach-Object { "[VideoOS]\$_" })
        foreach ($vg in $ViewGroup) {
            if ($permissions -ne $emptyPermissions) {
                if ($PSCmdlet.ShouldProcess($vg.Name, "Allow $($identities.Count) role(s) $permissions")) {
                    $vg.Allow($permissions, $identities)
                }
            }
            if ($inversePermissions -ne $emptyPermissions) {
                if ($PSCmdlet.ShouldProcess($vg.Name, "Revoke $($identities.Count) role(s) $inversePermissions")) {
                    $vg.Revoke($inversePermissions, $identities)
                }
            }
        }
    }
}