en-US/about_pswebaccessauthorization.help.txt

TOPIC
    about_PSWebAccessAuthorization
 
SHORT DESCRIPTION
    This is a DSC module with a single resource, PwaAuthorizationRule, which is
    designed to configure PowerShell Web Access authorization rules. The
    resource is class-based so target nodes must be running PowerShell v5.0 or
    later. Due to limitations in the PowerShellWebAccess module, you should use
    this resource in a DSC configuration to either add or remove a rule.
 
LONG DESCRIPTION
    This resource assumes that PowerShell Web Access (PSWA) has already been
    installed and configured on the target node. If you are using DSC to deploy
    PSWA and manage authorization rules, you will need to use DependsOn for
    the rule configuration. The PwaAuthorizationRule resource has this syntax:
 
        RuleName = [string]
        Ensure = [string]{ Absent | Present }
        [DependsOn = [string[]]]
        [Destination = [string]]
        [DestinationType = [string]{ Computer | ComputerGroup}]
        [Domain = [string]]
        [PsDscRunAsCredential = [PSCredential]]
        [Username = [string[]]]
        [UserType = [string]{ User | UserGroup }]
        [Configuration = [string]]
 
    The resource relies on these commands in the PowerShellWebAccess module:
     
    - Get-PSWAAuthorizationRule
    - Add-PSWAAuthorizationRule
    - Remove-PSWAAuthorizationRule
     
    Because there is no "set" command, the DSC resource can't be used to modify
    an existing rule. If you truly need to modify a rule, create two resource
    instances in the configuration. The first ensures that the rule is absent.
    The second then defines the rule the way you want it, with a dependency on
    the first resource.
 
Details
    To create a rule you need to assign it a name (RuleName) and set Ensure
    to "Present". It isn't obvious, but to add a rule you must also
    specify the name of a server or an Active Directory group for Destination.
    If the value is a single computer, then set the DestinationType to
    "Computer", otherwise use "ComputerGroup". Likewise you need to specify the
    name of a user or a group for Username. As with Destination you need to
    specify either 'User' or 'UserGroup' for UserType. You can specify
    multiple users or groups but you cannot mix and match. Use these formats:
 
        Username = @("Company DBA","Company IT")
        Username = @('jdoe','jhelmick')
        Username = @('jhicks')
 
    When defining users or groups do NOT specify a domain or machine name. The
    Domain setting will default to the current user domain on the authoring
    box. This domain name will be assigned to all users and groups. If you want
    to create a rule for a local user or group, use the computer name as the
    domain name. You can't mix domain and local settings in the same resource
    configuration but you should be able to create multiple configurations.
    The last setting is Configuration. This is the name of the remoting
    endpoint. The default is "Microsoft.PowerShell". Change this as needed if
    you have created custom endpoints or are using something like JEA.
 
Wildcards
    If you want to remove multiple rules, you can use a wildcard in the
    RuleName setting. However, do not create any other rules in the same
    configuration that might also be captured by this pattern, especially if the
    local configuration manager is set to auto correct.
 
EXAMPLES
    This resource assumes the PowerShell Web Access feature has already been
    installed and configured except for authorization rules. Otherwise you would
    need to include DependsOn especially if combining those settings with
    authorization rules in the same configuration.
 
        PwaAuthorizationRule DBA {
            RuleName = "DBA Access"
            Ensure = "Present"
            Destination = "SqlServerGroup"
            DestinationType = "ComputerGroup"
            Username = @("CompanyDBA")
            UserType = "UserGroup"
        }
 
    This will add an authorization rule called "DBA Access" that gives any
    member of the CompanyDBA domain group (defaulting to the current domain)
    access to any server in the SqlServerGroup domain group. The user will have
    access to the Microsoft.PowerShell endpoint.
 
        PwaAuthorizationRule ITHelp {
            RuleName = "Help Desk"
            Ensure = "Present"
            Destination = "Domain Computers"
            DestinationType = "ComputerGroup"
            Username = @("ITHelp")
            UserType = "UserGroup"
            Configuration = "ITHelpDesk"
        }
 
    This creates an access rule for the ITHelp group to access the custom
    ITHelpDesk endpoint on any server in the "Domain Computers" group.

    Or you might want to do this in a configuration:
 
        PwaAuthorizationRule Remove_PrintOp {
            RuleName = "Print Op"
            Ensure = "Absent"
        }
     
        PwaAuthorizationRule PrintOp {
            RuleName = "Print Op v2"
            Ensure = "Present"
            Destination = "PrintServers"
            DestinationType = "ComputerGroup"
            Username = @("jdoe","jsmith")
            UserType = "User"
            Configuration = "JeaPrint"
            DependsOn = "[PwaAuthorizationRule]Remove_PrintOp"
        }
 
    Let's say you have an existing authorization rule called "Print Op" that
    grants access to multiple users. You now need to modify that rule to remove
    one of the users. To accomplish this you will first need to remove the
    existing rule. Then you can create a second instance of the rule to
    re-create with the desired settings. You will have to give this rule a new
    name. One idea is to use some type of versioning, but it is completely up to
    you.
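
    The remove-then-recreate pattern as a complete configuration, chained to
    the PSWA feature install with DependsOn. This is an added example, not
    part of the module's own documentation. The module name
    PSWebAccessAuthorization (inferred from this topic's title), the node name
    GATEWAY01, the domain COMPANY and the reduced user list are assumptions.

```powershell
# Added example; module, node and domain names are assumptions.
Configuration PswaPrintOpRules {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    # Assumed module name, inferred from this help topic's title
    Import-DscResource -ModuleName PSWebAccessAuthorization

    Node 'GATEWAY01' {   # hypothetical gateway node
        # The PowerShellWebAccess cmdlets arrive with this Windows feature
        WindowsFeature PSWA {
            Name   = 'WindowsPowerShellWebAccess'
            Ensure = 'Present'
        }

        # Step 1: remove the existing rule
        PwaAuthorizationRule Remove_PrintOp {
            RuleName  = 'Print Op'
            Ensure    = 'Absent'
            DependsOn = '[WindowsFeature]PSWA'
        }

        # Step 2: re-create it under a new name with the reduced user list
        PwaAuthorizationRule PrintOp {
            RuleName        = 'Print Op v2'
            Ensure          = 'Present'
            Destination     = 'PrintServers'
            DestinationType = 'ComputerGroup'
            Username        = @('jdoe')
            UserType        = 'User'
            # Constructed value; if omitted, the authoring user's domain is used
            Domain          = 'COMPANY'
            Configuration   = 'JeaPrint'
            DependsOn       = '[PwaAuthorizationRule]Remove_PrintOp'
        }
    }
}

# Compile to a MOF on the authoring box; nothing is applied to the node yet
PswaPrintOpRules -OutputPath "$env:TEMP\PswaPrintOpRules"
```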
 
NOTE
    Don't forget that the user or group must already have permission to connect
    to that endpoint. If they cannot connect via a remoting session in the
    PowerShell console, they will not be able to connect via PowerShell Web
    Access.
 
TROUBLESHOOTING NOTE
    Be aware that if you create an access rule for multiple users or groups,
    PowerShell will create a rule for each user or group. This means if you have
    a configuration like this:
 
        RuleName = "Sales Server"
        Ensure = "Present"
        Destination = "SALES02"
        DestinationType = "Computer"
        Username = @("alice","bob","carol")
        UserType = "User"
 
    It will create 3 rules on the node with the same name and configuration, one
    for each user. If you decide to remove one of these users, you will need to
    remove the rule and then recreate it as documented above.
    Remember, if you use multiple instances of this resource in the same
    configuration, the RuleName value must be unique.
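
    Because one rule exists per user, a user dropped from the configuration
    can still hold a rule on the node. The function below is an added example,
    not part of the module, that compares the users a rule name covers with the
    list you intend. Compare-PwaRuleUser is a hypothetical helper, the sample
    objects are constructed, and the RuleName and User property names are
    assumed to match the output of Get-PswaAuthorizationRule.

```powershell
# Added example. Property names RuleName and User are assumed to match
# the objects that Get-PswaAuthorizationRule returns.
function Compare-PwaRuleUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Rule,        # rule objects from the node
        [Parameter(Mandatory)] [string]$RuleName,      # name shared by the per-user rules
        [Parameter(Mandatory)] [string[]]$DesiredUser  # DOMAIN\name entries you intend
    )
    # One rule object exists per user, all carrying the same RuleName
    $actual = @($Rule | Where-Object { $_.RuleName -eq $RuleName } |
        ForEach-Object { $_.User })

    # Users who still have a rule on the node but are no longer intended
    foreach ($user in $actual) {
        if ($user -notin $DesiredUser) {
            [pscustomobject]@{ RuleName = $RuleName; User = $user; Status = 'NotInConfiguration' }
        }
    }
    # Intended users who have no rule on the node
    foreach ($user in $DesiredUser) {
        if ($user -notin $actual) {
            [pscustomobject]@{ RuleName = $RuleName; User = $user; Status = 'MissingOnNode' }
        }
    }
}

# Constructed sample standing in for Get-PswaAuthorizationRule output
$sample = @(
    [pscustomobject]@{ RuleName = 'Sales Server'; User = 'COMPANY\alice';  Destination = 'COMPANY\SALES02' }
    [pscustomobject]@{ RuleName = 'Sales Server'; User = 'COMPANY\bob';    Destination = 'COMPANY\SALES02' }
    [pscustomobject]@{ RuleName = 'Sales Server'; User = 'COMPANY\carol';  Destination = 'COMPANY\SALES02' }
    [pscustomobject]@{ RuleName = 'Help Desk';    User = 'COMPANY\ITHelp'; Destination = 'COMPANY\Domain Computers' }
)

# carol was dropped from the intended list but her rule is still in the sample
Compare-PwaRuleUser -Rule $sample -RuleName 'Sales Server' `
    -DesiredUser 'COMPANY\alice', 'COMPANY\bob'
```

    On a gateway, pass the output of Get-PswaAuthorizationRule as -Rule in
    place of the constructed sample.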
 
SEE ALSO
    Here is a list of related material you might find useful.
 
    https://technet.microsoft.com/en-us/library/hh831611(v=ws.11).aspx
    https://blogs.technet.microsoft.com/fromthefield/2015/02/18/powershell-web-access-a-walkthrough
    https://www.pluralsight.com/courses/powershell-web-access-server-implementing
 
KEYWORDS
    - PWA
    - PSWA
    - AuthorizationRule
    - PowerShellWebAccess