Functions/Security/Revoke-RsSystemAccess.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Copyright (c) 2016 Microsoft Corporation. All Rights Reserved.
# Licensed under the MIT License (MIT)

function Revoke-RsSystemAccess
{
    <#
        .SYNOPSIS
            This script revokes access to SQL Server Reporting Services Instance from users/groups.
        
        .DESCRIPTION
            This script revokes all access on the SQL Server Reporting Services Instance located at the specified Report Server URI from the specified user/group.
        
        .PARAMETER Identity
            Specify the user or group name to revoke access from.
        
        .PARAMETER Strict
            Throw a terminating error when trying to revoke all permissions when there are none assigned to the target identity.
        
        .PARAMETER ReportServerUri
            Specify the Report Server URL to your SQL Server Reporting Services Instance.
            Use the "Connect-RsReportServer" function to set/update a default value.
        
        .PARAMETER Credential
            Specify the credentials to use when connecting to the Report Server.
            Use the "Connect-RsReportServer" function to set/update a default value.
        
        .PARAMETER Proxy
            Report server proxy to use.
            Use "New-RsWebServiceProxy" to generate a proxy object for reuse.
            Useful when repeatedly having to connect to multiple different Report Server.
        
        .EXAMPLE
            Revoke-RsSystemAccess -Identity 'johnd'
            Description
            -----------
            This command will establish a connection to the Report Server located at http://localhost/reportserver using current user's credentials and then revoke all access for user 'johnd'.
        
        .EXAMPLE
            Revoke-RsSystemAccess -ReportServerUri 'http://localhost/reportserver_sql2012' -Identity 'johnd'
            Description
            -----------
            This command will establish a connection to the Report Server located at http://localhost/reportserver_2012 using current user's credentials and then revoke all access for user 'johnd'.
        
        .EXAMPLE
            Revoke-RsSystemAccess -Credential 'CaptainAwesome' -Identity 'johnd'
            Description
            -----------
            This command will establish a connection to the Report Server located at http://localhost/reportserver using CaptainAwesome's credentials and then revoke all access for user 'johnd'.
    #>


    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param
    (
        [Alias('UserOrGroupName')]
        [Parameter(Mandatory = $True)]
        [string]
        $Identity,
        
        [switch]
        $Strict,
        
        [string]
        $ReportServerUri,
        
        [Alias('ReportServerCredentials')]
        [System.Management.Automation.PSCredential]
        $Credential,
        
        $Proxy
    )
    
    if ($PSCmdlet.ShouldProcess((Get-ShouldProcessTargetweb -BoundParameters $PSBoundParameters), "Revoke all system access for $Identity"))
    {
        $Proxy = New-RsWebServiceProxyHelper -BoundParameters $PSBoundParameters
        
        #region Retrieve policies and validate
        # retrieving existing policies for the current item
        try
        {
            Write-Verbose "Retrieving system policies..."
            $originalPolicies = $proxy.GetSystemPolicies()
            
            Write-Verbose "Policies retrieved: $($originalPolicies.Length)!"
        }
        catch
        {
            throw (New-Object System.Exception("Error retrieving existing system policies! $($_.Exception.Message)", $_.Exception))
        }
        
        # keeping only those policies where userOrGroupName is not explicitly mentioned
        $policyList = $originalPolicies | Where-Object { $_.GroupUserName -ne $Identity }
        
        if ($Strict -and (-not ($originalPolicies | Where-Object { $_.GroupUserName -eq $Identity })))
        {
            throw (New-Object System.Management.Automation.PSArgumentException("$Identity was not granted any rights on the Report Server!"))
        }
        #endregion Retrieve policies and validate
        
        #region updating policies on the system
        try
        {
            Write-Verbose "Revoking all access for $Identity..."
            $proxy.SetSystemPolicies($policyList)
            Write-Verbose "Revoked all access for $Identity!"
        }
        catch
        {
            throw (New-Object System.Exception("Error occurred while revoking all access from $Identity! $($_.Exception.Message)", $_.Exception))
        }
        #endregion updating policies on the system
    }
}
New-Alias -Name "Revoke-AccessToRs" -Value Revoke-RsSystemAccess -Scope Global