
Get permissions for TPP objects
Determine who has rights for TPP objects and what those rights are
.PARAMETER Guid
Guid representing a unique object in Venafi.
.PARAMETER PrefixedUniversalId
The id that represents the user or group. Use Get-TppIdentity to get the id.
.PARAMETER Effective
Get effective permissions for the specific user or group on the object.
If only an object guid is provided with this switch, all user and group permissions will be provided.
.PARAMETER ExplicitImplicit
Get explicit and implicit permissions for the specific user or group on the object.
If only an object guid is provided with this switch, all user and group permissions will be provided.
.PARAMETER Attribute
Retrieve identity attribute values for the users and groups. Attributes include Group Membership, Name, Internet Email Address, Given Name, Surname.
.PARAMETER TppSession
Session object created from New-TppSession method. The value defaults to the script session object $TppSession.
List parameter set returns a PSCustomObject with the properties Guid and Permissions
Local and external parameter sets return a PSCustomObject with the following properties:
    EffectivePermissions (if Effective switch is used)
    ExplicitPermissions (if ExplicitImplicit switch is used)
    ImplicitPermissions (if ExplicitImplicit switch is used)
    Attribute (if Attribute provided)
Get-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission
Guid PrefixedUniversalId
---- -----------
{1234abcd-g6g6-h7h7-faaf-f50cd6610cba} {,}
Get users/groups permissioned to a policy folder
Get-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission -Attribute 'Given Name','Surname'
Guid PrefixedUniversalId Attribute
---------- ------------------- ---------
{1234abcd-g6g6-h7h7-faaf-f50cd6610cba} {@{Name=Given Name; Value=Greg}, @{Name=Surname; Value=Brownstein}}
{1234abcd-g6g6-h7h7-faaf-f50cd6610cba} {@{Name=Given Name; Value=Greg}, @{Name=Surname; Value=Brownstein}}
Get users/groups permissioned to a policy folder including identity attributes for those users/groups
Get-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission -Effective
Guid : {1234abcd-g6g6-h7h7-faaf-f50cd6610cba}
PrefixedUniversalId :
EffectivePermissions : @{IsAssociateAllowed=False; IsCreateAllowed=True; IsDeleteAllowed=True; IsManagePermissionsAllowed=True; IsPolicyWriteAllowed=True;
                       IsPrivateKeyReadAllowed=True; IsPrivateKeyWriteAllowed=True; IsReadAllowed=True; IsRenameAllowed=True; IsRevokeAllowed=False; IsViewAllowed=True;
Guid : {1234abcd-g6g6-h7h7-faaf-f50cd6610cba}
PrefixedUniversalId :
EffectivePermissions : @{IsAssociateAllowed=False; IsCreateAllowed=False; IsDeleteAllowed=False; IsManagePermissionsAllowed=False; IsPolicyWriteAllowed=True;
                       IsPrivateKeyReadAllowed=False; IsPrivateKeyWriteAllowed=False; IsReadAllowed=True; IsRenameAllowed=False; IsRevokeAllowed=True; IsViewAllowed=False;
Get effective permissions for users/groups on a specific policy folder

function Get-TppPermission {

    param (
        [Parameter(Mandatory, ParameterSetName = 'List', ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory, ParameterSetName = 'Effective', ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory, ParameterSetName = 'ExplicitImplicit', ValueFromPipelineByPropertyName)]
        [guid[]] $Guid,

        [Parameter(Mandatory, ParameterSetName = 'Effective')]
        [Parameter(Mandatory, ParameterSetName = 'ExplicitImplicit')]
        [ValidateScript( {
                $_ -match '(AD|LDAP)+\S+:\w{32}$' -or $_ -match 'local:\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$'
        [string[]] $PrefixedUniversalId,

        [Parameter(ParameterSetName = 'List')]
        [Parameter(ParameterSetName = 'Effective')]
        [switch] $Effective,

        [Parameter(ParameterSetName = 'List')]
        [Parameter(ParameterSetName = 'ExplicitImplicit')]
        [switch] $ExplicitImplicit,

        [ValidateSet('Group Membership', 'Name', 'Internet Email Address', 'Given Name', 'Surname')]
        [string[]] $Attribute,

        [TppSession] $TppSession = $Script:TppSession

    begin {

        Write-Verbose ("Parameter set {0}" -f $PsCmdlet.ParameterSetName)

        $params = @{
            TppSession = $TppSession
            Method     = 'Get'
            UriLeaf    = 'placeholder'

        $returnObject = @()

    process {

            $thisGuid = "{$_}"
            $params.UriLeaf = "Permissions/Object/$thisGuid"

            Switch ($PsCmdlet.ParameterSetName)    {
                'List' {
                    $perms = Invoke-TppRestMethod @params
                        if ( $PSBoundParameters.ContainsKey('Effective') -or $PSBoundParameters.ContainsKey('ExplicitImplicit') ) {
                            # get details from list of perms on the object
                            # loop through and get perms on each by re-calling this function

                            $permParams = @{
                                Guid                = $thisGuid
                                PrefixedUniversalId = $_

                            if ( $PSBoundParameters.ContainsKey('Effective') ) {
                                $permParams.Add( 'Effective', $true )
                            } else {
                                $permParams.Add( 'ExplicitImplicit', $true )

                            if ( $PSBoundParameters.ContainsKey('Attribute') ) {
                                $permParams.Add( 'Attribute', $Attribute )

                            Get-TppPermission @permParams
                        } else {
                            # just list out users/groups with rights
                            $returnObject += [PSCustomObject] @{
                                Guid          = $thisGuid
                                PrefixedUniversalId = $_

                {$_ -in 'Effective', 'ExplicitImplicit'} {

                        $thisId = $_

                        if ( $thisId.StartsWith('local:') ) {
                            # format of local is local:universalId
                            $type, $id = $thisId.Split(':')
                            $params.UriLeaf += "/local/$id"
                        } else {
                            # external source, eg. AD, LDAP
                            # format is type+name:universalId
                            $type, $name, $id = $thisId.Split('+:')
                            $params.UriLeaf += "/$type/$name/$id"

                        if ( $PSBoundParameters.ContainsKey('Effective') ) {
                            $params.UriLeaf += '/Effective'

                        $response = Invoke-TppRestMethod @params

                        $thisReturnObject = [PSCustomObject] @{
                            Guid          = $thisGuid
                            PrefixedUniversalId = $thisId

                        if ( $PSBoundParameters.ContainsKey('Effective') ) {
                            $thisReturnObject | Add-Member @{
                                EffectivePermissions = [TppPermission] $response.EffectivePermissions
                        } else {
                            $thisReturnObject | Add-Member @{
                                ExplicitPermissions = [TppPermission] $response.ExplicitPermissions
                                ImplicitPermissions = [TppPermission] $response.ImplicitPermissions

                        $returnObject += $thisReturnObject

            if ( $PSBoundParameters.ContainsKey('Attribute') ) {

                $returnObject | Add-Member @{
                    Attribute = $null

                    $thisObject = $_
                        $attribResponse = Get-TppIdentityAttribute -PrefixedUniversalId $thisObject.PrefixedUniversalId -Attribute $Attribute
                        $thisObject.Attribute = $attribResponse.Attribute
