
.SYNOPSIS
Get permissions for TPP objects
.DESCRIPTION
Get permissions for users and groups on any object.
Effective permissions are retrieved by default, but explicit (direct) and implicit (inherited) permissions can be retrieved instead.
Permissions can be retrieved for every principal on an object (the default) or for one specific id.
.PARAMETER InputObject
One or more TppObject
.PARAMETER Path
Full path to an object
.PARAMETER Guid
Guid representing a unique object in Venafi.
.PARAMETER PrefixedUniversalId
Get permissions for a specific id on the object provided.
You can use Find-TppIdentity to get the id.
.PARAMETER Explicit
Get explicit (direct) and implicit (inherited) permissions instead of effective permissions.
.PARAMETER Attribute
Retrieve identity attribute values for the users and groups. Attributes include Group Membership, Name, Internet Email Address, Given Name, Surname.
.PARAMETER TppSession
Session object created from New-TppSession method. The value defaults to the script session object $TppSession.
.INPUTS
InputObject, Path, Guid
.OUTPUTS
List parameter set returns a PSCustomObject with the properties Guid and Permissions
Local and external parameter sets return a PSCustomObject with the following properties:
    EffectivePermissions (if Explicit switch is not used)
    ExplicitPermissions (if Explicit switch is used)
    ImplicitPermissions (if Explicit switch is used)
    Attributes (if Attribute provided)
.EXAMPLE
Find-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission
Get effective permissions for users/groups on a specific policy folder
.EXAMPLE
Find-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission -Attribute 'Given Name','Surname'
Get effective permissions on a policy folder, including identity attributes for the permissioned users/groups
.EXAMPLE
Find-TppObject -Path '\VED\Policy\My folder' | Get-TppPermission -Explicit
Get explicit and implicit permissions for users/groups on a specific policy folder

function Get-TppPermission {

    [CmdletBinding(DefaultParameterSetName = 'ByObject')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'ByObject', ValueFromPipeline)]
        [TppObject] $InputObject,

        [Parameter(Mandatory, ParameterSetName = 'ByPath', ValueFromPipeline)]
        [ValidateScript( {
                if ( $_ | Test-TppDnPath ) {
                } else {
                    throw "'$_' is not a valid DN path"
        [Alias('DN', 'CertificateDN')]
        [String[]] $Path,

        [Parameter(Mandatory, ParameterSetName = 'ByGuid', ValueFromPipeline)]
        [Guid[]] $Guid,

        [ValidateScript( {
                $_ -match '(AD|LDAP)+\S+:\w{32}$' -or $_ -match 'local:\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$'
        [string[]] $PrefixedUniversalId,

        [switch] $Explicit,

        [ValidateSet('Group Membership', 'Name', 'Internet Email Address', 'Given Name', 'Surname')]
        [string[]] $Attribute,

        [TppSession] $TppSession = $Script:TppSession

    begin {

        Write-Verbose ("Parameter set {0}" -f $PsCmdlet.ParameterSetName)

        $params = @{
            TppSession = $TppSession
            Method     = 'Get'
            UriLeaf    = 'placeholder'

        $returnObject = @()

    process {

        if ( $PSBoundParameters.ContainsKey('Path') ) {
            $InputObject = Get-TppObject -Path $Path -TppSession $TppSession
        } elseif ( $PSBoundParameters.ContainsKey('Guid') ) {
            $InputObject = $Guid | ConvertTo-TppPath -TppSession $TppSession | Get-TppObject -TppSession $TppSession

        foreach ( $thisObject in $InputObject ) {

            $uriBase = ('Permissions/Object/{{{0}}}' -f $thisObject.Guid)
            $params.UriLeaf = $uriBase

            if ( $PSBoundParameters.ContainsKey('PrefixedUniversalId') ) {
                $principals = $PrefixedUniversalId
            } else {
                # get list of principals permissioned to this object
                $principals = Invoke-TppRestMethod @params

            foreach ( $principal in $principals ) {

                $params.UriLeaf = $uriBase

                if ( $principal.StartsWith('local:') ) {
                    # format of local is local:universalId
                    $type, $id = $principal.Split(':')
                    $params.UriLeaf += "/local/$id"
                } else {
                    # external source, eg. AD, LDAP
                    # format is type+name:universalId
                    $type, $name, $id = $principal -Split { $_ -in '+', ':' }
                    $params.UriLeaf += "/$type/$name/$id"

                if ( -not $PSBoundParameters.ContainsKey('Explicit') ) {
                    $params.UriLeaf += '/Effective'

                $response = Invoke-TppRestMethod @params

                $thisReturnObject = [PSCustomObject] @{
                    Object              = $thisObject
                    PrefixedUniversalId = $principal

                if ( $PSBoundParameters.ContainsKey('Explicit') ) {
                    $thisReturnObject | Add-Member @{
                        ExplicitPermissions = [TppPermission] $response.ExplicitPermissions
                        ImplicitPermissions = [TppPermission] $response.ImplicitPermissions
                } else {
                    $thisReturnObject | Add-Member @{
                        EffectivePermissions = [TppPermission] $response.EffectivePermissions

                $returnObject += $thisReturnObject

            if ( $PSBoundParameters.ContainsKey('Attribute') ) {

                $returnObject | Add-Member @{
                    Attributes = $null

                foreach ( $thisObject in $returnObject ) {
                    $attribParams = @{
                        PrefixedUniversalId = $thisObject.PrefixedUniversalId
                        Attribute           = $Attribute
                        TppSession          = $TppSession
                    $attribResponse = Get-TppIdentityAttribute @attribParams
                    $thisObject.Attributes = $attribResponse.Attributes

