Renaming a role and update permissions
Hello,
When a role is renamed in Roles Management, the folders or entries permissions aren't updated. The following script will update the role's name and all permissions on which this role is set.
# Load RDM PowerShell module.
# Adapt the folder's name if you are not using the default installation path.
if (-not (Get-Module RemoteDesktopManager.PowerShellModule)) {
Import-Module 'C:\Program Files (x86)\Devolutions\Remote Desktop Manager\RemoteDesktopManager.PowerShellModule.psd1'
}
function Rename-Role
{
param (
[Parameter(Mandatory=$True,Position=1)]
[string]$oldRoleName,
[Parameter(Mandatory=$True,Position=2)]
[string]$newRoleName,
[Parameter(Mandatory=$True,Position=3)]
[string]$dsName,
[Parameter(Mandatory=$True,Position=4)]
[bool]$chgRole
)
$ds = Get-RDMDataSource -Name $dsName
Set-RDMCurrentDataSource $ds
Update-RDMUI
# Renaming the role
if ($chgRole)
{
Try
{
$role = Get-RDMRole -Name $oldRoleName -ErrorAction SilentlyContinue
$errorOccured = $false
}
catch
{
$errorOccured = $True
}
if (!$errorOccured)
{
Set-RDMRoleProperty -Role $role -Property Name -Value $newRoleName
Set-RDMRole $role
}
}
$repositories = Get-RDMRepository
foreach ($repository in $repositories)
{
Set-RDMCurrentRepository $repository
Update-RDMUI
$sessions = Get-RDMSession
foreach ($session in $sessions)
{
[bool]$updateView = $false
[bool]$updatePerms = $false
# Replace role name in View permission
$roles = $session.Security.ViewRoles
if ($roles -contains $oldRoleName)
{
$roles = $roles -replace [Regex]::Escape($oldRoleName), $newRoleName
$session.Security.ViewRoles = $roles
$updateView = $True
}
# Replace role name in other permissions
$perms = $session.Security.Permissions
$newPerms = @()
foreach ($perm in $perms)
{
$roles = $perm.Roles
if ($roles -contains $oldRoleName)
{
$roles = $roles -replace [Regex]::Escape($oldRoleName), $newRoleName
$perm.Roles = $roles
$newPerms += $perm
$updatePerms = $True
}
}
if ($updatePerms)
{
$session.Security.Permissions = $newPerms
}
if ($updateView -or $updatePerms)
{
try
{
Set-RDMSession $session -Refresh -ErrorAction SilentlyContinue
}
catch
{
$sessionName = $session.Name
$sessionGroup = $session.Group
$sessionType = $session.ConnectionType
Write-Host "An error occurs to modify the role's name $oldRoleName to $newRoleName for session $sessionName of type $sessionType in folder $sessionGroup!!!"
}
}
}
}
Update-RDMUI
Write-Host "Done!!!"
}Best regards,
Érica Poirier
All Comments (13)
- Why is this necessary still 2 years later? You offer this feature in the GUI but it blow's away the underlying data away.
- Why even have ID's and a relational database if you are going to use the text and not ID's to associate objects with?
- Why offer the ability to rename in the GUI if we actually need to do is this in powershell if we expect it to work?
- How are users supposed to know when a feature offered in the GUI, really should be done via Command Line if you actually expect it not to destroy data?
I have managers and first level administrators that I want to pass this job off to. They are never going to do powershell.
Hello,
1a - Why is this necessary still 2 years later? ...
This forum is a powershell repository, many people automate this type of worklow.
1b - ...You offer this feature in the GUI but it blow's away the underlying data away.
See point 3
2 - Why even have ID's and a relational database if you are going to use the text and not ID's to associate objects with?
We have a project to switch to object SIDs, but it hasnt moved from the backlog at this time.
3 - Why offer the ability to rename in the GUI if we actually need to do is this in powershell if we expect it to work?
This would be a bug that would have a high priority, I will check with the QA lead on this. We will open a ticket or kick up the priority. The bug fix will surely be that we do not allow renaming, thats because of our plan to move to SIDs
4 - How are users supposed to know when a feature offered in the GUI, really should be done via Command Line if you actually expect it not to destroy data?
see point 3
5 - I have managers and first level administrators that I want to pass this job off to. They are never going to do powershell.
Our feeling was that renaming an AD group is an event that occurs rarely, at least this is the case for the majority of our customers. We do not expect to allow non-sysadmins to support that workflow
If we open a new ticket, its number will be sent to you to ease tracking.
Best regards,
Maurice
How should the input be formatted if the old role is the same as the new role?
Hello,
If the role's names are exactly the same, this script is useless in that situation.
This script is intended to update a role's name and propagate the update in all permissions. A scenario could be a different role name or a domain migration for a DVLS data source like DomainA\RoleName to DomainB\RoleName. The role name is the same in the last example, but the DVLS instance has been migrated in another domain.
Let me know if that helps to answer your question.
Best regards,
Érica Poirier
Hi,
I'm a big fan of RDM and it's possibilities, but not being able to rename user groups in a decent way is underwhelming.
As previously stated, why not using the group id?
Can this still be turned into a change request?
Thanks,
Wim
Hello Wim,
Thank you for your question.
Indeed, using the SIDs for the User groups (aka AD groups) is on our roadmap for Devolutions Server. This should be available by the end of the year. Once this will be implemented, we will update this thread.
Best regards,
Érica Poirier
Hi Erica,
that is good news, but I really hope this will be implemented in RDM (Enterprise) as well?
best regards,
Wim
Hi Wim,
What data source type are you using?
The AD groups are supported only with a DVLS data source.
Best regards,
Érica Poirier
Dear Erica,
we are using RDM Enterprise with a MS SQL Server Datasource. So we are using normal groups, no AD groups.
best regards,
Wim
Hi,
Thank you very much for providing this script.
I tried it out on our test system and after looking over the entries randomly, everything seemed fine.
The groups were replaced and the permissions seem to be fine.
But the script displayed the following error a few times during execution:
Set-RDMSession : Connection has invalid group specified.
At rename-rdm-groups.ps1:74 char:9
+ Set-RDMSession $session -Refresh
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-RDMSession], Exception
+ FullyQualifiedErrorId : 0,RemoteDesktopManager.PowerShellModule.SetRDMSessionCommand
So I'm a bit worried about using the script in production with our 10,000+ entries.
What could cause this error and what could a possible impact be?
BR
Hello,
Thank you for reporting this issue.
The problem could be related to special characters in the role's name that isn't managed properly in the script. It could be a missing folder or a virtual folder. It's hard to tell without any detailed information about this error.
I have updated the script to handle the error and provide more information about the session's settings if it fails.
Let me know if the new script version helps to identify the issue.
Best regards,
Érica Poirier
Hi,
thank you very much for updating the script!
I reverted our test VM to a snapshot and ran it again.
Now, I got no errors. I am not really sure why I got them the last time I ran the script, but since everything seems to work, I might also rename the groups in production very soon.
Best Regards
Hello,
Thank you for your feedback and glad that the script is now working.
Be sure to have a working backup of the production database prior to run the script in case of an odd problem occurs.
Best regards,
Érica Poirier