update root session permissions with DPS instead of RDM

Resolved Implemented


hi!
I want to ask if it's possible to edit the root session permissions with DPS-Cmdlets?

For some vaults we set the permission as follows:

$rdmRootSession = Get-RDMRootSession
if ($rdmRootSession.Security.RoleOverride -ne 'Custom') {
    if (-not($rdmRootSession.Security.Permissions)) {
        $rdmRootSession.Security.RoleOverride = 'Custom'
        $rdmRootSession.Security.Permissions = New-Object PSObject -Property @{ Override = 'Everyone'; Right = 'ViewPassword'; Roles = @(''); RoleValues = ''; }
    }
    $rdmRootSession | Set-RDMRootSession
    Update-RDMUI
}


It would be a huge win for us if this could be done with the DPS module or the DPS cli instead.

KR
G.

All Comments (9)


Hi Guenther,

Thank you for reaching out on that matter.

Yes, it's possible to update any vault's root record permission with the DVLS PowerShell module.

You first need to find the ID of the vault's root record. You can get it by selecting the root of the vault and copying the second ID in the URL.



Then please use this ID in the following code.

$vaultID = '38ff6a32-4e78-454c-9b03-d4aab1158cea'
$folderid = ((Get-DSFolders -VaultId $vaultID -IncludeSubFolders).body.data | Where-Object { $_.name -eq "FolderName" }).id

$folderPermissions = @(
    [ConnectionPermission]@{
        IsEmpty  = $false
        Override = [SecurityRoleOverride]::Custom
        Right    = [SecurityRoleRight]::View
        Roles    = @("group1","group2")
    },          
    [ConnectionPermission]@{
        IsEmpty  = $false
        Override = [SecurityRoleOverride]::Custom
        Right    = [SecurityRoleRight]::ViewPassword
        Roles    = @("group1","group2")
    }
)
Set-DSEntityPermissions -EntityId $folderid -Permissions $folderPermissions


Let us know if that helps.

Best regards,

Érica Poirier


hi Érica,
I was just trying to test this using the Devolutions.Powershell module (version 2023.1.0.6) but the Cmdlet Set-DSEntityPermissions is not available there.

What's the DVLS PowerShell module you mentioned?
Can you please provide me with a link to it?

Is the Cmdlet going to be included in the Devolutions.Powershell module?

KR
Guenther


Hi,

Unfortunately, Set-DSEntityPermissions is currently missing in Devolutions.PowerShell. I'm working on the implementation as we speak.
As soon as it is ready, I'll upload a new version.

Regards.

Jonathan Lafontaine


Hi,

The latest release (2023.1.0.7) with Set-DSEntityPermissions is now available.

Regards

Jonathan Lafontaine


hi,
I am having a hard time getting the root session id/object.

copying the vault id like Érica showed returns null

$vaultID = '12345678-1234-1234-1234-123456789012'
((Get-DSFolders -VaultId $vaultID -IncludeSubFolders).body.data | Where-Object { $_.name -eq "FolderName" }).id


could you please add a new cmdlet returning the root vault object, just like Get-RDMRootSession does but without requiring RDM?

KR
Guenther


PS: when running just Get-DSFolders -VaultId $vaultID I get the following error returned although my user is admin on that instance

DetailedErrorMessage ErrorMessage IsSuccess       Result
-------------------- ------------ ---------       ------
                                      False AccessDenied


I've also tested this with different vaults - I do get the error on every vault I tested


Hello Guenther,

Are you on the latest DVLS version?

Could you please try this command to get the proper root record ID for your script?

$folderid = ((Get-DSFolders -VaultId $vaultID -IncludeSubFolders).body.data | Where-Object { $_.connectionType -eq '92' }).id


Let me know if that helps.

Best regards,

Érica Poirier


hi Érica,
the command you provided does not work when copying the vaultID from the web UI.

It does however return an object when the vaultID is set as follows:

$dsVaultName = 'MyFancyTestVault'
$dsVaultArray = Get-DSVault -All
$dsVaultObject = $dsVaultArray.Body.data | Where-Object {$_.Name -eq $dsVaultName}
$vaultID = $dsVaultObject.ID


so I got the folder object and checked its name

$folderObject = (Get-DSFolders -VaultId $vaultID -IncludeSubFolders).body.data | Where-Object { $_.connectionType -eq '92' }
$folderObject.name

[root]


and also the id

$folderId = $folderObject.id
$folderId

12345678-1234-1234-1234-123456789012


looking good - so far

so the next thing I wanted to do is set the new permissions

$folderPermissions = @(
    [ConnectionPermission]@{
        IsEmpty  = $false
        Override = [SecurityRoleOverride]::Everyone
        Right    = [SecurityRoleRight]::ViewPassword
        Roles    = @("")
    }
)


but this fails with the following error message

InvalidOperation: Unable to find type [ConnectionPermission].


Looking back to my original post I tried creating the permissions "just like before"

$folderPermissions = New-Object PSObject -Property @{ Override = 'Everyone'; Right = 'ViewPassword'; Roles = @(''); RoleValues = ''; }

Set-DSEntityPermissions -EntityId $folderId -Permissions $folderPermissions


This failed with a more detailed error message

Set-DSEntityPermissions: Cannot bind parameter 'Permissions'. Cannot convert value "@{Right=ViewPassword; Roles=System.Object[]; RoleValues=; Override=Everyone}" to type "RemoteDesktopManager.PowerShellModule.Private.models.ConnectionPermission". Error: "Cannot convert the "@{Right=ViewPassword; Roles=System.Object[]; RoleValues=; Override=Everyone}" value of type "System.Management.Automation.PSCustomObject" to type "RemoteDesktopManager.PowerShellModule.Private.models.ConnectionPermission"."


So I figured I should create the permissions object like so:

$folderPermissions = @(
    [RemoteDesktopManager.PowerShellModule.Private.models.ConnectionPermission]@{
        IsEmpty  = $false
        Override = [SecurityRoleOverride]::Everyone
        Right    = [SecurityRoleRight]::ViewPassword
        Roles    = @("")
    }
)


just to read the next error message

Unable to find type [SecurityRoleOverride]


Tinkering some more I thought of getting rid of the specific types for 'Override' and 'Right' and instead using plain strings for those properties

$folderPermissions = @(
    [RemoteDesktopManager.PowerShellModule.Private.models.ConnectionPermission]@{
        IsEmpty  = $false
        Override = 'Everyone'
        Right    = 'ViewPassword'
        Roles    = @("")
    }
)


as I did not get any errors I ran it against Set-DSEntityPermissions - again without any errors but a

Set-DSEntityPermissions -EntityId $folderId -Permissions $folderPermissions

DetailedErrorMessage ErrorMessage IsSuccess  Result
-------------------- ------------ ---------  ------
                                       True Success


success - finally
\o/

also double checked: the web UI security settings of the root object now show the 'ViewPassword' permission as expected.

KR
G.


Hello Guenther,

Thank you for sharing your detailed solution and glad that you have found out the proper method to get it working.

Best regards,

Érica Poirier
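
The working sequence from Guenther's last post, gathered into one guarded function as an added example (not code from the thread or from Devolutions). The function name Set-VaultRootPermission is hypothetical, an authenticated DVLS session is assumed to exist already, and every response is assumed to expose IsSuccess and Result as in the outputs shown above.

```powershell
# Added example: Set-VaultRootPermission is a hypothetical name; an authenticated
# DVLS session is assumed, and responses are assumed to carry IsSuccess/Result.
function Set-VaultRootPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Override,   # e.g. 'Everyone' or 'Custom'
        [Parameter(Mandatory)] [string] $Right,      # e.g. 'ViewPassword'
        [string[]] $Roles = @('')
    )
    # Resolve the vault ID by name; the ID copied from the web UI did not work in the thread.
    $vaults = @((Get-DSVault -All).Body.data | Where-Object { $_.Name -eq $VaultName })
    if ($vaults.Count -ne 1) {
        throw "Expected exactly one vault named '$VaultName', found $($vaults.Count)."
    }
    # Check the call result before reading the body (the thread shows an AccessDenied result).
    $response = Get-DSFolders -VaultId $vaults[0].ID -IncludeSubFolders
    if (-not $response.IsSuccess) {
        throw "Get-DSFolders failed for '$VaultName': $($response.Result)"
    }
    # The root record is the entry with connectionType 92 (its name is '[root]').
    $root = @($response.Body.data | Where-Object { $_.connectionType -eq '92' })
    if ($root.Count -ne 1) {
        throw "Expected one root record in '$VaultName', found $($root.Count)."
    }
    # Fully qualified type with plain strings for Override and Right: the short names
    # [ConnectionPermission] and [SecurityRoleOverride] could not be resolved in the thread.
    $permissions = @(
        [RemoteDesktopManager.PowerShellModule.Private.models.ConnectionPermission]@{
            IsEmpty  = $false
            Override = $Override
            Right    = $Right
            Roles    = $Roles
        }
    )
    if ($PSCmdlet.ShouldProcess("$VaultName [root] ($($root[0].id))", "Set '$Right' to '$Override'")) {
        $result = Set-DSEntityPermissions -EntityId $root[0].id -Permissions $permissions
        if (-not $result.IsSuccess) {
            throw "Set-DSEntityPermissions failed: $($result.Result) $($result.ErrorMessage)"
        }
        $result
    }
}

# Dry run with the values from the thread; drop -WhatIf to apply the change.
Set-VaultRootPermission -VaultName 'MyFancyTestVault' -Override 'Everyone' -Right 'ViewPassword' -WhatIf
```

With -WhatIf the vault and root record are still looked up, so a wrong vault name or an AccessDenied result surfaces before any permission is written.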