Jump to content


Sign in to follow this  
rdr222

Find Differences in Security Roles

Recommended Posts

Is there an easier way to find the actual differences between 2 security roles?  I have some custom security roles that are based off the built in security roles.  When a new feature is introduced or new permissions are added to the built in role I want to reflect those new permissions in the custom role.  RBAViewer can compare the roles and see how many differences there are between the custom one and the builtin one but won't actually tell me what those differences are.  Is there a way I can see what permissions are different between roles with RBAViewer?  Is there another way I can find the differences between 2 roles aside from opening both of them up and comparing them permission by permission?

Share this post


Link to post
Share on other sites

There is always Powershell ...

 

Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

####################################
$server = 'sccm01'    # MECM Primary Server Name
$role1 = 'Company Resource Access Manager'   # Security Role Name
$role2 = 'Compliance Settings Manager'   # Security Role Name
$DiffOnly = $false    # change to $true to show differences only
####################################


$ns = 'root\SMS\Site_'+$SiteCode

function _getRoles{

  Param(
    [parameter(position=0)]
    [string]
    $role
  )

  $props = (Get-CMSecurityRole -Name $role -ErrorAction SilentlyContinue | Select *).Properties
  $rules = [System.Collections.Generic.List[psobject]]::new()

  $props.Operations | ForEach-Object {
    $ops = $_.GrantedOperations
    $typeId = $_.ObjectTypeID

    $BitMask = [convert]::ToString($($ops),2)
    $BitMaskReverse = ([regex]::Matches($BitMask,'.','RightToLeft') | ForEach {$_.value}) -join ''
    0..($BitMaskReverse.Length - 1) | ForEach-Object{
        if($BitMaskReverse.Substring($_, 1) -eq 1){
            $BitFlag = [math]::Pow(2, $_)
            $result = Get-CimInstance -Namespace $ns -Query "SELECT * FROM SMS_AvailableOperation WHERE ObjectTypeID=$typeId and BitFlag=$BitFlag" -ComputerName $server
            $rules.AddRange(@([pscustomobject]@{TypeName = $result.ObjectTypeName; OperationName  = $result.OperationName}) -as [psobject[]])
        }
    }
  }
  return $rules
}

$r1 = _getRoles $role1 | Sort-Object -Property TypeName, OperationName
$r2 = _getRoles $role2 | Sort-Object -Property TypeName, OperationName

function _normalizeList{

  Param(
    [parameter(position=0)]
    [System.Collections.Generic.List[psobject]]
    $list
  )

  $tmp = @{}

  $list.TypeName | Get-Unique | ForEach-Object {
    $tn = $($_)
    $val = ($list | Where-Object {$_.TypeName -eq $tn}).OperationName -join ','
    $tmp.Add($tn,$val)
  }
  return $tmp
}


$list1 = _normalizeList $r1
$list2 = _normalizeList $r2


$allkeys = $list1.Keys + $list2.Keys | Sort-Object | Get-Unique

$final = [System.Collections.Generic.List[psobject]]::new()

foreach($key in $allkeys){
  if($list1[$key]){
    $val1 = $list1[$key]
  }
  else{
    $val1 = ''
  }
  if($list2[$key]){
    $val2 = $list2[$key]
  }
  else{
    $val2 = ''
  }

  if($DiffOnly -eq $false -or $val1 -ne $val2){
    $final.AddRange(@([pscustomobject]@{TypeName = $key; $($role1)  = $val1; $($role2) = $val2}) -as [psobject[]])
  }
}

$final | Out-GridView

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...