/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = roleAssignment.ObjectType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (roleAssignment.ObjectType == null)
{
PSADObject asignee = ActiveDirectoryClient.GetADObject(new ADObjectFilterOptions()
{
Id = roleAssignment.ObjectId
});
if (asignee == null)
{
throw new ArgumentException("No AD object could be found with current parameters, please confirm the information provided is correct and try again");
}
principalType = asignee is PSADUser ? "User" : asignee is PSADServicePrincipal ? "ServicePrincipal" : asignee is PSADGroup ? "Group" : null;
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
PSRoleAssignment roleAssignment = FilterRoleAssignments(options).FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return(roleAssignment);
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType = null;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (roleAssignment.ObjectType == null)
{
var asignee = ActiveDirectoryClient.GetObjectsByObjectId(new List <string> {
roleAssignment.ObjectId
}).SingleOrDefault();
if (!(asignee is PSErrorHelperObject) && asignee.Type != null)
{
principalType = asignee.Type;
}
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
// Match role assignments at exact scope. At most 1 roleAssignment should match the criteria
PSRoleAssignment roleAssignment = FilterRoleAssignments(options, currentSubscription: string.Empty)
.Where(ra => ra.Scope == options.Scope.TrimEnd('/'))
.FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return(roleAssignment);
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType = null;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (string.IsNullOrEmpty(roleAssignment.ObjectType))
{
try
{
var assignee = ActiveDirectoryClient.GetObjectByObjectId(roleAssignment.ObjectId);
principalType = assignee?.Type;
}
catch
{
// Ignore
}
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentId = roleAssignment.RoleAssignmentId.GuidFromFullyQualifiedId();
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
return(AuthorizationManagementClient.RoleAssignments.Create(scope, roleAssignmentId, createParameters).ToPSRoleAssignment(this, ActiveDirectoryClient));
}
