dsccommunity / SharePointDsc

The SharePointDsc PowerShell module provides DSC resources that can be used to deploy and manage a SharePoint farm
MIT License

SPServiceAppAdmins: New resource proposal #1390

Closed HeKr09 closed 2 years ago

HeKr09 commented 2 years ago

Resource proposal

I didn't find any resource to set the service application administrators. Maybe I am wrong?! I already implemented a Script-Resource which works fine for me. Maybe the community can optimize it :)

Proposed properties

    Script "UserProfileServiceAdminFarmAdmin" {
        GetScript            = {
            # Return the administrator access rules whose name ends with the account name
            Invoke-SPDscCommand -Arguments @($using:UPS.Name, $using:accountName) -ScriptBlock {
                $spapp = Get-SPServiceApplication -Name $args[0]
                $security = Get-SPServiceApplicationSecurity $spapp -Admin
                return $($security.AccessRules | Where-Object Name -like "*$($args[1])")
            }
        }
        SetScript            = {
            # Re-run GetScript to find out whether the account already has an access rule
            $accountAccessRule = [ScriptBlock]::Create($GetScript).Invoke()
            Invoke-SPDscCommand -Arguments @($using:accountAccessRule, $using:accountName, $using:UPS.Name, $using:rights) -ScriptBlock {
                $principal = New-SPClaimsPrincipal $args[1] -IdentityType WindowsSamAccountName
                $spapp = Get-SPServiceApplication -Name $args[2]
                $security = Get-SPServiceApplicationSecurity $spapp -Admin
                # Revoke an existing entry first, then grant the requested rights
                if ($args[0].Count -eq 1)
                {
                    Revoke-SPObjectSecurity -Identity $security -Principal $principal
                }
                Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $args[3]
                Set-SPServiceApplicationSecurity -Identity $spapp -ObjectSecurity $security -Admin
            }
        }
        TestScript           = {
            $accountAccessRule = [ScriptBlock]::Create($GetScript).Invoke()
            # TODO Test Permissions
            # Always returns $false, so SetScript runs on every consistency check
            return $false
        }

        DependsOn            = @("[SPUserProfileServiceApp]UserProfileServiceApp")
        PsDscRunAsCredential = $SpSetupAccount
    }

Special considerations or limitations

I tried to test the permissions but did not find any proper documentation about the rights enum within the AccessRules.

ykuijs commented 2 years ago

This resource already exists and is called SPServiceAppSecurity. Documentation can be found here
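For reference, a configuration that uses SPServiceAppSecurity in place of the Script resource proposed above. This is an added example, not part of the thread or the project's own sample; the service application name and the CONTOSO accounts are constructed placeholders.

```powershell
Configuration ServiceAppAdmins
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    Node localhost
    {
        # Members is authoritative: administrators that are not listed
        # here are removed, so drift in the admin list gets corrected.
        SPServiceAppSecurity UserProfileServiceAdmins
        {
            ServiceAppName       = "User Profile Service Application"  # assumed name
            SecurityType         = "Administrators"
            Members              = @(
                MSFT_SPServiceAppSecurityEntry {
                    Username     = "CONTOSO\sp_farm"                   # constructed account
                    AccessLevels = @("Full Control")
                }
            )
            PsDscRunAsCredential = $SetupAccount
        }

        # MembersToInclude is additive: listed entries are ensured and
        # existing entries that are not listed are left in place.
        SPServiceAppSecurity UserProfileServiceSharing
        {
            ServiceAppName       = "User Profile Service Application"  # assumed name
            SecurityType         = "SharingPermissions"
            MembersToInclude     = @(
                MSFT_SPServiceAppSecurityEntry {
                    Username     = "CONTOSO\sp_webapp"                 # constructed account
                    AccessLevels = @("Full Control")
                }
            )
            PsDscRunAsCredential = $SetupAccount
        }
    }
}
```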

HeKr09 commented 2 years ago

Thank you! I really didn't find it :(