1E 23.7 (SaaS)

A principal is a security identity that can be associated with roles and permissions. Currently in Tachyon a principal can be either a primary Windows domain account or a domain group.

You can report on the principals associated with a Tachyon installation using the Get-TachyonPrincipal cmdlet discussed below.

A principal who has been granted full administrative rights is an Administrator Principal. You can report on these principals using the get-TachyonAdminPrincipal cmdlet discussed below.

A principal can be associated with zero or more roles. Roles define relatively broad areas of functionality with which the principal can interact. For example, 'View Experience Dashboards'.

You can create new roles, as well as work with existing roles in the system.

Role permissions, often abbreviated as just 'permissions' are more fine-grained sets of functionality which, when collated together, define the overall role's capabilities.

Role permissions associate a role with a set of operations that can be performed on securable types. These concepts are discussed below.

For example, the role 'Infrastructure Administrators' is associated with three role permissions. These permissions associate the role with three operations 'Read','Write' and 'Delete'. These operations in turn are defined to be performed against the securable type 'Infrastructure'.

Therefore every role permission must be associated with three entities

As discussed above, each role permission is associated with a securable type. For example, 'InstructionSet' is a securable type.

For each securable type, an allowed range of operations is defined. For example, the InstructionSet securable type defines the following operations:

If we look at the above example 'InstructionSet' securable type, then we can define a set of permissions which we can give a role. As shipped, the following roles are associated with instruction sets.

At present all permissions defined in the system are affirmative i.e, GRANT permissions. While there is a property 'Allowed' on a permission which is intended to support DENY permissions (when set to false), this functionality is not currently supported by the RBAC subsystem and is reserved for future enhancement.

Instruction sets, unlike the remaining securable types, can be associated with role permissions at the instance level. As discussed below for the Add-TachyonPermissionTorRole, you can specify a securable type instance id (which corresponds to the id of the instruction set itself) to this cmdlet to define a particular instruction set to which the permission should apply. If an instance Id is not specified or does not correspond to a valid instruction set id, then the permission is granted to all instruction sets

Management groups (see Working with management groups and the Tachyon PowerShell Toolkit) can be associated with roles (Tachyon versions prior to release 8) or with role/principal pairs (Tachyon versions from 8 onwards). This allows administrators to constrain the rights of other principals to a subset of devices defined by the management group rules.

Returns all principals that have been defined, or, if the Id parameter is specified, the details for the principal whose Id is provided.

Adds the specified account name as a principal. Specify the account in domain\user format. Optionally an email address and/or display name can be provided

Removes the principal whose Id is specified

Returns all administrator principals in the same format as get-TachyonPrincipal

Returns all roles defined, or the specific role if the optional -Id or -Name parameter is supplied

Adds the role specified by the name and description. No two roles may have the same name; an error is raised if you attempt to add a duplicate role.

The -CanBeDelegated parameter is ignored for versions of Tachyon earlier than v8. For versions v8 and later, it defines whether the role can be delegated by a use who lacks global system administrator privileges

Specifically:-

CanBeDelegated = $false means only a Person who has Security -> Write on All Devices Management Group (i.e a so called "Global Security Admin" type of person) can assign that Role.

CanBeDelegated = $true means you need Security -> Read on a management group to assign, or delegate, the role to another principal

CanBeDelegated must be false if any of the permissions for the role use global securable types. The Get-TachyonSecurableType cmdlet will return whether a securable type is global or not in the IsGlobal member

If you attempt to assign a permission to a role with CanBeDelegated set to $true and that permission has global scope, then an error is thrown.

Removes the specified role. If the role is associated with any principals, then an error is raised unless the -Force parameter is supplied. In that case the role is removed regardless.

The -Whatif parameter allows you to view the principals, if any, associated with the role, but without any further action being taken

Returns the roles (if any) associated with the principal whose Id is specified.

Returns the principals (if any) associated with the role whose Id is specified

Adds the role whose role id is specified to the principal whose id is specified

Removes the role whose role id is specified from the principal whose id is specified

Retrieves the management groups associated with a role

Returns the principal/role pairs that have been associated with a management group. In Tachyon 8 onwards, these pairs are associated with management groups as a single entity.

If no arguments are supplied, all principal/role pairs are returned for all management groups.

If a Role Id, Principal Id or Management Group Id is supplied, only the principal/role pairs associated with that Id are returned. Only one of the three Ids can be supplied at any time.

If a RoleName or Principal Name is supplied, only the principal/role pairs associated with the associated name are returned.

Adds the principal and role specified by their respective IDs to the management group specified. An error is thrown if any id is invalid, or if the principal/role pair is already associated with the specified management group

Removes the principal and role specified by their respective IDs from the management group specified. An error is thrown if any id is invalid, or if the principal/role pair is not associated with the specified management group

Returns the details for the permission whose Id is specified or all role permissions which are associated with a specified securable type, specified by the -TypeId parameter

Gets the permissions associated with the role whose Id is specified. The format is identical to that from get-tachyonpermission

Adds a permission to the role. The permission must specify a valid securable type and a valid securable operation on that type. To do this, see the sections below on securable type cmdlets and operation cmdlets

You cannot add a permission with the same values for typeid and operationid multiple times; an error is raised if you do so.

Removes the permission specified by its Id.

Returns the defined securable types. For each securable type, the set of allowed operations is also returned

Returns the valid operations for the specified securable type