Granular Role Based Access Control - Script Visibility

Hello,

We are doing more and more comanaged IT and we really need to be able to restrict users to only see certain scripts. We have not given our comanaged IT access to Syncro yet because we have customer names and info in our scripts and we have no way to prevent them from seeing other customers' scripts. We need to be able to tag scripts to a customer and allow users to only be able to see scripts for their own customer object (or customers they have been granted access to). I would also like the ability to tag a script so that it can ONLY be run on a certain customer. Today, we have deployment scripts that use unique keys per customer, but I could accidentally run a script meant for Customer01 on Customer02; there is no way to prevent this from happening.

1 Like

Some room for improvement here for sure.

One suggestion that we’ve done: make scripts all generic as much as possible and pass specific keys, etc. as variables from the customer record. This has helped us out a lot and de-duplicated a lot of scripts.

1 Like

I agree, being able to give access to scripts based on script tag would be a great feature. Though, like jbaynes said, we do not have any customer-specific scripts. All scripts are written generic and customer-specific details are stored in the customer custom fields. Then the script can be run against any client and will either do what it needs to based on the fields being filled or gracefully exit if there is nothing to do.

1 Like

Well, I am dumb. Not sure why I hadn’t thought of this. Our scripts have been a mess making copies for customers :confused: This will save a lot of time! Learn something new every day.

Cheers!

Make sure to check to see if the custom field is blank. Some installs will hang open if the token is missing.

This is one I do for VPNs

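# Stop before any VPN setup if a required script variable is blank.
# IsNullOrWhiteSpace also catches $null, which a plain -ne "" comparison lets through.
if (-not [string]::IsNullOrWhiteSpace($Destination)) {
    Write-Host "Destination valid, continuing"
}
else {
    Write-Host "No Destination Detected"
    exit 1
}

if (-not [string]::IsNullOrWhiteSpace($ConnectionName)) {
    Write-Host "Connection Name valid, continuing"
}
else {
    Write-Host "No Connection Name Detected"
    exit 1
}

if (-not [string]::IsNullOrWhiteSpace($ServerAddress)) {
    Write-Host "Server Address valid, continuing"
}
else {
    Write-Host "No Server Address Detected"
    exit 1
}

# Only the presence of the key is reported; its value is never written to output.
if (-not [string]::IsNullOrWhiteSpace($PresharedKey)) {
    Write-Host "Pre-shared Key valid, continuing"
}
else {
    Write-Host "No Pre-shared Key Detected"
    exit 1
}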

Simple method

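# Exit early when the token is null, empty or whitespace so the installer never starts without it.
if ([string]::IsNullOrWhiteSpace($RegistrationToken)) {
    Write-Host "No Registration Token Detected"
    exit 1
}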

Script variables for the win :). So much power there if needed. I bet this seriously cuts down your total script count.
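
The per-variable checks in the VPN post can be collapsed into a single pass that reports every blank value at once. The following is an added example, not code from any poster in this thread; the function name `Get-MissingVariable` and the sample values are assumptions, and the variable names are taken from the VPN snippet above.

```powershell
# Added example: validate all required script variables in one pass.
# Get-MissingVariable is a hypothetical helper; the sample values are constructed.

function Get-MissingVariable {
    [CmdletBinding()]
    param(
        # Name -> value map of the variables the script requires.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Required
    )
    # Emit the names (never the values) of entries that are null, empty or whitespace.
    foreach ($name in $Required.Keys) {
        if ([string]::IsNullOrWhiteSpace([string]$Required[$name])) {
            $name
        }
    }
}

# Constructed sample input; in a real run these arrive as script variables
# filled from the customer record.
$Destination    = '10.0.0.0/24'
$ConnectionName = 'Example VPN'
$ServerAddress  = 'vpn.example.com'
$PresharedKey   = ''   # simulates a blank custom field

$missing = @(Get-MissingVariable -Required ([ordered]@{
    Destination    = $Destination
    ConnectionName = $ConnectionName
    ServerAddress  = $ServerAddress
    PresharedKey   = $PresharedKey
}))

if ($missing.Count -gt 0) {
    # Log names only, so a secret such as the pre-shared key never reaches the script output.
    Write-Host "Missing required variables: $($missing -join ', ')"
    exit 1
}

Write-Host 'All required variables present, continuing'
```

With the constructed values above, the run stops with exit code 1 and names `PresharedKey` as the missing variable.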