A script to add groups into policies in Purview
# Script parameters. All ids are Azure AD object ids (GUIDs as strings).
# [string] parameters defaulting to $null arrive as "" inside the script, so
# every helper below treats "" as "not supplied".
param(
    # Purview account and the ARM scope it lives in
    [string] $PurviewAccountName,
    [string] $SubscriptionId,
    [string] $ResourceGroupName,
    # Optional managed identity to add as root collection admin
    [string] $ManagedIdentityUserID = $null,
    # Groups: root collection admin plus one group per built-in metadata role
    [string] $PurviewDataCollectionAdminGroupObjectId,
    [string] $PurviewDataSourceAdGroupObjectId,
    [string] $PurviewDataCuratorAdGroupObjectId,
    [string] $PurviewReaderAdGroupObjectId,
    [string] $PurviewShareContributorAdGroupObjectId,
    # Optional individual users, one per built-in metadata role
    [string] $PurviewDataSourceUserObjectId = $null,
    [string] $PurviewDataCuratorUserObjectId = $null,
    [string] $PurviewReaderUserObjectId = $null,
    [string] $PurviewShareContributorUserObjectId = $null
)
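#######################################
# Adds an AAD object as root collection admin on the Purview account via the
# ARM "addRootCollectionAdmin" action, retrying on failure.
# Arguments:
#   $objectId            - AAD object id to add; "" or $null is a no-op
#   $SubscriptionId, $ResourceGroupName, $PurviewAccountName - ARM scope of the account
#   $retries, $secondsDelay - retry budget. The original referenced these names
#                          without defining them anywhere, so it threw on the
#                          first failure; the defaults here are constructed.
# Outputs: the REST response, if any, is written to the pipeline
# Returns: nothing; rethrows the last error once $retries attempts have failed
#######################################
function Add-RootCollectionAdmin(
    [string] $objectId,
    [string] $SubscriptionId,
    [string] $ResourceGroupName,
    [string] $PurviewAccountName,
    [int] $retries = 3,
    [int] $secondsDelay = 10
) {
    if ([string]::IsNullOrEmpty($objectId)) {
        return
    }
    Write-Host "Adding root collection admin $objectId"
    # ARM token; it is placed only in the Authorization header and never logged
    $token = (Get-AzAccessToken -Resource "https://management.azure.com").Token
    $headers = @{ Authorization = "Bearer $token" }
    # Serialize instead of string-building the JSON so an objectId containing
    # quotes or backslashes cannot change the shape of the request body
    $body = ConvertTo-Json -InputObject @{ objectId = $objectId } -Compress
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Purview/accounts/$PurviewAccountName/addRootCollectionAdmin?api-version=2021-07-01"
    $attempt = 1
    while ($true) {
        try {
            Invoke-RestMethod -Method Post -ContentType "application/json" -Uri $uri -Headers $headers -Body $body -ErrorAction Stop
            return
        }
        catch {
            if ($attempt -ge $retries) {
                Write-Host "Adding root collection admin failed the maximum number of $attempt times for $objectId"
                throw
            }
            Write-Host "Adding root collection admin failed $attempt time(s). Retrying in $secondsDelay seconds for $objectId"
            # $_ is the error that was just caught; $Error[0] could be something else
            Write-Warning $_
            Start-Sleep -Seconds $secondsDelay
            $attempt++
        }
    }
}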
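#######################################
# Sends one request to the Purview data-plane REST API and returns the parsed
# response.
# Globals:   $token (read) - bearer token for https://purview.azure.net,
#            expected to be set by the caller's scope before this is invoked
# Arguments: $Method - HTTP verb, e.g. "GET" / "PUT"
#            $Url    - full request URL
#            $Body   - JSON request body; "" or $null sends no body
# Outputs:   the deserialized response on success
# Returns:   rethrows the request error after logging its message
#######################################
function CallPurviewApi (
    [string] $Method,
    [string] $Url,
    [string] $Body
) {
    $Headers = @{
        "Accept"        = "*/*"
        "User-Agent"    = "Windows PowerShell 7.x Purview API PS"
        "Authorization" = "Bearer $token"
        "Content-Type"  = "application/json"
    }
    # Log method and URL only; headers carry the bearer token and must not be echoed
    Write-Host "Invoking API : Sending Request ... " -ForegroundColor DarkCyan -NoNewLine
    Write-Host " $Method $Url"
    $request = @{
        Method      = $Method
        Uri         = $Url
        Headers     = $Headers
        ErrorAction = "Stop"
    }
    # Only attach a body when one was given; GET callers pass none
    if (-not [string]::IsNullOrEmpty($Body)) {
        $request["Body"] = $Body
    }
    Try {
        $result = Invoke-RestMethod @request
    }
    Catch {
        Write-Host "API call failed :-> $($_.Exception.Message)"
        throw
    }
    Write-Host "API Response Received :-> " -ForegroundColor Green
    Write-Output $result
}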
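#######################################
# Lists the account's metadata policies and returns their id(s).
# Globals:   $PurviewAccountName (read); $token (read, via CallPurviewApi)
# Outputs:   the "id" of each entry in the response's "values" - a single
#            string when one policy exists, an array when there are several
#            (the caller is expected to handle that case)
# Returns:   whatever CallPurviewApi throws on request failure
#######################################
function Get-PolicyId() {
    $uri = "https://$PurviewAccountName.purview.azure.com/policystore/metadataPolicies?api-version=2021-07-01"
    # The original passed a script-level $body that is not defined at this
    # point; a GET needs no body, so none is sent
    $res = CallPurviewApi -Method "GET" -Url $uri
    return $res.values.id
}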
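#######################################
# Adds a group to one attribute rule's dnfCondition.
# Arguments: $GroupId      - AAD group object id; "" or $null leaves the
#                           condition untouched
#            $PolicyId     - kept for the existing call sites; not used here
#            $PolicyName   - built-in role name written into the new rule
#            $dnfCondition - the rule's dnfCondition array
# Returns:   the updated dnfCondition. Element [1] is assumed to be the
#            "groups" term of the condition and [1][1] its principal entry;
#            that layout comes from the policy JSON, not from this script.
#######################################
function Add-GroupToPolicy (
    [string] $GroupId,
    [string] $PolicyId,
    [string] $PolicyName,
    [System.Array] $dnfCondition
) {
    # A [string] parameter is never $null in PowerShell, so the original
    # null-only check let an empty GroupId through and appended "" as a group
    if ([string]::IsNullOrEmpty($GroupId)) {
        return $dnfCondition
    }
    if ($null -eq $dnfCondition[1]) {
        # No groups term yet: create the role term and the groups term together
        $roleTerm = New-Object PSObject -Property @{
            fromRule = $PolicyName;
            attributeName = "derived.purview.role";
            attributeValueIncludes = $PolicyName
        }
        $groupsTerm = New-Object PSObject -Property @{
            attributeName = "principal.microsoft.groups";
            attributeValueIncludedIn = @("$GroupId")
        }
        $dnfCondition = @($dnfCondition[0], @($roleTerm, $groupsTerm))
    }
    else {
        # Groups term exists: append to its principal list
        $dnfCondition[1][1].attributeValueIncludedIn += $GroupId
    }
    return $dnfCondition
}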
#######################################
# Appends a user to the first term of an attribute rule's dnfCondition.
# Arguments: $UserId       - AAD user object id; "" or $null is a no-op
#            $dnfCondition - the rule's dnfCondition array
# Returns:   the dnfCondition, with $UserId appended to
#            [0][0].attributeValueIncludedIn when a UserId was given.
#            That [0][0] layout is assumed from the policy JSON.
#######################################
function Add-UserToPolicy (
    [string] $UserId,
    [System.Array] $dnfCondition
) {
    # [string] params are never $null, so an empty check covers both cases
    if ([string]::IsNullOrEmpty($UserId)) {
        return $dnfCondition
    }
    $principalTerm = $dnfCondition[0][0]
    $principalTerm.attributeValueIncludedIn += $UserId
    return $dnfCondition
}
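# Add Root Collection Admin: the admin group, then the optional managed identity
Add-RootCollectionAdmin -objectId $PurviewDataCollectionAdminGroupObjectId -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -PurviewAccountName $PurviewAccountName
Add-RootCollectionAdmin -objectId $ManagedIdentityUserID -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -PurviewAccountName $PurviewAccountName

# Data-plane token; CallPurviewApi reads $token from this scope. Keep it out of logs.
$token = (Get-AzAccessToken -Resource "https://purview.azure.net").Token
$purviewEndpoint = "https://$PurviewAccountName.purview.azure.com"

# Get-PolicyId returns every policy id in the listing; the URL below only
# makes sense for exactly one, so fail loudly otherwise
$policyId = Get-PolicyId
if ($policyId -is [System.Array]) {
    throw "Expected exactly one metadata policy for $PurviewAccountName, found $($policyId.Count)"
}
if ([string]::IsNullOrEmpty($policyId)) {
    throw "No metadata policy found for $PurviewAccountName"
}

# Get the policy by Id through the API call (GET: no body)
$uri = "$purviewEndpoint/policystore/metadataPolicies/$policyId`?api-version=2021-07-01"
$res = CallPurviewApi -Method "GET" -Url $uri

# One entry per built-in role: rule id pattern, role name, and the group/user to add.
# Order matches the original if/elseif chain; the first matching pattern wins.
$roleMap = @(
    @{ Pattern = "*data-source-administrator*"; PolicyName = "purviewmetadatarole_builtin_data-source-administrator"; GroupId = $PurviewDataSourceAdGroupObjectId;       UserId = $PurviewDataSourceUserObjectId }
    @{ Pattern = "*data-curator*";              PolicyName = "purviewmetadatarole_builtin_data-curator";              GroupId = $PurviewDataCuratorAdGroupObjectId;      UserId = $PurviewDataCuratorUserObjectId }
    @{ Pattern = "*purview-reader*";            PolicyName = "purviewmetadatarole_builtin_purview-reader";            GroupId = $PurviewReaderAdGroupObjectId;           UserId = $PurviewReaderUserObjectId }
    @{ Pattern = "*share-contributor*";         PolicyName = "purviewmetadatarole_builtin_data-share-contributor";    GroupId = $PurviewShareContributorAdGroupObjectId; UserId = $PurviewShareContributorUserObjectId }
)
foreach ($attributeRule in $res.properties.attributeRules) {
    foreach ($role in $roleMap) {
        if ($attributeRule.id -like $role.Pattern) {
            $attributeRule.dnfCondition = Add-GroupToPolicy -GroupId $role.GroupId -PolicyId $policyId -PolicyName $role.PolicyName -dnfCondition $attributeRule.dnfCondition
            $attributeRule.dnfCondition = Add-UserToPolicy -UserId $role.UserId -dnfCondition $attributeRule.dnfCondition
            break
        }
    }
}

# Write the whole (modified) policy back with a PUT
Write-Host "Update metadata policy (ID $policyId)..."
$body = ConvertTo-Json -InputObject $res -Depth 100
$uri = "$purviewEndpoint/policystore/metadataPolicies/" + $policyId + "?api-version=2021-07-01"
CallPurviewApi -Method "PUT" -Url $uri -Body $body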