Created
March 22, 2016 00:42
-
-
Save dgosbell/5fc6a31490273864524f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$serverList = @("localhost","localhost\MD12") #an array of SSAS instances | |
$roleName = "Metadata Role" | |
$roleMembers = @("Everyone") # an array of user/group names | |
# load the AMO assemblies into the current runspace | |
$assembly = [System.Reflection.Assembly] | |
$assembly::LoadWithPartialName("Microsoft.AnalysisServices") > $null | |
foreach ($serverName in $serverList) | |
{ | |
# connect to the server | |
$svr = new-Object Microsoft.AnalysisServices.Server | |
$svr.Connect($serverName) | |
foreach ($db in $svr.Databases) | |
{ | |
# $svr.CaptureXml = $true # start capturing commands | |
$r = $db.Roles.FindByName($roleName) | |
if ($r -eq $null) | |
{ | |
# create role | |
# =================== | |
write-Host "Adding $roleName Role to : " $db.Name | |
$r = $db.Roles.Add($roleName) | |
# add role members | |
# =================== | |
foreach($grp in $roleMembers) | |
{ | |
$r.Members.Add($grp) > $null # supress the echoing of the member count | |
} | |
$r.Update() | |
# add database read permissions | |
# =================== | |
$dbPerm = $db.DatabasePermissions.Add($r.ID, "DatabasePermissions_for_$($roleName.Replace(' ','_'))") | |
$dbPerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
## This may be needed for metadata queries | |
$dbPerm.ReadDefinition = [Microsoft.AnalysisServices.ReadDefinitionAccess]::Allowed | |
$dbPerm.Update() | |
# add cube read permissions | |
# =================== | |
foreach ($cube in $db.Cubes) | |
{ | |
$cubePerm = $cube.CubePermissions.Add($r.ID, "CubePermissions_for_$($roleName.Replace(' ','_'))") | |
$cubePerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
$cubePerm.Update() | |
} | |
} | |
else | |
{ | |
# check the membership for existing support roles | |
$membersNeedsFixing = $false | |
write-Host "$roleName Role already exists for : " $db.Name | |
# check if the specified members are missing from the support role | |
foreach ($grp in $roleMembers) | |
{ | |
$membersNeedsFixing = $true | |
foreach ($rm in $r.members) | |
{ | |
if ($rm.Name -ieq $grp ) | |
{ | |
#write-warning " -- support role missing: $grp" | |
$membersNeedsFixing = $false | |
continue | |
} | |
} | |
if ($membersNeedsFixing) | |
{ | |
write-warning " -- $grp missing from role" | |
$r.Members.Add($grp) | |
$roleDirty = $true | |
} | |
} | |
# remove any other members which are not in the specified list | |
# ====================== | |
# need to loop through the list in reverse as deleting from the front | |
# of a collection will change all the indexes | |
for ($iMbr = $r.Members.Count -1;$iMbr -gt 0;$iMbr--) | |
{ | |
$rm = $r.Members[$iMbr] | |
$membersNeedsFixing = $true | |
foreach ($grp in $roleMembers) | |
{ | |
if ($rm.Name -ieq $grp ) | |
{ | |
# this role member exists in the list of specified groups | |
$membersNeedsFixing = $false | |
continue | |
} | |
} | |
if ($membersNeedsFixing) | |
{ | |
write-warning " -- $($rm.Name) [$iMbr] will be removed from the role" | |
$r.Members.RemoveAt($iMbr) | |
$roleDirty = $true | |
} | |
} | |
if ($roleDirty) | |
{ | |
$r.Update(); # only update the role if we've changed something | |
} | |
# check if database permissions are set correctly | |
$dbperm = $db.DatabasePermissions.FindByRole($r.ID) | |
if ($dbperm -eq $null) | |
{ | |
Write-Warning " -- creating db read permissions" | |
$dbPerm = $db.DatabasePermissions.Add($r.ID, "DatabasePermissions_for_$($roleName.Replace(' ','_'))") | |
$dbPerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
## This may be needed for metadata queries | |
$perm.ReadDefinition = [Microsoft.AnalysisServices.ReadDefinitionAccess]::Allowed | |
$dbPerm.Update() | |
} | |
else | |
{ | |
if ($dbperm.Read -ne [Microsoft.AnalysisServices.ReadAccess]::Allowed) | |
{ | |
Write-Warning " -- fixing db read permissions" | |
$dbPerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
$dbPerm.Update() | |
} | |
if ($dbperm.ReadDefinition -ne [Microsoft.AnalysisServices.ReadDefinitionAccess]::Allowed) | |
{ | |
Write-Warning " -- fixing db read permissions" | |
$dbPerm.ReadDefinition = [Microsoft.AnalysisServices.ReadDefinitionAccess]::Allowed | |
$dbPerm.Update() | |
} | |
} | |
# check if cube permissions are set correctly | |
foreach ($c in $db.Cubes) | |
{ | |
$cubePerm = $c.CubePermissions.FindByRole($r.ID) | |
if ($cubePerm -eq $null) | |
{ | |
write-warning " -- creating cube permissions for $($c.name)" | |
$cubePerm = $cube.CubePermissions.Add($r.ID, "CubePermissions_for_$($roleName.Replace(' ','_'))") | |
$cubePerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
$cubePerm.Update() | |
} | |
else | |
{ | |
if ($cubePerm.Read -ne [Microsoft.AnalysisServices.ReadAccess]::Allowed) | |
{ | |
write-warning " -- adding cube read permissions for $($c.name)" | |
$cubePerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed | |
$cubePerm.Update() | |
} | |
} | |
} | |
} | |
} # end foreach DB | |
$svr.Disconnect() | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment