michaellwest/01-New-AccessRuleList.ps1

## 01-New-AccessRuleList.ps1
$allowItemProps = @{
    PropagationType = [Sitecore.Security.AccessControl.PropagationType]::Entity
    SecurityPermission = [Sitecore.Security.AccessControl.SecurityPermission]::AllowAccess
}

$allowDescendantsProps = @{
    PropagationType = [Sitecore.Security.AccessControl.PropagationType]::Descendants
    SecurityPermission = [Sitecore.Security.AccessControl.SecurityPermission]::AllowAccess
}

function New-AccessRuleList {
    [CmdletBinding()]
    [OutputType("System.Collections.Generic.List[Sitecore.Security.AccessControl.AccessRule]")]
    param(
        [string]$Identity,
        [string[]]$AccessRule,
        [Sitecore.Security.AccessControl.PropagationType]$PropagationType,
        [Sitecore.Security.AccessControl.SecurityPermission]$SecurityPermission
    )

    $list = New-Object "System.Collections.Generic.List[Sitecore.Security.AccessControl.AccessRule]"
    foreach($rule in $accessrule) {
        $list.Add((New-ItemAcl -Identity $Identity -AccessRight $rule -PropagationType $PropagationType -SecurityPermission $SecurityPermission))
    }

    @(,$list)
}

## 02-Setup-SystemSecurity.ps1
Import-Function -Name New-AccessRuleList

function Setup-SystemSecurity {
    Write-Host "[System Settings Security]" -Foreground Yellow

    $realEveryone = "\Everyone"
    $virtualDataItem = Get-Item -Path "master:" -ID "{9700DC24-8969-4638-ACC3-34D54335829E}"
    Write-Information "[A] $($virtualDataItem.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $realEveryone -AccessRule item:create @allowItemProps))
    $virtualDataItem | Add-ItemAcl -AccessRules $accessRules

    $developerRole = "sitecore\Developer"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $developerRole -AccessRule item:create,item:write,item:rename,item:delete @allowDescendantsProps))

    $modulesItem = Get-Item -Path "master:" -ID "{08477468-D438-43D4-9D6A-6D84A611971C}"
    Write-Information "[A] $($modulesItem.ItemPath)"
    $modulesItem | Add-ItemAcl -AccessRules $accessRules

    $settingsItem = Get-Item -Path "master:" -ID "{087E1EA5-6280-4575-9E70-85B588DB91B2}"
    Write-Information "[A] $($settingsItem.ItemPath)"
    $settingsItem | Add-ItemAcl -AccessRules $accessRules

    $tasksItem = Get-Item -Path "master:" -ID "{EF58CA2C-3E59-44E0-82C1-97FF9B98535F}"
    Write-Information "[A] $($tasksItem.ItemPath)"
    $tasksItem | Add-ItemAcl -AccessRules $accessRules

    $workflowItem = Get-Item -Path "master:" -ID "{05592656-56D7-4D85-AACF-30919EE494F9}"
    Write-Information "[A] $($workflowItem.ItemPath)"
    $workflowItem | Add-ItemAcl -AccessRules $accessRules
}

## 03-Setup-PublishingTargetSecurity.ps1
Import-Function -Name New-AccessRuleList

function Setup-PublishingTargetSecurity {
    param(
        [ValidateNotNullOrEmpty()]
        [string]$Role
    )
    Write-Host "[System Publishing Target Security]" -Foreground Yellow

    $targets = Get-ChildItem -Path "master:" -ID "{D9E44555-02A6-407A-B4FC-96B9026CAADD}"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $Role -AccessRule item:write @allowItemProps))
    $targets | Add-ItemAcl -AccessRules $accessRules
}

## 04-Setup-LanguageSecurity.ps1
Import-Function -Name New-AccessRuleList

function Setup-LanguageSecurity {
    param(
        [ValidateNotNullOrEmpty()]
        [string]$Domain
    )

    $roleEveryone = "$($domain)\Everyone"

    Write-Host "[Language Security]" -ForegroundColor Yellow
    $languageItem = Get-Item -Path "master:\system\languages"
    Write-Information "[A] $($languageItem.ItemPath) - $($domain)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleEveryone -AccessRule language:read,language:write @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleEveryone -AccessRule language:read,language:write @allowDescendantsProps))
    $languageItem | Add-ItemAcl -AccessRules $accessRules
}

## 05-Setup-TenantSecurity.ps1
Import-Function -Name New-AccessRuleList

function Setup-TenantSecurity {
    [CmdletBinding()]
    param(
        [ValidateNotNullOrEmpty()]
        [string]$Company,
        [ValidateNotNullOrEmpty()]
        [string]$Tenant,
        [ValidateNotNullOrEmpty()]
        [string]$Site
    )

    $tenantPath = "master:\content\$($Company)\$($Tenant)"
    $tenantMediaPath = $tenantPath = "master:\media library\project\$($Company)\$($Tenant)"
    $sitePath = "master:\content\$($Company)\$($Tenant)\$($Site)"
    $siteMediaPath = "master:\media library\project\$($Company)\$($Tenant)\$($Site)"

    $domainName = $Company.ToLower()
    $roleBase = "$($domainName)\Base"
    $roleAdmin = "$($domainName)\Admin"
    $roleAuthor = "$($domainName)\Author"
    $roleDesigner = "$($domainName)\Designer"
    $roleDeveloper = "$($domainName)\Developer"
    $roleEditor = "$($domainName)\Editor"
    $roleFrontEnd = "$($domainName)\Front End"
    $roleEveryone = "$($domainName)\Everyone"

    $siteItem = Get-Item -Path $sitePath
    if($siteItem -eq $null){
        Write-Host "Not in site scope"
        exit
    }

    $tenantItem = Get-Item -Path $tenantPath
    if((Get-Domain -Name $domainName -ErrorAction SilentlyContinue) -eq $null){
        Write-Host "Domain does not exist!"
        exit
    }

    # Create roles if missing

    if(-not(Get-Role -Identity $roleBase -ErrorAction 0)) {
        New-Role -Identity $roleBase > $null
        Add-RoleMember -Identity "sitecore\Sitecore Client Authoring" -Members $roleBase
        Add-RoleMember -Identity "sitecore\Sitecore Client Users" -Members $roleBase
    }

    if(-not(Get-Role -Identity $roleAdmin -ErrorAction 0)) {
        New-Role -Identity $roleAdmin > $null
        Add-RoleMember -Identity "sitecore\Sitecore Local Administrators" -Members $roleAdmin
        Add-RoleMember -Identity $roleBase -Members $roleAdmin
    }

    if(-not(Get-Role -Identity $roleDeveloper -ErrorAction 0)) {
        New-Role -Identity $roleDeveloper > $null
        Add-RoleMember -Identity "sitecore\Developer" -Members $roleDeveloper
        Add-RoleMember -Identity "sitecore\Sitecore Client Advanced Publishing" -Members $roleDeveloper
        Add-RoleMember -Identity $roleBase -Members $roleDeveloper
    }

    if(-not(Get-Role -Identity $roleEditor -ErrorAction 0)) {
        New-Role -Identity $roleEditor > $null
        Add-RoleMember -Identity "sitecore\Author" -Members $roleEditor
        Add-RoleMember -Identity "sitecore\Designer" -Members $roleEditor
        Add-RoleMember -Identity "sitecore\Sitecore Client Publishing" -Members $roleEditor
        Add-RoleMember -Identity $roleBase -Members $roleEditor
    }

    $roleDesignerExists = $true
    if(-not(Get-Role -Identity $roleDesigner -ErrorAction 0)) {
        $roleDesignerExists = $false
    }

    $roleFrontEndExists = $true
    if(-not(Get-Role -Identity $roleFrontEnd -ErrorAction 0)) {
        $roleFrontEndExists = $false
    }

    Write-Host "[Site Security]" -ForegroundColor Yellow
    Write-Information "[A] $($siteItem.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:create,item:rename,item:delete @allowDescendantsProps))
    $siteItem | Set-ItemAcl -AccessRules $accessRules

    $homeItem = Get-Item -Path "$($sitePath)\Home"

    Write-Host "[Home Security]" -ForegroundColor Yellow
    Write-Information "[A] $($homeItem.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:create,item:rename,item:delete @allowDescendantsProps))
    $homeItem | Set-ItemAcl -AccessRules $accessRules

    Write-Host "[Overlay Security]" -ForegroundColor Yellow
    $overlayFolderTemplateId = "{D7BFFBE5-DAD8-4137-85DE-28013313F72F}"
    foreach($overlayItem in $homeItem.Children | Where-Object { $_.TemplateID -eq $overlayFolderTemplateId }) {
        Write-Information "[A] $(($overlayItem | Initialize-Item).ItemPath)"
        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:create @allowItemProps))
        $accessRules.Add((New-ItemAcl -Identity $roleBase -AccessRight * -PropagationType Entity -SecurityPermission DenyInheritance))
        $overlayItem | Set-ItemAcl -AccessRules $accessRules

        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $overlayItem | Set-ItemAcl -AccessRules $accessRules
    }

    Write-Host "[Data Security]" -ForegroundColor Yellow
    $dataItem = Get-Item -Path "$($sitePath)\Data"
    $dataFolders = gci -path $dataItem.Paths.Path -Language $dataItem.Language.Name
    foreach($dF in $dataFolders){
        Write-Information "[A] $($dF.ItemPath)"
        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $dF | Set-ItemAcl -AccessRules $accessRules
    }

    Write-Host "[Media Security]" -ForegroundColor Yellow
    $siteMediaItem = Get-Item -Path "$($sitePath)\Media"
    Write-Information "[A] $($siteMediaItem.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
    $siteMediaItem | Set-ItemAcl -AccessRules $accessRules

    Write-Host "[Media Library Security]" -ForegroundColor Yellow
    $siteMediaLibraryRoot = Get-Item -Path $siteMediaPath
    Write-Information "[A] $($siteMediaLibraryRoot.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
    $siteMediaLibraryRoot | Set-ItemAcl -AccessRules $accessRules

    $tenantMediaLibrarySharedFolder = Get-Item -Path "$($tenantMediaPath)\shared"
    Write-Information "[A] $($tenantMediaLibrarySharedFolder.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
    $tenantMediaLibrarySharedFolder | Set-ItemAcl -AccessRules $accessRules

    Write-Host "[Presentation Security]" -ForegroundColor Yellow
    $presentationItem = Get-Item -Path "$($sitePath)\Presentation"
    $presentationChildren = Get-ChildItem -Path $presentationItem.Paths.Path -Language $presentationItem.Language.Name
    foreach($pC in $presentationChildren){
        Write-Information "[A] $($pC.ItemPath)"
        if($roleDesignerExists) {
            $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
            $accessRules.AddRange((New-AccessRuleList -Identity $roleDesigner -AccessRule item:create,item:write @allowItemProps))
            $accessRules.AddRange((New-AccessRuleList -Identity $roleDesigner -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
            $pC | Set-ItemAcl -AccessRules $accessRules
        }

        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create,item:write @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $pC | Set-ItemAcl -AccessRules $accessRules

        if($roleFrontEndExists) {
            $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
            $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create,item:write @allowItemProps))
            $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
            $pC | Set-ItemAcl -AccessRules $accessRules
         }
    }

    Write-Host "[Theme Security]" -ForegroundColor Yellow
    $sourcePresPath = "/sitecore/media library/Themes/$($domainName)/$($tenantItem.Name)//*[@@templatename='Theme']"
    $tenantThemes = Get-Item -Path "master:" -Query $sourcePresPath -Language $tenantItem.Language.Name | Initialize-Item
    foreach($tTheme in $tenantThemes){
        Write-Information "[A] $($tTheme.ItemPath)"
        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:create,item:write @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $tTheme | Set-ItemAcl -AccessRules $accessRules

        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create,item:write @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $tTheme | Set-ItemAcl -AccessRules $accessRules

        if($roleFrontEndExists) {
            $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
            $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create,item:write @allowItemProps))
            $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
            $tTheme | Set-ItemAcl -AccessRules $accessRules
        }
    }

    Write-Host "[Data Templates Security]" -ForegroundColor Yellow
    $settingsItem = Get-Item -Path "$($sitePath)\Settings"
    $tenantTemplatesItem = Get-Item master: -ID ($settingsItem.Fields['Templates'].Value)
    Write-Information "[A] $($tenantTemplatesItem.ItemPath)"
    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
    $tenantTemplatesItem | Set-ItemAcl -AccessRules $accessRules

    if($roleFrontEndExists) {
        $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
        $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create @allowItemProps))
        $accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
        $tenantTemplatesItem | Set-ItemAcl -AccessRules $accessRules
    }

    $accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
    $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create @allowItemProps))
    $accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
    $tenantTemplatesItem | Set-ItemAcl -AccessRules $accessRules
}

## 06-SecurityWizard.ps1
<#
    AccountType
    ar = Role
    au = User
    a?

    Propagation
    pd = Descendants
    pe = Entity
    p* = Any

    Rule Token
    ! = Deny Inheritance
    + = Allow Access
    - = Deny Access
    ^ = Allow Inheritance
#>

$InformationPreference = "Continue"

Import-Function -Name Setup-LanguageSecurity
Import-Function -Name Setup-PublishingTargetSecurity
Import-Function -Name Setup-SystemSecurity
Import-Function -Name Setup-TenantSecurity

$siteTemplateId = "{6669DC16-F106-44B5-96BE-7A31AE82B5B5}"
$tenantTemplateId = "{215F8C54-68B3-4481-A20B-A5716F06081F}"
$tenantFolderTemplateId = "{4F539F2E-9CF9-4453-8E82-3D13DED12AB3}"

filter Where-IsSxaSite {
    $siteItemTemplateId = "{6669DC16-F106-44B5-96BE-7A31AE82B5B5}"

    $siteContext = $_
    if([string]::IsNullOrEmpty($siteContext.RootPath)) { return }
    $siteItem = Get-Item -Path $siteContext.RootPath
    if($siteItem -eq $null) { return }
    $isSxaSite = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($siteItem).InheritsFrom($siteItemTemplateId)
    if($isSxaSite) {
        $siteItem
    }
}

$availableSiteItems = [Sitecore.Configuration.Factory]::GetSites() | Where-IsSxaSite
$siteLookup = @{}
$availableSiteOptions = [ordered]@{}
$availableSiteItems | Foreach-Object {
    $title = "$($_.Parent.Parent.Name)\$($_.Parent.Name)\$($_.Name)"
    $availableSiteOptions["$($title)"] = $_.ID.ToString()
    $siteLookup[$_.ID.ToString()] = $_
}

$additionalDomainOptions = @{}
foreach($domain in Get-Domain) {
   $mappedDomain = [System.Web.Security.Membership]::Providers["switcher"].Wrappers.DomainMap[$domain.Name]
   if($mappedDomain) {
       $additionalDomainOptions[$domain.Name] = $domain.Name
   }
}

$props = @{
    Parameters = @(
        @{Name="selectedSite"; Title="Choose an available site"; Tooltip="The selected site will have new security settings applied."; Options=$availableSiteOptions; }
    )
    Title = "Setup Tenant Security"
    Icon = "OfficeWhite/32x32/lock2.png"
    Description = "Updates security for the site item and children."
    Width = 450
    Height = 300
    ShowHints = $true
}

if($additionalDomainOptions.Keys.Count -gt 0) {
    $props.Parameters += @{Name="additionalLanguageDomainNames"; Title="Additional Domains"; Tooltip="Domains detected to be associated with the switching provider. Users that need access may be in one of these domains."; Options=$additionalDomainOptions; Editor="checklist"; }
}

$result = Read-Variable @props
if($result -ne "ok") {
    exit
}

$siteItem = $siteLookup[$selectedSite]
$tenantItem = $siteItem.Parent
$tenantFolderItem = $tenantItem.Parent

$isSiteInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($siteItem.TemplateId, $siteItem.Database).InheritsFrom($siteTemplateId)
$isTenantInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($tenantItem.TemplateId, $tenantItem.Database).InheritsFrom($tenantTemplateId)
$isTenantFolderInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($tenantFolderItem.TemplateId, $tenantFolderItem.Database).InheritsFrom($tenantFolderTemplateId)
if($isSiteInherited -and $isTenantInherited -and $isTenantFolderInherited) {

    Setup-TenantSecurity -Company $tenantFolderItem.Name -Tenant $tenantItem.Name -Site $siteItem.Name
    Setup-PublishingTargetSecurity -Role "$($tenantFolderItem.Name.ToLower())\Editor"
    Setup-LanguageSecurity -Domain $tenantFolderItem.Name

    foreach($domainName in $additionalLanguageDomainNames) {
        Setup-LanguageSecurity -Domain $domainName
    }

    Setup-SystemSecurity

    Show-Alert -Title "Security configuration complete. <br/> Company: $($tenantFolderItem.Name) <br/> Tenant: $($tenantItem.Name) <br/> Site: $($siteItem.Name)"
    Show-Result -Text
} else {
    Show-Alert -Title "There was a problem detecting which site to configure security. Should follow the structure Company -> Tenant -> Site."
}
	$allowItemProps = @{
	PropagationType = [Sitecore.Security.AccessControl.PropagationType]::Entity
	SecurityPermission = [Sitecore.Security.AccessControl.SecurityPermission]::AllowAccess
	}

	$allowDescendantsProps = @{
	PropagationType = [Sitecore.Security.AccessControl.PropagationType]::Descendants
	SecurityPermission = [Sitecore.Security.AccessControl.SecurityPermission]::AllowAccess
	}

	function New-AccessRuleList {
	[CmdletBinding()]
	[OutputType("System.Collections.Generic.List[Sitecore.Security.AccessControl.AccessRule]")]
	param(
	[string]$Identity,
	[string[]]$AccessRule,
	[Sitecore.Security.AccessControl.PropagationType]$PropagationType,
	[Sitecore.Security.AccessControl.SecurityPermission]$SecurityPermission
	)

	$list = New-Object "System.Collections.Generic.List[Sitecore.Security.AccessControl.AccessRule]"
	foreach($rule in $accessrule) {
	$list.Add((New-ItemAcl -Identity $Identity -AccessRight $rule -PropagationType $PropagationType -SecurityPermission $SecurityPermission))
	}

	@(,$list)
	}
	Import-Function -Name New-AccessRuleList

	function Setup-SystemSecurity {
	Write-Host "[System Settings Security]" -Foreground Yellow

	$realEveryone = "\Everyone"
	$virtualDataItem = Get-Item -Path "master:" -ID "{9700DC24-8969-4638-ACC3-34D54335829E}"
	Write-Information "[A] $($virtualDataItem.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $realEveryone -AccessRule item:create @allowItemProps))
	$virtualDataItem \| Add-ItemAcl -AccessRules $accessRules

	$developerRole = "sitecore\Developer"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $developerRole -AccessRule item:create,item:write,item:rename,item:delete @allowDescendantsProps))

	$modulesItem = Get-Item -Path "master:" -ID "{08477468-D438-43D4-9D6A-6D84A611971C}"
	Write-Information "[A] $($modulesItem.ItemPath)"
	$modulesItem \| Add-ItemAcl -AccessRules $accessRules

	$settingsItem = Get-Item -Path "master:" -ID "{087E1EA5-6280-4575-9E70-85B588DB91B2}"
	Write-Information "[A] $($settingsItem.ItemPath)"
	$settingsItem \| Add-ItemAcl -AccessRules $accessRules

	$tasksItem = Get-Item -Path "master:" -ID "{EF58CA2C-3E59-44E0-82C1-97FF9B98535F}"
	Write-Information "[A] $($tasksItem.ItemPath)"
	$tasksItem \| Add-ItemAcl -AccessRules $accessRules

	$workflowItem = Get-Item -Path "master:" -ID "{05592656-56D7-4D85-AACF-30919EE494F9}"
	Write-Information "[A] $($workflowItem.ItemPath)"
	$workflowItem \| Add-ItemAcl -AccessRules $accessRules
	}
	Import-Function -Name New-AccessRuleList

	function Setup-PublishingTargetSecurity {
	param(
	[ValidateNotNullOrEmpty()]
	[string]$Role
	)
	Write-Host "[System Publishing Target Security]" -Foreground Yellow

	$targets = Get-ChildItem -Path "master:" -ID "{D9E44555-02A6-407A-B4FC-96B9026CAADD}"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $Role -AccessRule item:write @allowItemProps))
	$targets \| Add-ItemAcl -AccessRules $accessRules
	}
	Import-Function -Name New-AccessRuleList

	function Setup-LanguageSecurity {
	param(
	[ValidateNotNullOrEmpty()]
	[string]$Domain
	)

	$roleEveryone = "$($domain)\Everyone"

	Write-Host "[Language Security]" -ForegroundColor Yellow
	$languageItem = Get-Item -Path "master:\system\languages"
	Write-Information "[A] $($languageItem.ItemPath) - $($domain)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleEveryone -AccessRule language:read,language:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleEveryone -AccessRule language:read,language:write @allowDescendantsProps))
	$languageItem \| Add-ItemAcl -AccessRules $accessRules
	}
	Import-Function -Name New-AccessRuleList

	function Setup-TenantSecurity {
	[CmdletBinding()]
	param(
	[ValidateNotNullOrEmpty()]
	[string]$Company,
	[ValidateNotNullOrEmpty()]
	[string]$Tenant,
	[ValidateNotNullOrEmpty()]
	[string]$Site
	)

	$tenantPath = "master:\content\$($Company)\$($Tenant)"
	$tenantMediaPath = $tenantPath = "master:\media library\project\$($Company)\$($Tenant)"
	$sitePath = "master:\content\$($Company)\$($Tenant)\$($Site)"
	$siteMediaPath = "master:\media library\project\$($Company)\$($Tenant)\$($Site)"

	$domainName = $Company.ToLower()
	$roleBase = "$($domainName)\Base"
	$roleAdmin = "$($domainName)\Admin"
	$roleAuthor = "$($domainName)\Author"
	$roleDesigner = "$($domainName)\Designer"
	$roleDeveloper = "$($domainName)\Developer"
	$roleEditor = "$($domainName)\Editor"
	$roleFrontEnd = "$($domainName)\Front End"
	$roleEveryone = "$($domainName)\Everyone"

	$siteItem = Get-Item -Path $sitePath
	if($siteItem -eq $null){
	Write-Host "Not in site scope"
	exit
	}

	$tenantItem = Get-Item -Path $tenantPath
	if((Get-Domain -Name $domainName -ErrorAction SilentlyContinue) -eq $null){
	Write-Host "Domain does not exist!"
	exit
	}

	# Create roles if missing

	if(-not(Get-Role -Identity $roleBase -ErrorAction 0)) {
	New-Role -Identity $roleBase > $null
	Add-RoleMember -Identity "sitecore\Sitecore Client Authoring" -Members $roleBase
	Add-RoleMember -Identity "sitecore\Sitecore Client Users" -Members $roleBase
	}

	if(-not(Get-Role -Identity $roleAdmin -ErrorAction 0)) {
	New-Role -Identity $roleAdmin > $null
	Add-RoleMember -Identity "sitecore\Sitecore Local Administrators" -Members $roleAdmin
	Add-RoleMember -Identity $roleBase -Members $roleAdmin
	}

	if(-not(Get-Role -Identity $roleDeveloper -ErrorAction 0)) {
	New-Role -Identity $roleDeveloper > $null
	Add-RoleMember -Identity "sitecore\Developer" -Members $roleDeveloper
	Add-RoleMember -Identity "sitecore\Sitecore Client Advanced Publishing" -Members $roleDeveloper
	Add-RoleMember -Identity $roleBase -Members $roleDeveloper
	}

	if(-not(Get-Role -Identity $roleEditor -ErrorAction 0)) {
	New-Role -Identity $roleEditor > $null
	Add-RoleMember -Identity "sitecore\Author" -Members $roleEditor
	Add-RoleMember -Identity "sitecore\Designer" -Members $roleEditor
	Add-RoleMember -Identity "sitecore\Sitecore Client Publishing" -Members $roleEditor
	Add-RoleMember -Identity $roleBase -Members $roleEditor
	}

	$roleDesignerExists = $true
	if(-not(Get-Role -Identity $roleDesigner -ErrorAction 0)) {
	$roleDesignerExists = $false
	}

	$roleFrontEndExists = $true
	if(-not(Get-Role -Identity $roleFrontEnd -ErrorAction 0)) {
	$roleFrontEndExists = $false
	}

	Write-Host "[Site Security]" -ForegroundColor Yellow
	Write-Information "[A] $($siteItem.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:create,item:rename,item:delete @allowDescendantsProps))
	$siteItem \| Set-ItemAcl -AccessRules $accessRules

	$homeItem = Get-Item -Path "$($sitePath)\Home"

	Write-Host "[Home Security]" -ForegroundColor Yellow
	Write-Information "[A] $($homeItem.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:create,item:rename,item:delete @allowDescendantsProps))
	$homeItem \| Set-ItemAcl -AccessRules $accessRules

	Write-Host "[Overlay Security]" -ForegroundColor Yellow
	$overlayFolderTemplateId = "{D7BFFBE5-DAD8-4137-85DE-28013313F72F}"
	foreach($overlayItem in $homeItem.Children \| Where-Object { $_.TemplateID -eq $overlayFolderTemplateId }) {
	Write-Information "[A] $(($overlayItem \| Initialize-Item).ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:create @allowItemProps))
	$accessRules.Add((New-ItemAcl -Identity $roleBase -AccessRight * -PropagationType Entity -SecurityPermission DenyInheritance))
	$overlayItem \| Set-ItemAcl -AccessRules $accessRules

	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$overlayItem \| Set-ItemAcl -AccessRules $accessRules
	}

	Write-Host "[Data Security]" -ForegroundColor Yellow
	$dataItem = Get-Item -Path "$($sitePath)\Data"
	$dataFolders = gci -path $dataItem.Paths.Path -Language $dataItem.Language.Name
	foreach($dF in $dataFolders){
	Write-Information "[A] $($dF.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$dF \| Set-ItemAcl -AccessRules $accessRules
	}

	Write-Host "[Media Security]" -ForegroundColor Yellow
	$siteMediaItem = Get-Item -Path "$($sitePath)\Media"
	Write-Information "[A] $($siteMediaItem.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$siteMediaItem \| Set-ItemAcl -AccessRules $accessRules

	Write-Host "[Media Library Security]" -ForegroundColor Yellow
	$siteMediaLibraryRoot = Get-Item -Path $siteMediaPath
	Write-Information "[A] $($siteMediaLibraryRoot.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$siteMediaLibraryRoot \| Set-ItemAcl -AccessRules $accessRules

	$tenantMediaLibrarySharedFolder = Get-Item -Path "$($tenantMediaPath)\shared"
	Write-Information "[A] $($tenantMediaLibrarySharedFolder.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleBase -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tenantMediaLibrarySharedFolder \| Set-ItemAcl -AccessRules $accessRules

	Write-Host "[Presentation Security]" -ForegroundColor Yellow
	$presentationItem = Get-Item -Path "$($sitePath)\Presentation"
	$presentationChildren = Get-ChildItem -Path $presentationItem.Paths.Path -Language $presentationItem.Language.Name
	foreach($pC in $presentationChildren){
	Write-Information "[A] $($pC.ItemPath)"
	if($roleDesignerExists) {
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDesigner -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDesigner -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$pC \| Set-ItemAcl -AccessRules $accessRules
	}

	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$pC \| Set-ItemAcl -AccessRules $accessRules

	if($roleFrontEndExists) {
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$pC \| Set-ItemAcl -AccessRules $accessRules
	}
	}

	Write-Host "[Theme Security]" -ForegroundColor Yellow
	$sourcePresPath = "/sitecore/media library/Themes/$($domainName)/$($tenantItem.Name)//*[@@templatename='Theme']"
	$tenantThemes = Get-Item -Path "master:" -Query $sourcePresPath -Language $tenantItem.Language.Name \| Initialize-Item
	foreach($tTheme in $tenantThemes){
	Write-Information "[A] $($tTheme.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tTheme \| Set-ItemAcl -AccessRules $accessRules

	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tTheme \| Set-ItemAcl -AccessRules $accessRules

	if($roleFrontEndExists) {
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create,item:write @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tTheme \| Set-ItemAcl -AccessRules $accessRules
	}
	}

	Write-Host "[Data Templates Security]" -ForegroundColor Yellow
	$settingsItem = Get-Item -Path "$($sitePath)\Settings"
	$tenantTemplatesItem = Get-Item master: -ID ($settingsItem.Fields['Templates'].Value)
	Write-Information "[A] $($tenantTemplatesItem.ItemPath)"
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleAdmin -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tenantTemplatesItem \| Set-ItemAcl -AccessRules $accessRules

	if($roleFrontEndExists) {
	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleFrontEnd -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tenantTemplatesItem \| Set-ItemAcl -AccessRules $accessRules
	}

	$accessRules = New-Object Sitecore.Security.AccessControl.AccessRuleCollection
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:create @allowItemProps))
	$accessRules.AddRange((New-AccessRuleList -Identity $roleDeveloper -AccessRule item:read,item:write,item:rename,item:create,item:delete @allowDescendantsProps))
	$tenantTemplatesItem \| Set-ItemAcl -AccessRules $accessRules
	}
	<#
	AccountType
	ar = Role
	au = User
	a?

	Propagation
	pd = Descendants
	pe = Entity
	p* = Any

	Rule Token
	! = Deny Inheritance
	+ = Allow Access
	- = Deny Access
	^ = Allow Inheritance
	#>

	$InformationPreference = "Continue"

	Import-Function -Name Setup-LanguageSecurity
	Import-Function -Name Setup-PublishingTargetSecurity
	Import-Function -Name Setup-SystemSecurity
	Import-Function -Name Setup-TenantSecurity

	$siteTemplateId = "{6669DC16-F106-44B5-96BE-7A31AE82B5B5}"
	$tenantTemplateId = "{215F8C54-68B3-4481-A20B-A5716F06081F}"
	$tenantFolderTemplateId = "{4F539F2E-9CF9-4453-8E82-3D13DED12AB3}"

	filter Where-IsSxaSite {
	$siteItemTemplateId = "{6669DC16-F106-44B5-96BE-7A31AE82B5B5}"

	$siteContext = $_
	if([string]::IsNullOrEmpty($siteContext.RootPath)) { return }
	$siteItem = Get-Item -Path $siteContext.RootPath
	if($siteItem -eq $null) { return }
	$isSxaSite = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($siteItem).InheritsFrom($siteItemTemplateId)
	if($isSxaSite) {
	$siteItem
	}
	}

	$availableSiteItems = [Sitecore.Configuration.Factory]::GetSites() \| Where-IsSxaSite
	$siteLookup = @{}
	$availableSiteOptions = [ordered]@{}
	$availableSiteItems \| Foreach-Object {
	$title = "$($_.Parent.Parent.Name)\$($_.Parent.Name)\$($_.Name)"
	$availableSiteOptions["$($title)"] = $_.ID.ToString()
	$siteLookup[$_.ID.ToString()] = $_
	}

	$additionalDomainOptions = @{}
	foreach($domain in Get-Domain) {
	$mappedDomain = [System.Web.Security.Membership]::Providers["switcher"].Wrappers.DomainMap[$domain.Name]
	if($mappedDomain) {
	$additionalDomainOptions[$domain.Name] = $domain.Name
	}
	}

	$props = @{
	Parameters = @(
	@{Name="selectedSite"; Title="Choose an available site"; Tooltip="The selected site will have new security settings applied."; Options=$availableSiteOptions; }
	)
	Title = "Setup Tenant Security"
	Icon = "OfficeWhite/32x32/lock2.png"
	Description = "Updates security for the site item and children."
	Width = 450
	Height = 300
	ShowHints = $true
	}

	if($additionalDomainOptions.Keys.Count -gt 0) {
	$props.Parameters += @{Name="additionalLanguageDomainNames"; Title="Additional Domains"; Tooltip="Domains detected to be associated with the switching provider. Users that need access may be in one of these domains."; Options=$additionalDomainOptions; Editor="checklist"; }
	}

	$result = Read-Variable @props
	if($result -ne "ok") {
	exit
	}

	$siteItem = $siteLookup[$selectedSite]
	$tenantItem = $siteItem.Parent
	$tenantFolderItem = $tenantItem.Parent

	$isSiteInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($siteItem.TemplateId, $siteItem.Database).InheritsFrom($siteTemplateId)
	$isTenantInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($tenantItem.TemplateId, $tenantItem.Database).InheritsFrom($tenantTemplateId)
	$isTenantFolderInherited = [Sitecore.Data.Managers.TemplateManager]::GetTemplate($tenantFolderItem.TemplateId, $tenantFolderItem.Database).InheritsFrom($tenantFolderTemplateId)
	if($isSiteInherited -and $isTenantInherited -and $isTenantFolderInherited) {

	Setup-TenantSecurity -Company $tenantFolderItem.Name -Tenant $tenantItem.Name -Site $siteItem.Name
	Setup-PublishingTargetSecurity -Role "$($tenantFolderItem.Name.ToLower())\Editor"
	Setup-LanguageSecurity -Domain $tenantFolderItem.Name

	foreach($domainName in $additionalLanguageDomainNames) {
	Setup-LanguageSecurity -Domain $domainName
	}

	Setup-SystemSecurity

	Show-Alert -Title "Security configuration complete. <br/> Company: $($tenantFolderItem.Name) <br/> Tenant: $($tenantItem.Name) <br/> Site: $($siteItem.Name)"
	Show-Result -Text
	} else {
	Show-Alert -Title "There was a problem detecting which site to configure security. Should follow the structure Company -> Tenant -> Site."
	}