Console
Console copied to clipboard
SitecorePowerShell
Delegated Access
Delegated Access
Provide the ability to grant users elevated access for specific scripts exposed through the Context Menu, Ribbon, and Report Action.
This is something I've been thinking about for a while. In my early days of learning Windows PowerShell, specifically Remoting with Winrm, I thought how cool it is to grant additional administrative privileges to a user for a specific process or functionality. I believe this is called "constrained endpoints" or "delegated administration".
Does anything like this exist?
It started out when someone needed to unlock items for other colleagues. I've seen one or two examples of this feature but none that made use of SPE or was easy to implement. That's when I created the elevated unlocked feature and shared on Sitecore Stack Exchange here.
That worked out pretty well so it's now included OOTB with SPE.
What got me working on it now?
One of the drawbacks I found with including that in SPE is the user needs to be added to the "sitecore\Sitecore Local Administrators" or be an Admin (IsAdministrator == true). I'm not a big fan of adding someone to that high-level role just so they could unlock items; now they have access to administer users.... I don't want to modify the existing rules because that will break on the next upgrade and duplicating the feature will lead to this being yet another thing to maintain.
What did I build?
I got to thinking some more, what if I could delegate the access where they are in a role (e.g. sitecore\Elevated Unlock) which could be dynamically mapped to some other role (e.g. sitecore\Sitecore Local Administrators). The experimentation role idea didn't pan out so I landed on user impersonation.
Rather than saying that the user must be in the local administrator's role, you delegate the access so that's the only elevated operation they can perform.
We start with creating a new "Delegated Access" item.
Set the role to receive elevated access, specify the account to impersonate (something with IsAdministrator = true), and assign script items which they should be able to run under privileged account. This configuration will allow scripts to run (Context Menu, Ribbon, Report Action) as the privileged account; the ContextUser for the Sitecore Job runs as the special account.
Optionally, you can control whether something is enabled/visible by adding a special rule to the script (and library) item. By default no rules exist and therefore evaluates to "true". Considering our example of the "Elevated Unlock" button, you can see that a rule checking for delegated access is included.
What is excluded from this feature?
When working with the ISE, Console, or SPE Remoting, the code will execute just like before where the users needs to have the elevated access.
Feedback
Do you see other scenarious in which this should be used? Leave a comment and let me know.
One interesting scenario that now works is the following:
- The rule on the library root (like Reports and Ribbon) can be configured to require a special role.
- Then the user can see the report and run it, but the report only shows data they have access to view and the actions run under the current user (as opposed to the impersonated user).
If you decide that the report needs to be generated with the elevated access as well (perhaps the user has deny read on an item) then you can add the report to the elevated scripts as well. Remember that the report actions would also run as elevated user so be careful.
When using item:executescript such as with the Content Editor Warnings, you'll want to add that target script item to the elevated script items.
Seen in the description below, the Unlock Item script is invoked when clicking the gutter or link in the warning.
