Functions/Get-RSCRoles.ps1
################################################ # Function - Get-RSCRoles - Getting Roles within RSC ################################################ Function Get-RSCRoles { <# .SYNOPSIS A Rubrik Security Cloud (RSC) Reporting Module Function returning a list of all roles configured. .DESCRIPTION Makes the required GraphQL API calls to RSC via Invoke-RestMethod to get the data as described, then creates a usable array of the returned information, removing the need for the PowerShell user to understand GraphQL in order to interact with RSC. .LINK GraphQL schema reference: https://rubrikinc.github.io/rubrik-api-documentation/schema/reference .OUTPUTS Returns an array of all the available information on the GraphQL endpoint in a uniform and usable format. .EXAMPLE Get-RSCRoles This example returns an array of all the information returned by the GraphQL endpoint for this object type. .NOTES Author: Joshua Stenhouse Date: 05/11/2023 #> ################################################ # Importing Module & Running Required Functions ################################################ # Importing the module is it needs other modules Import-Module RSCReporting # Checking connectivity, exiting function with error if not connected Test-RSCConnection ################################################ # Querying RSC GraphQL API ################################################ # Creating array for objects $RSCList = @() # Building GraphQL query $RSCGraphQL = @{"operationName" = "getAllRolesInOrgConnection"; "variables" = @{ "first" = 1000 }; "query" = "query getAllRolesInOrgConnection(`$after: String, `$first: Int) { getAllRolesInOrgConnection(after: `$after, first: `$first) { edges { cursor node { id name description explicitlyAssignedPermissions { ...PermissionsFragment __typename } isOrgAdmin __typename effectivePermissions { objectsForHierarchyTypes { objectIds snappableType } operation } isReadOnly orgId protectableClusters permissions { objectsForHierarchyTypes { objectIds snappableType } operation } } __typename } pageInfo { startCursor endCursor hasNextPage hasPreviousPage __typename } __typename } } fragment PermissionsFragment on Permission { operation objectsForHierarchyTypes { objectIds snappableType __typename } __typename } " } ################################################ # API Call To RSC GraphQL URI ################################################ # Querying API $RSCResponse = Invoke-RestMethod -Method POST -Uri $RSCGraphqlURL -Body $($RSCGraphQL | ConvertTo-JSON -Depth 20) -Headers $RSCSessionHeader $RSCList += $RSCResponse.data.getAllRolesInOrgConnection.edges.node # Getting all results from paginations While ($RSCResponse.data.getAllRolesInOrgConnection.pageInfo.hasNextPage) { # Getting next set $RSCGraphQL.variables.after = $RSCResponse.data.getAllRolesInOrgConnection.pageInfo.endCursor $RSCResponse = Invoke-RestMethod -Method POST -Uri $RSCGraphqlURL -Body $($RSCGraphQL | ConvertTo-JSON -Depth 20) -Headers $RSCSessionHeader $RSCList += $RSCResponse.data.getAllRolesInOrgConnection.edges.node } ################################################ # Processing List ################################################ # Creating array $RSCRoles = [System.Collections.ArrayList]@() # For Each Object Getting Data ForEach ($Role in $RSCList) { # Setting variables $RoleID = $Role.id $RoleName = $Role.name $RoleDescription = $Role.description $RoleIsOrgAdmin = $Role.isOrgAdmin $RoleOrgID = $Role.orgId $RolePermissions = $Role.effectivePermissions $RoleExplicitPermissions = $Role.explicitlyAssignedPermissions # SLA permissions IF($RolePermissions | Where-Object {$_.operation -match "VIEW_SLA"}){$RoleCanViewSLAs = $TRUE}ELSE{$RoleCanViewSLAs = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "CREATE_SLA"}){$RoleCanCreateSLAs = $TRUE}ELSE{$RoleCanCreateSLAs = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MODIFY_SLA"}){$RoleCanModifySLAs = $TRUE}ELSE{$RoleCanModifySLAs = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_SLA"}){$RoleCanManageSLAs = $TRUE}ELSE{$RoleCanManageSLAs = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "DELETE_SLA"}){$RoleCanDeleteSLAs = $TRUE}ELSE{$RoleCanDeleteSLAs = $FALSE} # Job permissions IF($RolePermissions | Where-Object {$_.operation -match "CANCEL_RUNNING_ACTIVITY"}){$RoleCanCancelJobs = $TRUE}ELSE{$RoleCanCancelJobs = $FALSE} # Protection IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_PROTECTION"}){$RoleCanManageProtection = $TRUE}ELSE{$RoleCanManageProtection = $FALSE} # Webhooks IF($RolePermissions | Where-Object {$_.operation -match "VIEW_WEBHOOKS"}){$RoleCanViewWebhooks = $TRUE}ELSE{$RoleCanViewWebhooks = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_WEBHOOKS"}){$RoleCanManageWebhooks = $TRUE}ELSE{$RoleCanManageWebhooks = $FALSE} # Download IF($RolePermissions | Where-Object {$_.operation -match "DOWNLOAD"}){$RoleCanDownload = $TRUE}ELSE{$RoleCanDownload = $FALSE} # Mount IF($RolePermissions | Where-Object {$_.operation -match "MOUNT"}){$RoleCanMount = $TRUE}ELSE{$RoleCanMount = $FALSE} # Instant Recover IF($RolePermissions | Where-Object {$_.operation -match "INSTANT_RECOVER"}){$RoleCanInstantRecover = $TRUE}ELSE{$RoleCanInstantRecover = $FALSE} # Export IF($RolePermissions | Where-Object {$_.operation -match "EXPORT"}){$RoleCanExport = $TRUE}ELSE{$RoleCanExport = $FALSE} # Export Files IF($RolePermissions | Where-Object {$_.operation -match "EXPORT_FILES"}){$RoleCanExportFiles = $TRUE}ELSE{$RoleCanExportFiles = $FALSE} # Reporting IF($RolePermissions | Where-Object {$_.operation -match "VIEW_REPORT"}){$RoleCanViewReports = $TRUE}ELSE{$RoleCanViewReports = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "CREATE_REPORT"}){$RoleCanCreateReports = $TRUE}ELSE{$RoleCanCreateReports = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MODIFY_REPORT"}){$RoleCanModifyReports = $TRUE}ELSE{$RoleCanModifyReports = $FALSE} # Legal hold IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_LEGAL_HOLD"}){$RoleCanManageLegalHold = $TRUE}ELSE{$RoleCanManageLegalHold = $FALSE} # On demand backup IF($RolePermissions | Where-Object {$_.operation -match "TAKE_ON_DEMAND_SNAPSHOT"}){$RoleCanTakeOnDemandBackup = $TRUE}ELSE{$RoleCanTakeOnDemandBackup = $FALSE} # Threat hunting IF($RolePermissions | Where-Object {$_.operation -match "VIEW_THREAT_HUNT_RESULTS"}){$RoleCanViewThreatHunt = $TRUE}ELSE{$RoleCanViewThreatHunt = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "CREATE_THREAT_HUNT"}){$RoleCanCreateThreatHunt = $TRUE}ELSE{$RoleCanCreateThreatHunt = $FALSE} # Delete snapshots IF($RolePermissions | Where-Object {$_.operation -match "DELETE_SNAPSHOT"}){$RoleCanDeleteSnapshots = $TRUE}ELSE{$RoleCanDeleteSnapshots = $FALSE} # Quarantine IF($RolePermissions | Where-Object {$_.operation -match "EDIT_QUARANTINE"}){$RoleCanQuarantineSnapshots = $TRUE}ELSE{$RoleCanQuarantineSnapshots = $FALSE} # Recover from quarantine IF($RolePermissions | Where-Object {$_.operation -match "RECOVER_FROM_QUARANTINE"}){$RoleCanRecoverFromQuarantineSnapshots = $TRUE}ELSE{$RoleCanRecoverFromQuarantineSnapshots = $FALSE} # Cluster actions IF($RolePermissions | Where-Object {$_.operation -match "VIEW_CLUSTER"}){$RoleCanViewCluster = $TRUE}ELSE{$RoleCanViewCluster = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "REMOVE_CLUSTER"}){$RoleCanRemoveCluster = $TRUE}ELSE{$RoleCanRemoveCluster = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "REMOVE_CLUSTER_NODES"}){$RoleCanRemoveClusterNodes = $TRUE}ELSE{$RoleCanRemoveClusterNodes = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_CLUSTER_DISKS"}){$RoleCanManageClusterDisks = $TRUE}ELSE{$RoleCanManageClusterDisks = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_CLUSTER_SETTINGS"}){$RoleCanManageClusterSettings = $TRUE}ELSE{$RoleCanManageClusterSettings = $FALSE} # Resize MV IF($RolePermissions | Where-Object {$_.operation -match "RESIZE_MANAGED_VOLUME"}){$RoleCanResizeManagedVolumes = $TRUE}ELSE{$RoleCanResizeManagedVolumes = $FALSE} # Upgrade cluster IF($RolePermissions | Where-Object {$_.operation -match "UPGRADE_CLUSTER"}){$RoleCanUpgradeCluster = $TRUE}ELSE{$RoleCanUpgradeCluster = $FALSE} # Support tunnel IF($RolePermissions | Where-Object {$_.operation -match "VIEW_CDM_SUPPORT_SETTING"}){$RoleCanViewSupportTunnels = $TRUE}ELSE{$RoleCanViewSupportTunnels = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "ALLOW_SUPPORT_USER_SESSIONS"}){$RoleCanOpenSupportTunnels = $TRUE}ELSE{$RoleCanOpenSupportTunnels = $FALSE} # Access IF($RolePermissions | Where-Object {$_.operation -match "VIEW_ACCESS"}){$RoleCanViewAccess = $TRUE}ELSE{$RoleCanViewAccess = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "MANAGE_ACCESS"}){$RoleCanManageAccess = $TRUE}ELSE{$RoleCanManageAccess = $FALSE} # Restore IF($RolePermissions | Where-Object {$_.operation -match "RESTORE"}){$RoleCanRestore = $TRUE}ELSE{$RoleCanRestore = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "RESTORE_TO_ORIGIN"}){$RoleCanRestoreToOriginal = $TRUE}ELSE{$RoleCanRestoreToOriginal = $FALSE} # Security settings IF($RolePermissions | Where-Object {$_.operation -match "VIEW_SECURITY_SETTINGS"}){$RoleCanViewSecuritySettings = $TRUE}ELSE{$RoleCanViewSecuritySettings = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "EDIT_SECURITY_SETTINGS"}){$RoleCanEditSecuritySettings = $TRUE}ELSE{$RoleCanEditSecuritySettings = $FALSE} # Misc IF($RolePermissions | Where-Object {$_.operation -match "VIEW_CLUSTER_LICENSES"}){$RoleCanViewLicensing = $TRUE}ELSE{$RoleCanViewLicensing = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "VIEW_DASHBOARD"}){$RoleCanViewDashboard = $TRUE}ELSE{$RoleCanViewDashboard = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "REFRESH_DATA_SOURCE"}){$RoleCanRefreshDataSource = $TRUE}ELSE{$RoleCanRefreshDataSource = $FALSE} # Data classification IF($RolePermissions | Where-Object {$_.operation -match "VIEW_DATA_CLASS_GLOBAL"}){$RoleCanViewDataClassification = $TRUE}ELSE{$RoleCanViewDataClassification = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "CONFIGURE_DATA_CLASS_GLOBAL"}){$RoleCanConfigureDataClassification = $TRUE}ELSE{$RoleCanConfigureDataClassification = $FALSE} IF($RolePermissions | Where-Object {$_.operation -match "EXPORT_DATA_CLASS_GLOBAL"}){$RoleCanExportDataClassification = $TRUE}ELSE{$RoleCanExportDataClassification = $FALSE} # Getting URL $RoleURL = Get-RSCObjectURL -ObjectType "Role" -ObjectID $RoleID # Adding To Array $Object = New-Object PSObject $Object | Add-Member -MemberType NoteProperty -Name "RSCInstance" -Value $RSCInstance $Object | Add-Member -MemberType NoteProperty -Name "Role" -Value $RoleName $Object | Add-Member -MemberType NoteProperty -Name "Description" -Value $RoleDescription $Object | Add-Member -MemberType NoteProperty -Name "RoleID" -Value $RoleID $Object | Add-Member -MemberType NoteProperty -Name "IsOrgAdmin" -Value $RoleIsOrgAdmin # SLA permissions $Object | Add-Member -MemberType NoteProperty -Name "ViewSLAs" -Value $RoleCanViewSLAs $Object | Add-Member -MemberType NoteProperty -Name "CreateSLAs" -Value $RoleCanCreateSLAs $Object | Add-Member -MemberType NoteProperty -Name "ModifySLAs" -Value $RoleCanModifySLAs $Object | Add-Member -MemberType NoteProperty -Name "ManageSLAs" -Value $RoleCanManageSLAs $Object | Add-Member -MemberType NoteProperty -Name "DeleteSLAs" -Value $RoleCanDeleteSLAs # Cluster actions $Object | Add-Member -MemberType NoteProperty -Name "ViewCluster" -Value $RoleCanViewCluster $Object | Add-Member -MemberType NoteProperty -Name "RemoveCluster" -Value $RoleCanRemoveCluster $Object | Add-Member -MemberType NoteProperty -Name "RemoveClusterNodes" -Value $RoleCanRemoveClusterNodes $Object | Add-Member -MemberType NoteProperty -Name "ManageClusterDisks" -Value $RoleCanManageClusterDisks $Object | Add-Member -MemberType NoteProperty -Name "ManageClusterSettings" -Value $RoleCanManageClusterSettings # Job permissions $Object | Add-Member -MemberType NoteProperty -Name "CancelJobs" -Value $RoleCanCancelJobs # Protection $Object | Add-Member -MemberType NoteProperty -Name "ManageProtection" -Value $RoleCanManageProtection # Webhooks $Object | Add-Member -MemberType NoteProperty -Name "ViewWebhooks" -Value $RoleCanViewWebhooks $Object | Add-Member -MemberType NoteProperty -Name "ManageWebhooks" -Value $RoleCanManageWebhooks # Download $Object | Add-Member -MemberType NoteProperty -Name "Download" -Value $RoleCanDownload # Mount $Object | Add-Member -MemberType NoteProperty -Name "Mount" -Value $RoleCanMount # Instant Recover $Object | Add-Member -MemberType NoteProperty -Name "InstantRecover" -Value $RoleCanInstantRecover # Export $Object | Add-Member -MemberType NoteProperty -Name "Export" -Value $RoleCanExport # Export Files $Object | Add-Member -MemberType NoteProperty -Name "ExportFiles" -Value $RoleCanExportFiles # Reporting $Object | Add-Member -MemberType NoteProperty -Name "ViewReports" -Value $RoleCanViewReports $Object | Add-Member -MemberType NoteProperty -Name "CreateReports" -Value $RoleCanCreateReports $Object | Add-Member -MemberType NoteProperty -Name "ModifyReports" -Value $RoleCanModifyReports # Legal hold $Object | Add-Member -MemberType NoteProperty -Name "ManageLegalHold" -Value $RoleCanManageLegalHold # On demand backup $Object | Add-Member -MemberType NoteProperty -Name "TakeOnDemandBackup" -Value $RoleCanTakeOnDemandBackup # Threat hunting $Object | Add-Member -MemberType NoteProperty -Name "ViewThreatHunt" -Value $RoleCanViewThreatHunt $Object | Add-Member -MemberType NoteProperty -Name "CreateThreatHunt" -Value $RoleCanCreateThreatHunt # Delete snapshots $Object | Add-Member -MemberType NoteProperty -Name "DeleteSnapshots" -Value $RoleCanDeleteSnapshots # Quarantine $Object | Add-Member -MemberType NoteProperty -Name "QuarantineSnapshots" -Value $RoleCanQuarantineSnapshots $Object | Add-Member -MemberType NoteProperty -Name "RecoverFromQuarantineSnapshots" -Value $RoleCanRecoverFromQuarantineSnapshots # Resize MV $Object | Add-Member -MemberType NoteProperty -Name "ResizeManagedVolumes" -Value $RoleCanResizeManagedVolumes # Upgrade cluster $Object | Add-Member -MemberType NoteProperty -Name "UpgradeCluster" -Value $RoleCanUpgradeCluster # Support tunnel $Object | Add-Member -MemberType NoteProperty -Name "ViewSupportTunnels" -Value $RoleCanViewSupportTunnels $Object | Add-Member -MemberType NoteProperty -Name "OpenSupportTunnels" -Value $RoleCanOpenSupportTunnels # Access $Object | Add-Member -MemberType NoteProperty -Name "ViewAccess" -Value $RoleCanViewAccess $Object | Add-Member -MemberType NoteProperty -Name "ManageAccess" -Value $RoleCanManageAccess # Restore $Object | Add-Member -MemberType NoteProperty -Name "Restore" -Value $RoleCanRestore $Object | Add-Member -MemberType NoteProperty -Name "RestoreToOriginal" -Value $RoleCanRestoreToOriginal # Security settings $Object | Add-Member -MemberType NoteProperty -Name "ViewSecuritySettings" -Value $RoleCanViewSecuritySettings $Object | Add-Member -MemberType NoteProperty -Name "EditSecuritySettings" -Value $RoleCanEditSecuritySettings # Data classification $Object | Add-Member -MemberType NoteProperty -Name "ViewDataClassification" -Value $RoleCanViewDataClassification $Object | Add-Member -MemberType NoteProperty -Name "ConfigureDataClassification" -Value $RoleCanConfigureDataClassification $Object | Add-Member -MemberType NoteProperty -Name "ExportDataClassification" -Value $RoleCanExportDataClassification # Misc $Object | Add-Member -MemberType NoteProperty -Name "ViewLicensing" -Value $RoleCanViewLicensing $Object | Add-Member -MemberType NoteProperty -Name "ViewDashboard" -Value $RoleCanViewDashboard $Object | Add-Member -MemberType NoteProperty -Name "RefreshDataSource" -Value $RoleCanRefreshDataSource $Object | Add-Member -MemberType NoteProperty -Name "RolePermissions" -Value $RolePermissions $Object | Add-Member -MemberType NoteProperty -Name "RoleExplicitPermissions" -Value $RoleExplicitPermissions # URL $Object | Add-Member -MemberType NoteProperty -Name "URL" -Value $RoleURL # Adding $RSCRoles.Add($Object) | Out-Null # End of for each object below } # End of for each object above # # Returning array Return $RSCRoles # End of function } |