Functions/Get-RSC/Get-RSCUserRoleAssignments.ps1
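################################################
# Function - Get-RSCUserRoleAssignments - Getting Users Role Assignments within RSC
################################################
Function Get-RSCUserRoleAssignments {
<#
.SYNOPSIS
A Rubrik Security Cloud (RSC) Reporting Module Function returning a list of all user role assignments.

.DESCRIPTION
Makes the required GraphQL API calls to RSC via Invoke-RestMethod to get the data as described, then creates a usable array of the returned information, removing the need for the PowerShell user to understand GraphQL in order to interact with RSC.
One object is emitted per (user, role) pair, so a user holding several roles appears once per role and a user with no roles does not appear at all.
Requires an active RSC session: the function reads $RSCGraphqlURL, $RSCSessionHeader and $RSCInstance, which the module's connection function sets, and calls Test-RSCConnection first, which exits the function with an error when not connected.

.LINK
GraphQL schema reference: https://rubrikinc.github.io/rubrik-api-documentation/schema/reference

.OUTPUTS
Returns an array of all the available information on the GraphQL endpoint in a uniform and usable format.
Each object carries the role assignment (RSCInstance, Email, UserName, UserID, Domain, Role, RoleID, IsDefaultAdminRole, OrgID, Description) followed by the role flags (RoleIsOrgAdmin, RoleIsReadOnly, RoleCount) and the account context of the user holding it (IsAccountOwner, IsHidden, Status, IsLocked, EULAAccepted, TOTPEnabled, TOTPEnforced, TOTPSupported, TOTPConfiguredUTC, LastLoginUTC, LastLoginHoursSince, LastLoginDaysSince).
IsDefaultAdminRole is true when the role ID is the all-zero GUID used by the built-in administrator role. The *Since values are measured against a single UTC timestamp taken when the function starts, so every row of one run is comparable; they are $null when RSC returns no timestamp.

.EXAMPLE
Get-RSCUserRoleAssignments
This example returns an array of all the information returned by the GraphQL endpoint for this object type.

.EXAMPLE
Get-RSCUserRoleAssignments | Where-Object {$_.IsDefaultAdminRole -and (-not $_.TOTPEnabled)}
This example lists every holder of the built-in administrator role who has not enabled TOTP.

.NOTES
Author: Joshua Stenhouse
Date: 05/11/2023
#>
################################################
# Importing Module & Running Required Functions
################################################
# Importing the module as it needs other modules (Convert-RSCUNIXTime, Test-RSCConnection)
Import-Module RSCReporting
# Checking connectivity, exiting function with error if not connected
Test-RSCConnection
################################################
# Local Helpers & Constants
################################################
# Role ID RSC uses for the built-in administrator role; compared exactly rather than as a regex
$DefaultAdminRoleID = "00000000-0000-0000-0000-000000000000"
# One reference time for the whole run so the *Since columns are consistent across users
$UTCDateTime = [System.DateTime]::UtcNow
#######################################
# Converts an RSC UNIX timestamp into UTC plus elapsed hours/days.
# Arguments: -UnixTime       timestamp as returned by RSC, or $null
#            -ReferenceTime  UTC DateTime the age is measured against
# Outputs:   PSCustomObject with UTC, HoursSince, DaysSince ($null each when no timestamp)
#######################################
Function ConvertFrom-RSCUnixTimeWithAge {
    Param($UnixTime, $ReferenceTime)
    if ($null -eq $UnixTime) {
        return [PSCustomObject]@{ UTC = $null; HoursSince = $null; DaysSince = $null }
    }
    $UTC = Convert-RSCUNIXTime $UnixTime
    $Span = New-TimeSpan -Start $UTC -End $ReferenceTime
    return [PSCustomObject]@{
        UTC        = $UTC
        HoursSince = [Math]::Round($Span.TotalHours, 1)
        DaysSince  = [Math]::Round($Span.TotalDays, 1)
    }
}
################################################
# Querying RSC GraphQL API
################################################
# Creating list for objects (Add is O(1), unlike += on an array)
$RSCList = [System.Collections.Generic.List[object]]::new()
# Building GraphQL query; single-quoted here-string so GraphQL's $variables need no escaping.
# "email" is requested explicitly: the Email column and the username fallback read it.
$RSCGraphQLQuery = @'
query usersInCurrentAndDescendantOrganization($first: Int, $after: String, $before: String) {
  usersInCurrentAndDescendantOrganization(first: $first, after: $after, before: $before) {
    edges {
      node {
        id
        email
        isAccountOwner
        isHidden
        lastLogin
        lockoutState { isLocked lockMethod lockedAt unlockMethod unlockedAt }
        status
        totpStatus { isEnabled isEnforced isEnforcedUserLevel isSupported totpConfigUpdateAt }
        domain
        emailConfig { account digestId digestName eventDigestConfigJson frequency includeAudits includeEvents isImmediate recipientUserId }
        eulaState { isAccepted isPactsafeEnabled isPactsafeV2Enabled }
        groups
        roles { description id isOrgAdmin isReadOnly name orgId protectableClusters }
        unreadCount
        username
      }
    }
    pageInfo { endCursor hasNextPage hasPreviousPage startCursor }
  }
}
'@
$RSCGraphQL = @{
    "operationName" = "usersInCurrentAndDescendantOrganization"
    "variables"     = @{ "first" = 1000 }
    "query"         = $RSCGraphQLQuery
}
################################################
# API Call To RSC GraphQL URI
################################################
# Querying API, following pageInfo.endCursor until hasNextPage is false.
# $RSCSessionHeader carries the session token from the connect function; it is passed through, never logged.
do {
    $RSCResponse = Invoke-RestMethod -Method POST -Uri $RSCGraphqlURL -Body $($RSCGraphQL | ConvertTo-JSON -Depth 20) -Headers $RSCSessionHeader
    $RSCPage = $RSCResponse.data.usersInCurrentAndDescendantOrganization
    # foreach over $null iterates zero times, so an empty page adds nothing (unlike @($null))
    ForEach ($RSCNode in $RSCPage.edges.node) {
        $RSCList.Add($RSCNode)
    }
    if ($RSCPage.pageInfo.hasNextPage) {
        $RSCGraphQL.variables.after = $RSCPage.pageInfo.endCursor
    }
} while ($RSCPage.pageInfo.hasNextPage)
################################################
# Processing List
################################################
# Creating list for output objects
$RSCUserRoleAssignments = [System.Collections.Generic.List[object]]::new()
# For Each User Getting Data
ForEach ($User in $RSCList) {
    # Setting variables
    $UserID = $User.id
    $UserName = $User.username
    $UserEmail = $User.email
    $UserRoles = $User.roles
    # Measure-Object counts $null as 0 and a single role as 1; @().Count would report 1 for $null
    $UserRoleCount = ($UserRoles | Measure-Object).Count
    # Fixing username if blank: fall back to the local part of the email, guarded so a missing email cannot throw
    if ([string]::IsNullOrEmpty($UserName) -and (-not [string]::IsNullOrEmpty($UserEmail))) {
        $UserName = $UserEmail.Split("@")[0]
    }
    # Converting lastLogin and totpConfigUpdateAt to UTC plus age
    $UserLastLogin = ConvertFrom-RSCUnixTimeWithAge -UnixTime $User.lastLogin -ReferenceTime $UTCDateTime
    $UserTOTPConfigured = ConvertFrom-RSCUnixTimeWithAge -UnixTime $User.totpStatus.totpConfigUpdateAt -ReferenceTime $UTCDateTime
    # For each role (a user with no roles produces no rows)
    ForEach ($UserRole in $UserRoles) {
        # Checking if in default admin group by exact ID match
        $IsDefaultAdminRole = ($UserRole.id -eq $DefaultAdminRoleID)
        # Adding To List; original columns first, account context appended
        $Object = [PSCustomObject][ordered]@{
            "RSCInstance"        = $RSCInstance
            "Email"              = $UserEmail
            "UserName"           = $UserName
            "UserID"             = $UserID
            "Domain"             = $User.domain
            "Role"               = $UserRole.name
            "RoleID"             = $UserRole.id
            "IsDefaultAdminRole" = $IsDefaultAdminRole
            "OrgID"              = $UserRole.orgId
            "Description"        = $UserRole.description
            "RoleIsOrgAdmin"     = $UserRole.isOrgAdmin
            "RoleIsReadOnly"     = $UserRole.isReadOnly
            "RoleCount"          = $UserRoleCount
            "IsAccountOwner"     = $User.isAccountOwner
            "IsHidden"           = $User.isHidden
            "Status"             = $User.status
            "IsLocked"           = $User.lockoutState.isLocked
            "EULAAccepted"       = $User.eulaState.isAccepted
            "TOTPEnabled"        = $User.totpStatus.isEnabled
            "TOTPEnforced"       = $User.totpStatus.isEnforced
            "TOTPSupported"      = $User.totpStatus.isSupported
            "TOTPConfiguredUTC"  = $UserTOTPConfigured.UTC
            "LastLoginUTC"       = $UserLastLogin.UTC
            "LastLoginHoursSince" = $UserLastLogin.HoursSince
            "LastLoginDaysSince" = $UserLastLogin.DaysSince
        }
        $RSCUserRoleAssignments.Add($Object)
    }
}
# Returning list (PowerShell enumerates it to the caller)
Return $RSCUserRoleAssignments
# End of function
}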