Role capabilities are a vital part of a JEA session configuration. Each intended role has one or more capabilities assigned, such as visible cmdlets and functions, exported variables, visible providers such as the filesystem or the registry, and so on. The role definitions are usually stored in a role capability file with the .psrc extension. One or more of those role capabilities can be assigned to one user, in which case their contents are merged into the effective capability of that user's session:
# While all properties can be filled through cmdlet parameters,
# it is usually easier to edit the file manually
$roleCapabilityOptions = @{
    Path            = '.\FirstLevelUserSupport.psrc'
    Description     = 'Provides first level support access to change user passwords'
    VisibleCmdlets  = @(
        @{
            Name       = 'Get-Service'
            Parameters = @{
                Name        = 'Name'
                ValidateSet = 'Spooler'
            }
        }
        @{
            Name       = 'Add-NTFSAccess'
            Parameters = @(
                @{
                    Name            = 'Path'
                    ValidatePattern = '\\namespace\groupshare\Group.*'
                }
                # Shortened: further parameter restrictions for Add-NTFSAccess go here
            )
        }
        'Read-Host'
    )
    VisibleFunctions    = 'Get-DepartmentAdUser', 'Get-DepartmentAdGroupMember', 'Add-DepartmentAdGroupMember'
    FunctionDefinitions = @(
        # Shortened: your three visible functions are defined here,
        # each as @{ Name = '...'; ScriptBlock = { ... } }
    )
}
New-PSRoleCapabilityFile @roleCapabilityOptions
While Read-Host is allowed without restriction, you can see that the Get-Service cmdlet is restricted to only getting the Spooler service. Likewise, the cmdlet Add-NTFSAccess is restricted to all paths matching the regular expression \\namespace\groupshare\Group.*. All function definitions are added first, and then made visible through VisibleFunctions.
In order to make use of those role capabilities properly in session configurations, you will need to place them in a valid module folder underneath the system-wide module folders, for example, C:\Program Files\WindowsPowerShell\Modules on Windows. They need to reside in a subfolder called RoleCapabilities in your module to be detected automatically; the role capability name used in a session configuration is the file name without the .psrc extension.
Any changes to your role capability files will immediately be applied to new sessions! Make sure to protect them from unauthorized access.
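The whole flow described above (module folder with a RoleCapabilities subfolder, the .psrc file, tightened folder permissions, binding the role to a group in a session configuration and checking the merged result for a user) as an added example; this is not code from the original text, and the module name FirstLevelSupportTools, the group CONTOSO\FirstLevelSupport, the endpoint name FirstLevelSupport and the user CONTOSO\jdoe are assumed placeholders.

```powershell
# Added example, not from the original text. Assumed names: module 'FirstLevelSupportTools',
# AD group 'CONTOSO\FirstLevelSupport', endpoint 'FirstLevelSupport', user 'CONTOSO\jdoe'.
# Run elevated on the host that will expose the JEA endpoint.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\FirstLevelSupportTools'
$rcFolder   = Join-Path $moduleRoot 'RoleCapabilities'
$null = New-Item -Path $rcFolder -ItemType Directory -Force

# A manifest makes the folder a proper module, so its RoleCapabilities subfolder is scanned
New-ModuleManifest -Path (Join-Path $moduleRoot 'FirstLevelSupportTools.psd1') -Description 'JEA role capabilities'

# The role capability name is the file name without extension; reuse the Get-Service restriction from the text
New-PSRoleCapabilityFile -Path (Join-Path $rcFolder 'FirstLevelUserSupport.psrc') `
    -Description 'First level support' `
    -VisibleCmdlets @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }, 'Read-Host'

# Edits to .psrc files apply to the next session, so lock the folder down: drop inherited ACEs and
# allow only SYSTEM and Administrators (the WinRM virtual account is a local administrator and can still read it).
$acl = Get-Acl -Path $rcFolder
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $rcFolder -AclObject $acl

# Bind the role capability to a group in a session configuration and register the endpoint
$psscPath = Join-Path $env:TEMP 'FirstLevelSupport.pssc'
New-PSSessionConfigurationFile -Path $psscPath -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\FirstLevelSupport' = @{ RoleCapabilities = 'FirstLevelUserSupport' } }
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw "Invalid session configuration file: $psscPath" }
Register-PSSessionConfiguration -Name 'FirstLevelSupport' -Path $psscPath -Force

# Review the merged capability a specific user would get, without opening a session:
# only the commands listed here are reachable by that user, everything else stays hidden.
Get-PSSessionCapability -ConfigurationName 'FirstLevelSupport' -Username 'CONTOSO\jdoe' |
    Select-Object Name, CommandType
```

Re-run the Get-PSSessionCapability check after every change to a .psrc file or role definition, since that is the effective view a session will present to the user.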