Synchronize (add/disable/delete/alter rights) InfoShare user profiles with a group of Active Directory users. This maintains the Knowledge Center Content Manager (= LiveContent Architect = Trisoft InfoShare) user profiles needed for (indirect) Windows Authentication.
# 20170217/ddemeyer
#
# SUMMARY
# Synchronize (add/disable/delete/alter rights) InfoShare user profiles with a group of Active Directory users.
# This maintains the necessary Knowledge Center Content Manager (= LiveContent Architect = Trisoft InfoShare) user profiles for
# usage with (indirect) Windows Authentication.
#
# REFERENCES
# http://docs.sdl.com/LiveContent/content/en-US/SDL%20Knowledge%20Center%20full%20documentation-v2.1.3/GUID-ACA60551-D607-4861-9E34-0324178B40FF
# https://github.com/sdl/ISHRemote
# http://technet.microsoft.com/en-us/library/dd378937(WS.10).aspx Active Directory Administration with Windows PowerShell
# https://technet.microsoft.com/en-us/library/ee617195.aspx Active Directory Cmdlets in Windows PowerShell
#
# DOC EXTRACT: Provisioning users through the API
# ----------------------------------------------------------------
# The API allows you CRUD and Disabling of user profiles. The following algorithm can guide you in sync'ing your user systems.
# Delete or Disable InfoShare User Profiles that no longer exist in the central system.
# List all InfoShare user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
# For every user in the InfoShare-user-list find the external user profile by FISHEXTERNALID
# If none exists, delete the InfoShare user profile if not referenced, otherwise disable the InfoShare user profile
# If one or more exists; check if disabled, possibly disable the InfoShare user profile
# Create or Update InfoShare User Profiles in the InfoShare system.
# List all external users required to have a matching profile in InfoShare (e.g. limited by LDAP role,…)
# For every user in the external-user-list find the InfoShare User Profile by FISHEXTERNALID
# If multiple hits; throw exception as multiple profile hits will never grant a login
# If none exists; create the user profile with required roles and user groups
# If one exists; enable, skip or possibly update the user profile
# CAUTION: Beware that update could overwrite explicitly set values.
#
# NOTES
# . Authentication, either Windows or InfoShare Username/Password, still requires some code adaptation.
# The best solution is to externalize this using the -PSCredential parameter, combined with PowerShell's Get-Credential
# . Could use some attention on introducing Param(...) blocks
# . As always more logging and testing, but this should get people going.
#
# Prerequisites ##############################################################
# Execute the scriptBlock below once to install the prerequisites
# One-time setup, kept in a scriptblock so it only runs when invoked explicitly
# (e.g. `& $prerequisitesScriptBlock`) and not on every execution of the sync script.
$prerequisitesScriptBlock = {
    # RSAT AD module: provides the Get-ADUser / Get-ADGroupMember cmdlets used by the sync
    Add-WindowsFeature -Name RSAT-AD-PowerShell
    # ISHRemote: provides the *-IshSession / *-IshUser / *-IshMetadataField cmdlets
    Install-Module -Name ISHRemote -Repository PSGallery -Scope CurrentUser -Force
    Update-Module -Name ISHRemote
}
# END of Prerequisites #######################################################
# Variables to configure before executing this script: ############################################################
$webServicesBaseUrl = 'https://example.com/ISHWS/'
# Username/password are only needed when CM authenticates with username/password.
# $ishPassword is only needed when NOT using the -PSCredential login option (see below);
# leave it empty and prefer -PSCredential so no secret has to live in this file.
$ishUserName = 'Admin'
$ishPassword = ''
$ishSession = 'SessionNotInitialized'
# Your Active Directory domain like 'Company' or 'Global'
$domain = ''
# Your Active Directory group; rerun this script for every AD group whose members need a CM user profile.
# To list the groups of the user currently executing PowerShell: Get-ADPrincipalGroupMembership $env:username | select name
$ADGroup = 'Mechelen Project'
# Only the user executing this script gets these roles
$AdminUserRoles = 'VUSERROLEREVIEWER, VUSERROLEAUTHOR, VUSERROLEADMINISTRATOR'
# Every other AD user gets these roles
$UserRoles = 'VUSERROLEREVIEWER, VUSERROLEAUTHOR'
# Destructive switches; both off by default.
$DisableAllExistingDomainUsers = $false   # immediately disable all external users
$RemoveExistingDomainUsers = $false       # immediately delete all external users
# END list of Variables to configure before executing this script #################################################
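Write-Host "`r`n Setting preferences..."
$DebugPreference = "SilentlyContinue" # Continue or SilentlyContinue
$VerbosePreference = "SilentlyContinue" # Continue or SilentlyContinue
$WarningPreference = "Continue" # Continue or SilentlyContinue or Stop
$ProgressPreference= "Continue" # Continue or SilentlyContinue
# $true turns the Set-IshUser / Add-IshUser calls below into a dry run (passed as -WhatIf:$WhatIf)
$WhatIf = $False
Write-Host "`r`n Using variables..."
Write-Host "webServicesBaseUrl =$webServicesBaseUrl"
Write-Host "UserName =$ishUserName"
# Never echo the password value: console output ends up in transcripts, CI logs and screen shares.
# Only report whether one was configured.
Write-Host "Password set =$([bool]$ishPassword)"
Write-Host "Session =$ishSession"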
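try
{
    Write-Host "`r`nCreate a IshSession through Login..."
    # If CM is using Windows Authentication, the login below will be done by the user that is executing the PS session
    $ishSession = New-IshSession -WsBaseUrl $webServicesBaseUrl
    # If CM is using Username Password authentication: Two options to login, uncomment one:
    #$ishSession = New-IshSession -WsBaseUrl $webServicesBaseUrl -PSCredential $ishUserName # Will show login screen, so password must not be set in script
    #$ishSession = New-IshSession -WsBaseUrl $webServicesBaseUrl -IshUserName $ishUserName -IshPassword $ishPassword
    Write-Host "Domain=$domain"
    Write-Host "DomainGroup=$ADGroup"
    # Account running this script; it is never disabled or deleted below so a sync cannot lock the operator out.
    $currentAccountName = $env:username.ToLower()

    ##########################################################
    # [A] Disable/Deactivate InfoShare User Profiles that no longer exist in the central system.
    # List all InfoShare user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
    # For every user in the InfoShare-user-list find the external user profile by FISHEXTERNALID
    # If none exists, disable the InfoShare user profile
    # If one or more exists; check if disabled, disable/deactivate the InfoShare user profile
    ##########################################################
    Write-Host "`r`n[A] Disable/Deactivate InfoShare User Profiles that no longer exist in the central system."
    Write-Host "Listing all InfoShare user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No "
    $ishMetadataFilterFields = Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHUSERTYPE" -Level "None" -ValueType "Element" -Value "VUSERTYPEEXTERNAL" |
                               Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHUSERDISABLED" -Level "None" -ValueType "Element" -Value "FALSE" |
                               Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "None" -FilterOperator "Like" -Value "$domain\%"
    $ishMetadataFields = Set-IshMetadataField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "none"
    $ishobjectsFind = Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $ishMetadataFilterFields -RequestedMetadata $ishMetadataFields
    foreach ($ishobject in $ishobjectsFind)
    {
        $externalId = Get-IshMetadataField -IshObject $ishobject -Name FISHEXTERNALID -IshSession $ishSession -Level None
        Write-Host "Verifying if $externalId is disabled... " -NoNewline
        # FISHEXTERNALID is written as DOMAIN\account (see [B]); the account name is the last backslash-separated part
        $externalUserArray = $externalId.Split('\')
        $accountName = $externalUserArray[$externalUserArray.Length - 1]
        $adUser = Get-ADUser -Filter {(Enabled -eq "True") -and (SamAccountName -eq $accountName)}
        # $null on the left keeps the test a plain boolean even if the filter ever returned a collection
        if (($null -ne $adUser) -and !$DisableAllExistingDomainUsers)
        {
            # Enabled domain user found
            Write-Host "is still valid"
        }
        elseif ($accountName.ToLower() -eq $currentAccountName)
        {
            # No disable on the user that is executing this script.
            # Compare the account parsed from the profile, not $adUser.SamAccountName: $adUser is $null in this
            # branch whenever the AD account is gone, and calling .ToLower() on it threw and aborted the whole sync.
            Write-Host "Ignoring InfoShare user identified by $externalId"
        }
        else
        {
            # No enabled domain user found (or $DisableAllExistingDomainUsers forced it): disable and deactivate
            Write-Host "Disabling and Deactivating InfoShare user identified by $externalId"
            $ishMetadataFieldsAction = Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERDISABLED" -Level "none" -ValueType "Element" -Value "TRUE" |
                                       Set-IshMetadataField -IshSession $ishSession -Name "FISHOBJECTACTIVE" -Level "none" -ValueType "Element" -Value "FALSE"
            $ishobject = Write-Output $ishobject |
                         Set-IshField -IshSession $ishSession -MergeField $ishMetadataFieldsAction -ValueAction "Overwrite" |
                         Set-IshUser -IshSession $ishSession -WhatIf:$WhatIf
        }
    }

    ##########################################################
    # [B] Create or Update InfoShare User Profiles in the InfoShare system.
    # List all external users required to have a matching profile in InfoShare (e.g. limited by group)
    # For every user in the external-user-list find the InfoShare User Profile by FISHEXTERNALID
    # If multiple hits; throw exception as multiple profile hits will never grant a login
    # If none exists; create the user profile with required roles and user groups
    # If one exists; enable, skip or possibly update the user profile
    # CAUTION: Beware that update could overwrite explicitly set values.
    ##########################################################
    Write-Host "`r`n[B] Create or Update User Profiles in CM user list"
    Write-Host "Listing all enabled users part of $ADGroup ..."
    $usersForInfoShare = Get-ADGroupMember -Identity $ADGroup
    foreach ($userForInfoShare in $usersForInfoShare)
    {
        # Get-ADGroupMember also returns nested groups and computers; Get-ADUser on those throws,
        # which would abort the loop, so only user principals are processed.
        if ($userForInfoShare.objectClass -ne 'user')
        {
            Write-Host " $($userForInfoShare.name) ... skipped ($($userForInfoShare.objectClass))."
            continue
        }
        $userDetail = Get-ADUser -Identity ($userForInfoShare).SID -Properties mail
        if ($userDetail.Enabled)
        {
            $samAccountName = ($userDetail).SamAccountName
            $externalId = $domain + "\" + $samAccountName
            $externalName = ($userDetail).name
            $externalMail = ($userDetail).mail
            $isCurrentUser = ($samAccountName.ToLower() -eq $currentAccountName)
            Write-Host " $externalId ... " -NoNewline
            $ishMetadataFilterFields = Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "None" -Value "$externalId"
            $ishobjectsFind = Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $ishMetadataFilterFields
            if ($ishobjectsFind)
            {
                # InfoShare Profile exists. A disabled profile stays disabled here; re-enabling/updating is
                # deliberately not done (see the CAUTION above about overwriting explicitly set values).
                if (-not $RemoveExistingDomainUsers)
                {
                    Write-Host "will not be updated."
                }
                elseif ($isCurrentUser)
                {
                    # No delete on the user that is executing this script
                    Write-Host "ignored."
                }
                elseif ($WhatIf)
                {
                    # Honour the dry-run switch for deletes too: Add-IshUser/Set-IshUser receive -WhatIf:$WhatIf,
                    # but the delete used to run regardless of $WhatIf.
                    Write-Host "would be deleted (WhatIf)."
                }
                else
                {
                    $ishobject = Remove-IshUser -IshSession $ishSession -IshObject $ishobjectsFind
                    Write-Host "deleted."
                }
            }
            else
            {
                # Create InfoShare Profile
                Write-Host "Creating InfoShare user identified by $externalId... "
                # Only the user executing this script gets the administrator role
                $CurrentUserRoles = $UserRoles
                if ($isCurrentUser)
                {
                    $CurrentUserRoles = $AdminUserRoles
                }
                $ishMetadataFieldsAdd = Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERTYPE" -Level "none" -Value "External" |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERDISPLAYNAME" -Level "none" -Value "$externalName" |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "none" -Value $externalId |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERLANGUAGE" -Level "none" -Value "en" |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FUSERGROUP" -Level "none" -ValueType "Element" -Value "VUSERGROUPDEFAULTDEPARTMENT" |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERROLES" -Level "none" -ValueType "Element" -Value $CurrentUserRoles |
                                        Set-IshMetadataField -IshSession $ishSession -Name "FISHEMAIL" -Level "none" -Value $externalMail
                $ishobject = Add-IshUser -IshSession $ishSession -Name "$externalName ($externalMail)" -Metadata $ishMetadataFieldsAdd -WhatIf:$WhatIf
            }
        }
    }

    # Final overview of every profile whose external id starts with the domain
    Write-Host "`r`nUsers with $domain ExternalId:"
    $ishMetadataFilterFields = Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHUSERTYPE" -Level "None" -FilterOperator "In" -Value "Internal, External" |
                               Set-IshMetadataFilterField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "None" -FilterOperator "Like" -Value "$domain%"
    $ishobjectsFind = Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $ishMetadataFilterFields
    $ishobjectsFind | Out-String
}
catch
{
    Write-Host "`r`nException"
    Write-Host "========="
    # $_ is the exception that landed here; $Error[0] may already be a later, unrelated error
    $_.Exception.Message
    $_.Exception.StackTrace
    Write-Host "========="
}
finally
{
    # Write-Host "`r`nRemove-Module ISHRemote..."
    # Remove-Module ISHRemote
    $ishSession = $null
}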