Let Activity Implementer Set Properties of Extended Manual Activity Class

  • Question

  • Hi Guys,

    I tried to add an implicit scope to manual activity implementer to let users of this profile edit a new custom field via tasks. Here is my first attempt:

    #region Parameters
    [CmdletBinding()]
    param ()
    #endregion
    
    #region Variables
    [datetime]$StartTime = Get-Date
    [string]$SMServer = 'localhost'
    [string]$RoleName = 'ActivityImplementer'
    [string]$ClassName = 'ClassExtension_53aa972f_5fe0_49ee_81ba_b65091075e87'
    [string]$PropertyName = 'RFC_ProposalDeliveryTime'
    [string]$SMModule = 'System.Center.Service.Manager'
    [string]$SMNamespace = 'Microsoft.EnterpriseManagement.EnterpriseManagementGroup'
    [string]$RelEndPoint = 'Microsoft.EnterpriseManagement.Security.RelationshipEndpoint'
    [string]$OperationImplicitScope = 'Microsoft.EnterpriseManagement.Security.OperationImplicitScope'
    #endregion
    
    #region Retrieve the SCSM install directory
    Write-Verbose -Message "Retrieving SCSM install path from the registry ..."
    $SCSMRegistryKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\System Center\2010\Common\Setup"
    $InstallDirectory = $SCSMRegistryKey.InstallDirectory.TrimEnd('\')
    #endregion
    
    #region Connect to the SCSM Management Group
    ## Add the SCSM DLL in order to interact with the SDK
    Write-Verbose -Message "Loading the SCSM SDK ..."
    $SDKDLLPath = $InstallDirectory + '\SDK Binaries\Microsoft.EnterpriseManagement.Core.dll'
    Add-Type -Path $SDKDLLPath
    
    ## Connect to the Management Group
    Write-Verbose -Message "Connecting to the management group on $SMServer ..."
    $EMGType = $SMNamespace  ##+ '.EnterpriseManagementGroup'
    $EMG = New-Object -TypeName $EMGType -ArgumentList $SMServer
    #endregion
    
    #region Identify the Profile and Class
    ## Get the user profile that should be changed
    Write-Verbose -Message "Retrieving information for user role profile $RoleName ..."
    $Profile = $EMG.Security.GetProfiles() | ?{$_.Name -eq $RoleName}
    
    ## Get class
    Write-Verbose -Message "Retrieving information for class $ClassName ..."
    $Class = $EMG.EntityTypes.GetClasses() | ?{$_.Name -eq $ClassName}
    #endregion
    
    #region Add permissions to update a class property
    ## Retrieve the property information
    Write-Verbose -Message "Retrieving information for property $PropertyName ..."
    $Property = $Class.GetProperties() | ?{$_.Name -eq $PropertyName}
    
    ## Get the Object__Set implicit scope
    Write-Verbose -Message "Configuring custom permissions ..."
    $ObjSet = $Profile.Operations | ?{$_.Name -eq "Object__Set"}
    
    ## Create the new implicit scope object for the class + property combination
    $OIObject = New-Object $OperationImplicitScope -ArgumentList @($Class.Id,$Property.Id)
    
    ## Add the new scope object to the array of scopes, then update the profile
    Write-Verbose -Message "Setting custom permissions ..."
    $ObjSet.ImplicitScopes.Add($OIObject)
    $Profile.Update()
    #endregion 
    
    #region Wrap-up
    Write-Verbose -Message "Permissions configuration complete!" -Verbose
    #Write-Verbose -Message "Total time: $(New-TimeSpan -Start $StartTime -End (Get-Date))" -Verbose
    #endregion


    Running the code gives me this error:

    Exception calling "Update" with "0" argument(s): "The operation 987525aa-4d63-4e9f-97b0-56ba958f2daa in the profile 0721c457-f7c2-4f2d-b9ac-7111bcceee41 is already restricted to the same type or its base type. Hence there is no need to restrict it to the specified type."

    0721c457-f7c2-4f2d-b9ac-7111bcceee41 is Activity Implementer Profile.

    Running the following query with GUID 987525a...

    SELECT [OperationId]
          ,[OperationName]
          ,[OperationNumericId]
          ,[ScopeType]
      FROM [ServiceManager].[dbo].[Operation]
      where OperationId = '987525AA-4D63-4E9F-97B0-56BA958F2DAA'

    Gives the following result:

    Second Attempt:

    I tried to add Object_Add to the profile for extended class:

    #connect using sdk
    #region Retrieve the SCSM install directory
    Write-Verbose -Message "Retrieving SCSM install path from the registry ..."
    $SCSMRegistryKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\System Center\2010\Common\Setup"
    $InstallDirectory = $SCSMRegistryKey.InstallDirectory.TrimEnd('\')
    #endregion
    
    #region Connect to the SCSM Management Group
    ## Add the SCSM DLL in order to interact with the SDK
    Write-Verbose -Message "Loading the SCSM SDK ..."
    $SDKDLLPath = $InstallDirectory + '\SDK Binaries\Microsoft.EnterpriseManagement.Core.dll'
    Add-Type -Path $SDKDLLPath
    
    $NS = "Microsoft.EnterpriseManagement";
    $EMGType = "$NS.EnterpriseManagementGroup";
    $EMG = new-object $EMGType localhost;
    #get the user profile that should be changed
    $prof_ir = $emg.Security.GetProfiles() | where{$_.name -eq "ActivityImplementer"}
    #get class to give access to
    $class_ssr = $emg.EntityTypes.GetClasses() | where{$_.name -match "ClassExtension_53aa972f_5fe0_49ee_81ba_b65091075e87"}
    #preparation
    $emptyguid = [guid]::empty
    [byte]$relendpoint = "2"
    $oiscope = [microsoft.enterprisemanagement.security.OperationImplicitScope]
    #give access to create (add) new objects of class type (Operations "Object__Add")
    $obj_add = $prof_ir.operations | where{$_.name -eq "Object__Add"}
    $oiobject = New-Object $oiscope -ArgumentList @($class_ssr.id,$emptyguid,$emptyguid,$relendpoint)
    $obj_add.ImplicitScopes.Add($oiobject)
    $prof_ir.Update()

    A new line is added to [ProfileOperationImplicitScope]:

    Yet I still get an Unauthorized access exception.

    Any ideas how to solve it?

    Thanks


    YSobhdel


    Monday, February 18, 2019 4:14 PM

All replies