none
Add Roles/members/permissions RRS feed

  • Question

  • Is there a script similar to this one but for Tabular Models?

    https://bhavikmerchant.wordpress.com/2010/09/06/adding-ssas-roles-via-powershell/

    # Script to create roles in EIS cube databases via a text file
    [System.reflection.Assembly]::LoadWithPartialName(“Microsoft.AnalysisServices”)
    [System.reflection.Assembly]::LoadWithPartialName(“System.IO”)
    
    $logFile = “PATH TO LOG FILE”
    $sw = new-object System.IO.StreamWriter($logFile)
    
    $svr = new-Object Microsoft.AnalysisServices.Server
    $svr.Connect(“localhost”)
    
    $dbname = “YOUR_SSAS_DB_NAME”
    $db = $svr.Databases.item($dbname)
    
    # Print the Database Name
    “Adding Roles to Database: ” + $db.Name
    
    #read file here
    $roleLines = Get-Content “PATH TO TEXT FILE CONTAINING LIST OF ROLE NAMES”
    
    #repeat for every line in the file
    foreach ($roleName in $roleLines)
    {
    “Processing Role for: ” + $roleName
    $groupname = “DOMAIN_NAME\” + $roleName
    
    #check if exists and delete if so
    $roleToDelete = $db.Roles.FindByName($roleName)
    
    if ($roleToDelete)
    {
    “Existing role found… deleting!”
    $roleToDelete.Drop(“AlterOrDeleteDependents”)
    
    $error.clear()
    if ($error[0])
    {
    $sw.WriteLine($rolename + “: Error deleting existing : ” + $error[0])
    }
    
    }
    else
    {
    
    #Create Role and add AD group
    [Microsoft.AnalysisServices.Role] $roleToCreate = new-Object([Microsoft.AnalysisServices.Role])($rolename)
    $roleToCreate.Members.Add($groupname)
    
    #Add to db
    “… ‘” + $roleToCreate.Name + “‘ adding to database”
    $db.Roles.Add($roleToCreate)
    
    $error.clear()
    $roleToCreate.Update()
    
    if ($error[0])
    {
    $sw.WriteLine($rolename + “: Error Adding to DB: ” + $error[0])
    }
    else
    {
    
    #Create Database permission
    “… ‘” + $roleToCreate.Name + “‘ updating database permissions”
    $dbperm = $db.DatabasePermissions.Add($roleToCreate.ID)
    $dbperm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed
    
    $error.clear()
    $dbperm.Update()
    
    if ($error[0])
    {
    $sw.WriteLine($rolename + “: Error updating DB Perms: ” + $error[0])
    }
    else
    {
    
    # add role to each cube
    foreach ($cube in $db.Cubes)
    {
    
    #create Cube permission
    “… ‘” + $roleToCreate.Name + “‘ adding to permissions in : ‘” +	$cube.Name + “‘ cube”
    $cubeperm = $cube.CubePermissions.Add($roleToCreate.ID)
    $cubePerm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed
    
    $error.clear()
    $cubeperm.Update()
    
    if ($error[0])
    {
    $sw.WriteLine($rolename + “: Error updating Cube Perms: ” + $error[0])
    }
    }
    
    if(!$error[0])
    {
    
    #create dimension permission
    “… ‘” + $roleToCreate.Name + “‘ adding to Org Structure Dim permissions”
    $dim = $db.Dimensions.FindByName(“Organisation”)
    $att = $dim.Attributes.FindByName(“Cost Centre Code”)
    $dim.DimensionPermissions.Add($roleToCreate.ID)
    
    $dimperm = $dim.DimensionPermissions.add($roleToCreate.ID)
    $dimperm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed
    
    “… ‘” + $roleToCreate.Name + “‘ adding cost centre restriction”
    $attPerm = $dimPerm.AttributePermissions.Add($att.ID)
    $attPerm.AllowedSet = “{[Organisation].[Cost Centre Code].&[” + $roleName + “]}”
    
    $error.clear()
    $dimPerm.Update()
    
    if ($error[0])
    {
    $sw.WriteLine($rolename + “: Error updating Dimension Perms: ” + $error[0])
    }
    }
    
    }
    
    }
    
    }
    
    }
    
    #cleanup
    $sw.close()
    $svr.Disconnect()

    I tried so far the following:

    $Server = new-Object Microsoft.AnalysisServices.Tabular.Server
    $Server.Connect("$server")
    
    $TabDB = $Tabular_Analysis_Server.Databases[$DB]
    
    [Microsoft.AnalysisServices.Tabular.ModelRole] $AddRole = new-Object([Microsoft.AnalysisServices.Tabular.ModelRole])("NewRole1")
    
    $AddRole.Members.Add("member1")
    
    $TabDB.Roles.Add($AddRole)
    
    $AddRole.Update()

    I get this error:

    new-Object : Cannot find an overload for "ModelRole" and the argument count: "1". and

    This $TabDB.Model.Roles.members gives me the roles and members just fine

    if i try doing it this way:

    $TabDB.Model.roles.Add("newrole1")

    I get this error

    Cannot find an overload for "Add" and the argument count: "1".

    This $TabDB.Model.roles.Add() results in

    OverloadDefinitions
    -------------------
    void Add(Microsoft.AnalysisServices.Tabular.ModelRole metadataObject)
    void ICollection[ModelRole].Add(Microsoft.AnalysisServices.Tabular.ModelRole item)
    • Moved by jrv Wednesday, May 8, 2019 11:46 PM Better forum.
    Wednesday, May 8, 2019 11:28 PM

Answers

  •  Remove() requires RoleMember object as input, not string or ID (as for many operations with AMO), you can apply PowerShell where-object (?-aliased)to find member by name:
    cls
    [System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-object Microsoft.AnalysisServices.Server
    $s.connect("my_test_machine\my_MD_instance")
    $d=$s.databases["my_ssas_db"]
    $r=$d.roles[0] #Role ordinal, replace with ID or .FindByName()
    $m=$r.members
    $m.remove(($m|?{$_.Name -eq "my_AD_User_Or_Role_Name"}))
    $r.update([Int]2,[Int]1)
    $s.disconnect()
    rv * -ea 0
    $error.clear()

    • Marked as answer by cataster Friday, May 10, 2019 5:29 PM
    Friday, May 10, 2019 4:19 PM
  • ..

    If i want to update a role with read permissions, or remove a permission, how would i do that? also suppose i want to remove a member without removing a role, how would i do that?
    To prevent access any method will work: removing members, removing role (assuming member doesn't exist in any other role) and changing ModelPermission property flag to None ([Int]1)

    To remove known members (if you know name) try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles["test_role"].Members.Remove("my_domain\my_secret_user")
    $d.Update([Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    To remove all members from role try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    [Microsoft.AnalysisServices.Tabular.ModelRoleMemberCollection]$x=$d.Model.Roles["my_test_role"].Members
    $x.Clear();$d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()
    To block access for all members in role change role property like this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $x=$d.Model.Roles["test"].ModelPermission;$x.value__=[Int]1
    $d.Model.Roles["test"].ModelPermission=$x
    $d.Update([Int]1,[Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    If you prefer removing role then try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles.Remove("my_test_role")
    $d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()

    Please check AMO/TOM reference documents - it has all required methods and properties.

    Friday, May 10, 2019 2:36 AM

All replies

  • Post AS questions in the AS forum.  They will be better equipped to answer your product specific  question.


    \_(ツ)_/

    Wednesday, May 8, 2019 11:44 PM
  • you can try this PS script as template:
    cls;[System.reflection.Assembly]::LoadWithPartialName(“Microsoft.AnalysisServices”)>$null
    [System.reflection.Assembly]::LoadWithPartialName(“Microsoft.AnalysisServices.Tabular”)>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect(“my_test_machine\my_tab_instance”);$d=$s.Databases["my_ssas_db"]
    [Microsoft.AnalysisServices.Tabular.Model]$m=$d.Model
    $r=new-object Microsoft.AnalysisServices.Tabular.ModelRole
    $r.Name="test";$r.ModelPermission="Read"
    $b=new-object Microsoft.AnalysisServices.Tabular.WindowsModelRoleMember
    $b.MemberID="S-1-5-21-0000000001-0000000001-0000000001-1001" #"my_sid_number_from_AD"
    $b.MemberName="my_user_name"
    if(($m.roles|?{$_.Name -eq $r.Name}).count -eq 0){
    "adding role";$m.Roles.Add($r);"adding member"
    $m.Roles["test"].Members.Add($b)
    #$m.Roles.Validate()
    "updating server";$d.Update("ExpandFull")
    }else{"role already exists"};$s.disconnect()
    if($error.count -gt 0){"something went wrong, check script for errors"}else{"run ok, finished."}
    rv * -ea 0;$Error.Clear()

    Thursday, May 9, 2019 6:20 AM
  • Hi cataster,

    You could try below script to see whether it works or not

    [System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices.tABULAR")
    $Server = new-Object Microsoft.AnalysisServices.Tabular.Server
    $Server.Connect("SERVER\INSTANCE")
    
    $TabDB = $SERVER.Databases["DATABASENAME"]
    $AddRole = new-Object Microsoft.AnalysisServices.Tabular.ModelRole
    $AddRole.Name = 'NewRole1'
    $AddRole.ModelPermission="Read"
    $RoleMember = New-Object Microsoft.AnalysisServices.Tabular.WindowsModelRoleMember
    $RoleMember.MemberName = 'DOMAIN\ACCOUNT'
    $TabDB.Model.Roles.Add($AddRole)
    $AddRole.Members.Add($RoleMember)
    $TabDB.Update([Microsoft.AnalysisServices.UpdateOptions]::ExpandFull)
    $server.Disconnect()
    
    Best Regards,
    Zoe Zhi


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Thursday, May 9, 2019 7:29 AM
  • you can try this PS script as template:
    cls;[System.reflection.Assembly]::LoadWithPartialName(“Microsoft.AnalysisServices”)>$null
    [System.reflection.Assembly]::LoadWithPartialName(“Microsoft.AnalysisServices.Tabular”)>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect(“my_test_machine\my_tab_instance”);$d=$s.Databases["my_ssas_db"]
    [Microsoft.AnalysisServices.Tabular.Model]$m=$d.Model
    $r=new-object Microsoft.AnalysisServices.Tabular.ModelRole
    $r.Name="test";$r.ModelPermission="Read"
    $b=new-object Microsoft.AnalysisServices.Tabular.WindowsModelRoleMember
    $b.MemberID="S-1-5-21-0000000001-0000000001-0000000001-1001" #"my_sid_number_from_AD"
    $b.MemberName="my_user_name"
    if(($m.roles|?{$_.Name -eq $r.Name}).count -eq 0){
    "adding role";$m.Roles.Add($r);"adding member"
    $m.Roles["test"].Members.Add($b)
    #$m.Roles.Validate()
    "updating server";$d.Update("ExpandFull")
    }else{"role already exists"};$s.disconnect()
    if($error.count -gt 0){"something went wrong, check script for errors"}else{"run ok, finished."}
    rv * -ea 0;$Error.Clear()

    If i want to update a role with read permissions, or remove a permission, how would i do that? also suppose i want to remove a member without removing a role, how would i do that?
    • Edited by cataster Thursday, May 9, 2019 4:29 PM
    Thursday, May 9, 2019 4:13 PM
  • Hi cataster,

    You could try below script to see whether it works or not

    [System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices.tABULAR")
    $Server = new-Object Microsoft.AnalysisServices.Tabular.Server
    $Server.Connect("SERVER\INSTANCE")
    
    $TabDB = $SERVER.Databases["DATABASENAME"]
    $AddRole = new-Object Microsoft.AnalysisServices.Tabular.ModelRole
    $AddRole.Name = 'NewRole1'
    $AddRole.ModelPermission="Read"
    $RoleMember = New-Object Microsoft.AnalysisServices.Tabular.WindowsModelRoleMember
    $RoleMember.MemberName = 'DOMAIN\ACCOUNT'
    $TabDB.Model.Roles.Add($AddRole)
    $AddRole.Members.Add($RoleMember)
    $TabDB.Update([Microsoft.AnalysisServices.UpdateOptions]::ExpandFull)
    $server.Disconnect()
    Best Regards,
    Zoe Zhi


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    very neat! If i want to update a role with read permissions, or remove a permission, how would i do that? also suppose i want to remove a member without removing a role, how would i do that? i tried $TabDB.Model.Roles.Remove($AddRole) but it returns false

    • Edited by cataster Thursday, May 9, 2019 4:34 PM
    Thursday, May 9, 2019 4:13 PM
  • ..

    If i want to update a role with read permissions, or remove a permission, how would i do that? also suppose i want to remove a member without removing a role, how would i do that?
    To prevent access any method will work: removing members, removing role (assuming member doesn't exist in any other role) and changing ModelPermission property flag to None ([Int]1)

    To remove known members (if you know name) try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles["test_role"].Members.Remove("my_domain\my_secret_user")
    $d.Update([Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    To remove all members from role try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    [Microsoft.AnalysisServices.Tabular.ModelRoleMemberCollection]$x=$d.Model.Roles["my_test_role"].Members
    $x.Clear();$d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()
    To block access for all members in role change role property like this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $x=$d.Model.Roles["test"].ModelPermission;$x.value__=[Int]1
    $d.Model.Roles["test"].ModelPermission=$x
    $d.Update([Int]1,[Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    If you prefer removing role then try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles.Remove("my_test_role")
    $d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()

    Please check AMO/TOM reference documents - it has all required methods and properties.

    Friday, May 10, 2019 2:36 AM
  • ..

    If i want to update a role with read permissions, or remove a permission, how would i do that? also suppose i want to remove a member without removing a role, how would i do that?

    To prevent access any method will work: removing members, removing role (assuming member doesn't exist in any other role) and changing ModelPermission property flag to None ([Int]1)

    To remove known members (if you know name) try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles["test_role"].Members.Remove("my_domain\my_secret_user")
    $d.Update([Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    To remove all members from role try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    [Microsoft.AnalysisServices.Tabular.ModelRoleMemberCollection]$x=$d.Model.Roles["my_test_role"].Members
    $x.Clear();$d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()
    To block access for all members in role change role property like this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $x=$d.Model.Roles["test"].ModelPermission;$x.value__=[Int]1
    $d.Model.Roles["test"].ModelPermission=$x
    $d.Update([Int]0,[Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    If you prefer removing role then try this:
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Model.Roles.Remove("my_test_role")
    $d.Update([Int]1);$s.disconnect();rv * -ea 0;$Error.Clear()

    Please check AMO/TOM reference documents - it has all required methods and properties.

    This is perfect. I did see the documentation btw but i dont really understand how to apply it programmatically. there is no way i would have known the syntax behind the permissions for example: 

    $x.value__=[Int]1

    btw, could you help me out with one more thing? for SSAS (non tabular), i thought it was easy to remove roles/members, but it turns out we have to use Drop

    Drop("AlterOrDeleteDependents")

    Its working for roles and I am able to drop them,

    $d.Roles["test"].Drop("AlterOrDeleteDependents")

    but its not working for members. I have tried both remove and drop and members arent getting removed

    $d.Roles["test"].Members["testMember"].Drop("AlterOrDeleteDependents")

    What am i missing?

    Friday, May 10, 2019 6:38 AM
  • To remove all members from role in SSAS Multidimensional - RoleMemberCollection class has Clear() method, or Remove() for individual member, then just Update() role with UpdateOptions/Mode.
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $r=$d.Roles[0];$m=$r.Members;$m.Clear()
    $r.Update([Int]2,[Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    With Role it's a bit more complex as it's integrated within metadata of dimensions/cube, therefore dependencies will be affected as well (to avoid leaving artifacts)
    So in order to drop known role you can call Drop() method with DropOptions, even no need to call Update() as Drop does it for you automatically.
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Roles["my_role_id"].Drop([Int]2);$s.disconnect()
    rv * -ea 0;$Error.Clear()

    Re: ...I did see the documentation btw but i dont really understand how to apply it programmatically. there is no way i would have known the syntax behind the permissions for example...
      I don't know this stuff either (simply impossible for anyone working on a broad set of technologies to remember all of it), just ad-hoc going through documentation and after 3-5 iterations with different code combinations it starts working (might not even be most efficient way) in 2-5 minutes. Point here - you'll never know without trying, and with documentation they have - it's quick path to solution via trial-and-error.
    Friday, May 10, 2019 1:11 PM
  • To remove all members from role in SSAS Multidimensional - RoleMemberCollection class has Clear() method, or Remove() for individual member, then just Update() role with UpdateOptions/Mode.
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $r=$d.Roles[0];$m=$r.Members;$m.Clear()
    $r.Update([Int]2,[Int]1);$s.disconnect()
    rv * -ea 0;$Error.Clear()
    With Role it's a bit more complex as it's integrated within metadata of dimensions/cube, therefore dependencies will be affected as well (to avoid leaving artifacts)
    So in order to drop known role you can call Drop() method with DropOptions, even no need to call Update() as Drop does it for you automatically.
    cls;[System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-Object Microsoft.AnalysisServices.Server
    $s.Connect("my_test_machine\my_tab_instance");$d=$s.Databases["my_ssas_db"]
    $d.Roles["my_role_id"].Drop([Int]2);$s.disconnect()
    rv * -ea 0;$Error.Clear()

    Re: ...I did see the documentation btw but i dont really understand how to apply it programmatically. there is no way i would have known the syntax behind the permissions for example...
      I don't know this stuff either (simply impossible for anyone working on a broad set of technologies to remember all of it), just ad-hoc going through documentation and after 3-5 iterations with different code combinations it starts working (might not even be most efficient way) in 2-5 minutes. Point here - you'll never know without trying, and with documentation they have - it's quick path to solution via trial-and-error.

    The remove() operation still refuses to work for individual members. 

    $d.Roles["test"].members.remove("member1")
    $d.Roles["test"].Update()

    I have tried it like that, and didnt remove the member

    I tried it this way:

    $m = $d.Roles["test"].members
    $m.Remove("member1")

    $d.Roles["test"].Update([Int]2,[Int]1)

    and the member is still there

    btw, i appreciate your help so far!

    Friday, May 10, 2019 3:10 PM
  •  Remove() requires RoleMember object as input, not string or ID (as for many operations with AMO), you can apply PowerShell where-object (?-aliased)to find member by name:
    cls
    [System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-object Microsoft.AnalysisServices.Server
    $s.connect("my_test_machine\my_MD_instance")
    $d=$s.databases["my_ssas_db"]
    $r=$d.roles[0] #Role ordinal, replace with ID or .FindByName()
    $m=$r.members
    $m.remove(($m|?{$_.Name -eq "my_AD_User_Or_Role_Name"}))
    $r.update([Int]2,[Int]1)
    $s.disconnect()
    rv * -ea 0
    $error.clear()

    • Marked as answer by cataster Friday, May 10, 2019 5:29 PM
    Friday, May 10, 2019 4:19 PM
  •  Remove() requires RoleMember object as input, not string or ID (as for many operations with AMO), you can apply PowerShell where-object (?-aliased)to find member by name:
    cls
    [System.reflection.Assembly]::LoadWithPartialName("Microsoft.AnalysisServices")>$null
    $s=new-object Microsoft.AnalysisServices.Server
    $s.connect("my_test_machine\my_MD_instance")
    $d=$s.databases["my_ssas_db"]
    $r=$d.roles[0] #Role ordinal, replace with ID or .FindByName()
    $m=$r.members
    $m.remove(($m|?{$_.Name -eq "my_AD_User_Or_Role_Name"}))
    $r.update([Int]2,[Int]1)
    $s.disconnect()
    rv * -ea 0
    $error.clear()

    Excellent! Thank you so much! i have pretty much everything now :D
    Friday, May 10, 2019 5:29 PM