Access Controls
Access controls for PowerShell Universal.
Access controls allow you to define who has access to particular resources inside PowerShell Universal.
Access controls are supported by the following resources:
- Apps
- Scripts
There are three types of access controls.
- Global
- Resource
- Tag
PowerShell Universal uses a least-privileged model and users have no access without an access control that applies to their role.
Access controls are defined within the
accessControls.ps1
file within your PowerShell Universal configuration repository. You can define access controls in the admin console under Security \ Access Controls.

There are five different privileges that can be granted to users. These values are available on the
[PowerShellUniversal.AccessControlType]
enumeration. - View (1)
- Edit (2)
- Create (4)
- Delete (8)
- Execute (16)
You can define multiple access control types on a single access control by using a binary or operator.
For example, this creates a privilege for both Create and View.
$Type = ([PowerShellUniversal.AccessControlType]::Create -bor [PowerShellUniversal.AccessControlType]::View)
You can also use the integer values for a more terse syntax. This creates the same Create and View privileges.
$Type = 1 -bor 4
Global access controls allow you to define an access for a role for all resources of the chosen type.
For example, to allow any user with the
ScriptBuilder
role to create a script, you can define an access control using the following command. You'll also want to grant the View privilege so that the user can also view scripts. $Type = ([PowerShellUniversal.AccessControlType]::Create -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'ScriptBuilder' -ObjectType 'Script' -Type $Type
Resource access controls allow you to specify access controls directly on a resource.
This example defines the execute privilege on the
OnBoarding.ps1
script to the ScriptRunner
role. $Type = ([PowerShellUniversal.AccessControlType]::Execute -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'ScriptRunner' -ObjectId 'OnBoarding.ps1' -ObjectType 'Script' -Type $Type
Tag access controls allow you to specify an access control based on a tag. All tagged resources will have this access control defined. This allows you to group resources and apply access controls to the group.
The following example provides the edit privilege to the
ScriptEditor
role and the HR
tag.$Type = ([PowerShellUniversal.AccessControlType]::Edit -bor [PowerShellUniversal.AccessControlType]::View)
New-PSUAccessControl -Role 'ScriptEditor' -Tag 'HR' -Type $Type
Last modified 2mo ago