PowerShell Universal
v5
Copyright 2025 Ironman Software


Permissions

Permissions for resources within PowerShell Universal


PowerShell Universal leverages permissions throughout the platform to provide fine-grained authorization against different scopes and resources. Built-in roles have a read-only set of permissions that are automatically applied to users with those roles. Custom roles can have custom permissions set. Additionally, individual users can have their own set of permissions.

Permissions are stored in the database and not as part of the .universal configuration files.

Permission Identifiers

Each permission uses an identifier to authorize a user to access a resource. An identifier is a string made up of the scope and resource type, followed by a slash and an access type.

For example, the following would provide read access to all API features.

apis/read

Wildcards can be used in permission identifiers to include sub-scopes over multiple access types. The following provides access to all script features.

automation.scripts/*

Managing Permissions

Permissions can be managed for an identity by clicking Security \ Permissions. You can select the identity and define a permission identifier to grant to the identity. This will blend with the permissions granted by any role assignments they may have.

Roles currently cannot be assigned permissions in the permission UI.

Example: Assigning a Script to a Role

You can assign a specific script to a user by accessing the permission dialog for the script. Click the Permissions icon.

Next, click Create Permission. This will display the Create Permission dialog. This dialog allows you to select the identity or role to assign the script to and the access you'd like to permit.

The user now has access to execute the script. In order to view it within the admin console, you will also need to grant access to the pages necessary to do so.

Click Security \ Permissions. Click Create Permission. Assign the View access to automation.scripts to the role.

Example: Scheduler Role

In this example, we'll define a role that can only manage schedules.

First, create a role named Scheduler. This can be done in the Admin Console by clicking Security \ Roles and then Create New Role. Set the role name and click Ok.

Next, define the following permissions for the role. Click the Properties button on the Scheduler role. This grants full access to scheduling and read access to automation.

  • automation.schedules/*

  • automation/read

  • automation/view

The resulting role definition is below.

New-PSURole -Name "Scheduler" -Permission @('automation.schedules/*', 'automation/read') 

Finally, assign the role to a user. You can do so statically, with a policy script or via role to claim mapping.
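
An added example, not part of the PowerShell Universal documentation or product code: a least-privilege check for the Scheduler role defined above. `Test-PermissionGrant` is a hypothetical helper, and its matching rules (a scope covers its dot-separated sub-scopes, `*` covers every access type) are an assumed model inferred from the identifier descriptions on this page; the list of checked actions is constructed for illustration.

```powershell
# Assumed matching model, not PowerShell Universal's own implementation.
function Test-PermissionGrant {
    param(
        [Parameter(Mandatory)][string]$Granted,   # e.g. 'automation/read'
        [Parameter(Mandatory)][string]$Required   # e.g. 'automation.schedules/read'
    )
    # A bare '*' (the Administrator grant on this page) covers everything.
    if ($Granted -eq '*') { return $true }

    $gScope, $gAccess = $Granted -split '/', 2
    $rScope, $rAccess = $Required -split '/', 2
    if (-not $gAccess -or -not $rAccess) { return $false }   # malformed identifier

    # Assumption: a scope covers itself and its dot-separated sub-scopes.
    $scopeOk = ($rScope -eq $gScope) -or
        $rScope.StartsWith("$gScope.", [StringComparison]::OrdinalIgnoreCase)
    # '*' in the access position covers every access type.
    $accessOk = ($gAccess -eq '*') -or ($gAccess -eq $rAccess)
    return ($scopeOk -and $accessOk)
}

# Permissions listed for the Scheduler role in the example above.
$scheduler = @('automation.schedules/*', 'automation/read', 'automation/view')

# Constructed expectations: what the role should and should not allow.
$checks = [ordered]@{
    'automation.schedules/execute' = $true    # intended: manage schedules
    'automation.scripts/read'      = $true    # intended: read automation
    'automation.scripts/execute'   = $false   # must not run scripts directly
    'settings/read'                = $false   # must not reach settings
}

foreach ($required in $checks.Keys) {
    # Collect every granted identifier that would satisfy the required one.
    $grants = @($scheduler | Where-Object {
        Test-PermissionGrant -Granted $_ -Required $required
    })
    $actual = $grants.Count -gt 0
    [pscustomobject]@{
        Required  = $required
        Expected  = $checks[$required]
        Actual    = $actual
        GrantedBy = $grants -join ', '
        Result    = if ($actual -eq $checks[$required]) { 'ok' } else { 'REVIEW' }
    }
}
```

Swap in the permission list of any custom role and the actions it must never perform; a `REVIEW` row means a grant is broader or narrower than intended under this model.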

Default Role Permissions

Below are the default role permissions.

Administrator

| Identifier | Description |
| --- | --- |
| * | Full access to PowerShell Universal. |

Operator

| Identifier | Description |
| --- | --- |
| apis/* | Full access to APIs. |
| automation/* | Full access to automation features. |
| apps/* | Full access to Apps. |
| platform/* | Full access to platform features. |
| settings/* | Full access to settings. |

Execute

| Identifier | Description |
| --- | --- |
| apis/read | Read access to APIs. |
| apis/execute | Execute access to APIs. |
| automation/read | Read access to automation features. |
| automation/execute | Execute access to automation features. |
| apps/read | Read access to Apps. |
| apps/execute | Execute access to Apps. |
| platform/read | Read access to platform features. |
| settings/read | Read access to settings. |

Reader

| Identifier | Description |
| --- | --- |
| apis/read | Read access to APIs. |
| apps/read | Read access to Apps. |
| automation/read | Read access to automation features. |

API Editor

| Identifier | Description |
| --- | --- |
| apis/* | All access to APIs. |

API Reader

| Identifier | Description |
| --- | --- |
| apis/read | Read access to APIs. |

App Editor

| Identifier | Description |
| --- | --- |
| apps/* | All access to apps. |

App Reader

| Identifier | Description |
| --- | --- |
| apps/read | Read access to apps. |
