Lithnet Access Manager v2.0

New-AmsRoleAuthorizationRule

SYNOPSIS

Creates a new role authorization rule

SYNTAX

New-AmsRoleAuthorizationRule -Name <String> -PrincipalsAllowedJit <Object[]> [-PrincipalsDeniedJit <Object[]>]
 -GroupName <String> -MaximumAccessDuration <TimeSpan> [-DefaultAccessDuration <TimeSpan>] [-AllowExtension]
 [-Description <String>] [-RuleExpiryDate <DateTime>] [-Disabled] [-Notes <String>]
 [-UserRequestReasonRequirement <AuditReasonFieldState>] [-NotificationChannelsSuccess <String[]>]
 [-NotificationChannelsFailure <String[]>] [-SiteName <String>] [-DomainControllerName <String>]
 [<CommonParameters>]

DESCRIPTION

This cmdlet creates a new just-in-time access role, and specifies the users who are allowed to claim the role.

Note: The use of this cmdlet requires Access Manager Enterprise Edition.

EXAMPLES

Example 1

PS C:\> New-AmsRoleAuthorizationRule -Name "Rocketship production admin" -GroupName "DOMAIN\Rocketship-Prod-Admins" -MaximumAccessDuration 8:30:00 -PrincipalsAllowedJit "DOMAIN\Rocketship-authorized-admins"

Creates a new authorization rule that allows members of the group DOMAIN\Rocketship-authorized-admins to become members of the DOMAIN\Rocketship-Prod-Admins group for a maximum duration of 8 hours and 30 minutes.
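The following is an added example, not part of the Lithnet documentation, showing a more complete rule definition that uses the optional parameters documented below: a deny list, a default duration shorter than the maximum, a mandatory request reason, a rule expiry date and notification channels for both outcomes. The group names, principal names and channel IDs are constructed placeholders; the duration check before the call simply enforces the documented constraint that DefaultAccessDuration cannot exceed MaximumAccessDuration.

```powershell
# Added example (not from the Lithnet documentation): creates a time-boxed JIT role
# with a deny list, a required request reason and audit notifications.
# Group names, principal names and channel IDs are constructed placeholders.

$maximum = [TimeSpan]::Parse('08:00:00')   # hard cap on any single access request
$default = [TimeSpan]::Parse('02:00:00')   # duration offered to the user by default

# The documentation states the default cannot be greater than the maximum;
# check it in the script so a bad value fails before the service is called.
if ($default -gt $maximum) {
    throw "DefaultAccessDuration ($default) must not exceed MaximumAccessDuration ($maximum)"
}

$rule = @{
    Name                         = 'Rocketship production admin'
    Description                  = 'Temporary membership of the production admin group'
    GroupName                    = 'DOMAIN\Rocketship-Prod-Admins'
    PrincipalsAllowedJit         = @('DOMAIN\Rocketship-authorized-admins')   # group or SIDs
    PrincipalsDeniedJit          = @('DOMAIN\contractor.jdoe')                # accounts that must not claim the role
    MaximumAccessDuration        = $maximum
    DefaultAccessDuration        = $default
    AllowExtension               = $true                                      # user may extend before expiry
    UserRequestReasonRequirement = 'Required'                                 # Hidden, Optional or Required
    RuleExpiryDate               = (Get-Date).AddDays(90)                     # local time; forces a periodic review
    NotificationChannelsSuccess  = @('soc-jit-granted')                       # placeholder channel IDs
    NotificationChannelsFailure  = @('soc-jit-denied')
    Notes                        = 'Created by onboarding script; review before expiry'
}

# Splat the hashtable onto the cmdlet and show the returned rule object.
$created = New-AmsRoleAuthorizationRule @rule
$created | Format-List
```

Splatting keeps the parameter set readable and lets the same hashtable be reused (with a different Name and GroupName) for sibling roles; the returned RoleAuthorizationRulePSObject can be inspected or logged to confirm what the service stored.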

PARAMETERS

-AllowExtension

Specifies whether the user is allowed to extend their access request before it expires

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DefaultAccessDuration

The access duration offered to the user for this role by default. This value cannot be greater than the value defined in MaximumAccessDuration

Type: TimeSpan
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Description

A description of the role, as shown to end users

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Disabled

Indicates whether the rule should be created in a disabled state

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-GroupName

The name of the group that users will be added to when granted access to this role

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-MaximumAccessDuration

The maximum amount of time the user can request access to this role

Type: TimeSpan
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Name

The name of the role, as shown to end users

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Notes

A custom field to store notes, only visible to AMS administrators

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-NotificationChannelsFailure

A list of channel IDs that should be notified when a user is denied access to this role

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-NotificationChannelsSuccess

A list of channel IDs that should be notified when a user is granted access to this role

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PrincipalsAllowedJit

The list of users who are allowed to access this role. The list can consist of fully qualified usernames (e.g. domain\user) or SIDs

Type: Object[]
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PrincipalsDeniedJit

The list of users who are not allowed to access this role. The list can consist of fully qualified usernames (e.g. domain\user) or SIDs

Type: Object[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-RuleExpiryDate

A date and time when this rule will expire, expressed in local time

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-UserRequestReasonRequirement

Specifies whether the user must provide a reason for the request, may optionally provide one, or is not prompted for one at all

Type: AuditReasonFieldState
Parameter Sets: (All)
Aliases:
Accepted values: Hidden, Optional, Required

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DomainControllerName

The name of the domain controller against which the JIT operation is performed

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SiteName

The name of the Active Directory site used when locating a domain controller to perform the JIT operation against

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

None

OUTPUTS

Lithnet.AccessManager.PowerShell.RoleAuthorizationRulePSObject

NOTES

Use of this cmdlet requires an Enterprise Edition license.

RELATED LINKS