search
DownloadsPricingRequest a trial

New-AmsRoleAuthorizationRule

hashtag
SYNOPSIS

Creates a new role authorization rule

hashtag
SYNTAX

New-AmsRoleAuthorizationRule -Name <String> -PrincipalsAllowedJit <Object[]> [-PrincipalsDeniedJit <Object[]>]
 -GroupName <String> -MaximumAccessDuration <TimeSpan> [-DefaultAccessDuration <TimeSpan>] [-AllowExtension]
 [-Description <String>] [-RuleExpiryDate <DateTime>] [-Disabled] [-Notes <String>]
 [-UserRequestReasonRequirement <AuditReasonFieldState>] [-NotificationChannelsSuccess <String[]>]
 [-NotificationChannelsFailure <String[]>] [-SiteName <String>] [-DomainControllerName <String>]
 [<CommonParameters>]

hashtag
DESCRIPTION

This cmdlet creates a new just-in-time access role, and specifies the users who are allowed to claim the role.

Note: The use of this cmdlet requires Access Manager Enterprise Edition

hashtag
EXAMPLES

hashtag
Example 1

Creates a new authorization rule, that allows members of the group `DOMAIN\Rocketship-authorized-admins` to become members of the `DOMAIN\Rocketship-Prod-Admins` group for a maximum duration of 8 hours and 30 minutes.

hashtag
PARAMETERS

hashtag
-AllowExtension

Specifies if the user is allowed to extend their access request before it expires

hashtag
-DefaultAccessDuration

The amount of time the user is offered to access this role by default. This value cannot be greater than the value defined in MaximumAccessDuration

hashtag
-Description

A description of the role, as shown to end users

hashtag
-Disabled

Indicates if the rule should be disabled

hashtag
-GroupName

The name of the group that users will be added to when granted access to this role

hashtag
-MaximumAccessDuration

The maximum amount of time the user can request access to this role

hashtag
-Name

The name of the role, as shown to end users

hashtag
-Notes

A custom field to store notes, only visible to AMS administrators

hashtag
-NotificationChannelsFailure

A list of channel IDs that should be notified when a user is denied access to this role

hashtag
-NotificationChannelsSuccess

A list of channel IDs that should be notified when a user is granted access to this role

hashtag
-PrincipalsAllowedJit

The list of users who are allowed to access this role. The list can consist of fully qualified usernames (eg domain\user) or SIDs

hashtag
-PrincipalsDeniedJit

The list of users who are not allowed to access this role. The list can consist of fully qualified usernames (eg domain\user) or SIDs

hashtag
-RuleExpiryDate

A date and time when this rule will expire, expressed in local time

hashtag
-UserRequestReasonRequirement

Specifies if the user must provide a reason for the request, if they can optionally provide a reason, or are not prompted at all for a reason

hashtag
-DomainControllerName

The name of a domain controller to use when performing the JIT operation against

hashtag
-SiteName

The name of the site to use when trying to find a domain controller to perform the JIT operation against

hashtag
CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParametersarrow-up-right.

hashtag
INPUTS

hashtag
None

hashtag
OUTPUTS

hashtag
Lithnet.AccessManager.PowerShell.RoleAuthorizationRulePSObject

hashtag
NOTES

Use of this cmdlet requires an Enterprise Edition license.

hashtag
RELATED LINKS

PreviousNew-AmsGroupNextRemove-AmsActiveDirectoryJitGroupCreationRule

Last updated

Was this helpful?