Find Differences in Security Roles

[rdr222]

Is there an easier way to find the actual differences between 2 security roles?  I have some custom security roles that are based off the built in security roles.  When a new feature is introduced or new permissions are added to the built in role I want to reflect those new permissions in the custom role.  RBAViewer can compare the roles and see how many differences there are between the custom one and the builtin one but won't actually tell me what those differences are.  Is there a way I can see what permissions are different between roles with RBAViewer?  Is there another way I can find the differences between 2 roles aside from opening both of them up and comparing them permission by permission?

[Peter33]

There is always Powershell ...

 

Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

####################################
$server = 'sccm01'    # MECM Primary Server Name
$role1 = 'Company Resource Access Manager'   # Security Role Name
$role2 = 'Compliance Settings Manager'   # Security Role Name
$DiffOnly = $false    # change to $true to show differences only
####################################


$ns = 'root\SMS\Site_'+$SiteCode

function _getRoles{

  Param(
    [parameter(position=0)]
    [string]
    $role
  )

  $props = (Get-CMSecurityRole -Name $role -ErrorAction SilentlyContinue | Select *).Properties
  $rules = [System.Collections.Generic.List[psobject]]::new()

  $props.Operations | ForEach-Object {
    $ops = $_.GrantedOperations
    $typeId = $_.ObjectTypeID

    $BitMask = [convert]::ToString($($ops),2)
    $BitMaskReverse = ([regex]::Matches($BitMask,'.','RightToLeft') | ForEach {$_.value}) -join ''
    0..($BitMaskReverse.Length - 1) | ForEach-Object{
        if($BitMaskReverse.Substring($_, 1) -eq 1){
            $BitFlag = [math]::Pow(2, $_)
            $result = Get-CimInstance -Namespace $ns -Query "SELECT * FROM SMS_AvailableOperation WHERE ObjectTypeID=$typeId and BitFlag=$BitFlag" -ComputerName $server
            $rules.AddRange(@([pscustomobject]@{TypeName = $result.ObjectTypeName; OperationName  = $result.OperationName}) -as [psobject[]])
        }
    }
  }
  return $rules
}

$r1 = _getRoles $role1 | Sort-Object -Property TypeName, OperationName
$r2 = _getRoles $role2 | Sort-Object -Property TypeName, OperationName

function _normalizeList{

  Param(
    [parameter(position=0)]
    [System.Collections.Generic.List[psobject]]
    $list
  )

  $tmp = @{}

  $list.TypeName | Get-Unique | ForEach-Object {
    $tn = $($_)
    $val = ($list | Where-Object {$_.TypeName -eq $tn}).OperationName -join ','
    $tmp.Add($tn,$val)
  }
  return $tmp
}


$list1 = _normalizeList $r1
$list2 = _normalizeList $r2


$allkeys = $list1.Keys + $list2.Keys | Sort-Object | Get-Unique

$final = [System.Collections.Generic.List[psobject]]::new()

foreach($key in $allkeys){
  if($list1[$key]){
    $val1 = $list1[$key]
  }
  else{
    $val1 = ''
  }
  if($list2[$key]){
    $val2 = $list2[$key]
  }
  else{
    $val2 = ''
  }

  if($DiffOnly -eq $false -or $val1 -ne $val2){
    $final.AddRange(@([pscustomobject]@{TypeName = $key; $($role1)  = $val1; $($role2) = $val2}) -as [psobject[]])
  }
}

$final | Out-GridView