Version: 4.3.0

Managing Roles and Users

The roles and users for the Administrator application are managed with the PowerShell cmdlets in the iCore.Administrator.Configuration module which is included in the Administrator installation.

To import the module

To import the iCore.Administrator.Configuration module, run the Load-AdminModules.ps1 script from the correct Administrator version subdirectory, for example "C:\Program Files (x86)\iCore Administrator\{Version}\Load-AdminModules.ps1". See also Directory structure.

note

User management depends on the site's chosen authentication type (Forms, Windows or OpenID Connect authentication). If you did not set up the site yourself or are unsure which authentication method it uses, contact your system administrator.

Adding permissions to users (Forms authentication)

No users are included per default, so you need to create at least one user and assign it to a role to be able to log in to the web application. The example below shows how to create a new user in the site 'My iCore Site', with user name 'admin' and password 'password':

New-iCoreWebAdminUser -SiteName 'My iCore Site' -UserName 'admin' -Password 'password'

If the iCore Administrator was installed as a web application in an existing site you must also supply the ApplicationName parameter specifying the name of the application.

To add the new user to a role, use the Add-iCoreWebAdminRoleMember cmdlet. There are two pre-defined roles: "Administrators" and "Users". This example shows how to add the user created in the previous step to the "Administrators" role:

Add-iCoreWebAdminRoleMember -SiteName 'My iCore Site' -RoleName 'Administrators' -WebAdminUser 'admin'

Once the user is created and configured as described in the examples, you should be able to log in to the Administrator. To add more users, simply repeat the steps.
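
The two steps above with the password prompted for instead of typed as a literal, so it does not end up in the console history or in a saved script. This is an added example, not part of the iCore documentation; it assumes Load-AdminModules.ps1 has been run in the session and that -Password takes a plain string, as in the example above. The 12-character minimum is an assumed local policy, not a product requirement.

```powershell
# Added example. Assumes the iCore.Administrator.Configuration module is loaded
# and that -Password accepts a plain string, as the page's own example passes one.
$ErrorActionPreference = 'Stop'   # a failed user creation must not fall through to the role step

$site     = 'My iCore Site'
$userName = 'admin'
$minLen   = 12                    # assumed local policy, not a product setting

# Read the password twice without echoing it to the console
$first  = Read-Host -Prompt "Password for '$userName'" -AsSecureString
$second = Read-Host -Prompt 'Repeat password' -AsSecureString

# Convert to plain text only at the point of use
$plain   = [System.Net.NetworkCredential]::new('', $first).Password
$confirm = [System.Net.NetworkCredential]::new('', $second).Password

try {
    if ($plain -cne $confirm)      { throw 'Passwords do not match.' }
    if ($plain.Length -lt $minLen) { throw "Password must be at least $minLen characters." }

    New-iCoreWebAdminUser -SiteName $site -UserName $userName -Password $plain
    Add-iCoreWebAdminRoleMember -SiteName $site -RoleName 'Administrators' -WebAdminUser $userName
}
finally {
    # Drop the plain-text copies from the session
    Remove-Variable plain, confirm -ErrorAction SilentlyContinue
}
```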

Adding permissions to users (Windows authentication)

After installation, no users have permissions to access the iCore Administrator site per default. You need to add at least one Windows user or group to a role in the Administrator to be able to log in to the application.

To add a user or group to a role, use the Add-iCoreWebAdminRoleMember cmdlet. There are two pre-defined roles: "Administrators" and "Users". The example below shows how to add the Windows group MYDOMAIN\iCoreUsers to the Users role in the Administrator site named 'My iCore Site':

Add-iCoreWebAdminRoleMember -SiteName 'My iCore Site' -RoleName 'Users' -WindowsIdentity 'MYDOMAIN\iCoreUsers'

The same command can be used to add a user. For example, to add the local administrator user to the Administrators role, type:

Add-iCoreWebAdminRoleMember -SiteName 'My iCore Site' -RoleName 'Administrators' -WindowsIdentity 'Administrator'

You should now be able to use the Administrator site when logged in as a user that is a member of the MYDOMAIN\iCoreUsers group, or when logged in as administrator on the local computer.

Adding permissions to users (OpenID Connect)

note

To use OpenID Connect (OIDC) authentication, you need to configure an OIDC provider. For more information, see Configuring an OpenID Connect provider.

No users are included per default, so you need to create at least one user and assign it to a role to be able to log in to the web application.

The example below shows how to create a new OpenID Connect user ("$User") in the site 'My iCore Site', with name 'admin' that is using the 'oid' claim for authentication:

$User = New-iCoreWebAdminOidcUser -SiteName "My iCore Site" -Name "admin"
Add-iCoreWebAdminOidcUserIdentifier -SiteName "My iCore Site" -UserId $User.Id -Name "oid" -Value "ValueHere"

If the Administrator was installed as a web application in an existing site you also need to include the ApplicationName parameter specifying the name of the application.

To assign the new user to a role, use the Add-iCoreWebAdminRoleMember cmdlet. There are two pre-defined roles: "Administrators" and "Users". This example shows how to assign the user created in the previous example to the Administrators role:

Get-iCoreWebAdminOidcUser -SiteName "My iCore Site" -Name "admin" | Add-iCoreWebAdminRoleMember -SiteName "My iCore Site" -RoleName "Administrators"

Once the user is created and configured as described in the examples, they should be able to log in to the Administrator. To add more users, simply repeat the steps.

tip

The cmdlets operating on the OidcUser configuration return a PSCustomObject representing the user, which can be used to "pipe" commands. For example, you can run the following to create an OidcUser and add an identifier pair at the same time:

New-iCoreWebAdminOidcUser -SiteName "My iCore Site" -Name "admin" | `
Add-iCoreWebAdminOidcUserIdentifier -SiteName "My iCore Site" -Name "oid" -Value "AzureUserOidValue"

Use the Get-Help cmdlet to learn what a cmdlet accepts as a piped parameter and what it returns.

Removing permissions and users (OpenID Connect)

The following example shows how you can remove permissions from the admin user:

Get-iCoreWebAdminOidcUser -SiteName "My iCore Site" -Name "admin" | Remove-iCoreWebAdminRoleMember -SiteName "My iCore Site" -RoleName "Administrators"

To remove the 'admin' user:

Get-iCoreWebAdminOidcUser -SiteName "My iCore Site" -Name "admin" | Remove-OpenIdConnectUser -SiteName "My iCore Site"

Authorization using Azure AD groups

If you have configured authorization using Azure AD (see Configuring authorization using an Azure AD provider) you can use the cmdlet Add-iCoreAdminAzureAdGroupForRole to assign mappings between Administrator roles and Azure AD groups. You can also remove a mapping with the cmdlet Remove-iCoreAdminAzureAdGroupForRole.

  • An Administrator role can be mapped to multiple Azure AD groups.
  • An Administrator user can be a member of multiple Administrator roles if multiple Azure AD groups for different Administrator roles match.
  • Only one Azure AD group mapping for an Administrator role needs to match in order for the Azure AD-authenticated user to gain the permissions of that Administrator role.

Before you start, you need to know the Azure AD group ID (GUID) for the Azure AD group you want to map to an Administrator role.

Example

To map the Azure AD group to the "Administrators" role:

Add-iCoreAdminAzureAdGroupForRole -SiteName "My iCore Site" `
-RoleName "Administrators" `
-AzureAdGroupId "687954fc-ea9f-4612-882f-1971710e9808" `
-AzureAdGroupName "My Azure AD group"

The AzureAdGroupName parameter is just an optional name or comment. We recommend you give the mapping a name, but it is not required.
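
The matching rules in the list above, modelled offline so that a planned mapping table can be reviewed before any mapping is added. This is an added example, not part of the iCore documentation and not the product's matching code: the function names, the mapping table and all GUIDs except the one from the example above are constructed, and comparing IDs as parsed GUIDs is an assumption.

```powershell
# Added example: offline model of the role/group matching rules listed above.
# All GUIDs except the first are constructed sample values.
$RoleMappings = @{
    'Administrators' = @('687954fc-ea9f-4612-882f-1971710e9808',
                         'aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa')
    'Users'          = @('bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb')
}

function Test-GroupId {
    # True only for a well-formed, non-empty GUID
    param([string]$Value)
    $parsed = [guid]::Empty
    [guid]::TryParse($Value, [ref]$parsed) -and ($parsed -ne [guid]::Empty)
}

function Get-InvalidMapping {
    # Lists mapping entries that are not valid GUIDs, to catch typos before they are added
    param([hashtable]$Mappings)
    foreach ($role in $Mappings.Keys) {
        foreach ($id in $Mappings[$role]) {
            if (-not (Test-GroupId $id)) { [pscustomobject]@{ Role = $role; GroupId = $id } }
        }
    }
}

function Get-EffectiveRole {
    # A role is granted when at least one of its mapped groups is among the user's groups
    param([hashtable]$Mappings, [string[]]$UserGroupIds)
    $userSet = @($UserGroupIds | Where-Object { Test-GroupId $_ } |
                 ForEach-Object { ([guid]$_).ToString() })
    foreach ($role in ($Mappings.Keys | Sort-Object)) {
        $mapped = @($Mappings[$role] | Where-Object { Test-GroupId $_ } |
                    ForEach-Object { ([guid]$_).ToString() })
        if (@($mapped | Where-Object { $userSet -contains $_ }).Count -gt 0) { $role }
    }
}

# Constructed group memberships for three sample users
$alice = @('687954FC-EA9F-4612-882F-1971710E9808', 'bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb')
$bob   = @('aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa')
$carol = @('cccccccc-3333-4333-8333-cccccccccccc', 'not-a-guid')

Get-InvalidMapping -Mappings $RoleMappings
foreach ($u in 'alice', 'bob', 'carol') {
    $roles = @(Get-EffectiveRole -Mappings $RoleMappings -UserGroupIds (Get-Variable $u -ValueOnly))
    '{0}: {1}' -f $u, ($roles -join ', ')
}
```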

Other management functions

To create a new role with a specified start page:

New-iCoreWebAdminRole -SiteName 'My iCore Site' -ApplicationName 'iCore Administrator' -Role 'MyNewRole' -StartPageDashboardUrl 'https://www.MyUrl.com'

To set the start page of an existing role:

Set-iCoreWebAdminRoleStartPage -SiteName 'My iCore Site' -ApplicationName 'iCore Administrator' -Role 'MyRole' -StartPageDashboardUrl 'https://www.MyUrl.com'

There are several other cmdlets available that can be used to remove users, change passwords, or reassign roles. For more information, see iCore PowerShell cmdlets.

See also

iCore PowerShell cmdlets
Configuring an OpenID Connect provider