[microsoft.ad.user] Add parameter to fail, ignore or warn if the account performing the action does not have the permissions required to modify the AD Group #166

Merged
merged 8 commits into from
Nov 19, 2024
4 changes: 4 additions & 0 deletions changelogs/fragments/user-permissions-handling.yml
@@ -0,0 +1,4 @@
minor_changes:
- >-
microsoft.ad.user - Added ``groups.permissions_failure_action`` to control the behaviour when failing to modify the user's groups -
(https://github.com/ansible-collections/microsoft.ad/issues/140).
32 changes: 27 additions & 5 deletions plugins/modules/user.ps1
Expand Up @@ -141,6 +141,12 @@ $setParams = @{
default = 'fail'
type = 'str'
}
permissions_failure_action = @{
choices = 'fail', 'ignore', 'warn'
default = 'fail'
type = 'str'
}

}
}
}
Expand Down Expand Up @@ -396,7 +402,7 @@ $setParams = @{
}
$dnServerParams = @{}
foreach ($actionKvp in $Module.Params.groups.GetEnumerator()) {
if ($null -eq $actionKvp.Value -or $actionKvp.Key -in @('lookup_failure_action', 'missing_behaviour')) {
if ($null -eq $actionKvp.Value -or $actionKvp.Key -in @('lookup_failure_action', 'missing_behaviour', 'permissions_failure_action')) {
continue
}

Expand Down Expand Up @@ -448,10 +454,21 @@ $setParams = @{
$ADParams
}
if ($ADObject) {
Set-ADObject -Identity $member -Add @{
member = $ADObject.DistinguishedName
} @lookupParams @commonParams

try {
Set-ADObject -Identity $member -Add @{
member = $ADObject.DistinguishedName
} @lookupParams @commonParams
}
catch [Microsoft.ActiveDirectory.Management.ADException] {
if ($Module.Params.groups.permissions_failure_action -ne "fail") {
if ($Module.Params.groups.permissions_failure_action -eq "warn") {
$Module.Warn("Cannot add group '$member'. You do not have the required permissions, skipping: $($_.Exception.Message)")
}
}
else {
throw
}
}
}
$Module.Result.changed = $true
}
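Review bot: the catch on `[Microsoft.ActiveDirectory.Management.ADException]` around `Set-ADObject -Identity $member -Add` treats every ADException as a permissions failure, so with `ignore` or `warn` any other AD error raised by the call (a resolution, replication or connectivity error) is also skipped, and `$Module.Result.changed = $true` is still set even though no membership was changed. Suggest inspecting the caught exception and only skipping the access-denied case, rethrowing anything else, and setting `changed` only when the add actually succeeded.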
Expand Down Expand Up @@ -479,6 +496,11 @@ $setParams = @{
}
$Module.Diff.after.groups = @($Module.Diff.after.groups; $member)
}
elseif ($Module.Params.groups.permissions_failure_action -ne "fail") {
if ($Module.Params.groups.permissions_failure_action -eq "warn") {
$Module.Warn("Cannot remove group '$member'. You do not have the required permissions, skipping: $($_.Exception.Message)")
}
}
else {
throw
}
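Review bot: the new `elseif ($Module.Params.groups.permissions_failure_action -ne "fail")` in the remove path tests only the parameter, so whatever exception reaches this branch is treated as a permissions failure and skipped under `ignore`/`warn`, whereas the add path at least narrows to `[Microsoft.ActiveDirectory.Management.ADException]`. The two paths should apply the same check so that a non-permissions error is not silently swallowed on removal.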
20 changes: 18 additions & 2 deletions plugins/modules/user.yml
Expand Up @@ -159,9 +159,9 @@ DOCUMENTATION:
description:
- Controls what happens when a group specified by C(groups) is an
invalid group name.
- C(fail) is the default and will return an error any groups do not
- C(fail) is the default and will return an error if any groups do not
exist.
- C(ignore) will ignore any groups that does not exist.
- C(ignore) will ignore any groups that do not exist.
- C(warn) will display a warning for any groups that do not exist
but will continue without failing.
aliases:
Expand All @@ -172,6 +172,22 @@ DOCUMENTATION:
- warn
default: fail
type: str
permissions_failure_action:
description:
- Controls what happens when a group specified by C(groups) is not
able to be modified by the user specified by C(domain_username)
- C(fail) is the default and will return an erro if any groups
membership is not modifiable by the user.
- C(ignore) will ignore any groups that cannot be modified.
- C(warn) will display a warning for any groups that cannot be
modified but will continue without failing.
choices:
- fail
- ignore
- warn
default: fail
type: str
version_added: 1.8.0
password:
description:
- Optionally set the user's password to this (plain text) value.
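Review bot: the new `permissions_failure_action` description has a typo and some grammar to tidy before merge: "erro" should be "error", the first bullet is missing its trailing period, and "any groups membership is not modifiable by the user" reads better as "any group's membership cannot be modified by the user". The description also ties the behaviour to C(domain_username), while the PR title describes it as the account performing the action; consider wording it as the account the module connects with so it is accurate when no explicit username is given.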