New-PAMRole
Creates a PAM role in the MIM Service.
Syntax
New-PAMRole
[-DisplayName] <String>
[[-Privileges] <PAMGroup[]>]
[[-Approvers] <PAMUser[]>]
[[-Candidates] <PAMUser[]>]
[[-TTL] <TimeSpan>]
[[-AvailableFrom] <DateTime>]
[[-AvailableTo] <DateTime>]
[-MFAEnabled]
[-ApprovalEnabled]
[-AvailabilityWindowEnabled]
[[-Description] <String>]
[[-Session] <PAMSession>]
[-DisableAutoApprovalIfOwner]
[<CommonParameters>]
Description
A PAM role associates one or more candidate users with one or more security groups (privileges), so that a candidate user assigned to the role can subsequently request activation. The ApprovalEnabled and MFAEnabled parameters control the activation gates applied to an activation request. The Approvers parameter specifies the users (role owners) who can approve activation requests. The TTL specifies the default time to live for the group memberships granted by activation requests made through this role.
Examples
EXAMPLE 1
$pr = New-PAMRole -DisplayName "CorpAdmins" -TTL 600 -Privileges $pg -Candidates $sj
Description
This command creates a new PAM Role in the MIM Service, with a Time to Live of 600 seconds. The variable $pg can be a list of groups from an earlier call to New-PAMGroup or Get-PAMGroup, and the variable $sj can be a list of PAM Users from an earlier call to New-PAMUser or Get-PAMUser.
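A fuller example, added here and not taken from the original page, that turns on every activation gate the Description lists (approval without self-approval, MFA, and a business-hours availability window) with the recommended minimum TTL. It assumes the PAM cmdlets are loaded with a default session, and that the PAMGroup and PAMUser objects returned by Get-PAMGroup and Get-PAMUser expose a DisplayName property (assumption; the page does not describe those objects). The group and user names are constructed sample values.

```powershell
# Added example (not from the original page). Assumption: PAMGroup/PAMUser
# objects expose a DisplayName property; the names below are constructed.

# Privileges: the groups a successful activation adds the candidate to.
$pg = Get-PAMGroup | Where-Object { $_.DisplayName -eq 'PRIV.CorpAdmins' }
if (-not $pg) { throw 'Privileged group not found; create it first with New-PAMGroup.' }

# Candidates may request activation; Approvers (role owners) decide on requests.
$candidates = Get-PAMUser | Where-Object { $_.DisplayName -in 'PRIV.alice', 'PRIV.bob' }
$approvers  = Get-PAMUser | Where-Object { $_.DisplayName -eq 'PRIV.pamowner' }
if (-not $candidates -or -not $approvers) { throw 'Candidate or approver PAM users not found.' }

# Splatting keeps the gates readable; switch parameters are passed as $true.
$roleParams = @{
    DisplayName                = 'CorpAdmins'
    Description                = 'Tier-0 admin access: approval + MFA, business hours only'
    Privileges                 = $pg
    Candidates                 = $candidates
    Approvers                  = $approvers
    TTL                        = New-TimeSpan -Minutes 30   # page's recommended minimum; type is TimeSpan
    ApprovalEnabled            = $true                     # an approver must act on each request
    DisableAutoApprovalIfOwner = $true                     # an approver cannot approve their own request
    MFAEnabled                 = $true                     # MFA challenge before activation
    AvailabilityWindowEnabled  = $true
    AvailableFrom              = [DateTime]'08:00'         # only the time-of-day portion is used
    AvailableTo                = [DateTime]'18:00'
}

# Returns one Microsoft.IdentityManagement.PamCmdlets.Model.PAMRole object.
$role = New-PAMRole @roleParams
$role | Format-List
```

Outside the 08:00 to 18:00 window, or without an approver's decision and an MFA challenge, a candidate's activation request for this role does not add them to PRIV.CorpAdmins.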
Parameters
-ApprovalEnabled
If present, activation requests for this role will require approval by a role owner.
Type: SwitchParameter
Position: 9
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Approvers
If ApprovalEnabled is set, a list of users who are owners of the role and can approve requests.
Type: PAMUser[]
Position: 3
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AvailabilityWindowEnabled
If present, the role can only be activated during a specified time interval.
Type: SwitchParameter
Position: 10
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AvailableFrom
Optional earliest time of day that a request will be activated. Only the time portion of the parameter is used.
Type: DateTime
Position: 6
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AvailableTo
Optional latest time of day that a request will be activated. Only the time portion of the parameter is used.
Type: DateTime
Position: 7
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Candidates
The collection of candidate users to be associated with the PAM role; only these users can request activation of it.
Type: PAMUser[]
Position: 4
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Description
The description of the new PAM role in the MIM Service.
Type: String
Position: 11
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisableAutoApprovalIfOwner
Disable Self-Approval: Turns off automatic approval when the requestor is also an approver.
Type: SwitchParameter
Position: 13
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
The name of the new PAM role in the MIM Service.
Type: String
Position: 1
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-MFAEnabled
If present, activation requests for this role will require an MFA challenge.
Type: SwitchParameter
Position: 8
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Privileges
The collection of security groups (privileges) to be associated with the PAM role; activation grants membership in these groups.
Type: PAMGroup[]
Position: 2
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Session
The session with the PAM domain and MIM Service in which the role is created.
Type: PAMSession
Position: 12
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TTL
The default time to live in seconds of group memberships assigned to users via this role. A recommended minimum time is 30 minutes.
Type: TimeSpan
Position: 5
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Outputs
Microsoft.IdentityManagement.PamCmdlets.Model.PAMRole
One object representing the PAM role created in the MIM Service.