New-PAMRole

Creates a PAM role in the MIM Service.

Syntax

New-PAMRole
   [-DisplayName] <String>
   [-AvailabilityWindowEnabled]
   [[-Description] <String>]
   [[-Session] <PAMSession>]
   [[-Privileges] <PAMGroup[]>]
   [[-Approvers] <PAMUser[]>]
   [[-Candidates] <PAMUser[]>]
   [[-TTL] <TimeSpan>]
   [[-AvailableFrom] <DateTime>]
   [[-AvailableTo] <DateTime>]
   [-MFAEnabled]
   [-ApprovalEnabled]
   [<CommonParameters>]

Description

The New-PAMRole cmdlet creates a Privileged Access Management (PAM) role in the Microsoft Identity Manager (MIM) Service. A role links one or more candidate users to one or more security groups (privileges), so that a candidate assigned to the role can subsequently request activation into those groups. The ApprovalEnabled and MFAEnabled parameters control the authorization gates an activation request must pass. The Approvers parameter specifies the role owners who can approve activation requests. The TTL (time to live) parameter specifies the default lifetime of the group memberships granted by activation requests through this role.

Examples

Example 1: Create a new PAM role in the MIM Service with a specified time to live

PS C:\> New-PAMRole -DisplayName "CorpAdmins" -TTL 600 -Privileges $PG -Candidates $SJ

This command creates a new PAM role in the MIM Service with a time to live of 600 seconds. The variable $PG is a list of groups from an earlier call to New-PAMGroup or Get-PAMGroup, and the variable $SJ is a list of PAM users from an earlier call to New-PAMUser or Get-PAMUser.
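The following is an added example, not from the original page or the MIM documentation, showing the gated form of the same call: a role whose activation requires approval by a named owner and an MFA challenge, can only be activated during business hours, and grants membership for 30 minutes. It assumes the PAM module is loaded, that the group and users were already created with New-PAMGroup and New-PAMUser, and that Get-PAMGroup, Get-PAMUser and Get-PAMRole accept the lookup parameters used below (-SourceGroupName, -SourceAccountName, -SourceDomain, -DisplayName); the domain, account and group names and the PAMRole property names in the final check are illustrative assumptions.

```powershell
# Added example (not part of the original page). Assumes the MIM PAM module is
# loaded and the group/user objects already exist; cmdlet parameter names and the
# CONTOSO names below are assumptions for illustration.

$domain = "CONTOSO"

# Privileges: the CORP security group whose membership activation will grant.
$pg = Get-PAMGroup -SourceGroupName "CorpAdmins" -SourceDomain $domain

# Candidates: users who may request activation.
# Approvers: role owners who must approve each request, since -ApprovalEnabled is set.
$candidates = Get-PAMUser -SourceAccountName "Jen" -SourceDomain $domain
$approvers  = Get-PAMUser -SourceAccountName "SecOpsLead" -SourceDomain $domain

$role = New-PAMRole -DisplayName "CorpAdmins-Approved" `
    -Description "CorpAdmins membership, 30 min, approval + MFA, business hours only" `
    -Privileges $pg `
    -Candidates $candidates `
    -Approvers $approvers `
    -ApprovalEnabled `
    -MFAEnabled `
    -AvailabilityWindowEnabled `
    -AvailableFrom (Get-Date "08:00") `
    -AvailableTo   (Get-Date "18:00") `
    -TTL 1800   # seconds, following the convention of the page's own example

# Verify the gates took effect before handing the role to users: ApprovalEnabled,
# MFAEnabled and AvailabilityWindowEnabled should all be True, and the window and
# TTL should match what was requested (only the time-of-day portion of the
# AvailableFrom/AvailableTo values is used).
$check = Get-PAMRole -DisplayName $role.DisplayName
$check | Select-Object DisplayName, ApprovalEnabled, MFAEnabled,
    AvailabilityWindowEnabled, AvailableFrom, AvailableTo, TTL
```

The read-back at the end matters in practice: a role created without -ApprovalEnabled or -MFAEnabled is activatable by any candidate on request alone, so confirming the flags on the stored object is the cheapest check that the intended control is actually in place.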

Required Parameters

-DisplayName

Specifies the name of the new PAM role in the MIM Service.

Type: String
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Optional Parameters

-ApprovalEnabled

Indicates that activation requests to this role will require approval by a role owner.

Type: SwitchParameter
Position: 9
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Approvers

Specifies the role owners who approve activation requests when ApprovalEnabled is set.

Type: PAMUser[]
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AvailabilityWindowEnabled

Indicates the role can only be activated during a specified time interval.

Type: SwitchParameter
Position: 10
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AvailableFrom

Specifies the earliest time of day at which an activation request can be activated. Only the time portion of the value is used.

Type: DateTime
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AvailableTo

Specifies the latest time of day at which an activation request can be activated. Only the time portion of the value is used.

Type: DateTime
Position: 7
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Candidates

Specifies the candidate users associated with the PAM role; only these users can request activation into it.

Type: PAMUser[]
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Description

Specifies the description of the new PAM role in the MIM Service.

Type: String
Position: 11
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-MFAEnabled

Indicates that activation requests to this role will require an MFA challenge.

Type: SwitchParameter
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Privileges

Specifies the security groups (privileges) associated with the PAM role; activation into the role grants membership in these groups.

Type: PAMGroup[]
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Session

Specifies the session with the PAM domain and MIM Service.

Type: PAMSession
Position: 12
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-TTL

Specifies the default time to live in seconds of group memberships assigned to users through this role. The minimum recommended time is 5 minutes.

Type: TimeSpan
Position: 5
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Outputs

Microsoft.IdentityManagement.PamCmdlets.Model.PAMRole