Grant privilege elevation command to user/role/group

  1. In v1, there is only one privilege elevation command.
  2. If additional columns are added to the privilegeelevationassignment table in the future for any reason, they need to be optional columns and will be specified as
     additional optional parameters to this API.
  3. In v2, a new API will be added to grant a user/group/role permission to run commands specified in a privilege elevation command collection.
  4. When adding permanent privilege elevation assignments (i.e., "Starts" and "Expires" are not specified), the REST API checks whether a permanent privilege elevation assignment for the same command to the same principal and scope already exists, and throws an exception if it finds one.
     However, no distributed lock is taken for this check, for performance reasons, so there is still a slight chance that the check does not catch this unusual case. This situation is handled
     by privilege elevation, which calculates the effective permission based on all matching entries.
  5. Note that it is legal to have multiple temporary privilege elevation assignments for the same command to the same principal and scope.
  6. There is no support for dynamic system sets.
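
Because the duplicate check in note 4 runs without a distributed lock, two concurrent requests can both pass it and leave two permanent assignments behind. The following audit sketch is an added example, not part of the API or of the original page: it scans exported assignment rows for that case while ignoring temporary assignments, which note 5 allows to repeat. The row layout and the key names `ID`, `Command`, `Principal` and `Scope` are assumptions; only "Starts" and "Expires" come from the notes above.

```python
from collections import defaultdict

# Constructed sample rows. Key names other than "Starts" and "Expires"
# are hypothetical and do not reflect the real table schema.
SAMPLE_ASSIGNMENTS = [
    {"ID": "a1", "Command": "cmd-1", "Principal": "alice", "Scope": "sys-1"},
    {"ID": "a2", "Command": "cmd-1", "Principal": "alice", "Scope": "sys-1"},
    {"ID": "a3", "Command": "cmd-1", "Principal": "bob", "Scope": "sys-1",
     "Starts": "2024-01-01T00:00:00Z", "Expires": "2024-01-02T00:00:00Z"},
    {"ID": "a4", "Command": "cmd-1", "Principal": "bob", "Scope": "sys-1",
     "Starts": "2024-02-01T00:00:00Z", "Expires": "2024-02-02T00:00:00Z"},
    {"ID": "a5", "Command": "cmd-1", "Principal": "bob", "Scope": "sys-1"},
    {"ID": "a6", "Command": "cmd-1", "Principal": "alice", "Scope": "sys-2",
     "Starts": None, "Expires": None},
]


def is_permanent(row):
    """Permanent means neither "Starts" nor "Expires" is specified."""
    return not row.get("Starts") and not row.get("Expires")


def duplicate_permanent_assignments(rows):
    """Map (command, principal, scope) to the IDs of its permanent rows,
    keeping only keys that have more than one permanent row."""
    groups = defaultdict(list)
    for row in rows:
        # Multiple temporary rows for one key are legal, so skip them.
        if is_permanent(row):
            key = (row["Command"], row["Principal"], row["Scope"])
            groups[key].append(row["ID"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    found = duplicate_permanent_assignments(SAMPLE_ASSIGNMENTS)
    for key, ids in found.items():
        print("duplicate permanent assignment:", key, ids)
```
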