Extend LM RBAC using this module?

[calladion]

I'm developing a tool that will perform many tasks but one of those tasks is to interact with LM to perform some monitoring environment on-boarding configuration (installing collector, creating device groups, adding devices, etc.). I saw this module and thought it could be the easiest way to implement my project. Thanks for all the work on this module as it saves a lot of work for a lot of people.

My issue is that I can't find a solid way to extend LM's RBAC with this module. I'd ultimately like for anyone that executes my tool to first authenticate with LM and it uses their LM role to determine if they can execute the tool. I see that the Connect-LMAccount function is used to authenticate yourself by passing an apikey/secret or you can use a cached credential using powershell secretstore, but I can't find a way to completely extend RBAC.

I'd like the user to input their LM user account credentials and the tool then ensures they are an active user and inherits their role/permissions in LM for the tool.

Can anyone think of a way to accomplish this? If not, any other ideas other than hard-coding (in a secretstore or wherever) a static api key that has the permissions for what the tool will achieve?

[stevevillardi]

Based on how the API is written there would not be a native way to extend RBAC for different users without having created API credentials for those users ahead of time as the authentication mechanism for LM's v3 API is strictly based on Bearer or LMv1 auth tokens which are attached to specific users in LM. Basic auth which would have made it possible to authenticate via user and pass but it has been deprecated since API v1 which is slated for retirement soon. There would not be a native way to do this with the existing LM API outside of adding your own wrapper on top of this module that validates users and their permissions but uses a main application api token to perform all of the actions assuming the user has the appropriate permissions.