@@ -70,7 +70,6 @@ function Get-CippAllowedPermissions {
7070
7171 # For admin and superadmin: Compute permissions from base role include/exclude rules
7272 if ($PrimaryRole -in @ (' admin' , ' superadmin' )) {
73- Write-Information " Computing permissions for $PrimaryRole using base role rules"
7473
7574 if ($BaseRole ) {
7675 # Start with all permissions and apply include/exclude rules
@@ -143,7 +142,19 @@ function Get-CippAllowedPermissions {
143142 }
144143
145144 # Restrict base permissions to only those allowed by custom roles
146- $RestrictedPermissions = $BasePermissions | Where-Object { $CustomRolePermissions -contains $_ }
145+ # Include Read permissions when ReadWrite permissions are present
146+ $RestrictedPermissions = $BasePermissions | Where-Object {
147+ $Permission = $_
148+ if ($CustomRolePermissions -contains $Permission ) {
149+ $true
150+ } elseif ($Permission -match ' Read$' ) {
151+ # Check if there's a corresponding ReadWrite permission
152+ $ReadWritePermission = $Permission -replace ' Read' , ' ReadWrite'
153+ $CustomRolePermissions -contains $ReadWritePermission
154+ } else {
155+ $false
156+ }
157+ }
147158 foreach ($Permission in $RestrictedPermissions ) {
148159 if ($null -ne $Permission -and $Permission -is [string ]) {
149160 $AllowedPermissions.Add ($Permission )
@@ -161,8 +172,6 @@ function Get-CippAllowedPermissions {
161172 }
162173 # Handle users with only custom roles (no base role)
163174 elseif ($CustomRoles.Count -gt 0 ) {
164- Write-Information ' Computing permissions for custom roles only'
165-
166175 foreach ($CustomRole in $CustomRoles ) {
167176 try {
168177 $RolePermissions = Get-CIPPRolePermissions - RoleName $CustomRole
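Review bot: In the second hunk the suffix test is anchored (`-match 'Read$'`) but the rewrite is not: `-replace 'Read', 'ReadWrite'` substitutes every case-insensitive occurrence of "Read" in the permission name, so a name containing that substring earlier on maps to a ReadWrite name that can never be found in `$CustomRolePermissions`. The miss is fail-closed (the implied Read is simply not granted), but it makes the effective permission set depend on naming; anchoring the replacement as `$ReadWritePermission = $Permission -replace 'Read$', 'ReadWrite'` keeps the test and the rewrite in step. The implied grant stays bounded by `$BasePermissions` because the filter iterates over that list, and the comment above the filter should say so, since that bound is what keeps the rule from widening access past the base role. Whether the custom-roles-only branch in the third hunk applies the same Read-from-ReadWrite rule is not visible here (the function continues outside these hunks), and the two removed `Write-Information` lines were the only trace in these hunks of which path computed a user's permissions.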