Add global and per-user action/category enable/disable controls (v0.5.0)

Global config:
- DisabledActions: comma-separated list of action names to skip globally
- DisabledCategories: comma-separated categories (Core, Management, Advanced)
- Select-ROUserActions filters out globally disabled actions/categories
- Set-ROConfig now accepts empty strings (AllowEmptyString) for clearing

Per-user controls via Set-ROUser:
- -DisableCategory / -EnableCategory: set all actions in a category to 0
  or restore default weights from SeedActionWeights.psd1
- -DisableAction / -EnableAction: toggle individual actions by name

Global disables take precedence over per-user weights.
Bump module version to 0.5.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jagger

CLAUDE.md

@@ -0,0 +1,70 @@
+# RobOtters -- Project Conventions
+
+## Overview
+PowerShell module (RobOtters) that simulates Secret Server user activity for lab environments.
+AD-authenticated users perform randomized actions (0-15 per 30-min cycle) against
+an on-prem Delinea Secret Server instance to generate realistic audit trail data.
+
+## Architecture
+- **PowerShell module** (`RobOtters.psd1` / `RobOtters.psm1`) with Public/Private function split
+- **SQLite** via PSSQLite module for credential store, config, and action logs
+- **REST API** calls to Secret Server `/api/v1/*` endpoints with OAuth2 password grant
+- Runs unattended via **Windows Task Scheduler** every 30 minutes
+
+## Directory Layout
+```
+RobOtters/
++-- RobOtters.psd1          # Module manifest
++-- RobOtters.psm1          # Dot-source loader
++-- Register-ROTask.ps1     # Task Scheduler registration
++-- assets/                 # Images
++-- Data/                   # Schema, seed data, SS reports
++-- Docs/                   # Guides and command reference
++-- Public/                 # Exported cmdlets (13 commands)
++-- Private/                # Internal functions
+|   +-- Data/               # DB helpers
+|   +-- Api/                # Secret Server REST client
+|   +-- Actions/            # 19 Secret Server action functions
+|   +-- Engine/             # Cycle orchestration
+|   +-- Logging/            # File + DB logging
++-- Scripts/                # Migration utilities
++-- Tests/                  # Pester tests
+```
+
+## Data Storage
+- **SQLite DB** lives in `$env:ProgramData\RobOtters\` (or `$env:RO_DATA_PATH` if set)
+- **Log files** in a `Logs/` subfolder under the data root
+- DB and logs are outside the repo directory; gitignored
+
+## Coding Conventions
+- **Verb-Noun** naming: all functions use `RO` prefix (`Verb-RO<Noun>`)
+- All functions use `[CmdletBinding()]` and named parameters
+- Action functions return uniform `[PSCustomObject]@{ Action; TargetType; TargetId; TargetName; Success; ErrorMessage }`
+- Use `Write-ROLog` for all operational logging (not Write-Host)
+- Errors: use `Write-Error` / `throw` for unrecoverable; `Write-Warning` + continue for transient
+- SQL: always parameterized queries via `-SqlParameters` (no string interpolation)
+- Secrets: passwords encrypted at rest (DPAPI by default, AES-256 if `RO_ENCRYPT_KEY` env var is set)
+- No aliases in scripts; use full cmdlet names
+- Prefer splatting for calls with 3+ parameters
+
+## Key Dependencies
+- **PSSQLite** -- SQLite access (`Invoke-SqliteQuery`)
+- **Secret Server REST API** -- `/api/v1/*` with OAuth2 bearer tokens
+
+## Config Defaults (stored in Config table)
+- `SecretServerUrl` -- base URL of the SS instance
+- `MinActionsPerCycle` -- 0
+- `MaxActionsPerCycle` -- 15
+- `LogRetentionDays` -- 30
+- `DefaultDomain` -- lab domain name
+- `PasswordRotationDays` -- 14 (days between automatic password rotations)
+- `AuthFailureAction` -- AlertOnly (or RotateAndAlert)
+- `LauncherTemplateId` -- template ID for launcher-based actions
+- `AccessSnapshotMaxAgeDays` -- max age for user access snapshots
+- `DisabledActions` -- comma-separated list of globally disabled action names
+- `DisabledCategories` -- comma-separated list of globally disabled categories (Core, Management, Advanced)
+
+## Testing
+- Pester v5+ for unit tests
+- `Tests/Unit/` -- pure logic tests (no network/DB)
+- `Tests/Integration/` -- requires live SS instance

Docs/commands/Set-ROUser.md

@@ -32,6 +32,10 @@ then updated (DPAPI-encrypted) in the SQLite database. The -Password and
 | IsEnabled | Nullable[Boolean] | No | -- | Enable or disable the user |
 | ActionWeights | Hashtable | No | -- | Updated action weight map |
 | RandomPassword | Switch | No | -- | Generate and set a random password (mutually exclusive with Password) |
+| EnableCategory | String | No | -- | Enable all actions in a category (Core, Management, Advanced) by restoring default weights |
+| DisableCategory | String | No | -- | Disable all actions in a category by setting weights to 0 |
+| EnableAction | String | No | -- | Enable a specific action by restoring its default weight |
+| DisableAction | String | No | -- | Disable a specific action by setting its weight to 0 |
 
 ## Examples
 
@@ -59,6 +63,23 @@ Set-ROUser -Username 'svc-simuser01' -ActionWeights @{ GetSecret = 10; CreateSec
 ```
 Adjusts the probability weights for the user's actions during simulation cycles.
 
+### Example 5: Disable all Management actions for a user
+```powershell
+Set-ROUser -Username 'svc-simuser01' -DisableCategory 'Management'
+```
+Sets all Management action weights to 0.
+
+### Example 6: Re-enable a category
+```powershell
+Set-ROUser -Username 'svc-simuser01' -EnableCategory 'Management'
+```
+Restores default weights for all Management actions.
+
+### Example 7: Disable a single action
+```powershell
+Set-ROUser -Username 'svc-simuser01' -DisableAction 'CreateSecret'
+```
+
 ## Outputs
 
 | Property | Type | Description |

Docs/configuration.md

@@ -2,7 +2,7 @@
 
 ## Config Keys
 
-All configuration is stored in the Config SQLite table. Use Get-ROConfig and Set-ROConfig to read and write values.
+All configuration is stored in the Config SQLite table (11 keys). Use Get-ROConfig and Set-ROConfig to read and write values.
 
 | Key | Default | Description |
 |-----|---------|-------------|
@@ -15,6 +15,8 @@ All configuration is stored in the Config SQLite table. Use Get-ROConfig and Set
 | AuthFailureAction | AlertOnly | Auth failure behavior: AlertOnly or RotateAndAlert |
 | LauncherTemplateId | 6052 | Template ID for launcher-based secret actions |
 | AccessSnapshotMaxAgeDays | 7 | Days before user access snapshots are considered stale |
+| DisabledActions | (empty) | Comma-separated list of globally disabled action names |
+| DisabledCategories | (empty) | Comma-separated list of globally disabled categories (Core, Management, Advanced) |
 
 ## Examples
 ```powershell
@@ -67,3 +69,33 @@ Get-ROUser -Username 'svc.sim01' -IncludeWeights
 ```
 
 To change defaults for all new users, edit Data/SeedActionWeights.psd1 before running Add-ROUser.
+
+### Disabling Actions Globally
+```powershell
+# Disable specific actions for all users
+Set-ROConfig -Key 'DisabledActions' -Value 'CreateSecret,CreateFolder'
+
+# Disable an entire category for all users
+Set-ROConfig -Key 'DisabledCategories' -Value 'Management'
+
+# Clear (re-enable all)
+Set-ROConfig -Key 'DisabledActions' -Value ''
+Set-ROConfig -Key 'DisabledCategories' -Value ''
+```
+
+Categories: **Core** (SearchSecrets, ViewSecret, CheckoutPassword, ListFolderSecrets, BrowseFolders), **Management** (CreateFolder, CreateSecret, EditSecret, MoveSecret, ToggleComment, ToggleCheckout, ExpireSecret), **Advanced** (CheckinSecret, RunReport, AddFavorite, TriggerHeartbeat, ViewSecretPolicy, ChangePassword, LaunchSecret).
+
+Global disables take precedence over per-user weights.
+
+### Disabling Actions Per User
+```powershell
+# Disable an entire category for one user
+Set-ROUser -Username 'svc.sim01' -DisableCategory 'Management'
+
+# Re-enable (restores default weights)
+Set-ROUser -Username 'svc.sim01' -EnableCategory 'Management'
+
+# Disable/enable a single action
+Set-ROUser -Username 'svc.sim01' -DisableAction 'CreateSecret'
+Set-ROUser -Username 'svc.sim01' -EnableAction 'CreateSecret'
+```

Private/Engine/Select-ROUserActions.ps1

@@ -9,14 +9,37 @@ function Select-ROUserActions {
         [int]$MaxActions = 15
     )
 
-    # Get user's action weights
+    # Get user's action weights (weight > 0 means enabled at user level)
     $weights = Invoke-ROQuery -Query "SELECT ActionName, Weight FROM ActionWeight WHERE UserId = @UserId AND Weight > 0" -SqlParameters @{ UserId = $UserId }
 
     if (-not $weights) {
         Write-ROLog -Message "No action weights found for UserId $UserId" -Level WARN -Component 'Engine'
         return @()
     }
 
+    # Apply global disabled actions filter
+    $disabledActions = Get-ROConfig -Key 'DisabledActions'
+    if ($disabledActions) {
+        $disabledList = $disabledActions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+        $weights = @($weights | Where-Object { $_.ActionName -notin $disabledList })
+    }
+
+    # Apply global disabled categories filter
+    $disabledCategories = Get-ROConfig -Key 'DisabledCategories'
+    if ($disabledCategories) {
+        $disabledCatList = $disabledCategories -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+        $registry = Get-ROActionRegistry
+        $weights = @($weights | Where-Object {
+            $entry = $registry[$_.ActionName]
+            -not $entry -or $entry.Category -notin $disabledCatList
+        })
+    }
+
+    if (-not $weights -or $weights.Count -eq 0) {
+        Write-ROLog -Message "No eligible actions for UserId $UserId after global filters" -Level WARN -Component 'Engine'
+        return @()
+    }
+
     # Determine number of actions for this cycle
     $actionCount = Get-Random -Minimum $MinActions -Maximum ($MaxActions + 1)
 

Public/Initialize-RODatabase.ps1

@@ -70,6 +70,8 @@ function Initialize-RODatabase {
             AuthFailureAction          = 'AlertOnly'
             LauncherTemplateId         = '6052'
             AccessSnapshotMaxAgeDays   = '7'
+            DisabledActions            = ''
+            DisabledCategories         = ''
         }
 
         foreach ($kv in $defaults.GetEnumerator()) {
@@ -110,6 +112,20 @@ function Initialize-RODatabase {
         Write-ROLog -Message 'Seeded AccessSnapshotMaxAgeDays config (default: 7)' -Component 'Database'
     }
 
+    # Ensure DisabledActions config exists (for existing DBs)
+    $disActCfg = Invoke-ROQuery -Query "SELECT Value FROM Config WHERE Key = 'DisabledActions'" -Scalar
+    if ($null -eq $disActCfg) {
+        Invoke-ROQuery -Query "INSERT INTO Config (Key, Value) VALUES ('DisabledActions', '')"
+        Write-ROLog -Message 'Seeded DisabledActions config (default: empty)' -Component 'Database'
+    }
+
+    # Ensure DisabledCategories config exists (for existing DBs)
+    $disCatCfg = Invoke-ROQuery -Query "SELECT Value FROM Config WHERE Key = 'DisabledCategories'" -Scalar
+    if ($null -eq $disCatCfg) {
+        Invoke-ROQuery -Query "INSERT INTO Config (Key, Value) VALUES ('DisabledCategories', '')"
+        Write-ROLog -Message 'Seeded DisabledCategories config (default: empty)' -Component 'Database'
+    }
+
     # Migrate: backfill missing action weights for existing users
     $seedWeightPath = Join-Path $PSScriptRoot '..\Data\SeedActionWeights.psd1'
     $seedWeightPath = [System.IO.Path]::GetFullPath($seedWeightPath)

Public/Set-ROConfig.ps1

@@ -8,7 +8,9 @@ function Set-ROConfig {
         Valid config keys: SecretServerUrl, DefaultDomain,
         MinActionsPerCycle, MaxActionsPerCycle, LogRetentionDays,
         PasswordRotationDays, AuthFailureAction (AlertOnly or
-        RotateAndAlert), LauncherTemplateId, AccessSnapshotMaxAgeDays.
+        RotateAndAlert), LauncherTemplateId, AccessSnapshotMaxAgeDays,
+        DisabledActions (comma-separated), DisabledCategories
+        (comma-separated: Core, Management, Advanced).
     .PARAMETER Key
         The config key to set.
     .PARAMETER Value
@@ -30,6 +32,7 @@ function Set-ROConfig {
         [string]$Key,
 
         [Parameter(Mandatory)]
+        [AllowEmptyString()]
         [string]$Value
     )
 

Public/Set-ROUser.ps1

@@ -25,6 +25,14 @@ function Set-ROUser {
         Hashtable of ActionName=Weight pairs to upsert.
     .PARAMETER RandomPassword
         Generate a random password and set it in both AD and SQLite.
+    .PARAMETER EnableCategory
+        Enable all actions in a category (Core, Management, Advanced) by restoring default weights.
+    .PARAMETER DisableCategory
+        Disable all actions in a category by setting their weights to 0.
+    .PARAMETER EnableAction
+        Enable a specific action by restoring its default weight.
+    .PARAMETER DisableAction
+        Disable a specific action by setting its weight to 0.
     .EXAMPLE
         Set-ROUser -Username 'svc.sim01' -ActiveHourEnd '19:00'
     .EXAMPLE
@@ -35,6 +43,15 @@ function Set-ROUser {
     .EXAMPLE
         Set-ROUser -Username 'svc.sim01' -IsEnabled $false
         Disable the user.
+    .EXAMPLE
+        Set-ROUser -Username 'svc.sim01' -DisableCategory 'Management'
+        Disable all Management actions for the user.
+    .EXAMPLE
+        Set-ROUser -Username 'svc.sim01' -EnableCategory 'Management'
+        Restore default weights for all Management actions.
+    .EXAMPLE
+        Set-ROUser -Username 'svc.sim01' -DisableAction 'CreateSecret'
+        Disable a single action for the user.
     .OUTPUTS
         PSCustomObject - the updated user record
     .LINK
@@ -57,7 +74,17 @@ function Set-ROUser {
 
         [hashtable]$ActionWeights,
 
-        [switch]$RandomPassword
+        [switch]$RandomPassword,
+
+        [ValidateSet('Core', 'Management', 'Advanced')]
+        [string]$EnableCategory,
+
+        [ValidateSet('Core', 'Management', 'Advanced')]
+        [string]$DisableCategory,
+
+        [string]$EnableAction,
+
+        [string]$DisableAction
     )
 
     $user = Invoke-ROQuery -Query "SELECT * FROM ROUser WHERE Username = @Username COLLATE NOCASE" -SqlParameters @{ Username = $Username }
@@ -130,5 +157,67 @@ ON CONFLICT(UserId, ActionName) DO UPDATE SET Weight = @Weight
         Write-ROLog -Message "Updated action weights for '$Username'" -Component 'UserMgmt'
     }
 
+    # Category-level enable/disable
+    if ($EnableCategory -or $DisableCategory) {
+        $registry = Get-ROActionRegistry
+        $seedPath = Join-Path $PSScriptRoot '..\Data\SeedActionWeights.psd1'
+        $seedPath = [System.IO.Path]::GetFullPath($seedPath)
+        $seedWeights = if (Test-Path $seedPath) { Invoke-Expression (Get-Content -Path $seedPath -Raw) } else { @{} }
+
+        $targetCategory = if ($EnableCategory) { $EnableCategory } else { $DisableCategory }
+        $actionsInCategory = $registry.GetEnumerator() | Where-Object { $_.Value.Category -eq $targetCategory }
+
+        foreach ($entry in $actionsInCategory) {
+            $newWeight = if ($EnableCategory) {
+                if ($seedWeights[$entry.Key]) { $seedWeights[$entry.Key] } else { 10 }
+            } else { 0 }
+
+            Invoke-ROQuery -Query @"
+INSERT INTO ActionWeight (UserId, ActionName, Weight) VALUES (@UserId, @ActionName, @Weight)
+ON CONFLICT(UserId, ActionName) DO UPDATE SET Weight = @Weight
+"@ -SqlParameters @{
+                UserId     = $user.UserId
+                ActionName = $entry.Key
+                Weight     = $newWeight
+            }
+        }
+
+        $verb = if ($EnableCategory) { 'Enabled' } else { 'Disabled' }
+        Write-ROLog -Message "$verb category '$targetCategory' for '$Username'" -Component 'UserMgmt'
+    }
+
+    # Granular action enable/disable
+    if ($EnableAction -or $DisableAction) {
+        $targetAction = if ($EnableAction) { $EnableAction } else { $DisableAction }
+        $registry = Get-ROActionRegistry
+
+        if (-not $registry.ContainsKey($targetAction)) {
+            Write-Error "Unknown action '$targetAction'. Valid actions: $($registry.Keys -join ', ')"
+            return
+        }
+
+        $newWeight = 0
+        if ($EnableAction) {
+            $seedPath = Join-Path $PSScriptRoot '..\Data\SeedActionWeights.psd1'
+            $seedPath = [System.IO.Path]::GetFullPath($seedPath)
+            if (Test-Path $seedPath) {
+                $seedWeights = Invoke-Expression (Get-Content -Path $seedPath -Raw)
+                $newWeight = if ($seedWeights[$targetAction]) { $seedWeights[$targetAction] } else { 10 }
+            } else { $newWeight = 10 }
+        }
+
+        Invoke-ROQuery -Query @"
+INSERT INTO ActionWeight (UserId, ActionName, Weight) VALUES (@UserId, @ActionName, @Weight)
+ON CONFLICT(UserId, ActionName) DO UPDATE SET Weight = @Weight
+"@ -SqlParameters @{
+            UserId     = $user.UserId
+            ActionName = $targetAction
+            Weight     = $newWeight
+        }
+
+        $verb = if ($EnableAction) { 'Enabled' } else { 'Disabled' }
+        Write-ROLog -Message "$verb action '$targetAction' for '$Username'" -Component 'UserMgmt'
+    }
+
     Get-ROUser -Username $Username
 }

README.md

@@ -93,7 +93,7 @@ All settings are stored in the Config SQLite table. Key settings:
 | MaxActionsPerCycle | 15 | Max actions per user per cycle |
 | PasswordRotationDays | 14 | Days between password rotations |
 
-See [Configuration](Docs/configuration.md) for the full list of 9 config keys and 19 action weight customizations.
+See [Configuration](Docs/configuration.md) for the full list of 11 config keys, action weight customizations, and category controls.
 
 ## Troubleshooting
 

RobOtters.psd1

@@ -1,6 +1,6 @@
 @{
     RootModule        = 'RobOtters.psm1'
-    ModuleVersion     = '0.4.0'
+    ModuleVersion     = '0.5.0'
     GUID              = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
     Author            = 'jagger'
     Description       = 'Secret Server user activity simulator for lab environments'