Skip to content

Add Trusted Scripts page (security/trusted-scripts.md) #43

Open
Open
Add Trusted Scripts page (security/trusted-scripts.md)#43
@michaellwest

Description

@michaellwest
michaellwest
opened on Mar 31, 2026

Context

SPE 9.0 introduces a script trust registry (#1426 in Console repo) that allows specific scripts to bypass CLM restrictions even in constrained sessions, with content hash verification for integrity.

Proposed Location

security/trusted-scripts.md

Content to Cover

Overview

  • What trusted scripts are: a registry of Sitecore script items that can use .NET types and bypass language mode restrictions
  • Location in content tree: /sitecore/system/Modules/PowerShell/Settings/Remoting/Trusted Scripts/
  • Template: Trusted Script

Trust Levels

Level Behavior
Untrusted Default; script runs under caller's language mode constraints
Trusted Script can use .NET types and bypass CLM for specific functions

Hash Verification

  • SHA256 content hash stored per trusted script entry
  • On execution, current script content is hashed and compared
  • Hash mismatch actions:
    • Constrain (default) - run under constrained mode if hash doesn't match
    • Block - refuse to execute
    • Warn - log warning but allow execution with trust

Template Fields

Field Type Purpose
Enabled Checkbox Enable/disable this trust entry
Script Treelist References to script items in the Script Library
AllowedProfiles Single-Line Text Comma-separated profile names this trust applies to

Profile-Bound Trust

  • Trust can be limited to specific restriction profiles
  • A script trusted for read-only won't be trusted under read-only-strict unless explicitly listed
  • Empty AllowedProfiles = trusted under all profiles

Built-in Trusted Scripts

  • SPE ships with pre-registered trusted scripts under Trusted Scripts/SPE/
    • Core/Platform/ - core platform functions
    • Training/Web API/ - training and web API examples

Managing Trusted Scripts

  1. Navigate to /sitecore/system/Modules/PowerShell/Settings/Remoting/Trusted Scripts/
  2. Create folder structure to organize trust entries
  3. Create items using Trusted Script template
  4. Select script items via Treelist field
  5. Optionally restrict to specific profiles

Cache Behavior

  • O(1) lookup by script item ID
  • Cache invalidated automatically on save/delete of trust items

Related

  • Depends on Console repo feature/clm branch (#1426)
  • Links to: restriction-profiles.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions