Separate permission scripts
Grant permission script
In the grant permission script, you get $permissionReference (PowerShell v1) or $actionContext.References.Permission (PowerShell v2), whose Reference
property specifies the standard permission currently being granted. In the if not $dryRun
block, write conditional logic to check this value and make the necessary API calls into the target system. For example, add the target account to a certain group. Your script must handle all standard permissions defined in the current permission set.
Update permission script
By default, the update permission script is disabled (empty). In almost all cases, if your permissions require update actions, you should be using sub-permissions in a single permission script instead. See Permission actions.
Revoke permission script
In the revoke permission script, you get the same $permissionReference (PowerShell v1) or $actionContext.References.Permission (PowerShell v2) as in the grant permission script. In the if not $dryRun
block, check the active standard permission and reverse its grant. For example, remove the group membership from the target account.