PoShPACLI
Powershell PACLI Module for CyberArk EPV
Exposes the native functions of the CyberArk PACLI command line utility via a PowerShell wrapper for interfacing with CyberArk EPV.
Latest Updates
- Update for speedier module import.
Getting Started
- Check the relationship table to determine what PoShPACLI function exposes which PACLI command.
Prerequisites
- Requires Powershell v3 (minimum)
- The CyberArk PACLI executable must be present on the same computer as the module.
- NOTE: Issues have been reported & observed when using the module with Pacli versions 4.X & 9.X.
- PACLI 7.2 was used for development, your mileage may vary with other versions.
- NOTE: Issues have been reported & observed when using the module with Pacli versions 4.X & 9.X.
- A CyberArk user with which to authenticate, which has appropriate Vault/Safe permissions.
Install & Use
Save the Module to your powershell modules folder of choice. Find your local PowerShell module paths with the following command:
$env:PSModulePathThe name of the folder for the module should be "PoShPACLI".
Import the module:
Import-Module PoShPACLIDiscover Commands:
Get-Command -Module PoShPACLIFunction Initialize-PoShPACLI must be run before working with the other module functions:
Initialize-PoShPACLI -pacliFolder D:\PACLIThis is required to locate the CyberArk PACLI executable in the SYSTEM path, or in a folder you specify, in order for the module to be able to execute the utility.
An identical process to using the PACLI tool on its own should be followed:
Example method to use the module to add a password object to a safe:
Connecting to a Vault
#Locate/set path to PACLI executable
Initialize-PoShPACLI
#Start PACLI Executable
Start-PVPacli
#Define Vault
New-PVVaultDefinition -vault "VAULT" -address "vaultAddress"
#Logon to vault
Connect-PVVault -vault "VAULT" -user "User" -password (Read-Host -AsSecureString)
Add Password Object to Safe
#Open Safe
Open-PVSafe -vault "VAULT" -user "User" -safe "SAFE_Name"
#Add Password to Safe
Add-PVPasswordObject -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -password (Read-Host -AsSecureString)
#Add Device Type for password
Add-PVFileCategory -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -category "DeviceType" -value
"Device_Type"
#Add PolicyID for password
Add-PVFileCategory -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -category "PolicyID" -value "Policy_Name"
#Add Logon Domain for password
Add-PVFileCategory -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -category "LogonDomain" -value "Domain_Name"
#Add Address for password
Add-PVFileCategory -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -category 'Address' -value "Address_Value"
#Add UserName for password
Add-PVFileCategory -vault "VAULT" -user "User" -safe "SAFE_Name" -folder "Root" `
-file "passwordFile" -category "UserName" -value "Account_Name"
#Close Safe
Close-PVSafe -vault "VAULT" -user "User" -safe "SAFE_Name"Disconnect from Vault
#Logoff From Vault
Disconnect-PVVault -vault "VAULT" -user "User"
#Stop Pacli process
Stop-PVPacliWorking with the Pipeline
Every command sent to the PACLI utility requires the name of the authenticated user as well as the name of the vault defined via New-PVVaultDefinition to be supplied. There is also the option to run multiple PACLI processes via the sessionID parameter.
All PoShPACLI functions output the name, vault & sessionID parameter values, meaning they can be used for pipeline operations. Custom Formats are used to control display of these properties.
PACLI Pipeline Token
Goal: Object Containing User, Vault & SessionID values
#Start Pacli
$token = Start-PVPACLI -sessionID 42| New-PVVaultDefinition -address 192.168.0.1 -vault "DEV" |
Connect-PVVault -user PACLIUser -password $password
$token | fl
vault : DEV
user : PACLIUser
sessionID : 42
A token like the one above can be passed on the pipeline to other PoShPACLI functions, no longer, laboriously, having to type these parameter values for every function:
#Open a Safe
$token | Open-PVSafe -safe Safe
#Find a file
$token | Find-PVFile -safe TestSafe -folder Root -filePattern *
#Get File List
$token | Get-PVFileList -safe Safe2 -folder Root
$token | Get-PVFileList -safe Safe3 -folder Root | ? {$_.InternalName -eq "000000000000024"} | Format-List
#Etc...
$token | get-PVSafeEvent -safePatternName XXXyyyZzZ
$token | Get-PVUserList
$token | Get-PVGroupMember -group xSecGroup1
$token | Get-PVSafe -safe testsafe
$token | Get-PVSafeList
PACLI Pipeline Examples
Output can be piped between PoShPACLI functions as shown in the below high level examples:
#open/close safe
$token |
Open-PVSafe -safe safename |
Close-PVSafe
#Open safe, get list of all files, get file activity for each file
$token |
Open-PVSafe -safe safename |
Get-PVFileList -folder Root |
Get-PVFileActivity
#Open safe, find files, update filecategory in each file
$token |
Open-PVSafe -safe TestSafe |
Find-PVFile -folder Root -filePattern * |
Set-PVFileCategory -category username -value root
#Get all safe activity of a safe owner
$token |
Get-PVUserSafeList -owner username |
Get-PVSafeActivity
#get all events from safes a user owns
$token |
Get-PVUserSafeList -owner username |
Get-PVSafeEvent
#Remove a specific owner from all safes
$token |
Get-PVUserSafeList -owner username |
Remove-PVSafeOwner
#Disable all users in a Location
$token |
Get-PVUserList |
Where-Object {$_.Location -eq "\Inactive"} |
Set-PVUser -disabled
#Disable a User
$token |
Get-PVUser -destUser admin1 |
Set-PVUser -disabled
#Rename User
$token |
Get-PVUser -destUser OldUser |
Rename-PVUser -newName NewUser
#Remove all group members
$token |
Get-PVGroupMember -group xGroup1 |
Remove-PVGroupMember
#Add members of one group to another group
$token |
Get-PVGroupMember -group xGroup1 |
Add-PVGroupMember -group xGroup2
#Get Status of all requests
$token | Get-PVRequest | Get-PVRequestStatus
#Disable specific Trusted Network Area
$token |
Get-PVTrustedNetworkArea -trusterName NewUser |
Where-Object {$_.NetworkArea -eq "All"} |
Disable-PVTrustedNetworkArea
#Find/Delete File
$token |
Open-PVSafe -safe safename |
Get-PVFileList -folder Root |
Where-Object {$_.InternalName -eq "000000000000042"} |
Remove-PVFile
Note:
-
This is the first release supporting pipeline operations; every possible combination of pipeline command will not yet have been tested.
-
Updates may be required.
-
Please log an issue for any encountered problems.
-
-
The
-WhatIf&-Confirmswitches are available to ascertain what the pipeline operation will do.
Custom Formats
All Output now either has Default Properties assigned, or a TypeName for which views are configured via the PoShPACLI.Format.ps1xml File.
Table & List views are configured.
In an attempt to keep output tidy, not all properties are always shown. To see all properties pipe to Format-List *:
$token | Get-PVSafe -safe PoShSafe | Format-List *Author
- Pete Maan - pspete
License
This project is licensed under the MIT License - see the LICENSE.md file for details
Contributing
Any and all contributions to this project are appreciated. See the CONTRIBUTING.md for a few more details.
PACLI to PoShPACLI Function Relationship
The table shows how the the PoShPACLI module functions relate to the native PACLI commands:
| PACLI Command | PoshPACLI Function |
|---|---|
| INIT | Start-PVPacli |
| TERM | Stop-PVPacli |
| DEFINEFROMFILE | Import-PVVaultDefinition |
| DEFINE | New-PVVaultDefinition |
| DELETEVAULT | Remove-PVVaultDefinition |
| CREATELOGONFILE | New-PVLogonFile |
| LOGON | Connect-PVVault |
| LOGOFF | Disconnect-PVVault |
| CTLGETFILENAME | Get-PVCTL |
| CTLADDCERT | Add-PVCTLCertificate |
| CTLLIST | Get-PVCTLCertificate |
| CTLREMOVECERT | Remove-PVCTLCertificate |
| STOREFILE | Add-PVFile |
| FINDFILES | Find-PVFile |
| RETRIEVEFILE | Get-PVFile |
| LOCKFILE | Lock-PVFile |
| MOVEFILE | Move-PVFile |
| DELETEFILE | Remove-PVFile |
| RESETFILE | Reset-PVFile |
| UNDELETEFILE | Restore-PVFile |
| UNLOCKFILE | Unlock-PVFile |
| INSPECTFILE | Get-PVFileActivity |
| ADDFILECATEGORY | Add-PVFileCategory |
| LISTFILECATEGORIES | Get-PVFileCategory |
| DELETEFILECATEGORY | Remove-PVFileCategory |
| UPDATEFILECATEGORY | Set-PVFileCategory |
| FILESLIST | Get-PVFileList |
| FILEVERSIONSLIST | Get-PVFileVersionList |
| FOLDERSLIST | Get-PVFolder |
| MOVEFOLDER | Move-PVFolder |
| ADDFOLDER | New-PVFolder |
| DELETEFOLDER | Remove-PVFolder |
| UNDELETEFOLDER | Restore-PVFolder |
| GROUPDETAILS | Get-PVGroup |
| ADDGROUP | New-PVGroup |
| DELETEGROUP | Remove-PVGroup |
| UPDATEGROUP | Set-PVGroup |
| ADDGROUPMEMBER | Add-PVGroupMember |
| GROUPMEMBERS | Get-PVGroupMember |
| DELETEGROUPMEMBER | Remove-PVGroupMember |
| GETHTTPGWURL | Get-PVHttpGwUrl |
| LDAPBRANCHESLIST | Get-PVLDAPBranch |
| LDAPBRANCHADD | New-PVLDAPBranch |
| LDAPBRANCHDELETE | Remove-PVLDAPBranch |
| LDAPBRANCHUPDATE | Set-PVLDAPBranch |
| LOCATIONSLIST | Get-PVLocation |
| ADDLOCATION | New-PVLocation |
| DELETELOCATION | Remove-PVLocation |
| RENAMELOCATION | Rename-PVLocation |
| UPDATELOCATION | Set-PVLocation |
| MAILUSER | Send-PVMailMessage |
| NETWORKAREASLIST | Get-PVNetworkArea |
| MOVENETWORKAREA | Move-PVNetworkArea |
| ADDNETWORKAREA | New-PVNetworkArea |
| DELETENETWORKAREA | Remove-PVNetworkArea |
| RENAMENETWORKAREA | Rename-PVNetworkArea |
| ADDAREAADDRESS | New-PVNetworkAreaAddress |
| DELETEAREAADDRESS | Remove-PVNetworkAreaAddress |
| VALIDATEOBJECT | Set-PVObjectValidation |
| GENERATEPASSWORD | New-PVPassword |
| STOREPASSWORDOBJECT | Add-PVPasswordObject |
| RETRIEVEPASSWORDOBJECT | Get-PVPasswordObject |
| DELETEPREFFEREDFOLDER | Remove-PVPreferredFolder |
| ADDPREFERREDFOLDER | Add-PVPreferredFolder |
| REQUESTSLIST | Get-PVRequest |
| DELETEREQUEST | Remove-PVRequest |
| REQUESTCONFIRMATIONSTATUS | Get-PVRequestStatus |
| CONFIRMREQUEST | Set-PVRequestStatus |
| ADDRULE | Add-PVRule |
| RULESLIST | Get-PVRule |
| DELETERULE | Remove-PVRule |
| CLOSESAFE | Close-PVSafe |
| SAFEDETAILS | Get-PVSafe |
| ADDSAFE | New-PVSafe |
| OPENSAFE | Open-PVSafe |
| DELETESAFE | Remove-PVSafe |
| RENAMESAFE | Rename-PVSafe |
| RESETSAFE | Reset-PVSafe |
| UPDATESAFE | Set-PVSafe |
| INSPECTSAFE | Get-PVSafeActivity |
| SAFEEVENTSLIST | Get-PVSafeEvent |
| ADDEVENT | Write-PVSafeEvent |
| LISTSAFEFILECATEGORIES | Get-PVSafeFileCategory |
| ADDSAFEFILECATEGORY | New-PVSafeFileCategory |
| DELETESAFEFILECATEGORY | Remove-PVSafeFileCategory |
| UPDATESAFEFILECATEGORY | Set-PVSafeFileCategory |
| ADDSAFESHARE | Add-PVSafeGWAccount |
| DELETESAFESHARE | Remove-PVSafeGWAccount |
| CLEARSAFEHISTORY | Clear-PVSafeHistory |
| SAFESLIST | Get-PVSafeList |
| SAFESLOG | Get-PVSafeLog |
| ADDNOTE | Set-PVSafeNote |
| ADDOWNER | Add-PVSafeOwner |
| OWNERSLIST | Get-PVSafeOwner |
| DELETEOWNER | Remove-PVSafeOwner |
| UPDATEOWNER | Set-PVSafeOwner |
| ADDTRUSTEDNETWORKAREA | Add-PVTrustedNetworkArea |
| DEACTIVATETRUSTEDNETWORKAREA | Disable-PVTrustedNetworkArea |
| ACTIVATETRUSTEDNETWORKAREA | Enable-PVTrustedNetworkArea |
| TRUSTEDNETWORKAREALIST | Get-PVTrustedNetworkArea |
| DELETETRUSTEDNETWORKAREA | Remove-PVTrustedNetworkArea |
| USERDETAILS | Get-PVUser |
| LOCK | Lock-PVUser |
| ADDUSER | New-PVUser |
| DELETEUSER | Remove-PVUser |
| RENAMEUSER | Rename-PVUser |
| UPDATEUSER | Set-PVUser |
| UNLOCK | Unlock-PVUser |
| INSPECTUSER | Get-PVUserActivity |
| CLEARUSERHISTORY | Clear-PVUserHistory |
| USERSLIST | Get-PVUserList |
| SETPASSWORD | Set-PVUserPassword |
| GETUSERPHOTO | Get-PVUserPhoto |
| PUTUSERPHOTO | Set-PVUserPhoto |
| OWNERSAFESLIST | Get-PVUserSafeList |
| ADDUPDATEEXTERNALUSERENTITY | Add-PVExternalUser |