psPAS
PowerShell Module for CyberArk Privileged Access Security
Use PowerShell to manage CyberArk via the Web Services REST API.
Contains all published methods of the API up to CyberArk v10.10.
Existing psPAS Users: Module Version 3.0 introduced breaking changes; review the Changelog for full details.
Usage
Authenticate
It all starts with a Logon
New-PASSession is used to send a logon request to the CyberArk API.
On successful authentication, psPAS uses the data which was provided for the request & also returned from the API for all subsequent operations.
CyberArk Authentication
- Use a PowerShell credential object containing a valid vault username and password.
$cred = Get-Credential
PowerShell credential request
Enter your credentials.
User: safeadmin
Password for user safeadmin: **********
New-PASSession -Credential $cred -BaseURI https://cyberark.virtualreal.it
LDAP Authentication
- Specify LDAP credentials allowed to authenticate to the vault.
$cred = Get-Credential
PowerShell credential request
Enter your credentials.
User: xApprover_1
Password for user xApprover_1: **********
New-PASSession -Credential $cred -BaseURI https://cyberark.virtualreal.it -type LDAP
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
xApprover_1 LDAP EPVUser False False False False
RADIUS Authentication (with OTP if supported)
- Some 2FA solutions allow a One Time Passcode to be sent with the password.
- If an OTP is provided, it is sent to the API with the password, separated by a comma: "$Password,$OTP"
$cred = Get-Credential
PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **********
New-PASSession -Credential $cred -BaseURI https://cyberark.virtualreal.it -type RADIUS -OTP 006314
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
DuoUser LDAP EPVUser False False False False
Shared Authentication with Client Certificate
- If IIS is configured to require client certificates, psPAS will use any provided certificate details for the duration of the session.
$Cert = "0E199489C57E666115666D6E9990C2ACABDB6EDB"
New-PASSession -UseSharedAuthentication -BaseURI https://cyberark.virtualreal.it -CertificateThumbprint $Cert
Basic Operations
Search
Safes
- Get information relating to Safes you have access to:
Find-PASSafe -search 3_TestSafe_028_XYJ
SafeUrlId SafeName Description Location
--------- -------- ----------- --------
3_TestSafe_028_XYJ 3_TestSafe_028_XYJ TestSafe: 3_TestSafe_028_XYJ \
Get-PASSafe -SafeName 3_TestSafe_028_XYJ
SafeName ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
-------- ----------- --------------------- ------------------------- -----------
3_TestSafe_028_XYJ PasswordManager 3 TestSafe: 3_TestSafe_028_XYJ
Safe Members
- Find Safe Members:
Get-PASSafeMember -SafeName 3_TestSafe_028_XYJ -MemberName ACC-G-3_TestSafe_028_XYJ-Usr
UserName SafeName Permissions
-------- -------- -----------
ACC-G-3_TestSafe_028_XYJ-Usr 3_TestSafe_028_XYJ {UseAccounts, RetrieveAccounts, ListAccounts, ViewAuditLog…}
Users
- Query for Vault Users:
Get-PASUser -Search xap
ID UserName Source UserType ComponentUser Location
-- -------- ------ -------- ------------- --------
657 xApprover_A LDAP EPVUser False \VR\VirtualReal\Users
658 xApprover_1 LDAP EPVUser False \VR\VirtualReal\Users
659 xApprover_B LDAP EPVUser False \VR\VirtualReal\Users
660 xApprover_2 LDAP EPVUser False \VR\VirtualReal\Users
661 xApprover_C LDAP EPVUser False \VR\VirtualReal\Users
662 xApprover_3 LDAP EPVUser False \VR\VirtualReal\Users
Accounts
- Return Account data:
Get-PASAccount -filter "SafeName eq 3_TestSafe_028_XYJ" -search sbwudlov
AccountID : 286_4
Safe : 3_TestSafe_028_XYJ
address : SOMEDOMAIN.COM
userName : sbwudlov
name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId : Z_WINDOMAIN_OFF
secretType : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime : 06/06/2019 23:37:02
Classic API
- There is a limitation of only returning details of the first found account when using the Classic API.
- The keywords & safe parameters of Get-PASAccount force use of the Classic API:
Get-PASAccount -Safe 3_TestSafe_028_XYJ
WARNING: 2 matching accounts found. Only the first result will be returned
AccountID : 286_3
Safe : 3_TestSafe_028_XYJ
Folder : Root
Name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
UserName : kmgrsebf
PlatformID : Z_WINDOMAIN_OFF
DeviceType : Operating System
Address : SOMEDOMAIN.COM
InternalProperties : @{CreationMethod=PVWA}
- More results can be returned by specifying alternative parameters and avoiding the Classic API:
Get-PASAccount -filter "SafeName eq 3_TestSafe_028_XYJ"
AccountID : 286_3
Safe : 3_TestSafe_028_XYJ
address : SOMEDOMAIN.COM
userName : kmgrsebf
name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
platformId : Z_WINDOMAIN_OFF
secretType : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864221}
createdTime : 06/06/2019 23:37:01
AccountID : 286_4
Safe : 3_TestSafe_028_XYJ
address : SOMEDOMAIN.COM
userName : sbwudlov
name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId : Z_WINDOMAIN_OFF
secretType : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime : 06/06/2019 23:37:02
Administration
Add An Account
- Add an account to manage:
#Convert Password to SecureString
$Password = ConvertTo-SecureString -String "Secret1337$" -AsPlainText -Force
#Additional account details
$platformAccountProperties = @{
  "LOGONDOMAIN"="domain.com"
  "Notes"="Demo Account. Owner:psPete"
  "Classification"="1F"
}
#Add Account
Add-PASAccount -secretType Password -secret $Password -SafeName "YourSafe" -PlatformID "YourPlatform" `
  -Address "domain" -Username SomeUsername -platformAccountProperties $platformAccountProperties
Create Safes
- Simple safe creation:
Add-PASSafe -SafeName NewSafe -Description "New Safe" -ManagingCPM PasswordManager -NumberOfVersionsRetention 10
SafeName ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
-------- ----------- --------------------- ------------------------- -----------
NewSafe PasswordManager 10 New Safe
Add Safe Members
- Consistent safe membership:
Add-PASSafeMember -SafeName NewSafe -MemberName NewMember -UseAccounts $false -ListAccounts $true `
-RetrieveAccounts $false -ViewAuditLog $true -ViewSafeMembers $true
MemberName SearchIn SafeName Permissions
---------- -------- -------- -----------
NewMember vault NewSafe {ListAccounts, ViewAuditLog, ViewSafeMembers}
Update Accounts
- Update values for individual account properties:
Set-PASAccount -AccountID 286_4 -op replace -path /address -value NEWDOMAIN.COM
AccountID : 286_4
Safe : 3_TestSafe_028_XYJ
address : NEWDOMAIN.COM
userName : sbwudlov
name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId : Z_WINDOMAIN_OFF
secretType : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime : 06/06/2019 23:37:02
Set-PASAccount -AccountID 286_4 -op replace -path /platformAccountProperties/LogonDomain -value NEWDOMAIN
AccountID : 286_4
Safe : 3_TestSafe_028_XYJ
address : NEWDOMAIN.COM
userName : sbwudlov
name : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId : Z_WINDOMAIN_OFF
secretType : password
platformAccountProperties : @{LogonDomain=NEWDOMAIN}
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime : 06/06/2019 23:37:02
Import a Connection Component
- Import Custom Connection Components:
Import-PASConnectionComponent -ImportFile C:\Temp\ConnectionComponent.zip
Platforms
- Import & Export of CPM Platforms:
#Import a Platform
Import-PASPlatform -ImportFile C:\Temp\Platform.zip
#Export a Platform
Export-PASPlatform -PlatformID "Some-SSH-Platform" -Path C:\Temp
Pipeline Operations
- Work with the PowerShell pipeline:
#Find directory groups assigned to safes
Get-PASSafe -query JXW | Get-PASSafeMember |
Where-Object{ Get-PASGroup -search $_.UserName -filter 'groupType eq Directory' }
UserName SafeName Permissions
-------- -------- -----------
ACC-G-1_TestSafe_049_JXW-Usr 1_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, ViewAudit…}
ACC-G-1_TestSafe_049_JXW-Adm 1_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, Unlock…}
ACC-G-2_TestSafe_049_JXW-Usr 2_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, ViewAudit…}
ACC-G-2_TestSafe_049_JXW-Adm 2_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, Unlock…}
ACC-G-3_TestSafe_049_JXW-Usr 3_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, ViewAudit…}
ACC-G-3_TestSafe_049_JXW-Adm 3_TestSafe_049_JXW {ListContent, RestrictedRetrieve, Retrieve, Unlock…}
- Multiple psPAS commands can be used together, along with standard PowerShell CmdLets:
#Add all "admin" users in the root location to the PVWAMonitor group
Get-PASUser -UserType EPVUser -Search Admin | Where-Object{ $_.location -eq "\" } |
Add-PASGroupMember -GroupName PVWAMonitor
#Find an account, then find the members of the account's safe.
Get-PASAccount -id 330_5 | Get-PASSafe | Get-PASSafeMember
UserName SafeName Permissions
-------- -------- -----------
Master ApproveTest {Add, AddRenameFolder, BackupSafe, Delete...}
Batch ApproveTest {Add, AddRenameFolder, BackupSafe, Delete...}
Backup Users ApproveTest BackupSafe
Auditors ApproveTest {ListContent, ViewAudit, ViewMembers}
Operators ApproveTest {AddRenameFolder, DeleteFolder, ManageSafe, MoveFilesAndFolders...}
DR Users ApproveTest BackupSafe
Notification Engines ApproveTest {ListContent, ViewAudit, ViewMembers}
PVWAGWAccounts ApproveTest {ListContent, ViewAudit, ViewMembers}
PasswordManager ApproveTest {Add, AddRenameFolder, Delete, DeleteFolder...}
SafeAdmin ApproveTest {Add, AddRenameFolder, BackupSafe, Delete...}
SafeAdmin1 ApproveTest {Add, AddRenameFolder, BackupSafe, Delete...}
zApprover_1 ApproveTest {ListContent, ViewAudit, ViewMembers}
xReq ApproveTest {ListContent, RestrictedRetrieve, Retrieve, ViewAudit...}
Advanced Examples
Bulk Operations
Standard PowerShell features for creating and iterating through collections of objects can be used to perform bulk operations:
Example 1 - On-board Multiple Accounts
#Read the accounts to on-board
$Accounts = Import-Csv -Path C:\Temp\Accounts.csv
#Vault Logon Credentials
$creds = Get-Credential
#Logon
New-PASSession -Credential $creds -BaseURI https://your.pvwa.url
#Add each account
foreach($Account in $Accounts){
  $Password = ConvertTo-SecureString -String $Account.Password -AsPlainText -Force
  Add-PASAccount -secretType Password `
    -secret $Password `
    -platformAccountProperties @{"LOGONDOMAIN"=$Account.LogonDomain} `
    -SafeName $Account.SafeName `
    -PlatformID $Account.PlatformID `
    -Address $Account.Address `
    -Username $Account.Username
}
#Logoff
Close-PASSession
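A pre-flight check for the CSV used in Example 1, so that incomplete or duplicated rows are rejected before any logon or Add-PASAccount call. This is an added example, not part of psPAS or the original README; Test-OnboardingRow is a hypothetical helper, the CSV content is constructed, and treating LogonDomain as optional is an assumption.

```powershell
# Added example: check on-boarding rows before any API call is made.
# Test-OnboardingRow is a hypothetical helper, not a psPAS function.
function Test-OnboardingRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Row
    )
    begin {
        # Columns Example 1 needs for every account (assumption: LogonDomain may be empty)
        $required = 'Username', 'Address', 'SafeName', 'PlatformID', 'Password'
        $seen = @{}
        $line = 1    # line 1 of the file is the header
    }
    process {
        $line++
        $problems = @()
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems += "missing $col" }
        }
        # The same user at the same address in the same safe would be on-boarded twice
        $key = ('{0}|{1}|{2}' -f $Row.SafeName, $Row.Address, $Row.Username).ToLowerInvariant()
        if ($seen.ContainsKey($key)) { $problems += "duplicate of line $($seen[$key])" }
        else { $seen[$key] = $line }

        # The report deliberately leaves out the Password column
        [PSCustomObject]@{
            Line     = $line
            Username = $Row.Username
            SafeName = $Row.SafeName
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample standing in for: Import-Csv -Path C:\Temp\Accounts.csv
$Accounts = @'
Username,Address,SafeName,PlatformID,LogonDomain,Password
svc_web,SOMEDOMAIN.COM,YourSafe,YourPlatform,SOMEDOMAIN,ExamplePass-1
svc_sql,SOMEDOMAIN.COM,,YourPlatform,SOMEDOMAIN,ExamplePass-2
SVC_WEB,somedomain.com,YourSafe,YourPlatform,SOMEDOMAIN,ExamplePass-3
svc_app,SOMEDOMAIN.COM,YourSafe,YourPlatform,SOMEDOMAIN,
'@ | ConvertFrom-Csv

$report = $Accounts | Test-OnboardingRow
$report | Format-Table -AutoSize

# Stop before New-PASSession if any row is rejected
if ($report | Where-Object { -not $_.Valid }) {
    Write-Warning 'Fix the rejected rows before on-boarding.'
}
```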
Example 2 - Delete Multiple Safes
#Specify Vault Logon Credentials
$LogonCredential = Get-Credential
#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url
#Find Safes
$Safes = Get-PASSafe -query TestSafe
#Delete Safes
foreach ($Safe in $Safes){
  Remove-PASSafe -SafeName $Safe.SafeName -WhatIf
}
#Logoff
Close-PASSession
Example 3 - Move a List of Users to a New Location
#Vault Logon Credentials
$LogonCredential = Get-Credential
#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url
#get list of users
$users = Get-Content .\userlist.txt
#move users
$users | foreach{
  Set-PASUser -UserName $_ -Location "\New\Location\Path" -WhatIf
}
#Logoff
Close-PASSession
Safe Permissions
- Define Safe Roles and assign to safe members:
$Role1 = [PSCustomObject]@{
  UseAccounts = $true
  ListAccounts = $true
  ViewAuditLog = $false
  ViewSafeMembers = $false
}
$Role2 = [PSCustomObject]@{
  UseAccounts = $false
  ListAccounts = $true
  RetrieveAccounts = $false
  AddAccounts = $true
  UpdateAccountContent = $true
  UpdateAccountProperties = $true
  InitiateCPMAccountManagementOperations = $true
  SpecifyNextAccountContent = $false
  RenameAccounts = $true
  DeleteAccounts = $true
  UnlockAccounts = $true
  ManageSafe = $true
  ManageSafeMembers = $true
  BackupSafe = $false
  ViewAuditLog = $true
  ViewSafeMembers = $true
  RequestsAuthorizationLevel = $false
  AccessWithoutConfirmation = $true
  CreateFolders = $true
  DeleteFolders = $true
  MoveAccountsAndFolders = $true
}
$Role1 | Add-PASSafeMember -SafeName NewSafe -MemberName User23 -SearchIn Vault
MemberName SearchIn SafeName Permissions
---------- -------- -------- -----------
User23 Vault NewSafe {UseAccounts, RetrieveAccounts, ListAccounts}
$Role2 | Add-PASSafeMember -SafeName NewSafe -MemberName SafeAdmin1 -SearchIn Vault
MemberName SearchIn SafeName Permissions
---------- -------- -------- -----------
SafeAdmin1 Vault NewSafe {ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties…}
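Role objects like $Role1 can also be used to audit existing membership: the added example below (not part of psPAS or the original README) reports permissions a safe member holds beyond, or short of, an approved role. Compare-SafeMemberRole is a hypothetical helper, the member objects are constructed sample data, and the code assumes the Permissions property is a collection of permission names, as the output above displays it.

```powershell
# Added example: compare actual safe-member permissions with an approved role.
# Compare-SafeMemberRole is a hypothetical helper, not a psPAS function.
function Compare-SafeMemberRole {
    [CmdletBinding()]
    param(
        # Role in the same shape as $Role1 / $Role2 (permission name = $true/$false)
        [Parameter(Mandatory)]
        [psobject]$Role,

        # Objects shaped like Get-PASSafeMember output: UserName, SafeName, Permissions
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member
    )
    begin {
        # Permissions the role grants: every property set to $true
        $granted = @($Role.PSObject.Properties |
            Where-Object { $_.Value -eq $true } |
            ForEach-Object { $_.Name })
    }
    process {
        # Permissions may be empty, a single string or a collection; normalise to an array
        $actual  = @($Member.Permissions | Where-Object { $_ })
        $extra   = @($actual  | Where-Object { $granted -notcontains $_ })
        $missing = @($granted | Where-Object { $actual  -notcontains $_ })

        [PSCustomObject]@{
            UserName  = $Member.UserName
            SafeName  = $Member.SafeName
            Extra     = $extra      # held, but not granted by the role
            Missing   = $missing    # granted by the role, but not held
            Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Approved role, in the same form as $Role1 above
$Role1 = [PSCustomObject]@{
    UseAccounts     = $true
    ListAccounts    = $true
    ViewAuditLog    = $false
    ViewSafeMembers = $false
}

# Constructed sample standing in for: Get-PASSafeMember -SafeName NewSafe
$members = @(
    [PSCustomObject]@{ UserName = 'User23'; SafeName = 'NewSafe'; Permissions = @('UseAccounts', 'RetrieveAccounts', 'ListAccounts') }
    [PSCustomObject]@{ UserName = 'User24'; SafeName = 'NewSafe'; Permissions = @('UseAccounts', 'ListAccounts') }
    [PSCustomObject]@{ UserName = 'User25'; SafeName = 'NewSafe'; Permissions = 'ListAccounts' }
)

# Show only the members whose permissions differ from the role
$members | Compare-SafeMemberRole -Role $Role1 |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Against a live session, pipe the output of Get-PASSafeMember into the helper in place of the constructed $members array.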
PSM Sessions
Terminate all Active PSM Sessions on a PSM Server
#Find the component user name of the PSM Server with the given IP
$PSMUser = Get-PASComponentDetail -ComponentID SessionManagement |
  Where-Object{ $_.ComponentIP -eq "192.168.60.20" } |
  Select-Object -ExpandProperty ComponentUserName
#Find Active Sessions for that PSM Server & Terminate the Sessions
Get-PASPSMSession | Where-Object{
  ($_.RawProperties.ProviderID -eq $PSMUser) -and ($_.IsLive) -and ($_.CanTerminate)
} | Stop-PASPSMSession
Updating Multiple Properties of an Account
- Multiple updates can be performed in a single request:
[array]$operations += @{"op"="remove";"path"="/platformAccountProperties/LogonDomain"}
[array]$operations += @{"op"="replace";"path"="/name";"value"="SomeNewName"}
[array]$operations += @{"op"="replace";"path"="/address";"value"="domain.co.uk"}
Set-PASAccount -AccountID 286_4 -operations $operations
AccountID : 286_4
Safe : 3_TestSafe_028_XYJ
address : domain.co.uk
userName : sbwudlov
name : SomeNewName
platformId : Z_WINDOMAIN_OFF
secretType : password
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime : 06/06/2019 23:37:02
Using Methods
Methods present on objects returned from psPAS functions can be leveraged to get the data you need with ease.
- The psPAS.CyberArk.Vault.Safe object returned by Get-PASSafe has a ScriptMethod (SafeMembers()), which will run a query for the members of the safe:
#List all safes where AppUser is not a member
Get-PASSafe | Where-Object{ ($_.safemembers() | Select-Object -ExpandProperty UserName) -notcontains "AppUser"}
- Retrieved credentials can be immediately converted into Secure Strings:
(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToSecureString()
API Sessions
- If actions are required to be performed under the context of different user accounts, it is possible to work with different authenticated sessions:
#Start first session
$VaultAdmin = Get-Credential
PowerShell credential request
Enter your credentials.
User: VaultAdmin
Password for user VaultAdmin: **********
New-PASSession -Credential $VaultAdmin -BaseURI https://cyberark.virtualreal.it
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
VaultAdmin Internal EPVUser False False False False
#Save first session data
$FirstSession = Get-PASSession
#Start second session
$SafeAdmin = Get-Credential
PowerShell credential request
Enter your credentials.
User: SafeAdmin
Password for user SafeAdmin: **********
New-PASSession -Credential $SafeAdmin -BaseURI https://cyberark.virtualreal.it
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
SafeAdmin Internal EPVUser False False False False
#Save second session data
$SecondSession = Get-PASSession
#Switch back to first session
Use-PASSession -Session $FirstSession
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
VaultAdmin Internal EPVUser False False False False
#End first session
Close-PASSession
#Switch to second session
Use-PASSession -Session $SecondSession
Get-PASLoggedOnUser
UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
SafeAdmin Internal EPVUser False False False False
#End second session
Close-PASSession
psPAS Functions
Your version of CyberArk determines which functions of psPAS will be supported.
Check the below table to determine what is available for you to use.
The CyberArk Version listed is the minimum required to use the function.
The module will attempt to confirm that your version of CyberArk meets the minimum
version requirement (if you are using version 9.7+, and the function being invoked
requires version 9.8+).
Check the output of Get-Help for the psPAS functions for further details of available parameters and version requirements.
Function Name | CyberArk Version | Description |
---|---|---|
New-PASSession | 9.0 | Authenticates a user to CyberArk Vault |
Close-PASSession | 9.0 | Logoff from CyberArk Vault. |
Get-PASSession | --- | Get psPAS Session Data. |
Use-PASSession | --- | Set psPAS Session Data. |
Add-PASPublicSSHKey | 9.6 | Adds an authorised public SSH key for a user. |
Get-PASPublicSSHKey | 9.6 | Retrieves a user's SSH Keys. |
Remove-PASPublicSSHKey | 9.6 | Deletes a Public SSH Key from a user |
Add-PASAccountACL | 9.0 | Adds a new privileged command rule to an account. |
Get-PASAccountACL | 9.0 | Lists privileged commands rule for an account |
Remove-PASAccountACL | 9.0 | Deletes privileged commands rule from an account |
Add-PASAccountGroupMember | 9.95 | Adds an account as a member of an account group. |
Get-PASAccountGroup | 9.10 | Returns account groups in a Safe. |
Get-PASAccountGroupMember | 9.10 | Returns members of an account group. |
New-PASAccountGroup | 9.95 | Adds a new account group |
Remove-PASAccountGroupMember | 9.10 | Deletes a member of an account group |
Add-PASAccount | 9.0 | Adds a new account. |
Add-PASPendingAccount | 9.7 | Adds discovered account or SSH key as a pending account. |
Get-PASAccount | 9.3 | Returns information about accounts. |
Get-PASAccountActivity | 9.7 | Returns activities for an account. |
Get-PASAccountPassword | 9.7 | Returns password for an account. |
Remove-PASAccount | 9.3 | Deletes an account |
Set-PASAccount | 9.5 | Updates details of an account. |
Invoke-PASCPMOperation | 9.7 | Invoke CPM verify, change & reconcile tasks. |
Unlock-PASAccount | 9.10 | Checks in an exclusive-use account. |
Add-PASApplication | 9.1 | Adds a new application |
Add-PASApplicationAuthenticationMethod | 9.1 | Add authentication method to an application |
Get-PASApplication | 9.1 | Returns details of applications |
Get-PASApplicationAuthenticationMethod | 9.1 | Returns application authentication methods |
Remove-PASApplication | 9.1 | Deletes an application |
Remove-PASApplicationAuthenticationMethod | 9.1 | Delete auth method from an application |
Import-PASConnectionComponent | 10.3 | Imports a Connection Component |
Get-PASPSMConnectionParameter | 9.10 | Get required parameters to connect through PSM |
Get-PASPSMRecording | 9.10 | Get details of PSM Recording |
Get-PASPSMSession | 9.10 | Get details of PSM Sessions |
Resume-PASPSMSession | 10.2 | Resumes a Suspended PSM Session. |
Stop-PASPSMSession | 10.1 | Terminates a PSM Session. |
Suspend-PASPSMSession | 10.2 | Suspends a PSM Session. |
Get-PASOnboardingRule | 9.7 | Gets automatic on-boarding rules |
New-PASOnboardingRule | 9.7 | Adds a new on-boarding rule |
Remove-PASOnboardingRule | 9.7 | Deletes an automatic on-boarding rule |
Get-PASPlatform | 9.10 | Retrieves details of a specified platform. |
Import-PASPlatform | 10.2 | Import a new platform |
Export-PASPlatform | 10.4 | Export a platform |
Add-PASPolicyACL | 9.0 | Adds a new privileged command rule |
Get-PASPolicyACL | 9.0 | Lists OPM Rules for a policy |
Remove-PASPolicyACL | 9.0 | Delete privileged commands from policy |
Approve-PASRequest | 9.10 | Confirm a single request |
Deny-PASRequest | 9.10 | Reject a single request |
Get-PASRequest | 9.10 | List requests |
Get-PASRequestDetail | 9.10 | Get request details |
New-PASRequest | 9.10 | Creates an access request for an account |
Remove-PASRequest | 9.10 | Deletes a request |
Add-PASSafeMember | 9.3 | Adds a Safe Member to a safe |
Get-PASSafeMember | 9.7 | Lists the members of a Safe |
Remove-PASSafeMember | 9.3 | Removes a member from a safe |
Set-PASSafeMember | 9.3 | Updates a Safe Member's Permissions |
Add-PASSafe | 9.2 | Adds a new safe |
Get-PASSafe | 9.7 | Returns safe details |
Remove-PASSafe | 9.3 | Deletes a safe |
Set-PASSafe | 9.3 | Updates a safe |
Get-PASSafeShareLogo | 9.7 | Returns details of SafeShare Logo |
Get-PASServer | 9.7 | Returns details of the Web Service Server |
Get-PASServerWebService | 9.7 | Returns details of the Web Service |
Get-PASComponentDetail | 10.1 | Returns details about component instances. |
Get-PASComponentSummary | 10.1 | Returns consolidated information about components. |
Add-PASGroupMember | 9.7 | Adds a user as a group member |
Get-PASLoggedOnUser | 9.7 | Returns details of the logged on user |
Get-PASUserLoginInfo | 10.4 | Returns login details of the current user |
Get-PASUser | 9.7 | Returns details of a user |
New-PASUser | 9.7 | Creates a new user |
Remove-PASUser | 9.7 | Deletes a user |
Set-PASUser | 9.7 | Updates a user |
Unblock-PASUser | 9.7 | Activates a suspended user |
Get-PASDirectory | 10.4 | Get configured LDAP directories |
Add-PASDirectory | 10.4 | Add a new LDAP directory |
Add-PASDirectoryMapping | 10.4 | Add a new LDAP directory mapping |
Add-PASPTARule | 10.4 | Add a new Risky Command rule to PTA |
Get-PASPTAEvent | 10.3 | Get security events from PTA |
Get-PASPTARemediation | 10.4 | Get automatic response config from PTA |
Get-PASPTARule | 10.4 | List Risky Command rules from PTA |
Set-PASPTARemediation | 10.4 | Update automatic response config in PTA |
Set-PASPTARule | 10.4 | Update a Risky Command rule in PTA |
Get-PASGroup | 10.5 | Return group information |
Remove-PASGroupMember | 10.5 | Remove group members |
Set-PASOnboardingRule | 10.5 | Update Onboarding Rules |
Add-PASDiscoveredAccount | 10.5 | Add discovered accounts to the Accounts Feed |
Connect-PASPSMSession | 10.5 | Get required parameters to connect to a PSM Session |
Get-PASPSMSessionActivity | 10.6 | Get activity details from an active PSM Session. |
Get-PASPSMSessionProperty | 10.6 | Get property details from an active PSM Session. |
Get-PASPSMRecordingActivity | 10.6 | Get activity details from a PSM Recording. |
Get-PASPSMRecordingProperty | 10.6 | Get property details from a PSM Recording. |
Export-PASPSMRecording | 10.6 | Save PSM Session Recording to a file. |
Request-PASAdHocAccess | 10.6 | Request temporary access to a server. |
Get-PASDirectoryMapping | 10.7 | Get details of configured directory mappings. |
Set-PASDirectoryMapping | 10.7 | Update a configured directory mapping. |
Remove-PASDirectory | 10.7 | Delete a directory configuration. |
Find-PASSafe | 10.1 | List or Search Safes by name. |
Set-PASDirectoryMappingOrder | 10.10 | Reorder Directory Mappings |
Set-PASUserPassword | 10.10 | Reset a User's Password |
Installation
Prerequisites
- Requires PowerShell v3 (minimum)
- CyberArk PAS REST API/Web Service
- A user with which to authenticate, with appropriate Vault/Safe permissions.
Install Options
This repository contains a folder named psPAS.
The folder needs to be copied to one of your PowerShell Module Directories.
Use one of the following methods:
Option 1: Install from PowerShell Gallery
PowerShell 5.0 or above required.
To download the module from the PowerShell Gallery, from a PowerShell prompt, run:
Install-Module -Name psPAS -Scope CurrentUser
Option 2: Manual Install
Find your PowerShell Module Paths with the following command:
$env:PSModulePath.split(';')
Extract the archive
Copy the psPAS folder to your "PowerShell Modules" directory of choice.
Verification
Validate Module Exists on your local machine:
Get-Module -ListAvailable psPAS
Import the module:
Import-Module psPAS
List Module Commands:
Get-Command -Module psPAS
Get detailed information on specific commands:
Get-Help New-PASUser -Full
Changelog
All notable changes to this project will be documented in the Changelog.
Author
- Pete Maan - pspete
License
This project is licensed under the MIT License.
Contributing
Any and all contributions to this project are appreciated.
See the CONTRIBUTING.md for a few more details.
Acknowledgements
Hat Tips:
Assaf Miron (AssafMiron) for the JSON formatting assistance.
Warren Frame (RamblingCookieMonster) for the borrowed Add-ObjectDetail.ps1 & New-DynamicParam.ps1 helper functions.
Joe Garcia (infamousjoeg) for the unofficial API documentation.
Chapeau!