PowerShell module for CyberArk Privileged Access Security REST API

psPAS: PowerShell Module for the CyberArk API

Through the PVWA REST API, administer CyberArk PAS with PowerShell.

Contains all of the documented API capabilities up to CyberArk v14.0.

Docs: https://pspas.pspete.dev



Usage


Authenticate

Everything begins with a Logon:

To submit a logon request to the CyberArk API, use the psPAS New-PASSession command.

All subsequent operations carried out by psPAS utilise the input data provided for the New-PASSession request (URL, Certificate), as well as data received from the API after successful authentication (Authentication Token, PVWA Version).

CyberArk Authentication

  • Use a PowerShell credential object containing a valid vault username and password.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: safeadmin
Password for user safeadmin: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com

LDAP Authentication

  • Specify LDAP credentials allowed to authenticate to the vault.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: xApprover_1
Password for user xApprover_1: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type LDAP

Get-PASLoggedOnUser

UserName    Source UserTypeName AgentUser Expired Disabled Suspended
--------    ------ ------------ --------- ------- -------- ---------
xApprover_1 LDAP   EPVUser      False     False   False    False

RADIUS Authentication

$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 123456

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
DuoUser  LDAP   EPVUser      False     False   False    False

SAML Authentication

SAML SSO authentication using IWA and ADFS can be performed:

New-PASSession -BaseURI $url -SAMLAuth

Where IWA SSO is not possible, the PS-SAML-Interactive module can be used to get the SAMLResponse from an authentication service.

The SAMLResponse received from the IdP is then passed to New-PASSession to complete SAML authentication to the API.

import-module -name 'C:\PS-SAML-Interactive.psm1'

$loginURL = 'https://company.okta.com/home/app1/0oa11xddwdzhvlbiZ5d7/aln1k2HsUl5d7'
$baseURL = 'https://pvwa.mycompany.com'

$loginResponse = New-SAMLInteractive -LoginIDP $loginURL

New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse

Certificate Authentication

  • Where PVWA/IIS requires client certificates, 'psPAS' will use any specified certificates for the duration of the session.

PKI Authentication Example:

Add-Type -AssemblyName System.Security
# Get Valid Certs
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)
# Select Cert
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection(
    $MyCerts,
    'Choose a certificate',
    'Choose a certificate',
    'SingleSelection'
) | select -First 1

New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert

Shared Authentication Example:

$Cert = "0E199489C57E666115666D6E9990C2ACABDB6EDB"
New-PASSession -UseSharedAuthentication -BaseURI https://pvwa.somedomain.com -CertificateThumbprint $Cert

Shared Services Authentication

Privilege Cloud Shared Services authentication flows require the pspete IdentityCommand module, available from the PowerShell Gallery & GitHub.

Identity User

Provide Identity User credentials and tenant details for authentication to CyberArk Identity for Privilege Cloud Shared Services:

#using URL
New-PASSession -IdentityTenantURL https://SomeTenantName.id.cyberark.cloud -PrivilegeCloudURL https://SomeTenant.privilegecloud.cyberark.cloud -Credential $Cred -IdentityUser
#using subdomain
New-PASSession -TenantSubdomain SomeTenantName -Credential $Cred -IdentityUser

Service User

Provide tenant ID and non-interactive API User credentials for authentication via CyberArk Identity for Privilege Cloud Shared Services:

New-PASSession -TenantSubdomain YourPrivilegeCloudTenantID -Credential $ServiceUserCreds -ServiceUser

Consult the vendor documentation for guidance on setting up a dedicated API Service user for non-interactive API use.

Basic Operations


Search

Safes
  • Get information relating to Safes you have access to:
Get-PASSafe -search _YZO

SafeName           ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description
--------           -----------     --------------------- ------------------------- -----------
1_TestSafe_096_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_096_YZO
1_TestSafe_100_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_100_YZO
3_TestSafe_058_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_058_YZO
3_TestSafe_068_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_068_YZO
3_TestSafe_069_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_069_YZO
2_TestSafe_090_YZO PasswordManager                       3                         TestSafe: 2_TestSafe_090_YZO
1_TestSafe_067_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_067_YZO

Safe Members

  • Find Safe Members:
Get-PASSafeMember -SafeName 1_TestSafe_067_YZO -search Usr

UserName                     SafeName           Permissions
--------                     --------           -----------
ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False;.....

Users
  • Query for Vault Users:
Get-PASUser -Search xap

ID  UserName    Source UserType ComponentUser Location
--  --------    ------ -------- ------------- --------
657 xApprover_A LDAP   EPVUser  False         \psPETE\Users
658 xApprover_1 LDAP   EPVUser  False         \psPETE\Users
659 xApprover_B LDAP   EPVUser  False         \psPETE\Users
660 xApprover_2 LDAP   EPVUser  False         \psPETE\Users
661 xApprover_C LDAP   EPVUser  False         \psPETE\Users
662 xApprover_3 LDAP   EPVUser  False         \psPETE\Users

Accounts
  • Return Account data:
Get-PASAccount -SafeName "3_TestSafe_028_XYJ" -search sbwudlov

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain = SOMEDOMAIN }
secretManagement          : @{automaticManagementEnabled = True; lastModifiedTime = 1559864222 }
createdTime               : 06/06/2019 23:37:02

1st Gen API
  • The -Keywords and -Safe parameters of Get-PASAccount force use of the 1st gen API:
Get-PASAccount -Safe 3_TestSafe_028_XYJ
WARNING: 2 matching accounts found. Only the first result will be returned

AccountID          : 286_3
Safe               : 3_TestSafe_028_XYJ
Folder             : Root
Name               : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
UserName           : kmgrsebf
PlatformID         : Z_WINDOMAIN_OFF
DeviceType         : Operating System
Address            : SOMEDOMAIN.COM
InternalProperties : @{CreationMethod = PVWA }
  • Only details of the first found account will be returned.
  • More results can be returned by specifying alternative parameters, which avoids sending the request via the 1st gen API:
Get-PASAccount -SafeName "3_TestSafe_028_XYJ"

AccountID                 : 286_3
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : kmgrsebf
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain = SOMEDOMAIN }
secretManagement          : @{automaticManagementEnabled = True; lastModifiedTime = 1559864221 }
createdTime               : 06/06/2019 23:37:01

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain = SOMEDOMAIN }
secretManagement          : @{automaticManagementEnabled = True; lastModifiedTime = 1559864222 }
createdTime               : 06/06/2019 23:37:02


Administration

Add An Account
  • Add an account to manage:
#Convert Password to SecureString
$Password = ConvertTo-SecureString -String "Secret1337$" -AsPlainText -Force

#Additional account details
$platformAccountProperties = @{
  "LOGONDOMAIN"="domain.com"
  "Notes"="Demo Account. Owner:psPete"
  "Classification"="1F"
}

#Add Account
Add-PASAccount -secretType Password -secret $Password -SafeName "YourSafe" -PlatformID "YourPlatform" `
-Address "domain" -Username SomeUsername -platformAccountProperties $platformAccountProperties

Create Safes
  • Simple safe creation:
Add-PASSafe -SafeName NewSafe -Description "New Safe" -ManagingCPM PasswordManager -NumberOfVersionsRetention 10

SafeName ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description
-------- -----------     --------------------- ------------------------- -----------
NewSafe  PasswordManager                       10                        New Safe

Add Safe Members
  • Consistent safe membership:
Add-PASSafeMember -SafeName NewSafe -MemberName NewMember -UseAccounts $false -ListAccounts $true `
	-RetrieveAccounts $false -ViewAuditLog $true -ViewSafeMembers $true

UserName  SafeName Permissions
--------  -------- -----------
NewMember NewSafe  @{useAccounts=False; retrieveAccounts=False; listAccounts=True; addAccounts=False;...

Update Accounts
  • Update values for individual account properties:
Set-PASAccount -AccountID 286_4 -op replace -path /address -value NEWDOMAIN.COM

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02

Set-PASAccount -AccountID 286_4 -op replace -path /platformAccountProperties/LogonDomain -value NEWDOMAIN

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=NEWDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02


CPM Operations
Verify
  • Verify passwords
# immediate verification
Invoke-PASCPMOperation -AccountID $ID -VerifyTask

Change
  • Change passwords for accounts or account groups
# immediate change
Invoke-PASCPMOperation -AccountID $ID -ChangeTask

# immediate change to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeImmediately $true -NewCredentials $SecureString

# change password in the Vault only
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -NewCredentials $SecureString

# change password for account group
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true

# change password for account group to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true -NewCredentials $SecureString

Reconcile
  • Reconcile passwords
# immediate reconcile
Invoke-PASCPMOperation -AccountID $ID -ReconcileTask

Import a Connection Component
  • Import Custom Connection Components:
Import-PASConnectionComponent -ImportFile C:\Temp\ConnectionComponent.zip

Platforms
  • Import & Export of CPM Platforms:
#Import a Platform
Import-PASPlatform -ImportFile C:\Temp\Platform.zip

#Export a Platform
Export-PASPlatform -PlatformID "Some-SSH-Platform" -Path C:\Temp


Pipeline Operations

  • Work with the PowerShell pipeline:
#Find directory groups assigned to safes
Get-PASSafe -search YZO | Get-PASSafeMember -memberType group -includePredefinedUsers $false |
    Where-Object { Get-PASGroup -search $_.UserName -groupType Directory }

UserName                     SafeName           Permissions
--------                     --------           -----------
ACC-G-1_TestSafe_096_YZO-Usr 1_TestSafe_096_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_096_YZO-Adm 1_TestSafe_096_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_100_YZO-Usr 1_TestSafe_100_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_100_YZO-Adm 1_TestSafe_100_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_058_YZO-Usr 3_TestSafe_058_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_058_YZO-Adm 3_TestSafe_058_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_068_YZO-Usr 3_TestSafe_068_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_068_YZO-Adm 3_TestSafe_068_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_069_YZO-Usr 3_TestSafe_069_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_069_YZO-Adm 3_TestSafe_069_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-2_TestSafe_090_YZO-Usr 2_TestSafe_090_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-2_TestSafe_090_YZO-Adm 2_TestSafe_090_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_067_YZO-Adm 1_TestSafe_067_YZO @{useAccounts=True; retrieveAccounts=True; lis...
  • Multiple psPAS commands can be used together, along with standard PowerShell CmdLets:
#Add all "admin" users in the root location to the PVWAMonitor group
Get-PASUser -UserType EPVUser -Search Admin | Where-Object { $_.location -eq "\" } |
Add-PASGroupMember -GroupName PVWAMonitor

#Find an account, then find the members of the account's safe.
Get-PASAccount -id 283_3 | Get-PASSafeMember

UserName                     SafeName           Permissions
--------                     --------           -----------
SafeAdmin                    3_TestSafe_100_OWZ @{useAccounts=True; retrieveAccounts=True; lis...
PSMAppUsers                  3_TestSafe_100_OWZ @{useAccounts=False; retrieveAccounts=False; lis...
PasswordManager              3_TestSafe_100_OWZ @{useAccounts=True; retrieveAccounts=True; lis...
SafeAdmin3                   3_TestSafe_100_OWZ @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_100_OWZ-Usr 3_TestSafe_100_OWZ @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_100_OWZ-Adm 3_TestSafe_100_OWZ @{useAccounts=True; retrieveAccounts=True; lis...
Prov_ZZSRV01                 3_TestSafe_100_OWZ @{useAccounts=False; retrieveAccounts=True; lis...
psPAS                        3_TestSafe_100_OWZ @{useAccounts=False; retrieveAccounts=True; lis...

Advanced Examples


Bulk Operations

The standard features of PowerShell which allow the creation of, and iteration through, collections of objects can be used to perform bulk operations:

Example 1 - On-board Multiple Accounts
$Accounts = Import-Csv -Path C:\Temp\Accounts.csv

New-PASSession -Credential $creds -BaseURI https://your.pvwa.url

foreach($Account in $Accounts){

    $Password = ConvertTo-SecureString -String $Account.Password -AsPlainText -Force

    Add-PASAccount -secretType Password `
    -secret $Password `
    -platformAccountProperties @{"LOGONDOMAIN"=$Account.LogonDomain} `
    -SafeName $Account.SafeName `
    -PlatformID $Account.PlatformID `
    -Address $Account.Address `
    -Username $Account.Username

}

Close-PASSession

Example 2 - Delete Multiple Safes
#Specify Vault Logon Credentials
$LogonCredential = Get-Credential

#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url

$Safes = Get-PASSafe -search TestSafe

#Delete Safes
foreach ($Safe in $Safes){

  Remove-PASSafe -SafeName $Safe.SafeName -WhatIf

}

#Logoff
Close-PASSession

Example 3 - Move a List of Users to a New Location
#Vault Logon Credentials
$LogonCredential = Get-Credential

#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url

#get list of users
$users = Get-Content .\userlist.txt

#move users
$users | foreach{

  Set-PASUser -UserName $_ -Location "\New\Location\Path" -WhatIf

}

#Logoff
Close-PASSession
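The three bulk examples above share a shape: logon, loop, logoff. The added example below (my own code, not part of the psPAS project) shows how to make that shape safe to run against a production vault: the CSV is validated before the session is opened, each account is processed in its own try/catch so one bad row does not abort the run, -WhatIf is honoured through SupportsShouldProcess, the secret is never written to the output, and Close-PASSession sits in a finally block so the session is always logged off. It assumes the same CSV columns as Example 1 (Username, Address, SafeName, PlatformID, LogonDomain, Password) and that the object returned by Add-PASAccount carries an AccountID property as the Get-PASAccount output does.

```powershell
# Added example, not from the psPAS project.
# Assumes a CSV with the columns used in Example 1 above.
function Import-PASAccountsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaseURI,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    $required = 'Username', 'Address', 'SafeName', 'PlatformID', 'Password'
    $rows = @(Import-Csv -Path $Path)

    # Fail before logging on rather than half-way through the run.
    if ($rows.Count -eq 0) { throw "No rows found in '$Path'" }
    foreach ($column in $required) {
        if ($rows[0].PSObject.Properties.Name -notcontains $column) {
            throw "CSV is missing required column '$column'"
        }
    }

    New-PASSession -Credential $Credential -BaseURI $BaseURI
    try {
        foreach ($row in $rows) {
            $target = "$($row.Username)@$($row.Address) -> $($row.SafeName)"

            # Skip rows with blank mandatory values instead of sending a bad request.
            $blank = $required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) }
            if ($blank) {
                [PSCustomObject]@{ Target = $target; Status = 'Skipped'; Detail = "Blank: $($blank -join ', ')" }
                continue
            }

            # -WhatIf / -Confirm support for the destructive-ish step
            if (-not $PSCmdlet.ShouldProcess($target, 'Add-PASAccount')) { continue }

            try {
                $params = @{
                    secretType = 'Password'
                    secret     = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
                    SafeName   = $row.SafeName
                    PlatformID = $row.PlatformID
                    Address    = $row.Address
                    Username   = $row.Username
                }
                if ($row.LogonDomain) {
                    $params['platformAccountProperties'] = @{ LOGONDOMAIN = $row.LogonDomain }
                }
                $created = Add-PASAccount @params
                # Report the outcome; the secret itself is never emitted.
                # AccountID on the returned object is assumed, as in Get-PASAccount output.
                [PSCustomObject]@{ Target = $target; Status = 'Added'; Detail = $created.AccountID }
            }
            catch {
                [PSCustomObject]@{ Target = $target; Status = 'Failed'; Detail = $_.Exception.Message }
            }
        }
    }
    finally {
        # Always log off, even if a row throws or the run is interrupted.
        Close-PASSession
    }
}

# Usage (dry run first, then for real with a report written out):
# Import-PASAccountsFromCsv -Path C:\Temp\Accounts.csv -BaseURI https://your.pvwa.url -Credential (Get-Credential) -WhatIf
# Import-PASAccountsFromCsv -Path C:\Temp\Accounts.csv -BaseURI https://your.pvwa.url -Credential (Get-Credential) |
#     Export-Csv -Path C:\Temp\onboarding-report.csv -NoTypeInformation
```

Run with -WhatIf first: the session is still opened and the CSV still validated, but every Add-PASAccount call is reported instead of executed, which is the cheapest way to catch a wrong SafeName or PlatformID before anything is written to the vault.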


Safe Permissions

  • Define Safe Roles and assign to safe members:
$Role1 = [PSCustomObject]@{
  UseAccounts                            = $true
  ListAccounts                           = $true
  ViewAuditLog                           = $false
  ViewSafeMembers                        = $false
}

$Role2 = [PSCustomObject]@{
  UseAccounts                            = $false
  ListAccounts                           = $true
  RetrieveAccounts                       = $false
  AddAccounts                            = $true
  UpdateAccountContent                   = $true
  UpdateAccountProperties                = $true
  InitiateCPMAccountManagementOperations = $true
  SpecifyNextAccountContent              = $false
  RenameAccounts                         = $true
  DeleteAccounts                         = $true
  UnlockAccounts                         = $true
  ManageSafe                             = $true
  ManageSafeMembers                      = $true
  BackupSafe                             = $false
  ViewAuditLog                           = $true
  ViewSafeMembers                        = $true
  requestsAuthorizationLevel1            = $false
  requestsAuthorizationLevel2            = $false
  AccessWithoutConfirmation              = $true
  CreateFolders                          = $true
  DeleteFolders                          = $true
  MoveAccountsAndFolders                 = $true
}

$Role1 | Add-PASSafeMember -SafeName NewSafe -MemberName a032485 -SearchIn Vault

UserName SafeName Permissions
-------- -------- -----------
a032485  NewSafe  @{useAccounts=True; retrieveAccounts=False; listAccounts=True;...

$Role2 | Add-PASSafeMember -SafeName NewSafe -MemberName SafeAdmin1 -SearchIn Vault

UserName   SafeName Permissions
--------   -------- -----------
SafeAdmin1 NewSafe  @{useAccounts=False; retrieveAccounts=False; listAccounts=Tr...
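Defining roles as above is only half the picture; the other half is checking that safe membership has not drifted away from them. The added example below (my own code, not part of the psPAS project) pipes Get-PASSafeMember output through a filter that reports any member holding a sensitive permission (manageSafe, manageSafeMembers, backupSafe, accessWithoutConfirmation, deleteAccounts) who is not on an allow-list. It relies on the camelCase permission names visible in the Permissions column of the output above; the function name, the default permission list and the allow-list are my own choices, and the sample members at the end are constructed so the filter can be exercised without a vault.

```powershell
# Added example, not from the psPAS project.
# Reports safe members holding sensitive permissions who are not expected to.
function Find-PASOverPrivilegedSafeMember {
    param(
        # Objects as returned by Get-PASSafeMember (UserName, SafeName, Permissions)
        [Parameter(Mandatory, ValueFromPipeline)]$Member,
        # Permissions that only administrative members should hold (names as shown in the Permissions output)
        [string[]]$SensitivePermission = @('manageSafe', 'manageSafeMembers', 'backupSafe',
                                           'accessWithoutConfirmation', 'deleteAccounts'),
        # Members expected to hold those permissions; adjust to your own standard
        [string[]]$Allowed = @('SafeAdmin', 'PasswordManager')
    )
    process {
        if ($Allowed -contains $Member.UserName) { return }

        # Collect the sensitive permissions this member actually has set to true
        $held = foreach ($p in $SensitivePermission) {
            if ($Member.Permissions.$p -eq $true) { $p }
        }

        if ($held) {
            [PSCustomObject]@{
                SafeName   = $Member.SafeName
                UserName   = $Member.UserName
                Unexpected = $held -join ', '
            }
        }
    }
}

# Constructed sample input (not real vault data) so the filter can be tried offline.
$sample = @(
    [PSCustomObject]@{ UserName = 'SafeAdmin';   SafeName = 'NewSafe'
                       Permissions = [PSCustomObject]@{ useAccounts = $true; manageSafe = $true; manageSafeMembers = $true } }
    [PSCustomObject]@{ UserName = 'a032485';     SafeName = 'NewSafe'
                       Permissions = [PSCustomObject]@{ useAccounts = $true; listAccounts = $true; manageSafe = $false } }
    [PSCustomObject]@{ UserName = 'Contractor7'; SafeName = 'NewSafe'
                       Permissions = [PSCustomObject]@{ useAccounts = $true; manageSafeMembers = $true; accessWithoutConfirmation = $true } }
)
$sample | Find-PASOverPrivilegedSafeMember

# Against a live session, audit every safe matching a search:
# Get-PASSafe -search YZO | Get-PASSafeMember | Find-PASOverPrivilegedSafeMember
```

Only Contractor7 is reported from the sample set: SafeAdmin is allow-listed and a032485 holds none of the sensitive permissions. Scheduling the live pipeline and diffing its output against the previous run gives a simple drift detector for safe membership.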


PSM Sessions

Terminate all Active PSM Sessions on a PSM Server
#Find Active Sessions for a PSM Server IP
#Terminate the Sessions
Get-PASPSMSession | Where-Object{
  ($_.RawProperties.ProviderID -eq $(Get-PASComponentDetail -ComponentID SessionManagement |
    Where-Object{$_.ComponentIP -eq "192.168.60.20"} |
    Select -ExpandProperty ComponentUserName))
  -and ($_.IsLive) -and ($_.CanTerminate)} | Stop-PASPSMSession


Updating Multiple Properties of an Account

  • Multiple updates can be performed in a single request:
[array]$operations += @{"op"="remove";"path"="/platformAccountProperties/LogonDomain"}
[array]$operations += @{"op"="replace";"path"="/name";"value"="SomeNewName"}
[array]$operations += @{"op"="replace";"path"="/address";"value"="domain.co.uk"}

Set-PASAccount -AccountID 286_4 -operations $operations

AccountID        : 286_4
Safe             : 3_TestSafe_028_XYJ
address          : domain.co.uk
userName         : sbwudlov
name             : SomeNewName
platformId       : Z_WINDOMAIN_OFF
secretType       : password
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime      : 06/06/2019 23:37:02


Using Methods

Methods present on objects returned from psPAS functions can be leveraged to get the data you need with ease.

  • The psPAS.CyberArk.Vault.Safe object returned by Get-PASSafe has a ScriptMethod (SafeMembers()), which will run a query for the members of the safe:
#List all safes where AppUser is not a member
Get-PASSafe | Where-Object{ ($_.safemembers() | Select-Object -ExpandProperty UserName) -notcontains "AppUser"}
  • Retrieved credentials can be immediately converted into Secure Strings or into a PsCredential object:
#Returns a Secure String
(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToSecureString()

#Returns a PsCredential Object
(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToPsCredential()

#Returns a PsCredential Object with a custom username (to include a domain for example)
(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToPsCredential("MyDomain\MyAccount")


API Sessions

  • If actions are required to be performed under the context of different user accounts, it is possible to work with different authenticated sessions:
#Start first session
$VaultAdmin = Get-Credential

PowerShell credential request
Enter your credentials.
User: VaultAdmin
Password for user VaultAdmin: **********


New-PASSession -Credential $VaultAdmin -BaseURI https://pvwa.somedomain.com

Get-PASLoggedOnUser

UserName   Source   UserTypeName AgentUser Expired Disabled Suspended
--------   ------   ------------ --------- ------- -------- ---------
VaultAdmin Internal EPVUser      False     False   False    False

#Save first session data
$FirstSession = Get-PASSession

#Start second session
$SafeAdmin = Get-Credential

PowerShell credential request
Enter your credentials.
User: SafeAdmin
Password for user SafeAdmin: **********


New-PASSession -Credential $SafeAdmin -BaseURI https://pvwa.somedomain.com

Get-PASLoggedOnUser

UserName  Source   UserTypeName AgentUser Expired Disabled Suspended
--------  ------   ------------ --------- ------- -------- ---------
SafeAdmin Internal EPVUser      False     False   False    False

#Save second session data
$SecondSession = Get-PASSession

#Switch back to first session
Use-PASSession -Session $FirstSession

Get-PASLoggedOnUser

UserName   Source   UserTypeName AgentUser Expired Disabled Suspended
--------   ------   ------------ --------- ------- -------- ---------
VaultAdmin Internal EPVUser      False     False   False    False

#End first session
Close-PASSession

#Switch to second session
Use-PASSession -Session $SecondSession

Get-PASLoggedOnUser

UserName  Source   UserTypeName AgentUser Expired Disabled Suspended
--------  ------   ------------ --------- ------- -------- ---------
SafeAdmin Internal EPVUser      False     False   False    False

#End second session
Close-PASSession
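The sequence above is easy to get wrong by hand: forget one Use-PASSession and the rest of the script runs as the wrong user. The added example below (my own code, not part of the psPAS project) wraps it in a function that saves the caller's session with Get-PASSession, authenticates as the requested user, checks with Get-PASLoggedOnUser that the API really sees that identity before any work is done, runs the supplied script block, and in a finally block logs the temporary session off and restores the original one. The function name and parameters are my own; it assumes the object returned by Get-PASSession exposes a BaseURI property when a session exists.

```powershell
# Added example, not from the psPAS project.
# Runs a script block under a different vault identity, then restores the caller's session.
function Invoke-PASAs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$BaseURI,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        # Same values as New-PASSession -type (CyberArk, LDAP, RADIUS, ...)
        [string]$Type = 'CyberArk'
    )

    # Remember whatever session the caller currently has (may be empty)
    $previous = Get-PASSession

    New-PASSession -Credential $Credential -BaseURI $BaseURI -type $Type
    try {
        # Verify the identity the API reports before doing anything with it
        $who = Get-PASLoggedOnUser
        if ($who.UserName -ne $Credential.UserName) {
            throw "Logged on as '$($who.UserName)', expected '$($Credential.UserName)'"
        }

        & $ScriptBlock
    }
    finally {
        # Log the temporary session off and hand control back to the original one.
        Close-PASSession
        # BaseURI is assumed to be populated only when a real previous session existed
        if ($previous -and $previous.BaseURI) {
            Use-PASSession -Session $previous
        }
    }
}

# Usage: query safe members as SafeAdmin, then carry on as the original user
# Invoke-PASAs -Credential (Get-Credential -UserName SafeAdmin -Message 'SafeAdmin password') `
#     -BaseURI https://pvwa.somedomain.com -ScriptBlock {
#         Get-PASSafe -search TestSafe | Get-PASSafeMember
#     }
# Get-PASLoggedOnUser   # back to the caller's identity
```

Because the temporary session is closed in the finally block, an error inside the script block cannot leave an extra authenticated session lingering, and the identity check guards against the case where the credential object's UserName does not match what the vault actually logged on (an LDAP account resolving to a different vault user name, for example).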

Sample Scripts

A selection of psPAS sample scripts can be found in the psPAS-Examples repository.


psPAS Functions

This section lists the commands available in psPAS as well as any relevant version requirements.

Depending on your version of CyberArk, different psPAS commands and parameters are available.

The most recent psPAS version should be compatible with, and usable against, your particular CyberArk version.

The version requirements for certain parameters are described in greater detail in the command's documentation.

The module will take steps to verify that your version of CyberArk meets any psPAS command's minimum version requirement.

If version requirement criteria are not met, operations may be prevented.

To learn more about the parameters that may be used and the required version, consult the output of the 'Get-Help' command for the 'psPAS' functions.

The current list of psPAS functions and their minimum version requirements:

List of Functions
Function Name CyberArk Version Description
New-PASSession 9.0 Authenticates a user to CyberArk Vault
Close-PASSession 9.0 Logoff from CyberArk Vault.
Get-PASSession --- Get psPAS Session Data.
Use-PASSession --- Set psPAS Session Data.
Add-PASPublicSSHKey 9.6 Adds an authorised public SSH key for a user.
Get-PASPublicSSHKey 9.6 Retrieves a user's SSH Keys.
Remove-PASPublicSSHKey 9.6 Deletes a Public SSH Key from a user
Add-PASAccountACL 9.0 Adds a new privileged command rule to an account.
Get-PASAccountACL 9.0 Lists privileged commands rule for an account
Remove-PASAccountACL 9.0 Deletes privileged commands rule from an account
Add-PASAccountGroupMember 9.95 Adds an account as a member of an account group.
Get-PASAccountGroup 9.10 Returns account groups in a Safe.
Get-PASAccountGroupMember 9.10 Returns members of an account group.
New-PASAccountGroup 9.95 Adds a new account group
Remove-PASAccountGroupMember 9.10 Deletes a member of an account group
Add-PASAccount 9.0 Adds a new account.
Add-PASPendingAccount 9.7 Adds discovered account or SSH key as a pending account.
Get-PASAccount 9.3 Returns information about accounts.
Get-PASAccountActivity 9.7 Returns activities for an account.
Get-PASAccountPassword 9.7 Returns password for an account.
Remove-PASAccount 9.3 Deletes an account
Set-PASAccount 9.5 Updates details of an account.
Invoke-PASCPMOperation 9.7 Invoke CPM verify, change & reconcile tasks.
Unlock-PASAccount 9.10 Checks in an exclusive-use account.
Add-PASApplication 9.1 Adds a new application
Add-PASApplicationAuthenticationMethod 9.1 Add authentication method to an application
Get-PASApplication 9.1 Returns details of applications
Get-PASApplicationAuthenticationMethod 9.1 Returns application authentication methods
Remove-PASApplication 9.1 Deletes an application
Remove-PASApplicationAuthenticationMethod 9.1 Delete auth method from an application
Import-PASConnectionComponent 10.3 Imports a Connection Component
New-PASPSMSession 9.10 Get required parameters to connect through PSM
Get-PASPSMRecording 9.10 Get details of PSM Recording
Get-PASPSMSession 9.10 Get details of PSM Sessions
Resume-PASPSMSession 10.2 Resumes a Suspended PSM Session.
Stop-PASPSMSession 10.1 Terminates a PSM Session.
Suspend-PASPSMSession 10.2 Suspends a PSM Session.
Get-PASOnboardingRule 9.7 Gets automatic on-boarding rules
New-PASOnboardingRule 9.7 Adds a new on-boarding rule
Remove-PASOnboardingRule 9.7 Deletes an automatic on-boarding rule
Get-PASPlatform 9.10 Retrieves details of a specified platform.
Import-PASPlatform 10.2 Import a new platform
Export-PASPlatform 10.4 Export a platform
Add-PASPolicyACL 9.0 Adds a new privileged command rule
Get-PASPolicyACL 9.0 Lists OPM Rules for a policy
Remove-PASPolicyACL 9.0 Delete privileged commands from policy
Approve-PASRequest 9.10 Confirm a single request
Deny-PASRequest 9.10 Reject a single request
Get-PASRequest 9.10 List requests
Get-PASRequestDetail 9.10 Get request details
New-PASRequest 9.10 Creates an access request for an account
Remove-PASRequest 9.10 Deletes a request
Add-PASSafeMember 9.3 Adds a Safe Member to a safe
Get-PASSafeMember 9.7 Lists the members of a Safe
Remove-PASSafeMember 9.3 Removes a member from a safe
Set-PASSafeMember 9.3 Updates a Safe Member's Permissions
Add-PASSafe 9.2 Adds a new safe
Get-PASSafe 9.7 Returns safe details
Remove-PASSafe 9.3 Deletes a safe
Set-PASSafe 9.3 Updates a safe
Get-PASSafeShareLogo 9.7 Returns details of SafeShare Logo
Get-PASServer 9.7 Returns details of the Web Service Server
Get-PASServerWebService 9.7 Returns details of the Web Service
Get-PASComponentDetail 10.1 Returns details about component instances.
Get-PASComponentSummary 10.1 Returns consolidated information about components.
Add-PASGroupMember 9.7 Adds a user as a group member
Get-PASLoggedOnUser 9.7 Returns details of the logged on user
Get-PASUserLoginInfo 10.4 Returns login details of the current user
Get-PASUser 9.7 Returns details of a user
New-PASUser 9.7 Creates a new user
Remove-PASUser 9.7 Deletes a user
Set-PASUser 9.7 Updates a user
Unblock-PASUser 9.7 Activates a suspended user
Get-PASDirectory 10.4 Get configured LDAP directories
Add-PASDirectory 10.4 Add a new LDAP directory
New-PASDirectoryMapping 10.4 Create a new LDAP directory mapping
Add-PASPTARule 10.4 Add a new Risky Command rule to PTA
Get-PASPTAEvent 10.3 Get security events from PTA
Set-PASPTAEvent 11.3 Set PTA security event status
Get-PASPTARemediation 10.4 Get automatic response config from PTA
Get-PASPTARule 10.4 List Risky Command rules from PTA
Set-PASPTARemediation 10.4 Update automatic response config in PTA
Set-PASPTARule 10.4 Update a Risky Command rule in PTA
Get-PASAccountDetail 10.4 Returns information about accounts.
Get-PASGroup 10.5 Return group information
Remove-PASGroupMember 10.5 Remove group members
Set-PASOnboardingRule 10.5 Update Onboarding Rules
Add-PASDiscoveredAccount 10.5 Add discovered accounts to the Accounts Feed
Connect-PASPSMSession 10.5 Get required parameters to connect to a PSM Session
Get-PASPSMSessionActivity 10.6 Get activity details from an active PSM Session.
Get-PASPSMSessionProperty 10.6 Get property details from an active PSM Session.
Get-PASPSMRecordingActivity 10.6 Get activity details from a PSM Recording.
Get-PASPSMRecordingProperty 10.6 Get property details from a PSM Recording.
Export-PASPSMRecording 10.6 Save PSM Session Recording to a file.
Request-PASJustInTimeAccess 10.6 Request temporary access to a server.
Revoke-PASJustInTimeAccess 12.0 Revoke temporary server access.
Get-PASDirectoryMapping 10.7 Get details of configured directory mappings.
Set-PASDirectoryMapping 10.7 Update a configured directory mapping.
Remove-PASDirectory 10.7 Delete a directory configuration.
Find-PASSafe 10.1 - 11.7 List or Search Safes by name.
Set-PASDirectoryMappingOrder 10.10 Reorder Directory Mappings
Set-PASUserPassword 10.10 Reset a User's Password
New-PASGroup 11.1 Create a new CyberArk group
Get-PASPlatformSafe 11.1 List details for all platforms
Remove-PASDirectoryMapping 11.1 Deletes a Directory Mapping
Enable-PASCPMAutoManagement 10.4 Enables Automatic CPM Management for an account
Disable-PASCPMAutoManagement 10.4 Disables Automatic CPM Management for an account
Test-PASPSMRecording 11.2 Determine validity of PSM Session Recording
Copy-PASPlatform 11.4 Duplicate a platform
Enable-PASPlatform 11.4 Enable a platform
Disable-PASPlatform 11.4 Disable a platform
Remove-PASPlatform 11.4 Delete a platform
Remove-PASGroup 11.5 Delete a user group
Get-PASAllowedReferrer 11.5 List PVWA Allowed Referrer
Add-PASAllowedReferrer 11.5 Add PVWA Allowed Referrer
Get-PASAccountSSHKey 11.5 Get Private SSH Key value of Account
Get-PASAuthenticationMethod 11.5 List authentication methods
Add-PASAuthenticationMethod 11.5 Add authentication method
Set-PASAuthenticationMethod 11.5 Update authentication method
Get-PASConnectionComponent 11.5 List configured connection components
Get-PASPSMServer 11.5 List configured PSM Servers
Get-PASPlatformPSMConfig 11.5 List Platform PSM configuration
Set-PASPlatformPSMConfig 11.5 Update Platform PSM configuration
Start-PASAccountImportJob 11.6 Add multiple accounts to existing Safes.
Get-PASAccountImportJob 11.6 Get status of account import
New-PASAccountObject --- Format an object to include in an import list
Get-PASDiscoveredAccount 11.6 List discovered accounts
Add-PASOpenIDConnectProvider 11.7 Adds an OIDC Authentication Provider
Get-PASOpenIDConnectProvider 11.7 Gets details of configured OIDC Authentication Providers
Remove-PASOpenIDConnectProvider 11.7 Deletes an OIDC Authentication Provider
Set-PASOpenIDConnectProvider 11.7 Updates an OIDC Authentication Provider
Remove-PASAuthenticationMethod 11.7 Delete an authentication method
Clear-PASDiscoveredAccountList 12.1 Clear all discovered accounts from the pending account list
Get-PASAccountPasswordVersion 12.1 Get details of previous password versions
New-PASAccountPassword 12.0 Generate new password values based on platform policy
Set-PASLinkedAccount 12.1 Associate logon and reconcile accounts
Clear-PASLinkedAccount 12.2 Clear associated linked accounts
Clear-PASPrivateSSHKey 12.1 Remove all MFA caching SSH Keys
New-PASPrivateSSHKey 12.1 Generate MFA caching SSH Keys
Remove-PASPrivateSSHKey 12.1 Delete MFA caching SSH Keys
Set-PASGroup 12.0 Update CyberArk groups
Get-PASPlatformSummary 12.2 Get information on platform system types
Enable-PASUser 12.6 Enable CyberArk Users
Disable-PASUser 12.6 Disable CyberArk Users
Publish-PASDiscoveredAccount 12.6 Onboard Discovered Accounts
Get-PASLinkedAccount 12.2 Get details of linked accounts
Get-PASLinkedGroup 12.2 Get details of linked groups
Add-PASPersonalAdminAccount 12.6 Add Personal Admin Account (Privilege Cloud Only).
Get-PASPTAGlobalCatalog 13.0 Get Global Catalog connectivity details for PTA.
Add-PASPTAGlobalCatalog 13.0 Add Global Catalog connectivity details to PTA.
Get-PASUserTypeInfo 13.2 Get User Type Info
Get-PASPTARiskEvent 13.2 Get PTA Risk Events
Set-PASPTARiskEvent 13.2 Update PTA Risk Events
Get-PASPTARiskSummary 13.2 Get PTA Risk Summary
New-PASRequestObject --- Format an object to include in an request list
Add-PASPTAIncludedTarget 14.0 Includes a PTA Monitored Target
Add-PASPTAExcludedTarget 14.0 Excludes a PTA Monitored Target
Add-PASPTAPrivilegedGroup 14.0 Configures a PTA Privileged Group
Add-PASPTAPrivilegedUser 14.0 Configures a PTA Privileged User
Get-PASPTAExcludedTarget 14.0 Get PTA Excluded Target
Get-PASPTAIncludedTarget 14.0 Get PTA Included target
Get-PASPTAPrivilegedGroup 14.0 Get PTA Privileged Group
Get-PASPTAPrivilegedUser 14.0 Get PTA Privileged User
Remove-PASPTAExcludedTarget 14.0 Remove PTA Excluded Target
Remove-PASPTAIncludedTarget 14.0 Remove PTA Included Target
Remove-PASPTAPrivilegedGroup 14.0 Remove PTA Privileged Group
Remove-PASPTAPrivilegedUser 14.0 Remove PTA Privileged User
Set-PASIPAllowList P Cloud Only Set P Cloud IP Allow List
Get-PASIPAllowList P Cloud Only Get P Cloud IP Allow List
Get-PASBYOKConfig P Cloud Only Get P Cloud BYOK Config
Publish-PASDiscoveredLocalAccount P Cloud Only Publish P Cloud Discovered Local Account
Remove-PASDiscoveredLocalAccount P Cloud Only Delete P Cloud Discovered Local Account
Get-PASDiscoveredLocalAccountActivity P Cloud Only Get P Cloud Discovered Local Account Activity
Get-PASDiscoveredLocalAccount P Cloud Only Get P Cloud Discovered Local Account
Clear-PASDiscoveredLocalAccount P Cloud Only Clear all P Cloud Discovered Local Accounts
Add-PASDiscoveredLocalAccount P Cloud Only Add P Cloud Discovered Local Account

Installation

Prerequisites

  • PowerShell Core, or Windows PowerShell v5 (minimum)
  • CyberArk PAS REST API/PVWA Web Service (available and accessible over HTTPS using TLS 1.2)
  • A user who can authenticate and has the necessary Vault/Safe permissions.

Install Options

Users can download psPAS from GitHub or the PowerShell Gallery.

Choose any of the following ways to download the module and install it:

Option 1: Install from PowerShell Gallery

This is the easiest and most popular way to install the module.

PowerShell 5.0 or above must be used to download the module from the PowerShell Gallery.

  1. Open a PowerShell prompt

  2. Execute the following command:

Install-Module -Name psPAS -Scope CurrentUser

Option 2: Manual Install

The module files can be manually copied to one of your PowerShell module directories.

Use the following command to get the paths to your local PowerShell module folders:

$env:PSModulePath.split(';')

The module files must be placed in one of the listed directories, in a folder called psPAS.

More: about_PSModulePath

The module files are available to download using a variety of methods:

PowerShell Gallery
  • Download the module from the PowerShell Gallery:
    • Run the PowerShell command Save-Module -Name psPAS -Path C:\temp
    • Copy the C:\temp\psPAS folder to your "Powershell Modules" directory of choice.
psPAS Release
  • Download the latest GitHub release
    • Unblock & Extract the archive
    • Rename the extracted psPAS-v#.#.# folder to psPAS
    • Copy the psPAS folder to your "Powershell Modules" directory of choice.
psPAS Branch
  • Download GitHub Branch
    • Unblock & Extract the archive
    • Copy the psPAS (<Archive Root>\psPAS-master\psPAS) folder to your "Powershell Modules" directory of choice.

Verification

Validate Install:

Get-Module -ListAvailable psPAS

Import the module:

Import-Module psPAS

List Module Commands:

Get-Command -Module psPAS

Get detailed information on specific commands:

Get-Help New-PASUser -Full
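The manual install and verification steps above, carried out end to end as one script. This is an added example, not code from the psPAS project: it stages the module with Save-Module, clears the download mark, copies the folder into a user-scoped entry of $env:PSModulePath, and then runs the same verification commands. It assumes outbound HTTPS to the PowerShell Gallery is allowed and that the value in $RequiredVersion (a placeholder here) is a release that actually exists in the Gallery.

```powershell
# Added example (not part of the psPAS project): manual install of psPAS from the
# PowerShell Gallery into the current user's module path, followed by verification.
# Assumptions: outbound HTTPS to the Gallery is allowed, and $RequiredVersion is a
# real published release (the value below is a placeholder to be replaced).
#Requires -Version 5.0

$ModuleName      = 'psPAS'
$RequiredVersion = '0.0.0'   # placeholder: pin to the release you have reviewed

# Windows PowerShell 5 may negotiate an older TLS version by default; the Gallery
# (like the PVWA, per the prerequisites) requires TLS 1.2.
if ($PSVersionTable.PSVersion.Major -lt 6) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}

# Look before installing: confirm the name, version and author the Gallery will serve.
$Found = Find-Module -Name $ModuleName -Repository PSGallery -RequiredVersion $RequiredVersion
$Found | Select-Object Name, Version, Author, PublishedDate

# Save (rather than Install) to a scratch folder so the files can be reviewed first.
$Staging = Join-Path ([IO.Path]::GetTempPath()) "$ModuleName-staging"
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Save-Module -Name $ModuleName -RequiredVersion $RequiredVersion -Path $Staging -Repository PSGallery

# Files downloaded on Windows carry the Zone.Identifier mark; clear it so the module
# is not refused by execution policy (the "Unblock" step in the manual procedure).
Get-ChildItem -Path $Staging -Recurse -File | Unblock-File

# Choose the first user-scoped entry of $env:PSModulePath. The separator is ';' on
# Windows and ':' elsewhere, so split on the platform path separator.
$UserModulePath = ($env:PSModulePath -split [IO.Path]::PathSeparator) |
    Where-Object { $_ -like "$HOME*" } |
    Select-Object -First 1
if (-not $UserModulePath) { throw 'No user-scoped module path found in $env:PSModulePath' }
New-Item -ItemType Directory -Path $UserModulePath -Force | Out-Null

# Save-Module produces <Staging>\psPAS\<version>\...; copy the psPAS folder whole so
# the versioned layout lands directly under the module path.
Copy-Item -Path (Join-Path $Staging $ModuleName) -Destination $UserModulePath -Recurse -Force

# Verification, mirroring the Verification section.
$Installed = Get-Module -ListAvailable -Name $ModuleName
if (-not $Installed) { throw "$ModuleName was not found in any module path" }
$Installed | Select-Object Name, Version, ModuleBase
Import-Module -Name $ModuleName -RequiredVersion $RequiredVersion -Force
"Commands exported by ${ModuleName}: " + (Get-Command -Module $ModuleName | Measure-Object).Count
Get-Help -Name New-PASSession -Full

# Remove the staging copy once the module is in place.
Remove-Item -Path $Staging -Recurse -Force
```

Pinning -RequiredVersion on Find-Module, Save-Module and Import-Module means the version that was reviewed in staging is the one that gets copied and loaded; dropping the pin falls back to whatever the Gallery currently lists as latest.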

Sponsorship

Please support continued psPAS development; consider sponsoring @pspete on GitHub Sponsors

Changelog

All notable changes to this project will be documented in the Changelog

Author

License

This project is licensed under the MIT License.

Contributing

Any and all contributions to this project are appreciated.

See the CONTRIBUTING.md for a few more details.

Support

psPAS is neither developed nor supported by CyberArk; any official support channels offered by the vendor are not appropriate for seeking help with the psPAS module.

Help and support should be sought by opening an issue, or emailing pspas@pspete.dev.

Priority support could be considered for sponsors of @pspete; contact us to discuss options.

Acknowledgements

Hat Tips:

Joe Garcia (infamousjoeg) for the unofficial API documentation, general API wizardry & knowledge sharing.

Jesse McWilliams (JesseMcWilliamss) for the information needed to add PKIPN authentication into New-PASSession.

Wojciech Ossowski (Qrelis) for sharing the details of the account unlock API.

Allyn Lindsay (allynl93) for PS-SAML-Interactive.

Assaf Miron (AssafMiron) for the JSON formatting assistance.

Warren Frame (RamblingCookieMonster) for Add-ObjectDetail.ps1.

Chapeau!
