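<#
.SYNOPSIS
    ADD EPV USERS TO CYBERARK
    CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com
.DESCRIPTION
    USE THIS FUNCTION TO ADD EPV USERS INTO CYBERARK

    The request body is assembled from the supplied parameters and POSTed to
    /PasswordVault/api/Users on the PVWA resolved by Get-VPASSession.
    When -AuthenticationType is AuthTypePass (the default) and -InitialPassword is
    omitted, the function prompts for the password interactively (masked input).
    The initial password value is never written to the verbose stream, and it is
    redacted in the PARAMS entry written by Write-VPASTextRecorder.
.PARAMETER token
    HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc).
    If -token is not passed, function will use last known hashtable generated by New-VPASToken
.PARAMETER username
    Username that will be assigned to the new EPVUser
.PARAMETER Description
    An explanation/details of the target resource
    Best practice states to leave informative descriptions to help identify the resource purpose
.PARAMETER AddSafes
    VaultAuthorization permission that gives rights for an EPVUser to create safes
.PARAMETER AuditUsers
    VaultAuthorization permission that gives rights for an EPVUser to view other EPVUser details
.PARAMETER AddUpdateUsers
    VaultAuthorization permission that gives rights for an EPVUser to add new EPVUsers or update existing EPVUsers
.PARAMETER ResetUsersPasswords
    VaultAuthorization permission that gives rights for an EPVUser to reset credentials for other EPVUsers
.PARAMETER ActivateUsers
    VaultAuthorization permission that gives rights for an EPVUser to Activate other EPVUsers (if the EPVUser becomes inactive)
.PARAMETER AddNetworkAreas
    VaultAuthorization permission that gives rights for an EPVUser to create Networking Areas
    Networking Areas limit where an account can be used from
.PARAMETER ManageDirectoryMapping
    VaultAuthorization permission that gives rights for an EPVUser to create/edit/delete directory mappings created during LDAP integration
.PARAMETER ManageServerFileCategories
    VaultAuthorization permission that gives rights for an EPVUser to create/modify/delete ServerFileCategories
.PARAMETER BackupAllSafes
    VaultAuthorization permission that gives rights for an EPVUser to be able to backup an existing safe
.PARAMETER RestoreAllSafes
    VaultAuthorization permission that gives rights for an EPVUser to be able to restore safes
.PARAMETER UserType
    The user type of the EPVUser being created
    UserTypes are determined by the current license in the environment, as well as how many seats are available per UserType
    Defaults to EPVUser when omitted.
    Possible values: EPVUser, AIMAccount, CPM, PVWA, PSMHTML5Gateway, PSM, AppProvider, OPMProvider, CCPEndpoints, PSMUser, IBVUser, AutoIBVUser, CIFS, FTP, SFE, DCAUser, DCAInstance, SecureEpClientUser, ClientlessUser, AdHocRecipient, SecureEmailUser, SEG, PSMPADBridge, PSMPServer, AllUsers, DR_USER, BizUser, PTA, DiscoveryApp, xRayAdminApp, PSMWeb, EPMUser, DAPService
.PARAMETER Location
    Where the EPVUser will reside in terms of the directory structure within CyberArk
    The value is prefixed with "\"; when omitted the root location "\" is used.
.PARAMETER InitialPassword
    Temporary initial password of the EPVUser
    Required for AuthTypePass; prompted for (masked) when omitted. Prefer passing it from a
    secret store rather than on the command line, where it can be captured by history/transcripts.
.PARAMETER PasswordNeverExpires
    If the password will ever expire or follow a scheduled expiry schedule
.PARAMETER ChangePasswordOnTheNextLogon
    Change the password of the new EPVUser upon first time login
.PARAMETER DisableUser
    Disable the new EPVUser account
    Disabled accounts are NOT able to log into CyberArk
.PARAMETER Street
    EPVUser Street value
.PARAMETER City
    EPVUser City value
.PARAMETER State
    EPVUser State value
.PARAMETER Zip
    EPVUser Zip value
.PARAMETER Country
    EPVUser Country value
.PARAMETER Title
    EPVUser Title value
.PARAMETER Organization
    EPVUser Organization value
.PARAMETER Department
    EPVUser Department value
.PARAMETER Profession
    EPVUser Profession value
.PARAMETER FirstName
    EPVUser FirstName value
.PARAMETER MiddleName
    EPVUser MiddleName value
.PARAMETER LastName
    EPVUser LastName value
.PARAMETER HomeNumber
    EPVUser HomeNumber value
.PARAMETER BusinessNumber
    EPVUser BusinessNumber value
.PARAMETER CellularNumber
    EPVUser CellularNumber value
.PARAMETER FaxNumber
    EPVUser FaxNumber value
.PARAMETER PagerNumber
    EPVUser PagerNumber value
.PARAMETER HomePage
    EPVUser HomePage value
.PARAMETER HomeEmail
    EPVUser HomeEmail value
.PARAMETER BusinessEmail
    EPVUser BusinessEmail value
.PARAMETER OtherEmail
    EPVUser OtherEmail value
.PARAMETER WorkStreet
    EPVUser WorkStreet value
.PARAMETER WorkCity
    EPVUser WorkCity value
.PARAMETER WorkState
    EPVUser WorkState value
.PARAMETER WorkZip
    EPVUser WorkZip value
.PARAMETER WorkCountry
    EPVUser WorkCountry value
.PARAMETER AuthenticationType
    Authentication method that the EPVUser will login with
    Defaults to AuthTypePass when omitted.
.PARAMETER DistinguishedName
    Users distinguished name, used for PKI authentication
    This should match the Certificate SubjectName or Domain Name
.EXAMPLE
    $EPVUserJSON = Add-VPASEPVUser -Username {USERNAME VALUE}
.OUTPUTS
    If successful:
    {
        "enableUser": true,
        "changePassOnNextLogon": false,
        "expiryDate": null,
        "suspended": false,
        "lastSuccessfulLoginDate": 1723779044,
        "unAuthorizedInterfaces": [ ],
        "authenticationMethod": [ "AuthTypePass" ],
        "passwordNeverExpires": false,
        "distinguishedName": "",
        "description": "New user for documentation",
        "businessAddress": { "workStreet": "", "workCity": "", "workState": "", "workZip": "", "workCountry": "" },
        "internet": { "homePage": "", "homeEmail": "", "businessEmail": "", "otherEmail": "" },
        "phones": { "homeNumber": "", "businessNumber": "", "cellularNumber": "", "faxNumber": "", "pagerNumber": "" },
        "personalDetails": { "street": "", "city": "", "state": "", "zip": "", "country": "", "title": "", "organization": "", "department": "", "profession": "", "firstName": "", "middleName": "", "lastName": "" },
        "id": 245,
        "username": "NewUser",
        "source": "CyberArk",
        "userType": "EPVUser",
        "componentUser": false,
        "groupsMembership": [ ],
        "vaultAuthorization": [ ],
        "location": "\\"
    }
    ---
    $false if failed
#>
function Add-VPASEPVUser{
    [OutputType('System.Object',[bool])]
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Enter username of new target EPVUser (for example: NewUser1)",Position=0)]
        [String]$Username,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)]
        [ValidateSet('EPVUser','AIMAccount','CPM','PVWA','PSMHTML5Gateway','PSM','AppProvider','OPMProvider','CCPEndpoints','PSMUser','IBVUser','AutoIBVUser','CIFS','FTP','SFE','DCAUser','DCAInstance','SecureEpClientUser','ClientlessUser','AdHocRecipient','SecureEmailUser','SEG','PSMPADBridge','PSMPServer','AllUsers','DR_USER','BizUser','PTA','DiscoveryApp','xRayAdminApp','PSMWeb','EPMUser','DAPService')]
        [String]$UserType,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)]
        [String]$Location,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)]
        [String]$InitialPassword,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=4)]
        [Switch]$PasswordNeverExpires,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=5)]
        [Switch]$ChangePasswordOnTheNextLogon,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=6)]
        [Switch]$DisableUser,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=7)]
        [String]$Description,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=8)]
        [hashtable]$token,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=9)]
        [String]$Street,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=10)]
        [String]$City,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=11)]
        [String]$State,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=12)]
        [String]$Zip,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=13)]
        [String]$Country,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=14)]
        [String]$Title,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=15)]
        [String]$Organization,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=16)]
        [String]$Department,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=17)]
        [String]$Profession,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=18)]
        [String]$FirstName,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=19)]
        [String]$MiddleName,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=20)]
        [String]$LastName,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=21)]
        [String]$HomeNumber,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=22)]
        [String]$BusinessNumber,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=23)]
        [String]$CellularNumber,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=24)]
        [String]$FaxNumber,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=25)]
        [String]$PagerNumber,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=26)]
        [String]$HomePage,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=27)]
        [String]$HomeEmail,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=28)]
        [String]$BusinessEmail,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=29)]
        [String]$OtherEmail,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=30)]
        [String]$WorkStreet,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=31)]
        [String]$WorkCity,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=32)]
        [String]$WorkState,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=33)]
        [String]$WorkZip,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=34)]
        [String]$WorkCountry,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=35)]
        [Switch]$AddSafes,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=36)]
        [Switch]$AuditUsers,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=37)]
        [Switch]$AddUpdateUsers,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=38)]
        [Switch]$ResetUsersPasswords,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=39)]
        [Switch]$ActivateUsers,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=40)]
        [Switch]$AddNetworkAreas,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=41)]
        [Switch]$ManageDirectoryMapping,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=42)]
        [Switch]$ManageServerFileCategories,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=43)]
        [Switch]$BackupAllSafes,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=44)]
        [Switch]$RestoreAllSafes,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=45)]
        [ValidateSet('AuthTypePass','AuthTypeRadius','AuthTypeLDAP')]
        [String]$AuthenticationType,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=46)]
        [String]$DistinguishedName
    )

    Begin{
        # Resolve the session (PVWA host, auth header, web session, SSL flag, ...) from the
        # supplied token or the module's last known one.
        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain = Get-VPASSession -token $token
        $CommandName = $MyInvocation.MyCommand.Name
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND
    }

    Process{
        Write-Verbose "SUCCESSFULLY PARSED PVWA VALUE"
        Write-Verbose "SUCCESSFULLY PARSED TOKEN VALUE"
        Write-Verbose "SUCCESSFULLY PARSED USERNAME VALUE: $Username"

        # Request body for POST /PasswordVault/api/Users; keys follow the API's JSON schema.
        $Params = @{}
        $Params['username'] = $Username

        if([String]::IsNullOrEmpty($UserType)){
            Write-Verbose "NO USERTYPE SPECIFIED, DEFAULT VALUE: EPVUser"
            $Params['userType'] = "EPVUser"
        }
        else{
            Write-Verbose "PARSING USERTYPE VALUE: $UserType"
            $Params['userType'] = $UserType
        }

        # The API location is always rooted at "\"; the supplied value is appended verbatim.
        # NOTE(review): a -Location that already starts with "\" yields "\\..." here — confirm
        # what the API accepts before normalising.
        $locationstr = "\"
        if([String]::IsNullOrEmpty($Location)){
            Write-Verbose "NO LOCATION SPECIFIED, DEFAULT LOCATION: \"
        }
        else{
            $locationstr += $Location
            Write-Verbose "PARSING LOCATION VALUE: $locationstr"
        }
        $Params['location'] = $locationstr

        # Boolean flags are sent as the string literals the existing API calls use.
        if($DisableUser){
            Write-Verbose "PARSING ENABLE USER VALUE: false"
            $Params['enableUser'] = "false"
        }
        else{
            Write-Verbose "PARSING ENABLE USER DEFAULT: true"
            $Params['enableUser'] = "true"
        }

        if($ChangePasswordOnTheNextLogon){
            Write-Verbose "CHANGE PASSWORD ON THE NEXT LOGIN: true"
            $Params['changePassOnNextLogon'] = "true"
        }
        else{
            Write-Verbose "CHANGE PASSWORD ON THE NEXT LOGON: false"
            $Params['changePassOnNextLogon'] = "false"
        }

        if($PasswordNeverExpires){
            Write-Verbose "PASSWORD NEVER EXPIRE: true"
            $Params['passwordNeverExpires'] = "true"
        }
        else{
            Write-Verbose "PASSWORD NEVER EXPIRE: false"
            $Params['passwordNeverExpires'] = "false"
        }

        # Vault-level authorizations: each switch maps 1:1 to the API permission name.
        $permissionSwitches = @(
            @{ Name = 'AddSafes';                   Enabled = [bool]$AddSafes },
            @{ Name = 'AuditUsers';                 Enabled = [bool]$AuditUsers },
            @{ Name = 'AddUpdateUsers';             Enabled = [bool]$AddUpdateUsers },
            @{ Name = 'ResetUsersPasswords';        Enabled = [bool]$ResetUsersPasswords },
            @{ Name = 'ActivateUsers';              Enabled = [bool]$ActivateUsers },
            @{ Name = 'AddNetworkAreas';            Enabled = [bool]$AddNetworkAreas },
            @{ Name = 'ManageDirectoryMapping';     Enabled = [bool]$ManageDirectoryMapping },
            @{ Name = 'ManageServerFileCategories'; Enabled = [bool]$ManageServerFileCategories },
            @{ Name = 'BackupAllSafes';             Enabled = [bool]$BackupAllSafes },
            @{ Name = 'RestoreAllSafes';            Enabled = [bool]$RestoreAllSafes }
        )
        $vaultauthstr = @()
        foreach($perm in $permissionSwitches){
            if($perm.Enabled){
                Write-Verbose "ADDING VAULT PERMISSION: $($perm.Name)"
                $vaultauthstr += $perm.Name
            }
        }
        if($vaultauthstr.Count -gt 0){
            Write-Verbose "ADDING VAULT AUTHORIZATIONS TO PARAMS: $vaultauthstr"
            $Params['vaultAuthorization'] = $vaultauthstr
        }

        if(![String]::IsNullOrEmpty($Description)){
            Write-Verbose "PARSING DESCRIPTION VALUE: $Description"
            $Params['description'] = $Description
        }

        # Optional nested objects. Each section becomes a sub-object in the body only when
        # at least one of its fields was supplied; empty fields are skipped.
        $sections = @(
            @{ Key = 'personalDetails'; Label = 'PERSONAL DETAILS'; Fields = @(
                @{ Label = 'STREET';       Key = 'street';       Value = $Street },
                @{ Label = 'CITY';         Key = 'city';         Value = $City },
                @{ Label = 'STATE';        Key = 'state';        Value = $State },
                @{ Label = 'ZIP';          Key = 'zip';          Value = $Zip },
                @{ Label = 'COUNTRY';      Key = 'country';      Value = $Country },
                @{ Label = 'TITLE';        Key = 'title';        Value = $Title },
                @{ Label = 'ORGANIZATION'; Key = 'organization'; Value = $Organization },
                @{ Label = 'DEPARTMENT';   Key = 'department';   Value = $Department },
                @{ Label = 'PROFESSION';   Key = 'profession';   Value = $Profession },
                @{ Label = 'FIRSTNAME';    Key = 'firstName';    Value = $FirstName },
                @{ Label = 'MIDDLENAME';   Key = 'middleName';   Value = $MiddleName },
                @{ Label = 'LASTNAME';     Key = 'lastName';     Value = $LastName }
            )},
            @{ Key = 'phones'; Label = 'PHONES'; Fields = @(
                @{ Label = 'HOME NUMBER';     Key = 'homeNumber';     Value = $HomeNumber },
                @{ Label = 'BUSINESS NUMBER'; Key = 'businessNumber'; Value = $BusinessNumber },
                @{ Label = 'CELLULAR NUMBER'; Key = 'cellularNumber'; Value = $CellularNumber },
                @{ Label = 'FAX NUMBER';      Key = 'faxNumber';      Value = $FaxNumber },
                @{ Label = 'PAGER NUMBER';    Key = 'pagerNumber';    Value = $PagerNumber }
            )},
            @{ Key = 'internet'; Label = 'INTERNET'; Fields = @(
                @{ Label = 'HOME PAGE';      Key = 'homePage';      Value = $HomePage },
                @{ Label = 'HOME EMAIL';     Key = 'homeEmail';     Value = $HomeEmail },
                @{ Label = 'BUSINESS EMAIL'; Key = 'businessEmail'; Value = $BusinessEmail },
                @{ Label = 'OTHER EMAIL';    Key = 'otherEmail';    Value = $OtherEmail }
            )},
            @{ Key = 'businessAddress'; Label = 'BUSINESS ADDRESS'; Fields = @(
                @{ Label = 'WORK STREET';  Key = 'workStreet';  Value = $WorkStreet },
                @{ Label = 'WORK CITY';    Key = 'workCity';    Value = $WorkCity },
                @{ Label = 'WORK STATE';   Key = 'workState';   Value = $WorkState },
                @{ Label = 'WORK ZIP';     Key = 'workZip';     Value = $WorkZip },
                @{ Label = 'WORK COUNTRY'; Key = 'workCountry'; Value = $WorkCountry }
            )}
        )
        foreach($section in $sections){
            $subObject = @{}
            foreach($field in $section.Fields){
                if(![String]::IsNullOrEmpty($field.Value)){
                    Write-Verbose "PARSING $($field.Label) VALUE: $($field.Value)"
                    $subObject[$field.Key] = $field.Value
                }
            }
            if($subObject.Count -gt 0){
                Write-Verbose "ADDING $($section.Label) TO PARAMS"
                $Params[$section.Key] = $subObject
            }
        }

        if([String]::IsNullOrEmpty($AuthenticationType)){
            Write-Verbose "NO AUTHENTICATION TYPE SPECIFIED, DEFAULT VALUE: AuthTypePass"
            $AuthenticationType = "AuthTypePass"
        }
        else{
            Write-Verbose "PARSING AUTHENTICATION TYPE VALUE: $AuthenticationType"
        }
        $Params['authenticationMethod'] = @($AuthenticationType)

        # Password auth needs an initial password; prompt with masked input so the secret is
        # not echoed to the console or captured in a transcript.
        if($AuthenticationType -eq "AuthTypePass" -and [String]::IsNullOrEmpty($InitialPassword)){
            Write-VPASOutput -str "AuthTypePass REQUIRES AN INITIAL PASSWORD: " -type Y
            $securePassword = Read-Host -AsSecureString
            $InitialPassword = [System.Net.NetworkCredential]::new('', $securePassword).Password
        }

        # Never write the password value itself to the verbose stream (it ends up in
        # transcripts and CI logs); only record that one was supplied.
        if(![String]::IsNullOrEmpty($InitialPassword)){
            Write-Verbose "INITIAL PASSWORD PROVIDED (VALUE NOT LOGGED)"
            $Params['initialPassword'] = $InitialPassword
        }
        else{
            Write-Verbose "NO PASSWORD SET"
        }

        if(![String]::IsNullOrEmpty($DistinguishedName)){
            Write-Verbose "SETTING DISTINGUISHED NAME TO: $DistinguishedName"
            $Params['distinguishedName'] = $DistinguishedName
        }
        else{
            Write-Verbose "NO DISTINGUISHED NAME SET"
        }

        Write-Verbose "SETTING PARAMETERS FOR API CALL"
        # Log a redacted copy: the text recorder must not persist the initial password.
        $logParams = $Params.Clone()
        if($logParams.ContainsKey('initialPassword')){
            $logParams['initialPassword'] = '********'
        }
        $log = Write-VPASTextRecorder -inputval $logParams -token $token -LogType PARAMS
        $body = $Params | ConvertTo-Json

        try{
            Write-Verbose "MAKING API CALL TO CYBERARK"
            if($NoSSL){
                Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                $uri = "http://$PVWA/PasswordVault/api/Users"
            }
            else{
                Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                $uri = "https://$PVWA/PasswordVault/api/Users"
            }
            $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI
            $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD

            # Reuse the session's WebSession (cookies) when Get-VPASSession returned one.
            if($sessionval){
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $body -ContentType "application/json" -WebSession $sessionval
            }
            else{
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $body -ContentType "application/json"
            }

            Write-Verbose "PARSING DATA FROM CYBERARK"
            Write-Verbose "OPERATION COMPLETED SUCCESSFULLY, RETURNING JSON OBJECT"
            $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURN
            return $response
        }catch{
            # Any REST/transport failure is reported and mapped to $false, per .OUTPUTS.
            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR
            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
            Write-Verbose "UNABLE TO ADD EPVUSER"
            Write-VPASOutput -str $_ -type E
            return $false
        }
    }

    End{
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER
    }
}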