public/Add-VPASSafeMember.ps1

<#
.Synopsis
   ADD SAFE MEMBER
   CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com
.DESCRIPTION
   USE THIS FUNCTION TO ADD A SAFE MEMBER TO AN EXISTING SAFE IN CYBERARK WITH SPECIFIED PERMISSIONS
.LINK
   https://vpasmodule.com/commands/Add-VPASSafeMember
.PARAMETER token
   HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc).
   If -token is not passed, function will use last known hashtable generated by New-VPASToken
.PARAMETER member
   Target unique safe member name
.PARAMETER safe
   Target unique safe name
.PARAMETER AllPerms
   Enables all safe permissions except RequestsAuthorizationLevel2, which this function leaves disabled
.PARAMETER AllAccess
   Enables all Access safe permissions (UseAccounts, RetrieveAccounts, ListAccounts)
.PARAMETER AllAccountManagement
   Enables all AccountManagement safe permissions (AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts)
.PARAMETER AllMonitor
   Enables all Monitor safe permissions (ViewAuditLog, ViewSafeMembers)
.PARAMETER AllSafeManagement
   Enables all SafeManagement safe permissions (ManageSafe, ManageSafeMembers, BackupSafe)
.PARAMETER AllWorkflow
   Enables all Workflow safe permissions (RequestsAuthorizationLevel1, AccessWithoutConfirmation)
.PARAMETER AllAdvanced
   Enables all Advanced safe permissions (CreateFolders, DeleteFolders, MoveAccountsAndFolders)
.PARAMETER UseAccounts
   Gives the ability to use accounts in a safe (click the connect button)
.PARAMETER RetrieveAccounts
   Gives the ability to pull accounts credentials in a safe (click the Show/Copy buttons)
.PARAMETER ListAccounts
   Gives the ability to view accounts in a safe
.PARAMETER AddAccounts
   Gives the ability to add accounts in a safe
.PARAMETER UpdateAccountContent
   Gives the ability to manually update accounts secrets in a safe
.PARAMETER UpdateAccountProperties
   Gives the ability to update account properties in a safe (username field, address field, etc)
.PARAMETER InitiateCPMAccountManagementOperations
   Gives the ability to trigger the CPM to run a change, verify, or reconcile on accounts in a safe
.PARAMETER SpecifyNextAccountContent
   Gives the ability to specify the next password the CPM will push to accounts in a safe.
   Enabling this permission also enables InitiateCPMAccountManagementOperations if it was not already set
.PARAMETER RenameAccounts
   Gives the ability to modify the ObjectName of accounts in a safe
.PARAMETER DeleteAccounts
   Gives the ability to delete accounts from a safe
.PARAMETER UnlockAccounts
   Gives the ability to unlock or check in locked accounts on someone else's behalf in a safe
.PARAMETER ManageSafe
   Gives the ability to modify safe details (DaysRetention, VersionRetention, Description, etc)
.PARAMETER ManageSafeMembers
   Gives the ability to add, remove, modify safe members on a safe
.PARAMETER BackupSafe
   Gives the ability to backup a safe
.PARAMETER ViewAuditLog
   Gives the ability to view the activities performed on accounts in a safe
.PARAMETER ViewSafeMembers
   Gives the ability to view safe members on a safe
.PARAMETER AccessWithoutConfirmation
   Gives the ability to access the safe without needing confirmation from an approver
.PARAMETER CreateFolders
   Gives the ability to create folders in a safe
.PARAMETER DeleteFolders
   Gives the ability to delete folders from a safe
.PARAMETER MoveAccountsAndFolders
   Gives the ability to move accounts and folders from one safe to another
.PARAMETER RequestsAuthorizationLevel1
   Gives the ability to approve or deny users from using an account (Level1) in a safe
.PARAMETER RequestsAuthorizationLevel2
   Gives the ability to approve or deny users from using an account (Level2) in a safe.
   If RequestsAuthorizationLevel1 is also set, Level2 is disabled and only Level1 is applied
.PARAMETER searchin
   Which directory to search in for the target safe member. This value is defined during LDAP integration.
   If searching for a user internally use the value "vault"
.PARAMETER SafePermissionHashTable
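   Hashtable that contains the set of safe permissions to be applied to a specific safe member.
   Hashtable has priority over the safe permission flags that are passed.
   Permissions missing from the hashtable are treated as disabled, and an unrecognized key makes the command return $false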
.PARAMETER MemberType
   Specify whether the target safe member is of type User, Group, or Role.
   This will save time querying for the target safe member.
   Possible values: "User", "Group", "Role"
.PARAMETER InputParameters
   HashTable of values containing the parameters required to make the API call
.EXAMPLE
   $AddSafemember = Add-VPASSafeMember -member {MEMBER VALUE} -MemberType {MEMBERTYPE VALUE} -safe {SAFE VALUE} -UseAccounts -RetrieveAccounts -ListAccounts
.EXAMPLE
   $AddSafemember = Add-VPASSafeMember -member {MEMBER VALUE} -MemberType {MEMBERTYPE VALUE} -safe {SAFE VALUE} -AllAccess -AllMonitor
.EXAMPLE
   $InputParameters = @{
        member = "TargetUser@vman.com"
        safe = "TargetSafe"
        MemberType = "User"|"Group"|"Role"
        AllPerms = $true|$false
        AllAccess = $true|$false
        AllAccountManagement = $true|$false
        AllMonitor = $true|$false
        AllSafeManagement = $true|$false
        AllWorkflow = $true|$false
        AllAdvanced = $true|$false
        UseAccounts = $true|$false
        RetrieveAccounts = $true|$false
        ListAccounts = $true|$false
        AddAccounts = $true|$false
        UpdateAccountContent = $true|$false
        UpdateAccountProperties = $true|$false
        InitiateCPMAccountManagementOperations = $true|$false
        SpecifyNextAccountContent = $true|$false
        RenameAccounts = $true|$false
        DeleteAccounts = $true|$false
        UnlockAccounts = $true|$false
        ManageSafe = $true|$false
        ManageSafeMembers = $true|$false
        BackupSafe = $true|$false
        ViewAuditLog = $true|$false
        ViewSafeMembers = $true|$false
        AccessWithoutConfirmation = $true|$false
        CreateFolders = $true|$false
        DeleteFolders = $true|$false
        MoveAccountsAndFolders = $true|$false
        RequestsAuthorizationLevel1 = $true|$false
        RequestsAuthorizationLevel2 = $true|$false
   }
   $AddSafemember = Add-VPASSafeMember -InputParameters $InputParameters
.EXAMPLE
   $InputParameters = @{
        member = "TargetUser@vman.com"
        safe = "TargetSafe"
        MemberType = "User"|"Group"|"Role"
        SafePermissionHashTable = @{
            UseAccounts = $true|$false
            RetrieveAccounts = $true|$false
            ListAccounts = $true|$false
            AddAccounts = $true|$false
            UpdateAccountContent = $true|$false
            UpdateAccountProperties = $true|$false
            InitiateCPMAccountManagementOperations = $true|$false
            SpecifyNextAccountContent = $true|$false
            RenameAccounts = $true|$false
            DeleteAccounts = $true|$false
            UnlockAccounts = $true|$false
            ManageSafe = $true|$false
            ManageSafeMembers = $true|$false
            BackupSafe = $true|$false
            ViewAuditLog = $true|$false
            ViewSafeMembers = $true|$false
            AccessWithoutConfirmation = $true|$false
            CreateFolders = $true|$false
            DeleteFolders = $true|$false
            MoveAccountsAndFolders = $true|$false
            RequestsAuthorizationLevel1 = $true|$false
            RequestsAuthorizationLevel2 = $true|$false
        }
   }
   $AddSafemember = Add-VPASSafeMember -InputParameters $InputParameters
.OUTPUTS
   If successful:
   {
        "safeUrlId": "NewSafeVpas",
        "safeName": "NewSafeVpas",
        "safeNumber": 133,
        "memberId": "1dfc3edf-4564-4abf-9bc1-aa07b8c62afc",
        "memberName": "vadim@vman.pam",
        "memberType": "User",
        "membershipExpirationDate": null,
        "isExpiredMembershipEnable": false,
        "isPredefinedUser": false,
        "isReadOnly": false,
        "permissions": {
                            "useAccounts": true,
                            "retrieveAccounts": true,
                            "listAccounts": true,
                            "addAccounts": false,
                            "updateAccountContent": false,
                            "updateAccountProperties": false,
                            "initiateCPMAccountManagementOperations": false,
                            "specifyNextAccountContent": false,
                            "renameAccounts": false,
                            "deleteAccounts": false,
                            "unlockAccounts": false,
                            "manageSafe": false,
                            "manageSafeMembers": false,
                            "backupSafe": false,
                            "viewAuditLog": false,
                            "viewSafeMembers": false,
                            "accessWithoutConfirmation": false,
                            "createFolders": false,
                            "deleteFolders": false,
                            "moveAccountsAndFolders": false,
                            "requestsAuthorizationLevel1": false,
                            "requestsAuthorizationLevel2": false
                        }
   }
   ---
   $false if failed
#>

function Add-VPASSafeMember{
    [OutputType('System.Object',[bool])]
    [CmdletBinding(DefaultParameterSetName='Set1')]
    Param(
        [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Target SafeMember to be added (for example: ADVaultAdmins)")]
        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Target SafeMember to be added (for example: ADVaultAdmins)")]
        [String]$member,

        [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Target safe to add target SafeMember to (for example: TestSafe1)")]
        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Target safe to add target SafeMember to (for example: TestSafe1)")]
        [String]$safe,

        [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Member Type being added to the safe (possible values: User, Group, Role)")]
        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Member Type being added to the safe (possible values: User, Group, Role)")]
        [ValidateSet("User","Group","Role")]
        [String]$MemberType,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [String]$searchin,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllPerms,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllAccess,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllAccountManagement,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllMonitor,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllSafeManagement,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllWorkflow,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AllAdvanced,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$UseAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$RetrieveAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$ListAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AddAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$UpdateAccountContent,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$UpdateAccountProperties,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$InitiateCPMAccountManagementOperations,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$SpecifyNextAccountContent,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$RenameAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$DeleteAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$UnlockAccounts,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$ManageSafe,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$ManageSafeMembers,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$BackupSafe,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$ViewAuditLog,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$ViewSafeMembers,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$AccessWithoutConfirmation,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$CreateFolders,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$DeleteFolders,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$MoveAccountsAndFolders,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$RequestsAuthorizationLevel1,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Switch]$RequestsAuthorizationLevel2,

        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of valid safepermissions, refer to get-help -examples for valid inputs")]
        [hashtable]$SafePermissionHashTable,

        [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")]
        [hashtable]$InputParameters,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [hashtable]$token
    )

    Begin{
        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token
        $CommandName = $MyInvocation.MyCommand.Name
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND
    }
    Process{
        try{
            if($PSCmdlet.ParameterSetName -eq "InputParameters"){
                $KeyHash = @{
                    set1 = @{
                        AcceptableKeys = @("member","safe","searchin","AllPerms","AllAccess","AllAccountManagement","AllMonitor","AllSafeManagement","AllWorkflow","AllAdvanced","UseAccounts","RetrieveAccounts","ListAccounts","AddAccounts","UpdateAccountContent","UpdateAccountProperties","InitiateCPMAccountManagementOperations","SpecifyNextAccountContent","RenameAccounts","DeleteAccounts","UnlockAccounts","ManageSafe","ManageSafeMembers","BackupSafe","ViewAuditLog","ViewSafeMembers","AccessWithoutConfirmation","CreateFolders","DeleteFolders","MoveAccountsAndFolders","RequestsAuthorizationLevel1","RequestsAuthorizationLevel2","MemberType")
                        MandatoryKeys = @("member","safe","MemberType")
                    }
                    set2 = @{
                        AcceptableKeys = @("member","safe","searchin","MemberType","SafePermissionHashTable")
                        MandatoryKeys = @("member","safe","MemberType","SafePermissionHashTable")
                    }
                }
                $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash

                if(!$CheckSet){
                    $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC
                    Write-Verbose "FAILED TO FIND TARGET PARAMETER SET"
                    Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E
                    $examples = Write-VPASExampleHelper -CommandName $CommandName
                    return $false
                }
                else{
                    foreach($key in $InputParameters.Keys){
                        Set-Variable -Name $key -Value $InputParameters.$key
                    }
                }
            }
        }catch{
            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR
            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
            Write-Verbose "FAILED ADD SAFE MEMBER"
            Write-VPASOutput -str $_ -type E
            return $false
        }

        Write-Verbose "INITIALIZING PERMISSIONS"
        $pUseAccounts = $false
        $pRetrieveAccounts = $false
        $pListAccounts = $false
        $pAddAccounts = $false
        $pUpdateAccountContent = $false
        $pUpdateAccountProperties = $false
        $pInitiateCPMAccountManagementOperations = $false
        $pSpecifyNextAccountContent = $false
        $pRenameAccounts = $false
        $pDeleteAccounts = $false
        $pUnlockAccounts = $false
        $pManageSafe = $false
        $pManageSafeMembers = $false
        $pBackupSafe = $false
        $pViewAuditLog = $false
        $pViewSafeMembers = $false
        $pRequestsAuthorizationLevel1 = $false
        $pRequestsAuthorizationLevel2 = $false
        $pAccessWithoutConfirmation = $false
        $pCreateFolders = $false
        $pDeleteFolders = $false
        $pMoveAccountsAndFolders = $false
        $pAllPerms = $false
        $pAllAccess = $false
        $pAllAccountManagement = $false
        $pAllMonitor = $false
        $pAllWorkflow = $false
        $pAllAdvanced = $false


        Write-Verbose "INITIALIZING SET PERMISSIONS"
        $AllPermsChecked = 0
        $AllAccessChecked = 0
        $AllAccountManagementChecked = 0
        $AllMonitorChecked = 0
        $AllWorkflowChecked = 0
        $AllAdvancedChecked = 0
        $AllSafeManagementChecked = 0

        if($SafePermissionHashTable.Count -eq 0){

            #CHECKING SECTION PERMISSIONS
            Write-Verbose "CHECKING SET PERMISSIONS"
            if($AllPerms){$AllPermsChecked = 1}else{$AllPermsChecked = 0}
            if($AllAccess){$AllAccessChecked = 1}else{$AllAccessChecked = 0}
            if($AllAccountManagement){$AllAccountManagementChecked = 1}else{$AllAccountManagementChecked = 0}
            if($AllMonitor){$AllMonitorChecked = 1}else{$AllMonitorChecked = 0}
            if($AllWorkflow){$AllWorkflowChecked = 1}else{$AllWorkflowChecked = 0}
            if($AllAdvanced){$AllAdvancedChecked = 1}else{$AllAdvancedChecked = 0}
            if($AllSafeManagement){$AllSafeManagementChecked = 1}else{$AllSafeManagementChecked = 0}


            #SETTING SECTION PERMISSIONS
            if($AllPermsChecked -eq 1){
                Write-Verbose "ALL PERMISSIONS CHECKED"
                $pUseAccounts = $true
                $pRetrieveAccounts = $true
                $pListAccounts = $true
                $pAddAccounts = $true
                $pUpdateAccountContent = $true
                $pUpdateAccountProperties = $true
                $pInitiateCPMAccountManagementOperations = $true
                $pSpecifyNextAccountContent = $true
                $pRenameAccounts = $true
                $pDeleteAccounts = $true
                $pUnlockAccounts = $true
                $pManageSafe = $true
                $pManageSafeMembers = $true
                $pBackupSafe = $true
                $pViewAuditLog = $true
                $pViewSafeMembers = $true
                $pRequestsAuthorizationLevel1 = $true
                $pRequestsAuthorizationLevel2 = $false
                $pAccessWithoutConfirmation = $true
                $pCreateFolders = $true
                $pDeleteFolders = $true
                $pMoveAccountsAndFolders = $true
            }
            if($AllAccessChecked -eq 1){
                Write-Verbose "ALL ACCESS PERMISSIONS CHECKED"
                $pUseAccounts = $true
                $pRetrieveAccounts = $true
                $pListAccounts = $true
            }
            if($AllAccountManagementChecked -eq 1){
                Write-Verbose "ALL ACCOUNT MANAGEMENT PERMISSIONS CHECKED"
                $pAddAccounts = $true
                $pUpdateAccountContent = $true
                $pUpdateAccountProperties = $true
                $pInitiateCPMAccountManagementOperations = $true
                $pSpecifyNextAccountContent = $true
                $pRenameAccounts = $true
                $pDeleteAccounts = $true
                $pUnlockAccounts = $true
            }
            if($AllSafeManagementChecked -eq 1){
                Write-Verbose "ALL SAFE MANAGEMENT PERMISSIONS CHECKED"
                $pManageSafe = $true
                $pManageSafeMembers = $true
                $pBackupSafe = $true
            }
            if($AllMonitorChecked -eq 1){
                Write-Verbose "ALL MONITOR PERMISSIONS CHECKED"
                $pViewAuditLog = $true
                $pViewSafeMembers = $true
            }
            if($AllWorkflowChecked -eq 1){
                Write-Verbose "ALL WORKFLOW PERMISSIONS CHECKED"
                $pRequestsAuthorizationLevel1 = $true
                $pRequestsAuthorizationLevel2 = $false
                $pAccessWithoutConfirmation = $true
            }
            if($AllAdvancedChecked -eq 1){
                Write-Verbose "ALL ADVANCED PERMISSIONS CHECKED"
                $pCreateFolders = $true
                $pDeleteFolders = $true
                $pMoveAccountsAndFolders = $true
            }

            #CHECKING SINGLE PERMISSIONS
            if($AllPermsChecked -eq 0 -and $AllAccessChecked -eq 0){
                Write-Verbose "ANALYZING USE ACCOUNTS PERMISSION"
                if($UseAccounts){$pUseAccounts = $true}else{$pUseAccounts = $false}
                Write-Verbose "ANALYZING RETRIEVE ACCOUNTS PERMISSION"
                if($RetrieveAccounts){$pRetrieveAccounts = $true}else{$pRetrieveAccounts = $false}
                Write-Verbose "ANALYZING LIST ACCOUNTS PERMISSION"
                if($ListAccounts){$pListAccounts = $true}else{$pListAccounts = $false}
            }
            if($AllPermsChecked -eq 0 -and $AllAccountManagementChecked -eq 0){
                Write-Verbose "ANALYZING ADD ACCOUNTS PERMISSION"
                if($AddAccounts){$pAddAccounts = $true}else{$pAddAccounts = $false}
                Write-Verbose "ANALYZING UPDATE ACCOUNT CONTENT PERMISSION"
                if($UpdateAccountContent){$pUpdateAccountContent = $true}else{$pUpdateAccountContent = $false}
                Write-Verbose "ANALYZING UPDATE ACCOUNT PROPERTIES PERMISSION"
                if($UpdateAccountProperties){$pUpdateAccountProperties = $true}else{$pUpdateAccountProperties = $false}
                Write-Verbose "ANALYZING INITIATE CPM ACCOUNT MANAGEMENT OPERATIONS PERMISSION"
                if($InitiateCPMAccountManagementOperations){$pInitiateCPMAccountManagementOperations = $true}else{$pInitiateCPMAccountManagementOperations = $false}

                Write-Verbose "ANALYZING SPECIFY NEXT ACCOUNT CONTENT PERMISSION"
                if($SpecifyNextAccountContent){
                    $pSpecifyNextAccountContent = $true
                    if(!$pInitiateCPMAccountManagementOperations){
                        Write-VPASOutput -str "In order to enable `"SpecifyNextAccountContent`" permission, this command will also enable `"InitiateCPMAccountManagementOperations`" permission" -type M
                        $pInitiateCPMAccountManagementOperations = $true
                    }
                }
                else{
                    $pSpecifyNextAccountContent = $false
                }

                Write-Verbose "ANALYZING RENAME ACCOUNTS PERMISSION"
                if($RenameAccounts){$pRenameAccounts = $true}else{$pRenameAccounts = $false}
                Write-Verbose "ANALYZING DELETE ACCOUNTS PERMISSION"
                if($DeleteAccounts){$pDeleteAccounts = $true}else{$pDeleteAccounts = $false}
                Write-Verbose "ANALYZING UNLOCK ACCOUNTS PERMISSION"
                if($UnlockAccounts){$pUnlockAccounts = $true}else{$pUnlockAccounts = $false}
            }
            if($AllPermsChecked -eq 0 -and $AllSafeManagementChecked -eq 0){
                Write-Verbose "ANALYZING MANAGE SAFE PERMISSION"
                if($ManageSafe){$pManageSafe = $true}else{$pManageSafe = $false}
                Write-Verbose "ANALYZING MANAGE SAFE MEMBERS PERMISSION"
                if($ManageSafeMembers){$pManageSafeMembers = $true}else{$pManageSafeMembers = $false}
                Write-Verbose "ANALYZING BACKUP SAFE PERMISSION"
                if($BackupSafe){$pBackupSafe = $true}else{$pBackupSafe = $false}
            }
            if($AllPermsChecked -eq 0 -and $AllMonitorChecked -eq 0){
                Write-Verbose "ANALYZING VIEW AUDIT LOG PERMISSION"
                if($ViewAuditLog){$pViewAuditLog = $true}else{$pViewAuditLog = $false}
                Write-Verbose "ANALYZING VIEW SAFE MEMBERS PERMISSION"
                if($ViewSafeMembers){$pViewSafeMembers = $true}else{$pViewSafeMembers = $false}
            }
            if($AllPermsChecked -eq 0 -and $AllWorkflowChecked -eq 0){
                Write-Verbose "ANALYZING ACCESS WITHOUT CONFIRMATION PERMISSION"
                if($AccessWithoutConfirmation){$pAccessWithoutConfirmation = $true}else{$pAccessWithoutConfirmation = $false}
                Write-Verbose "ANALYZING REQUESTS AUTHORIZATION LEVEL PERMISSION"
                if($RequestsAuthorizationLevel1){$pRequestsAuthorizationLevel1 = $true}else{$pRequestsAuthorizationLevel1 = $false}
                if($RequestsAuthorizationLevel2){$pRequestsAuthorizationLevel2 = $true}else{$pRequestsAuthorizationLevel2 = $false}
                if($pRequestsAuthorizationLevel1 -and $pRequestsAuthorizationLevel2){$pRequestsAuthorizationLevel2 = $false}
            }
            if($AllPermsChecked -eq 0 -and $AllAdvancedChecked -eq 0){
                Write-Verbose "ANALYZING CREATE FOLDERS PERMISSION"
                if($CreateFolders){$pCreateFolders = $true}else{$pCreateFolders = $false}
                Write-Verbose "ANALYZING DELETE FOLDERS PERMISSION"
                if($DeleteFolders){$pDeleteFolders = $true}else{$pDeleteFolders = $false}
                Write-Verbose "ANALYZING MOVE ACCOUNTS AND FOLDERS PERMISSION"
                if($MoveAccountsAndFolders){$pMoveAccountsAndFolders = $true}else{$pMoveAccountsAndFolders = $false}
            }
        }
        else{
            $AcceptableKeys = @("useaccounts","retrieveaccounts","listaccounts","addaccounts","updateaccountcontent","updateaccountproperties","initiatecpmaccountmanagementoperations","specifynextaccountcontent","renameaccounts","deleteaccounts","unlockaccounts","managesafe","managesafemembers","backupsafe","viewauditlog","viewsafemembers","accesswithoutconfirmation","createfolders","deletefolders","moveaccountsandfolders","requestsauthorizationlevel1","requestsauthorizationlevel2")
            foreach($key in $SafePermissionHashTable.Keys){
                $tempkey = $key.toLower()
                if(!$AcceptableKeys.Contains($tempkey)){
                    $log = Write-VPASTextRecorder -inputval "UNKNOWN KEY IN SafePermissionHashTable: $key" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "PLEASE PROVIDE A HASHTABLE WITH THESE POSSIBLE KEY VALUES: useAccounts,retrieveAccounts,listAccounts,addAccounts,updateAccountContent,updateAccountProperties,initiateCPMAccountManagementOperations,specifyNextAccountContent,renameAccounts,deleteAccounts,unlockAccounts,manageSafe,manageSafeMembers,backupSafe,viewAuditLog,viewSafeMembers,accessWithoutConfirmation,createFolders,deleteFolders,moveAccountsAndFolders,requestsAuthorizationLevel1,requestsAuthorizationLevel2" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                    Write-Verbose "UNABLE TO ADD SAFE MEMBER TO SAFE"
                    Write-Verbose "UNKNOWN KEY IN SafePermissionHashTable: $key"
                    Write-VPASOutput -str "UNKNOWN KEY IN SafePermissionHashTable: $key" -type E
                    Write-VPASOutput -str "PLEASE PROVIDE A HASHTABLE WITH THESE POSSIBLE KEY VALUES: useAccounts,retrieveAccounts,listAccounts,addAccounts,updateAccountContent,updateAccountProperties,initiateCPMAccountManagementOperations,specifyNextAccountContent,renameAccounts,deleteAccounts,unlockAccounts,manageSafe,manageSafeMembers,backupSafe,viewAuditLog,viewSafeMembers,accessWithoutConfirmation,createFolders,deleteFolders,moveAccountsAndFolders,requestsAuthorizationLevel1,requestsAuthorizationLevel2" -type E
                    return $false
                }
            }

            if($SafePermissionHashTable.useAccounts){$pUseAccounts = $true}else{$pUseAccounts = $false}
            if($SafePermissionHashTable.retrieveAccounts){$pRetrieveAccounts = $true}else{$pRetrieveAccounts = $false}
            if($SafePermissionHashTable.listAccounts){$pListAccounts = $true}else{$pListAccounts = $false}
            if($SafePermissionHashTable.addAccounts){$pAddAccounts = $true}else{$pAddAccounts = $false}
            if($SafePermissionHashTable.updateAccountContent){$pUpdateAccountContent = $true}else{$pUpdateAccountContent = $false}
            if($SafePermissionHashTable.updateAccountProperties){$pUpdateAccountProperties = $true}else{$pUpdateAccountProperties = $false}
            if($SafePermissionHashTable.initiateCPMAccountManagementOperations){$pInitiateCPMAccountManagementOperations = $true}else{$pInitiateCPMAccountManagementOperations = $false}
            if($SafePermissionHashTable.specifyNextAccountContent){
                $pSpecifyNextAccountContent = $true
                if(!$pInitiateCPMAccountManagementOperations){
                    Write-VPASOutput -str "In order to enable `"SpecifyNextAccountContent`" permission, this command will also enable `"InitiateCPMAccountManagementOperations`" permission" -type M
                    $pInitiateCPMAccountManagementOperations = $true
                }
            }else{
                $pSpecifyNextAccountContent = $false
            }
            if($SafePermissionHashTable.renameAccounts){$pRenameAccounts = $true}else{$pRenameAccounts = $false}
            if($SafePermissionHashTable.deleteAccounts){$pDeleteAccounts = $true}else{$pDeleteAccounts = $false}
            if($SafePermissionHashTable.unlockAccounts){$pUnlockAccounts = $true}else{$pUnlockAccounts = $false}
            if($SafePermissionHashTable.manageSafe){$pManageSafe = $true}else{$pManageSafe = $false}
            if($SafePermissionHashTable.manageSafeMembers){$pManageSafeMembers = $true}else{$pManageSafeMembers = $false}
            if($SafePermissionHashTable.backupSafe){$pBackupSafe = $true}else{$pBackupSafe = $false}
            if($SafePermissionHashTable.viewAuditLog){$pViewAuditLog = $true}else{$pViewAuditLog = $false}
            if($SafePermissionHashTable.viewSafeMembers){$pViewSafeMembers = $true}else{$pViewSafeMembers = $false}
            if($SafePermissionHashTable.requestsAuthorizationLevel1){$pRequestsAuthorizationLevel1 = $true}else{$pRequestsAuthorizationLevel1 = $false}
            if($SafePermissionHashTable.requestsAuthorizationLevel2){$pRequestsAuthorizationLevel2 = $true}else{$pRequestsAuthorizationLevel2 = $false}
            if($SafePermissionHashTable.accessWithoutConfirmation){$pAccessWithoutConfirmation = $true}else{$pAccessWithoutConfirmation = $false}
            if($SafePermissionHashTable.createFolders){$pCreateFolders = $true}else{$pCreateFolders = $false}
            if($SafePermissionHashTable.deleteFolders){$pDeleteFolders = $true}else{$pDeleteFolders = $false}
            if($SafePermissionHashTable.moveAccountsAndFolders){$pMoveAccountsAndFolders = $true}else{$pMoveAccountsAndFolders = $false}

            if($pRequestsAuthorizationLevel1 -and $pRequestsAuthorizationLevel2){$pRequestsAuthorizationLevel2 = $false}
        }

        Write-Verbose "INITIALIZING PARAMETERS FOR API CALL"
        # Gather the individual permission flags ($p*) into the hashtable that becomes
        # the "Permissions" member of the request body built below.
        # All 22 permission keys are always included, so the request states every
        # permission explicitly rather than only the ones being enabled.
        # In the hashtable branch directly above, each $p* is normalised to $true/$false,
        # SpecifyNextAccountContent forces InitiateCPMAccountManagementOperations on, and
        # RequestsAuthorizationLevel2 is cleared when Level1 is also set.
        # NOTE(review): the other branches that assign $p* are outside this view - confirm
        # every flag is assigned on every path, since an unassigned variable would be
        # serialised as null instead of an explicit $false.
        $permissions = @{
            UseAccounts = $pUseAccounts
            RetrieveAccounts = $pRetrieveAccounts
            ListAccounts = $pListAccounts
            AddAccounts = $pAddAccounts
            UpdateAccountContent = $pUpdateAccountContent
            UpdateAccountProperties = $pUpdateAccountProperties
            InitiateCPMAccountManagementOperations = $pInitiateCPMAccountManagementOperations
            SpecifyNextAccountContent = $pSpecifyNextAccountContent
            RenameAccounts = $pRenameAccounts
            DeleteAccounts = $pDeleteAccounts
            UnlockAccounts = $pUnlockAccounts
            ManageSafe = $pManageSafe
            ManageSafeMembers = $pManageSafeMembers
            BackupSafe = $pBackupSafe
            ViewAuditLog = $pViewAuditLog
            ViewSafeMembers = $pViewSafeMembers
            AccessWithoutConfirmation = $pAccessWithoutConfirmation
            CreateFolders = $pCreateFolders
            DeleteFolders = $pDeleteFolders
            MoveAccountsAndFolders = $pMoveAccountsAndFolders
            RequestsAuthorizationLevel1 = $pRequestsAuthorizationLevel1
            RequestsAuthorizationLevel2 = $pRequestsAuthorizationLevel2
        }
        # Build the JSON request body. Both branches send MemberName and Permissions and
        # add SearchIn only when $searchin is non-empty; the $ISPSS branch additionally
        # sends memberType.
        if($ISPSS){
            if([String]::IsNullOrEmpty($MemberType)){
                # Interactive fallback: with no -MemberType the function blocks on Read-Host,
                # so unattended callers need to pass the value up front.
                # NOTE(review): the typed value is not checked against User/Group/Role in
                # these lines - presumably the API rejects anything else; confirm.
                Write-VPASOutput -str "ENTER MEMBER TYPE (User, Group, Role): " -type Y
                $MemberType = read-host
            }
            $params = @{
                MemberName = $member
                Permissions = $permissions
                memberType = $MemberType
            }
            if(![String]::IsNullOrEmpty($searchin)){
                $params += @{
                    SearchIn = $searchin
                }
            }

            # The full parameter set (member name and every permission flag) is handed to
            # the text recorder before serialisation.
            # NOTE(review): where Write-VPASTextRecorder persists this is not visible here -
            # treat its output as an audit record of who was granted what and protect it
            # accordingly.
            $log = Write-VPASTextRecorder -inputval $params -token $token -LogType PARAMS
            # $params nests only one level (Permissions), which is within ConvertTo-Json's
            # default depth, so no -Depth argument is needed.
            $params = $params | ConvertTo-Json
        }
        else{
            # Same body without memberType.
            $params = @{
                MemberName = $member
                Permissions = $permissions
            }
            if(![String]::IsNullOrEmpty($searchin)){
                $params += @{
                    SearchIn = $searchin
                }
            }
            $log = Write-VPASTextRecorder -inputval $params -token $token -LogType PARAMS
            $params = $params | ConvertTo-Json
        }

        # POST the member definition to the Safes/<safe>/Members endpoint.
        # Returns the parsed response object on success and $false on any error, so
        # callers have to test the result explicitly.
        try{
            Write-Verbose "MAKING API CALL TO CYBERARK"
            if($NoSSL){
                # With $NoSSL the request - including the Authorization header and the
                # permission grant in the body - goes over plain HTTP, readable and
                # modifiable by anything on the network path. Suitable for isolated
                # lab setups only.
                Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                $uri = "http://$PVWA/PasswordVault/api/Safes/$safe/Members"
            }
            else{
                Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                $uri = "https://$PVWA/PasswordVault/api/Safes/$safe/Members"
            }
            # NOTE(review): $PVWA and $safe are interpolated into the URI as-is in these
            # lines. If $safe is not validated or URL-encoded before this point, reserved
            # characters in a safe name (/, ?, #) would change the request path - confirm
            # against the code above this view.
            $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI
            $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD

            # The two calls differ only in -WebSession, which is passed when a session
            # object ($sessionval) is available.
            if($sessionval){
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json" -WebSession $sessionval
            }
            else{
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method POST -Body $params -ContentType "application/json"
            }
            # The complete API response is passed to the text recorder.
            $log = Write-VPASTextRecorder -inputval $response -token $token -LogType RETURN

            Write-Verbose "PARSING DATA FROM CYBERARK"
            Write-Verbose "RETURNING JSON OBJECT"
            return $response
        }catch{
            # Any failure in the block above (URI construction, logging, or the REST call)
            # lands here: the error record is logged and shown to the user, and the
            # function returns $false instead of rethrowing.
            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR
            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
            Write-Verbose "UNABLE TO ADD SAFE MEMBER TO SAFE"
            Write-VPASOutput -str $_ -type E
            return $false
        }
    }
    End{
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER
    }
}