public/Remove-VPASMemberEPVGroup.ps1
|
<#
.Synopsis DELETE MEMBER FROM EPV GROUP CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com .DESCRIPTION USE THIS FUNCTION TO DELETE A MEMBER FROM AN EPV GROUP .LINK https://vpasmodule.com/commands/Remove-VPASMemberEPVGroup .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER GroupName Target EPV group name that a user will be added to .PARAMETER GroupID Target EPV group ID that a user will be added to .PARAMETER EPVUserName Target EPVUserName that will be removed from target EPVGroup .PARAMETER WhatIf Run code simulation to see what is affected by running the command as well as any possible implications This is a code simulation flag, meaning the command will NOT actually run .PARAMETER HideWhatIfOutput Suppress any code simulation output from the console .PARAMETER InputParameters HashTable of values containing the parameters required to make the API call .EXAMPLE $WhatIfSimulation = Remove-VPASMemberEPVGroup -GroupName {GROUPNAME VALUE} -EPVUserName {USERNAME VALUE} -WhatIf .EXAMPLE $DeleteMemberEPVGroupStatus = Remove-VPASMemberEPVGroup -GroupName {GROUPNAME VALUE} -EPVUserName {USERNAME VALUE} .EXAMPLE $DeleteMemberEPVGroupStatus = Remove-VPASMemberEPVGroup -GroupID {GROUPID VALUE} -EPVUserName {USERNAME VALUE} .EXAMPLE $InputParameters = @{ GroupName = "TargetEPVGroupName" EPVUserName = "TargetEPVUser" WhatIf = $true|$false HideWhatIfOutput = $true|$false } $DeleteMemberEPVGroupStatus = Remove-VPASMemberEPVGroup -InputParameters $InputParameters .EXAMPLE $InputParameters = @{ GroupID = "22" EPVUserName = "TargetEPVUser" WhatIf = $true|$false HideWhatIfOutput = $true|$false } $DeleteMemberEPVGroupStatus = Remove-VPASMemberEPVGroup -InputParameters $InputParameters .OUTPUTS $true if successful --- $false if failed #> function Remove-VPASMemberEPVGroup{ [OutputType([bool],'System.Object')] [CmdletBinding(DefaultParameterSetName='Set1')] Param( [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Perform search on target EPVGroup via GroupName")] [String]$GroupName, [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Perform search on target EPVGroup via GroupID")] [String]$GroupID, [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter EPVUser to remove from EPVGroup")] [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter EPVUser to remove from EPVGroup")] [String]$EPVUserName, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [Switch]$WhatIf, [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)] [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)] [Switch]$HideWhatIfOutput, [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")] [hashtable]$InputParameters, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ try{ if($PSCmdlet.ParameterSetName -eq "InputParameters"){ $KeyHash = @{ set1 = @{ AcceptableKeys = @("GroupName","EPVUserName","WhatIf","HideWhatIfOutput") MandatoryKeys = @("GroupName","EPVUserName") } set2 = @{ AcceptableKeys = @("GroupID","EPVUserName","WhatIf","HideWhatIfOutput") MandatoryKeys = @("GroupID","EPVUserName") } } $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash if(!$CheckSet){ $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC Write-Verbose "FAILED TO FIND TARGET PARAMETER SET" Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E $examples = Write-VPASExampleHelper -CommandName $CommandName return $false } else{ foreach($key in $InputParameters.Keys){ Set-Variable -Name $key -Value $InputParameters.$key } } } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "FAILED TO RETRIEVE EPV GROUP" Write-VPASOutput -str $_ -type E return $false } try{ if($GroupID){ write-verbose "SUPPLIED GROUPID, SKIPPING HELPER FUNCTION" } else{ Write-Verbose "CONSTRUCTING SEARCH STRING TO QUERY CYBERARK" $searchQuery = "$GroupName" Write-Verbose "INVOKING HELPER FUNCTION TO RETRIEVE GROUPID" $GroupID = Get-VPASEPVGroupIDHelper -token $token -GroupName $GroupName } if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/api/UserGroups/$GroupID/Members/$EPVUserName/" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/api/UserGroups/$GroupID/Members/$EPVUserName/" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "DELETE" -token $token -LogType METHOD Write-Verbose "MAKING API CALL TO CYBERARK" if($WhatIf){ $log = Write-VPASTextRecorder -token $token -LogType WHATIF1 $WhatIfHash = @{} Write-Verbose "INITIATING COMMAND SIMULATION" $WhatIfInfo = Get-VPASAllEPVGroups -IncludeMembers -token $token foreach($WhatIfGroup in $WhatIfInfo.value){ $WhatIfGroupID = $WhatIfGroup.id $WhatIfGroupGroupType = $WhatIfGroup.groupType $WhatIfGroupGroupName = $WhatIfGroup.groupName $WhatIfGroupDescription = $WhatIfGroup.description $WhatIfGroupLocation = $WhatIfGroup.location $WhatIfGroupTargetUser = $false $WhatIfGroupTargetID = $false $WhatIfGroupMembers = $WhatIfGroup.members if($WhatIfGroupID -eq $GroupID){ #AFFECTED MEMBER foreach($mem in $WhatIfGroupMembers){ $targetuser = $mem.username $targetid = $mem.id if($targetuser -eq $EPVUserName){ $WhatIfGroupTargetUser = $targetuser $WhatIfGroupTargetID = $targetid } } if(!$WhatIfGroupTargetUser){ $log = Write-VPASTextRecorder -inputval "UNABLE TO FIND $EPVUserName IN GROUP ID" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC $log = Write-VPASTextRecorder -token $token -LogType WHATIF2 Write-Verbose "UNABLE TO FIND $EPVUserName IN GROUP ID...RETURNING FALSE" Write-VPASOutput "UNABLE TO FIND $EPVUserName IN GROUP ID...RETURNING FALSE" -type E return $false } #AFFECTED SAFES $WhatIfAffectedSafesCount = 0 $WhatIfAffectedSafes = @() $CheckSafes = Get-VPASAllSafes -token $token foreach($safe in $CheckSafes.value){ $CheckSafeName = $safe.safeName $CheckTargetGroup = Get-VPASSafeMemberSearch -safe $CheckSafeName -member $WhatIfGroupGroupName -token $token 6> $null if($CheckTargetGroup){ $WhatIfAffectedSafesCount += 1 $WhatIfAffectedSafes += $CheckSafeName } } #AFFECTED ACCOUNTS $WhatIfAffectedAccountsCounter = 0 $WhatIfAffectedAccounts = @() foreach($safe in $WhatIfAffectedSafes){ $miniHash = @{} $AffectedAccounts = Get-VPASAccountDetails -safe $safe -token $token -HideWarning foreach($AffectedAcct in $AffectedAccounts.value){ $AffectedAcctSafe = $AffectedAcct.safeName if($AffectedAcctSafe -eq $safe){ $WhatIfAffectedAccountsCounter += 1 $miniHash = @{ SafeName = $AffectedAcct.safeName ID = $AffectedAcct.id Address = $AffectedAcct.address Username = $AffectedAcct.userName Name = $AffectedAcct.name } $WhatIfAffectedAccounts += $miniHash } } } if(!$HideWhatIfOutput){ Write-VPASOutput -str "====== BEGIN COMMAND SIMULATION ======" -type S Write-VPASOutput -str "THE FOLLOWING EPV USER WILL BE REMOVED FROM THIS EPV GROUP:" -type S Write-VPASOutput -str "ID : $WhatIfGroupID" -type S Write-VPASOutput -str "GroupType : $WhatIfGroupGroupType" -type S Write-VPASOutput -str "GroupName : $WhatIfGroupGroupName" -type S Write-VPASOutput -str "EPVUser : $WhatIfGroupTargetUser" -type S Write-VPASOutput -str "EPVUserID : $WhatIfGroupTargetID" -type S Write-VPASOutput -str "Description : $WhatIfGroupDescription" -type S Write-VPASOutput -str "Location : $WhatIfGroupLocation" -type S Write-VPASOutput -str "NumberOfAffectedAccounts : $WhatIfAffectedAccountsCounter" -type S Write-VPASOutput -str "AffectedAccounts : $WhatIfAffectedAccounts" -type S Write-VPASOutput -str "NumberOfAffectedSafes : $WhatIfAffectedSafesCount" -type S Write-VPASOutput -str "AffectedSafes : $WhatIfAffectedSafes" -type S Write-VPASOutput -str "---" -type S Write-VPASOutput -str "URI : $uri" -type S Write-VPASOutput -str "METHOD : DELETE" -type S Write-VPASOutput -str " " -type S Write-VPASOutput -str "======= END COMMAND SIMULATION =======" -type S } $WhatIfHash = @{ WhatIf = @{ ID = $WhatIfGroupID GroupType = $WhatIfGroupGroupType EPVUser = $WhatIfGroupTargetUser EPVUserID = $WhatIfGroupTargetID GroupName = $WhatIfGroupGroupName Description = $WhatIfGroupDescription Location = $WhatIfGroupLocation NumberOfAffectedSafes = $WhatIfAffectedSafesCount AffectedSafes = $WhatIfAffectedSafes NumberOfAffectedAccounts = $WhatIfAffectedAccountsCounter AffectedAccounts = $WhatIfAffectedAccounts RestURI = $uri RestMethod = "DELETE" Disclaimer = "THIS EPV USER WILL BE REMOVED FROM THIS EPV GROUP IF -WhatIf FLAG IS REMOVED" Disclaimer2 = "THIS CODE SIMULATION DOES NOT DIG INTO NESTED GROUPS...YET..." } } $WhatIfJSON = $WhatIfHash | ConvertTo-Json | ConvertFrom-Json $log = Write-VPASTextRecorder -inputval $WhatIfJSON -token $token -LogType RETURNARRAY $log = Write-VPASTextRecorder -token $token -LogType WHATIF2 return $WhatIfJSON } } $log = Write-VPASTextRecorder -inputval "UNABLE TO FIND TARGET EPV GROUP ID" -token $token -LogType MISC $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC $log = Write-VPASTextRecorder -token $token -LogType WHATIF2 Write-Verbose "UNABLE TO FIND TARGET EPV GROUP ID...RETURNING FALSE" Write-VPASOutput "UNABLE TO FIND TARGET EPV GROUP ID" -type E return $false } else{ if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method DELETE -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method DELETE -ContentType "application/json" } $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: TRUE" -token $token -LogType MISC Write-Verbose "SUCCESSFULLY DELETED $EPVUserName FROM EPVGroup" return $true } }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO DELETE $EPVUserName FROM EPVGroup" Write-VPASOutput -str $_ -type E return $false } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |