public/Add-VPASAccountRequest.ps1
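<#
.Synopsis
   CREATE A NEW ACCOUNT REQUEST
   CREATED BY: Vadim Melamed, EMAIL: vpasmodule@gmail.com
.DESCRIPTION
   USE THIS FUNCTION TO CREATE A NEW ACCOUNT REQUEST THAT UTILIZES DUAL CONTROL
.LINK
   https://vpasmodule.com/commands/Add-VPASAccountRequest
.PARAMETER token
   HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc).
   If -token is not passed, function will use last known hashtable generated by New-VPASToken
.PARAMETER safe
   Safe name that will be used to query for the target account if no AcctID is passed
.PARAMETER username
   Username that will be used to query for the target account if no AcctID is passed
.PARAMETER platform
   PlatformID that will be used to query for the target account if no AcctID is passed
.PARAMETER address
   Address that will be used to query for the target account if no AcctID is passed
.PARAMETER AcctID
   Unique ID that maps to a single account, passing this variable will skip any query functions
.PARAMETER Reason
   Purpose for opening this account request
.PARAMETER MultipleAccess
   MultipleAccess type request gives the ability to use the account multiple times within a requested time frame
.PARAMETER FromDateTime
   Start of the date range for the account request
   Value should follow this format: MM/dd/yyyy HH:mm:ss
   Must be supplied together with ToDateTime; a one-sided window is rejected rather than silently dropped
.PARAMETER ToDateTime
   End of the date range for the account request
   Value should follow this format: MM/dd/yyyy HH:mm:ss
   Must be supplied together with FromDateTime and must be later than FromDateTime
.PARAMETER UseConnect
   Gives this account request the ability to connect via PSM if approved
.PARAMETER ConnectionComponent
   Specify the connection component that will be used if UseConnect is enabled
   Example value: PSM-RDP, PSM-SSH, PSM-vSphere
.PARAMETER Hostname
   Specify the hostname that will be connected to if the account request is for a domain account
   This value will populate the PSMRemoteMachine parameter
.PARAMETER InputParameters
   HashTable of values containing the parameters required to make the API call
.EXAMPLE
   $AddAccountRequestJSON = Add-VPASAccountRequest -AcctID {ACCTID VALUE} -Reason {REASON VALUE} -MultipleAccess -FromDateTime "03/12/2024 9:00:00" -ToDateTime "03/12/2024 13:00:00" -UseConnect -ConnectionComponent PSM-RDP
.EXAMPLE
   $AddAccountRequestJSON = Add-VPASAccountRequest -safe {SAFE VALUE} -username {USERNAME VALUE} -address {ADDRESS VALUE} -Reason {REASON VALUE}
.EXAMPLE
   $InputParameters = @{
     safe = "TargetAcctSafe"
     username = "TargetAcctUsername"
     address = "TargetAcctAddress"
     Reason = "Reason for requesting account"
   }
   $AddAccountRequestJSON = Add-VPASAccountRequest -InputParameters $InputParameters
.EXAMPLE
   $InputParameters = @{
     AcctID = "120_3"
     Reason = "Reason for requesting account"
     MultipleAccess = $true|$false
     UseConnect = $true|$false
     ConnectionComponent = "PSM-RDP"
     Hostname = "ServerHere.vman.com"
   }
   $AddAccountRequestJSON = Add-VPASAccountRequest -InputParameters $InputParameters
.OUTPUTS
   If successful:
   {
     "RequestID": "VPASRequestSafe_19",
     "SafeName": "VPASRequestSafe",
     "RequestorUserName": "vadim@vman.com",
     "RequestorReason": "(ConnectionClient=PSM-RDP) Testing Account Request",
     "UserReason": "Testing Account Request",
     "CreationDate": 1723776151,
     "Operation": "Connect to VPASDualControl-DomainAdmin011-vman.com",
     "ExpirationDate": 1726368151,
     "OperationType": 4,
     "AccessType": "ManyTimes",
     "ConfirmationsLeft": 1,
     "AccessFrom": 1723813200,
     "AccessTo": 1723827600,
     "Status": 1,
     "StatusTitle": "Waiting: 1 more user(s) must confirm the request",
     "InvalidRequestReason": 0,
     "CurrentConfirmationLevel": 1,
     "RequiredConfirmersCountLevel2": 1,
     "TicketingSystemProperties": {
       "Name": null,
       "Number": null,
       "Status": null
     },
     "AdditionalInfo": {
     },
     "AccountDetails": {
       "AccountID": "120_3",
       "Properties": {
         "Address": "vman.com",
         "Safe": "VPASRequestSafe",
         "Folder": "Root",
         "Name": "Operating System-VPASDualControl-vman.com-DomainAdmin01",
         "PolicyID": "VPASDualControl",
         "PlatformName": "VPASDualControl",
         "DeviceType": "Operating System",
         "LastModifiedDate": "1715222718000",
         "LastModifiedBy": "vadim@vman.pam",
         "LastUsedDate": "1715222731000",
         "LastUsedBy": "vadim@vman.com",
         "UserName": "DomainAdmin011",
         "LockedBy": "",
         "CPMDisabled": "",
         "CPMStatus": "NoAction",
         "ManagedByCPM": "True",
         "DeletedBy": "",
         "DeletionDate": "0",
         "ImmediateCPMTask": "NoTask",
         "LastCPMTask": "NoTask",
         "CreationDate": "1715222718",
         "IsSSHKey": "False",
         "IsIrregularPlatform": "False",
         "CreationMethod": "PVWA"
       }
     },
     "Confirmers": [
       {
         "Type": 1,
         "ID": 41,
         "Name": "vadim@vman.com",
         "Action": 2,
         "Reason": "",
         "ActionDate": 0,
         "AdditionalDetails": "@{fullname=Vadim Melamed; email=vadim@vman.com; phone=1234567890}",
         "Members": null
       }
     ]
   }
   ---
   $false if failed
#>
function Add-VPASAccountRequest{
    # NOTE(review): on success this returns the request object from the API (see .OUTPUTS),
    # not a bool; the [bool] OutputType is kept as-is so existing callers/tooling are unaffected.
    [OutputType([bool])]
    [CmdletBinding(DefaultParameterSetName='Set1')]
    Param(
        # Set1: locate the account by its properties; Set2: address it directly by AccountID.
        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [String]$safe,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [String]$platform,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [String]$username,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [String]$address,

        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Unique AccountID of the target account (for example: 22_123)")]
        [String]$AcctID,

        [Parameter(Mandatory=$true,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter reason for requesting the account (for example: I need this account to access the database to view the transaction logs)")]
        [Parameter(Mandatory=$true,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true,HelpMessage="Enter reason for requesting the account (for example: I need this account to access the database to view the transaction logs)")]
        [String]$Reason,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [Switch]$MultipleAccess,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [String]$FromDateTime,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [String]$ToDateTime,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [switch]$UseConnect,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [String]$ConnectionComponent,

        [Parameter(Mandatory=$false,ParameterSetName='Set1',ValueFromPipelineByPropertyName=$true)]
        [Parameter(Mandatory=$false,ParameterSetName='Set2',ValueFromPipelineByPropertyName=$true)]
        [String]$Hostname,

        # Alternative to the named parameters above: a hashtable holding either Set1 or Set2 keys.
        [Parameter(Mandatory=$true,ParameterSetName='InputParameters',ValueFromPipelineByPropertyName=$true,HelpMessage="Hashtable of parameters required to make API call, refer to get-help -examples for valid inputs")]
        [hashtable]$InputParameters,

        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [hashtable]$token
    )

    Begin{
        # Unpack the session produced by New-VPASToken (or the last known one when -token is omitted).
        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain,$EnableTroubleshooting = Get-VPASSession -token $token
        $CommandName = $MyInvocation.MyCommand.Name
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND
    }

    Process{
        # --- Phase 1: map an -InputParameters hashtable onto the named parameters ---------------
        try{
            if($PSCmdlet.ParameterSetName -eq "InputParameters"){
                $KeyHash = @{
                    set1 = @{
                        AcceptableKeys = @("safe","platform","username","address","Reason","MultipleAccess","FromDateTime","ToDateTime","UseConnect","ConnectionComponent","Hostname")
                        MandatoryKeys  = @("Reason")
                    }
                    set2 = @{
                        AcceptableKeys = @("AcctID","Reason","MultipleAccess","FromDateTime","ToDateTime","UseConnect","ConnectionComponent","Hostname")
                        MandatoryKeys  = @("AcctID","Reason")
                    }
                }
                $CheckSet = Test-VPASHashtableKeysHelper -InputHash $InputParameters -KeyHash $KeyHash
                if(!$CheckSet){
                    $log = Write-VPASTextRecorder -inputval "FAILED TO FIND TARGET PARAMETER SET" -token $token -LogType MISC
                    Write-Verbose "FAILED TO FIND TARGET PARAMETER SET"
                    Write-VPASOutput -str "FAILED TO FIND TARGET PARAMETER SET...VIEW EXAMPLES BELOW:" -type E
                    $examples = Write-VPASExampleHelper -CommandName $CommandName
                    return $false
                }
                else{
                    # Hardening: only keys from the documented parameter sets are ever turned into
                    # variables. Whether Test-VPASHashtableKeysHelper itself rejects unknown keys is
                    # not visible here (TODO confirm); without this allow-list an unexpected key such as
                    # "Header" or "PVWA" would clobber the session values unpacked in Begin.
                    $AllowedKeys = @($KeyHash.set1.AcceptableKeys) + @($KeyHash.set2.AcceptableKeys)
                    foreach($key in $InputParameters.Keys){
                        if($AllowedKeys -contains $key){
                            Set-Variable -Name $key -Value $InputParameters.$key
                        }
                        else{
                            Write-Verbose "IGNORING UNSUPPORTED INPUT PARAMETER KEY: $key"
                        }
                    }
                }
            }
        }catch{
            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR
            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
            Write-Verbose "FAILED TO CREATE ACCOUNT REQUEST"
            Write-VPASOutput -str $_ -type E
            return $false
        }

        # --- Phase 2: build the request body and POST it -----------------------------------------
        try{
            $params = @{}

            # Resolve the AccountID: use the caller's value, or look it up from safe/platform/username/address.
            if([String]::IsNullOrEmpty($AcctID)){
                Write-Verbose "NO ACCTID SUPPLIED, INVOKING ACCTID HELPER"
                $AcctID = Get-VPASAccountIDHelper -token $token -safe $safe -platform $platform -username $username -address $address
                # The helper's failure sentinel is not visible in this file (TODO confirm); the
                # original code posted whatever came back, so a failed lookup turned into a request
                # for accountId "" or "False". Treat empty/false/-1 as "no account found" instead.
                if((-not $AcctID) -or ("$AcctID" -eq "-1")){
                    $log = Write-VPASTextRecorder -inputval "UNABLE TO RESOLVE TARGET ACCTID FROM SUPPLIED SAFE/PLATFORM/USERNAME/ADDRESS" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                    Write-Verbose "UNABLE TO RESOLVE TARGET ACCTID...RETURNING FALSE"
                    Write-VPASOutput -str "UNABLE TO RESOLVE TARGET ACCTID FROM SUPPLIED SAFE/PLATFORM/USERNAME/ADDRESS...RETURNING FALSE" -type E
                    return $false
                }
            }
            else{
                Write-Verbose "ACCTID SUPPLIED, SKIPPING ACCOUNTID HELPER"
            }
            Write-Verbose "ADDING ACCTID: $AcctID TO API PARAMETERS"
            $params += @{accountId = "$AcctID"}

            # Optional access window. Both ends are required: a one-sided window used to be silently
            # discarded, which produced a request without the time bound the caller asked for.
            $HasFrom = -not [String]::IsNullOrEmpty($FromDateTime)
            $HasTo   = -not [String]::IsNullOrEmpty($ToDateTime)
            if($HasFrom -xor $HasTo){
                $log = Write-VPASTextRecorder -inputval "FromDateTime AND ToDateTime MUST BE SUPPLIED TOGETHER" -token $token -LogType MISC
                $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                Write-Verbose "FromDateTime AND ToDateTime MUST BE SUPPLIED TOGETHER...RETURNING FALSE"
                Write-VPASOutput -str "FromDateTime AND ToDateTime MUST BE SUPPLIED TOGETHER...RETURNING FALSE" -type E
                return $false
            }
            if($HasFrom -and $HasTo){
                # "-as [DateTime]" yields $null on a parse failure (culture-dependent parse, as before).
                $FromDateTimeObj = $FromDateTime -as [DateTime]
                if(!$FromDateTimeObj){
                    $log = Write-VPASTextRecorder -inputval "INVALID FromTime, SHOULD BE - MM/dd/yyyy HH:mm:ss" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                    write-verbose "INVALID FromTime, SHOULD BE - MM/dd/yyyy HH:mm:ss...RETURNING FALSE"
                    Write-VPASOutput -str "INVALID FromTime, SHOULD BE - MM/dd/yyyy HH:mm:ss...RETURNING FALSE" -type E
                    return $false
                }
                $ToDateTimeObj = $ToDateTime -as [DateTime]
                if(!$ToDateTimeObj){
                    $log = Write-VPASTextRecorder -inputval "INVALID ToTime, SHOULD BE - MM/dd/yyyy HH:mm:ss" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                    write-verbose "INVALID ToTime, SHOULD BE - MM/dd/yyyy HH:mm:ss...RETURNING FALSE"
                    Write-VPASOutput -str "INVALID ToTime, SHOULD BE - MM/dd/yyyy HH:mm:ss...RETURNING FALSE" -type E
                    return $false
                }
                # Reject an inverted window locally rather than relying on the server to do so.
                if($ToDateTimeObj -le $FromDateTimeObj){
                    $log = Write-VPASTextRecorder -inputval "ToDateTime MUST BE LATER THAN FromDateTime" -token $token -LogType MISC
                    $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
                    Write-Verbose "ToDateTime MUST BE LATER THAN FromDateTime...RETURNING FALSE"
                    Write-VPASOutput -str "ToDateTime MUST BE LATER THAN FromDateTime...RETURNING FALSE" -type E
                    return $false
                }
                # Unix epoch seconds via DateTimeOffset: deterministic UTC arithmetic and a 64-bit
                # result, instead of "Get-Date -UFormat %s" (whose output format/precision differs
                # between PowerShell editions) narrowed to [int].
                $FromTimeEpoch = [int64]([DateTimeOffset]::new($FromDateTimeObj.ToUniversalTime()).ToUnixTimeSeconds())
                $ToTimeEpoch   = [int64]([DateTimeOffset]::new($ToDateTimeObj.ToUniversalTime()).ToUnixTimeSeconds())
                $params += @{FromDate = $FromTimeEpoch}
                $params += @{ToDate   = $ToTimeEpoch}
            }

            # Remaining request attributes; switches are only emitted when set.
            $params += @{ reason = "$Reason" }
            if($MultipleAccess){
                $params += @{MultipleAccessRequired = $true}
            }
            if($UseConnect){
                $params += @{UseConnect = $true}
            }
            if(![String]::IsNullOrEmpty($ConnectionComponent)){
                $params += @{ConnectionComponent = $ConnectionComponent}
            }
            $connectionparams = @{}
            if(![String]::IsNullOrEmpty($Hostname)){
                $connectionparams += @{ PSMRemoteMachine = @{ value = $Hostname } }
            }
            $params += @{ ConnectionParams = $connectionparams }

            $log = Write-VPASTextRecorder -inputval $params -token $token -LogType PARAMS
            # ConnectionParams.PSMRemoteMachine.value sits three levels deep; an explicit -Depth
            # keeps ConvertTo-Json from ever flattening it to a type name if the shape grows.
            $body = $params | ConvertTo-Json -Depth 5

            # NOTE(security): with NoSSL the Authorization header (the session token) travels in
            # clear text over HTTP; this flag should only ever be used against a lab/loopback PVWA.
            if($NoSSL){
                Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                $uri = "http://$PVWA/PasswordVault/API/MyRequests"
            }
            else{
                Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                $uri = "https://$PVWA/PasswordVault/API/MyRequests"
            }
            $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI
            $log = Write-VPASTextRecorder -inputval "POST" -token $token -LogType METHOD
            write-verbose "MAKING API CALL TO CYBERARK"

            # Single call site; the existing web session is attached only when one was established.
            $RestArgs = @{
                Headers     = @{"Authorization"=$Header}
                Uri         = $uri
                Method      = "POST"
                Body        = $body
                ContentType = "application/json"
            }
            if($sessionval){
                $RestArgs.WebSession = $sessionval
            }
            $response = Invoke-RestMethod @RestArgs

            $outputlog = $response
            $log = Write-VPASTextRecorder -inputval $outputlog -token $token -LogType RETURN
            Write-Verbose "RETURNING REQUEST DETAILS"
            return $response
        }catch{
            $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR
            $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC
            Write-Verbose "UNABLE TO CREATE AN APPROVAL REQUEST"
            Write-VPASOutput -str $_ -type E
            return $false
        }
    }

    End{
        $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER
    }
}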