
# Helpers
# Resolve a user reference to a user via the Safeguard Users endpoint.
# $User may be an object carrying an integer Id, an integer ID, or a name
# (optionally written as provider\name).
# NOTE(review): the braces, Param() block and try/catch/else keywords are not
# visible in this listing, and no statement that emits the matched user from
# the name branch is shown; the comments describe only the statements present.
function Resolve-SafeguardUserObject

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An object whose Id converts to int is reduced to that Id.
    if ($User.Id -as [int])
        $User = $User.Id

    # Anything that does not convert to int is treated as a name.
    # NOTE(review): a user name made only of digits converts to int and is
    # therefore handled as an ID, never looked up by name.
    if (-not ($User -as [int]))
        # NOTE(review): $User is placed between single quotes in the filter
        # without escaping, so a name containing ' alters the filter
        # expression; confirm the API's quoting rule and escape accordingly.
        $local:Filter = "Name ieq '$User'"
        # -split takes a regex; "\\" matches one literal backslash.
        $local:Pair = ($User -split "\\")
        # Exactly two parts means provider\name; both halves are interpolated
        # into the filter the same unescaped way.
        if ($local:Pair.Length -eq 2)
            $local:Filter = "IdentityProviderName ieq '$($local:Pair[0])' and Name ieq '$($local:Pair[1])'"
            # First attempt: exact, case-insensitive match through the filter parameter.
            $local:Users = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
                                -Parameters @{ filter = $local:Filter })
            # $_ and the message below suggest a catch block whose keyword is
            # not visible here.
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            # Fallback: q search with the raw $User string. Find-SafeguardUser's help
            # describes q as matching any string field containing the search text.
            $local:Users = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
                                -Parameters @{ q = $User })
        # No match is an error.
        if (-not $local:Users)
            throw "Unable to find user matching '$User'"
        # More than one match is rejected as ambiguous. After the q fallback a
        # single partial match still passes this check.
        if ($local:Users.Count -ne 1)
            throw "Found $($local:Users.Count) users matching '$User'"
        # Fetch by ID; presumably the branch taken when $User is an integer.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "Users/$User"
# Resolve a user reference (object with an integer Id, integer ID, or name,
# optionally provider\name) by querying the Safeguard Users endpoint.
# NOTE(review): the braces, Param() block and try/catch/else keywords are not
# visible in this listing, and no statement that emits the resolved ID is
# shown; the comments describe only the statements present.
function Resolve-SafeguardUserId

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # An object whose Id converts to int is reduced to that Id.
    if ($User.Id -as [int])
        $User = $User.Id

    # Non-integer input is looked up by name.
    # NOTE(review): an all-digit user name is taken as an ID here, so callers
    # that delete or edit by "name" act on the ID instead.
    if (-not ($User -as [int]))
        # NOTE(review): $User is interpolated between single quotes without
        # escaping; a name containing ' alters the filter expression.
        $local:Filter = "Name ieq '$User'"
        # "\\" is a regex for one literal backslash (provider\name form).
        $local:Pair = ($User -split "\\")
        if ($local:Pair.Length -eq 2)
            $local:Filter = "IdentityProviderName ieq '$($local:Pair[0])' and Name ieq '$($local:Pair[1])'"
            # Exact, case-insensitive lookup through the filter parameter.
            $local:Users = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
                                -Parameters @{ filter = $local:Filter })
            # $_ and the message below suggest a catch block whose keyword is
            # not visible here.
            Write-Verbose $_
            Write-Verbose "Caught exception with ieq filter, trying with q parameter"
            # Fallback: q search with the raw string, which Find-SafeguardUser's
            # help describes as a contains-match over string fields.
            $local:Users = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
                                -Parameters @{ q = $User })
        # Zero matches is an error.
        if (-not $local:Users)
            throw "Unable to find user matching '$User'"
        # Several matches are rejected. This count check is the only guard on
        # the q fallback; one partial match is accepted as the target.
        if ($local:Users.Count -ne 1)
            throw "Found $($local:Users.Count) users matching '$User'"

Get identity providers configured in Safeguard via the Web API.
Get the identity providers that have been configured in Safeguard. Based on
these identity providers you can add users that can log into Safeguard. All
users can request access to passwords or sessions based on policy. Depending
on permissions (admin roles) some users can manage different aspects of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
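Ignore verification of Safeguard appliance SSL certificate. With verification off the appliance is not authenticated, so the bearer token can be disclosed to an intercepting host; use it only where that risk is accepted, for example a lab appliance with a self-signed certificate.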
.PARAMETER ProviderToGet
An integer containing an ID or a string containing the name of the identity provider to return.
An array of the identity provider property names to return.
JSON response from Safeguard Web API.
Get-SafeguardIdentityProvider test.example.domain

# NOTE(review): the braces, Param() block and try/catch/else keywords are not
# visible in this listing; the comments describe only the statements present.
function Get-SafeguardIdentityProvider

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Query parameters; -Fields becomes a comma-joined "fields" value.
    $local:Parameters = @{}
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

    if ($PSBoundParameters.ContainsKey("ProviderToGet"))
        # A value that converts to int is used as an ID in the URL path.
        if ($ProviderToGet -as [int])
            Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "IdentityProviders/$ProviderToGet" `
                -Parameters $local:Parameters
                # Name lookup: exact, case-insensitive filter.
                # NOTE(review): $ProviderToGet is interpolated between single
                # quotes without escaping; a name containing ' alters the filter.
                $local:Parameters["filter"] = "Name ieq '$ProviderToGet'"
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
                    -Parameters $local:Parameters
                # $_ and the message below suggest a catch block whose keyword
                # is not visible here.
                Write-Verbose $_
                Write-Verbose "Caught exception with ieq filter, trying with q parameter"
                # NOTE(review): "q" is added to the same hashtable that still
                # holds the "filter" key set above, so as shown the fallback
                # request carries both; confirm the filter is meant to stay.
                $local:Parameters["q"] = $ProviderToGet
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
                    -Parameters $local:Parameters
        # No provider given: list all identity providers (presumably the else branch).
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET IdentityProviders `
            -Parameters $local:Parameters

Get authentication providers configured in Safeguard via the Web API.
Get the authentication providers that have been configured in Safeguard. Based on
these authentication providers you can configure authentication in Safeguard. All
users can request access to passwords or sessions based on policy. Depending
on permissions (admin roles) some users can manage different aspects of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
.PARAMETER ProviderToGet
An integer containing an ID or a string containing the name of the authentication provider to return.
An array of the authentication provider property names to return.
JSON response from Safeguard Web API.
Get-SafeguardAuthenticationProvider subdomain.example.domain

# NOTE(review): the braces, Param() block and try/catch/else keywords are not
# visible in this listing; the comments describe only the statements present.
function Get-SafeguardAuthenticationProvider

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Query parameters; -Fields becomes a comma-joined "fields" value.
    $local:Parameters = @{}
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

    if ($PSBoundParameters.ContainsKey("ProviderToGet"))
        # A value that converts to int is used as an ID in the URL path.
        if ($ProviderToGet -as [int])
            Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "AuthenticationProviders/$ProviderToGet" `
                -Parameters $local:Parameters
                # Name lookup: exact, case-insensitive filter.
                # NOTE(review): $ProviderToGet is interpolated between single
                # quotes without escaping; a name containing ' alters the filter.
                $local:Parameters["filter"] = "Name ieq '$ProviderToGet'"
                $local:Provider = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET AuthenticationProviders `
                                                          -Parameters $local:Parameters)
                # $_ and the message below suggest a catch block whose keyword
                # is not visible here.
                Write-Verbose $_
                Write-Verbose "Caught exception with ieq filter"
            # NOTE(review): as shown, the q search appears under "if ($local:Provider)";
            # presumably an else keyword and the statement emitting $local:Provider
            # were lost, so that q is tried only when the filter found nothing.
            if ($local:Provider)
                Write-Verbose "Trying with q parameter"
                # "q" is added to the hashtable that still holds "filter".
                $local:Parameters["q"] = $ProviderToGet
                Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET AuthenticationProviders `
                    -Parameters $local:Parameters
        # No provider given: list all authentication providers (presumably the else branch).
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET AuthenticationProviders `
            -Parameters $local:Parameters

Set authentication provider as default in Safeguard.
This cmdlet will set the specified authentication provider as the default. The login page will not display a drop down list
of all available providers. Instead, the end user will be defaulted in to using the specified provider. Only one provider
can be marked as the default at a time. When updating the specified provider, any previously set default will be cleared.
If a default provider is set and you need to log in using some other provider, like the Safeguard Local provider in order
to log in as a local administrator user, a query string parameter can be appended to the login page URL, 'primaryProviderID',
where the value is set to the 'RstsProviderId' you need.
For example, "https://<safeguard>/RSTS/Login?response_type=token&redirect_uri=https%3A%2F%2F<safeguard>%2F&primaryProviderID=local".
You cannot set a provider that is used for two-factor authentication as the default.
This functionality is only applicable to web browser based logins, not programmatic API/OAuth2 logins.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
.PARAMETER ProviderToSet
An integer containing an ID or a string containing the name of the authentication provider to set.
JSON response from Safeguard Web API.
Set-SafeguardAuthenticationProviderAsDefault "Starling"
Set-SafeguardAuthenticationProviderAsDefault "Azure AD"

# NOTE(review): the braces, Param() block and else keyword are not visible in
# this listing; the comments describe only the statements present.
function Set-SafeguardAuthenticationProviderAsDefault

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Look the provider up by ID or name through Get-SafeguardAuthenticationProvider.
    # NOTE(review): that lookup can fall back to a q search, so a single
    # partial-name match may be returned here; the Count check below rejects
    # only multiple matches. Verify the matched provider's Name before forcing
    # it as the login default if an exact match is required.
    $local:Provider = (Get-SafeguardAuthenticationProvider -Appliance $Appliance -AccessToken $AccessToken -Insecure:$Insecure -ProviderToGet $ProviderToSet)
    if ($local:Provider)
        # Refuse to act when the lookup is ambiguous.
        if ($local:Provider.Count -ne 1)
            throw "More than one authentication provider matched '$ProviderToSet'"
        # Mark the matched provider as the default by its Id.
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "AuthenticationProviders/$($local:Provider.Id)/ForceAsDefault"
        # Presumably the else branch: nothing matched.
        throw "Unable to find authentication provider '$ProviderToSet'"

Clear any authentication provider from being default in Safeguard.
This cmdlet will clear any authentication provider from being the default. This will restore the normal
provider selection behavior of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
JSON response from Safeguard Web API.

# NOTE(review): the braces and Param() block are not visible in this listing.
function Clear-SafeguardAuthenticationProviderAsDefault

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Single POST with no body; no provider is named, the endpoint clears
    # whichever default is set.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "AuthenticationProviders/ClearDefault"

Get users in Safeguard via the Web API.
Get the users that have been added to Safeguard. Users can log into Safeguard. All
users can request access to passwords or sessions based on policy. Depending
on permissions (admin roles) some users can manage different aspects of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user to return.
An array of the user property names to return.
JSON response from Safeguard Web API.
Get-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Get-SafeguardUser petrsnd -Fields IdentityProviderId,Id,Name
Get-SafeguardUser 123

# NOTE(review): the braces, Param() block and else keyword are not visible in
# this listing; the comments describe only the statements present.
function Get-SafeguardUser

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Starts as $null here (the provider getters in this file start from @{});
    # -Fields becomes a comma-joined "fields" value.
    $local:Parameters = $null
    if ($Fields)
        $local:Parameters = @{ fields = ($Fields -join ",")}

    if ($PSBoundParameters.ContainsKey("UserToGet"))
        # Resolve a name or ID to a user ID, then fetch that single user.
        $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToGet)
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "Users/$local:UserId" `
            -Parameters $local:Parameters
        # No user given: list all users (presumably the else branch).
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
            -Parameters $local:Parameters

Search for a user in Safeguard via the Web API.
Search for a user in Safeguard for any string fields containing
the SearchString.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
.PARAMETER SearchString
A string to search for in the user.
.PARAMETER QueryFilter
A string to pass to the -filter query parameter in the Safeguard Web API.
An array of the user property names to return.
An array of the user property names to order by.
JSON response from Safeguard Web API.
Find-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Find-SafeguardUser "Peterson"
Find-SafeguardUser -QueryFilter "SecondaryAuthenticationProviderId eq null" | ft Id,PrimaryAuthenticationProviderName,Name,EmailAddress

# NOTE(review): the braces, Param() block and else keyword are not visible in
# this listing; the comments describe only the statements present.
function Find-SafeguardUser

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # The "Search" parameter set sends the text as q; the second assignment is
    # presumably the else branch, sending the caller's filter expression as-is.
    if ($PSCmdlet.ParameterSetName -eq "Search")
        $local:Parameters = @{ q = $SearchString }
        $local:Parameters = @{ filter = $QueryFilter }

    # Optional projection and ordering, each comma-joined.
    if ($Fields)
        $local:Parameters["fields"] = ($Fields -join ",")
    if ($OrderBy)
        $local:Parameters["orderby"] = ($OrderBy -join ",")

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET Users `
            -Parameters $local:Parameters

Create a new user in Safeguard via the Web API.
Create a new user in Safeguard. Users can log into Safeguard. All
users can request access to passwords or sessions based on policy. Depending
on permissions (admin roles) some users can manage different aspects of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the identity provider.
A string containing the name to give to the new user. Names must be unique per identity provider.
A string containing the first name of the user. Combined with last name to form a user's DisplayName.
A string containing the last name of the user. Combined with first name to form a user's DisplayName.
.PARAMETER Description
A string containing a description for the user.
A string containing the DNS name of the domain this user is in.
.PARAMETER EmailAddress
A string containing an email address for the user.
A string containing a work phone number for the user.
.PARAMETER MobilePhone
A string containing a mobile phone number for the user.
An array of strings containing the permissions (admin roles) to assign to the members of this directory
group. You may also specify 'All' to grant all permissions. Other permissions are: 'GlobalAdmin',
'ApplicationAuditor', 'SystemAuditor', 'Auditor', 'AssetAdmin', 'ApplianceAdmin', 'PolicyAdmin', 'UserAdmin',
'HelpdeskAdmin', 'OperationsAdmin'.
SecureString containing the password.
Do not prompt for a password for the new local user.
.PARAMETER Thumbprint
String containing a SHA-1 thumbprint of certificate to use for authentication.
JSON response from Safeguard Web API.
New-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
New-SafeguardUser local petrsnd -AdminRoles 'AssetAdmin','ApplianceAdmin'

# NOTE(review): the braces, most of the Param() block and the try/catch/else
# keywords are not visible in this listing; the comments describe only the
# statements present.
function New-SafeguardUser
        # Remaining parameter declarations; the others ($Provider, $NewUserName,
        # $Password, $Thumbprint, ...) are used below but not declared in view.
        [string]$FirstName = $null,
        [string]$LastName = $null,
        [string]$Description = $null,
        [string]$DomainName = $null,
        [string]$EmailAddress = $null,
        [string]$WorkPhone = $null,
        [string]$MobilePhone = $null,
        [string[]]$AdminRoles = $null,
        [switch]$NoPassword = $false,

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Fetch all identity providers and remember the Ids of the ones named
    # "Local" and "Certificate"; later branches compare against these.
    $local:AllProviders = (Get-SafeguardIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure)
    $local:LocalProviderId = ($AllProviders | Where-Object { $_.Name -eq "Local" }).Id
    $local:CertificateProviderId = ($AllProviders | Where-Object { $_.Name -eq "Certificate" }).Id
    # Without -Provider, print the provider list and prompt for one.
    if (-not $PSBoundParameters.ContainsKey("Provider"))
        Write-Host "Identity providers:"
        Write-Host "["
        $local:AllProviders | ForEach-Object {
            Write-Host (" {0,3} - {1}" -f $_.Id,$_.Name)
        Write-Host "]"
        $Provider = (Read-Host "Select an identity provider")
    # A non-integer provider is resolved by name: identity providers first,
    # then directory identity providers; the first result's Id is used.
    if (-not ($Provider -as [int]))
        $local:ProviderResolved = (Get-SafeguardIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $Provider)[0].Id
        if (-not $local:ProviderResolved)
            $local:ProviderResolved = (Get-SafeguardDirectoryIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $Provider)[0].Id
            if (-not $local:ProviderResolved)
                throw "Unable to find identity provider that matches '$Provider'"
        # Presumably the else branch: an integer provider is used as the Id directly.
        $local:ProviderResolved = ([int]$Provider)

    # Certificate users need a thumbprint; prompt when it was not supplied.
    if ($local:ProviderResolved -eq $local:CertificateProviderId -and -not ($PSBoundParameters.ContainsKey("Thumbprint")))
        $Thumbprint = (Read-Host "Thumbprint")

    # 'All' is expanded to an explicit role list. Two lists follow, differing
    # only in 'DirectoryAdmin'; presumably an if/else on the version test.
    # NOTE(review): 'All' grants GlobalAdmin among others, and neither list
    # contains 'ApplicationAuditor' or 'SystemAuditor' named in the help text.
    if ($AdminRoles -contains "All")
        Import-Module -Name "$PSScriptRoot\sg-utilities.psm1" -Scope Local
        if (Test-SafeguardMinVersionInternal -Appliance $Appliance -Insecure:$Insecure -MinVersion "2.7")
            $AdminRoles = @('GlobalAdmin','Auditor','AssetAdmin','ApplianceAdmin','PolicyAdmin','UserAdmin','HelpdeskAdmin','OperationsAdmin')
            $AdminRoles = @('GlobalAdmin','DirectoryAdmin','Auditor','AssetAdmin','ApplianceAdmin','PolicyAdmin','UserAdmin','HelpdeskAdmin','OperationsAdmin')

    # Local user with an explicit password: validate it before creating the user.
    # NOTE(review): the SecureString is converted to a plain .NET string here.
    # Assigning "" afterwards drops the reference but cannot erase the original
    # immutable string from memory, and as shown the reset sits next to the
    # request rather than in a finally block, so it may be skipped when
    # validation throws. The argument line after "-Body `" is not visible.
    if ($local:ProviderResolved -eq $local:LocalProviderId -and $PSBoundParameters.ContainsKey("Password"))
        # Check the password complexity before creating the user so you don't end up with a user without a password
            $local:PasswordPlainText = [System.Net.NetworkCredential]::new("", $Password).Password
            Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST "Users/ValidatePassword" -Body `
            $local:PasswordPlainText = ""
            # $_ below suggests a catch block whose keyword is not visible here.
            Write-Warning "Password for the new user failed to meet requirements"
            throw $_.Exception

    # Local and certificate users: build the request body from bound parameters only.
    if ($local:ProviderResolved -eq $local:LocalProviderId -or $local:ProviderResolved -eq $local:CertificateProviderId)
        $local:Body = @{
            PrimaryAuthenticationProvider = @{ Id = $local:ProviderResolved };
            Name = $NewUserName;
            AdminRoles = $AdminRoles
        if ($PSBoundParameters.ContainsKey("FirstName")) { $local:Body.FirstName = $FirstName }
        if ($PSBoundParameters.ContainsKey("LastName")) { $local:Body.LastName = $LastName }
        if ($PSBoundParameters.ContainsKey("Description")) { $local:Body.Description = $Description }
        if ($PSBoundParameters.ContainsKey("EmailAddress")) { $local:Body.EmailAddress = $EmailAddress }
        if ($PSBoundParameters.ContainsKey("WorkPhone")) { $local:Body.WorkPhone = $WorkPhone }
        if ($PSBoundParameters.ContainsKey("MobilePhone")) { $local:Body.MobilePhone = $MobilePhone }
        # The certificate thumbprint is the authentication identity for certificate users.
        if ($local:ProviderResolved -eq $local:CertificateProviderId)
            $local:Body.PrimaryAuthenticationIdentity = $Thumbprint
        # The user is created first; the password is set in a second request.
        # If that second request fails the user already exists without a password.
        $local:NewUser = (Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST Users -Body $local:Body)
        if ($local:ProviderResolved -eq $local:LocalProviderId)
            Write-Host "Setting password for new user..."
            # Supplied password is passed on; otherwise (presumably else) the
            # password setter is called without one unless -NoPassword was given.
            if ($PSBoundParameters.ContainsKey("Password"))
                Set-SafeguardUserPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:NewUser.Id $Password
                if (-not $NoPassword)
                    Set-SafeguardUserPassword -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:NewUser.Id
        # Presumably the else branch for directory providers: derive the domain
        # name from the provider, prompting if that yields nothing.
        if (-not $PSBoundParameters.ContainsKey("DomainName"))
            Import-Module -Name "$PSScriptRoot\sg-utilities.psm1" -Scope Local
            $DomainName = (Resolve-DomainNameFromIdentityProvider -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $Provider)
        if (-not $DomainName)
            $DomainName = (Read-Host "DomainName")
        # For directory accounts, lots of attributes are mapped from the directory
        Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core POST Users -Body @{
            PrimaryAuthenticationProvider = @{ Id = $local:ProviderResolved };
            Name = $NewUserName;
            AdminRoles = $AdminRoles;
            DirectoryProperties = @{ DomainName = $DomainName }

Delete a user from Safeguard via the Web API.
Delete a user from Safeguard. The user will no longer be able to log into Safeguard.
All audit history for that user will be retained.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user to delete.
JSON response from Safeguard Web API.
Remove-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Remove-SafeguardUser petrsnd
Remove-SafeguardUser 123

# NOTE(review): the braces and Param() block are not visible in this listing.
function Remove-SafeguardUser

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt for the target when it was not passed.
    if (-not $PSBoundParameters.ContainsKey("UserToDelete"))
        $UserToDelete = (Read-Host "UserToDelete")

    # NOTE(review): the target of this destructive call comes from
    # Resolve-SafeguardUserId, which treats all-digit input as an ID and can
    # fall back to a q search where a single partial match is accepted.
    # No confirmation step is visible before the DELETE.
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToDelete)

    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "Users/$($local:UserId)"

Set the password for a user in Safeguard via the Web API.
Set the password for a user in Safeguard. This operation only works for
users from the local identity provider.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
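Ignore verification of Safeguard appliance SSL certificate. The new password is sent in the request body, so with verification off it can be disclosed to an intercepting host along with the bearer token.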
An integer containing an ID or a string containing the name of the user.
SecureString containing the password.
JSON response from Safeguard Web API.
Set-SafeguardUserPassword -AccessToken $token -Appliance <appliance-address> -Insecure
Set-SafeguardUserPassword petrsnd
Set-SafeguardUserPassword 123 $newpassword

# NOTE(review): the braces and Param() block are not visible in this listing.
function Set-SafeguardUserPassword

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt for the target user when it was not passed, then resolve it to an ID.
    if (-not $PSBoundParameters.ContainsKey("UserToEdit"))
        $UserToEdit = (Read-Host "UserToEdit")
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)
    # A missing or null password is read interactively as a SecureString.
    if (-not $PSBoundParameters.ContainsKey("Password") -or $null -eq $Password)
        $Password = (Read-Host "Password" -AsSecureString)

    # NOTE(review): the SecureString is converted to a plain .NET string, which
    # stays in process memory until collected. Unlike New-SafeguardUser, no
    # line here resets $local:PasswordPlainText after the request.
    $local:PasswordPlainText = [System.Net.NetworkCredential]::new("", $Password).Password

    # The plaintext password is the request body.
    # NOTE(review): confirm Invoke-SafeguardMethod does not write request
    # bodies to verbose or debug output; with -Insecure the TLS peer is unverified.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($local:UserId)/Password" `
        -Body $local:PasswordPlainText

Edit an existing user in Safeguard via the Web API.
Edit an existing user in Safeguard. Users can log into Safeguard. All
users can request access to passwords or sessions based on policy. Depending
on permissions (admin roles) some users can manage different aspects of Safeguard.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user.
A string containing the first name of the user. Combined with last name to form a user's DisplayName.
A string containing the last name of the user. Combined with first name to form a user's DisplayName.
.PARAMETER Description
A string containing a description for the user.
.PARAMETER EmailAddress
A string containing an email address for the user.
A string containing a work phone number for the user.
.PARAMETER MobilePhone
A string containing a mobile phone number for the user.
An array of strings containing the permissions (admin roles) to assign to the members of this directory
group. You may also specify 'All' to grant all permissions. Other permissions are: 'GlobalAdmin',
'ApplicationAuditor', 'SystemAuditor', 'Auditor', 'AssetAdmin', 'ApplianceAdmin', 'PolicyAdmin', 'UserAdmin',
'HelpdeskAdmin', 'OperationsAdmin'.
An object containing the existing user with desired properties set.
JSON response from Safeguard Web API.
Edit-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Edit-SafeguardUser petrsnd -AdminRoles 'AssetAdmin','ApplianceAdmin' -FirstName 'Dan'
Edit-SafeguardUser -UserObject $obj

# NOTE(review): the braces and most of the Param() block are not visible in
# this listing; the comments describe only the statements present.
function Edit-SafeguardUser
        # Remaining parameter declarations; $UserToEdit and $UserObject are
        # used below but not declared in view.
        [string]$FirstName = $null,
        [string]$LastName = $null,
        [string]$Description = $null,
        [string]$EmailAddress = $null,
        [string]$WorkPhone = $null,
        [string]$MobilePhone = $null,
        [string]$AuthProvider = $null,
        [string[]]$AdminRoles = $null,

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # "Object" parameter set: the caller supplies the whole user object.
    if ($PsCmdlet.ParameterSetName -eq "Object" -and -not $UserObject)
        throw "UserObject must not be null"

    # "Attributes" parameter set: resolve the target user, prompting if needed.
    if ($PsCmdlet.ParameterSetName -eq "Attributes")
        if (-not $PSBoundParameters.ContainsKey("UserToEdit"))
            $UserToEdit = (Read-Host "UserToEdit")
        $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)

    # Outside the "Object" set, fetch the current user and overwrite only the
    # properties whose parameters were bound.
    if (-not ($PsCmdlet.ParameterSetName -eq "Object"))
        $UserObject = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:UserId)

        if ($PSBoundParameters.ContainsKey("FirstName")) { $UserObject.FirstName = $FirstName }
        if ($PSBoundParameters.ContainsKey("LastName")) { $UserObject.LastName = $LastName }
        if ($PSBoundParameters.ContainsKey("Description")) { $UserObject.Description = $Description }
        if ($PSBoundParameters.ContainsKey("EmailAddress")) { $UserObject.EmailAddress = $EmailAddress }
        if ($PSBoundParameters.ContainsKey("WorkPhone")) { $UserObject.WorkPhone = $WorkPhone }
        if ($PSBoundParameters.ContainsKey("MobilePhone")) { $UserObject.MobilePhone = $MobilePhone }
        # NOTE(review): the [string] $AuthProvider is assigned to an Id property
        # as-is; it is not resolved or checked to be an integer here.
        if ($PSBoundParameters.ContainsKey("AuthProvider")) { $UserObject.PrimaryAuthenticationProviderId = $AuthProvider }

        # 'All' expands to a fixed role list that includes GlobalAdmin.
        # NOTE(review): New-SafeguardUser picks between two lists after a
        # version test ("2.7"); this function always uses the one without
        # 'DirectoryAdmin'. Confirm the difference is intended.
        if ($PSBoundParameters.ContainsKey("AdminRoles"))
            if ($AdminRoles -contains "All")
                $AdminRoles = @('GlobalAdmin','Auditor','AssetAdmin','ApplianceAdmin','PolicyAdmin','UserAdmin','HelpdeskAdmin','OperationsAdmin')
            $UserObject.AdminRoles = $AdminRoles

    # The whole object is PUT back; in the "Object" set the caller's object,
    # including its Id and AdminRoles, is sent unchanged.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($UserObject.Id)" -Body $UserObject

Enable a user in Safeguard via the Web API.
Enable a user in Safeguard. This operation only works for
users from the local and certificate identity providers.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user.
JSON response from Safeguard Web API.
Enable-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Enable-SafeguardUser petrsnd
Enable-SafeguardUser 123

# NOTE(review): the braces and Param() block are not visible in this listing.
function Enable-SafeguardUser

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt for the target when it was not passed, then resolve it to an ID.
    if (-not $PSBoundParameters.ContainsKey("UserToEdit"))
        $UserToEdit = (Read-Host "UserToEdit")
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)
    # Read-modify-write: fetch the user, clear Disabled, PUT the whole object back.
    $local:UserObject = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:UserId)
    $local:UserObject.Disabled = $false
    # $UserObject here resolves to the local variable assigned above;
    # Rename-SafeguardUser writes the same reference as $local:UserObject.Id.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($UserObject.Id)" -Body $local:UserObject

Disable a user in Safeguard via the Web API.
Disable a user in Safeguard. This operation only works for
users from the local and certificate identity providers.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user.
JSON response from Safeguard Web API.
Disable-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Disable-SafeguardUser petrsnd
Disable-SafeguardUser 123

# NOTE(review): the braces and Param() block are not visible in this listing.
function Disable-SafeguardUser

    # Standard preamble: errors terminate unless -ErrorAction was passed, and
    # the verbose preference is read through $PSCmdlet unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt for the target when it was not passed, then resolve it to an ID.
    if (-not $PSBoundParameters.ContainsKey("UserToEdit"))
        $UserToEdit = (Read-Host "UserToEdit")
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)
    # Read-modify-write: fetch the user, set Disabled, PUT the whole object back.
    $local:UserObject = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:UserId)
    $local:UserObject.Disabled = $true
    # $UserObject here resolves to the local variable assigned above;
    # Rename-SafeguardUser writes the same reference as $local:UserObject.Id.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($UserObject.Id)" -Body $local:UserObject

Rename a user in Safeguard via the Web API.
Rename a user in Safeguard. This operation only works for
users from the local and certificate identity providers.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user.
A string containing the new name for the user.
JSON response from Safeguard Web API.
Rename-SafeguardUser -AccessToken $token -Appliance <appliance-address> -Insecure
Rename-SafeguardUser petrsnd dpeterso
Rename-SafeguardUser 123 "bob jackson"

function Rename-SafeguardUser

    # Renames one user: resolve the caller's name/ID to a user ID, fetch the
    # user object, replace its Name and PUT the whole object back.
    # -Insecure is forwarded unchanged to every API call; per the help text it
    # turns off appliance certificate verification for those calls.

    # Stop on errors unless the caller passed -ErrorAction, and inherit the
    # caller's verbose preference unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Prompt interactively when no user was supplied on the command line.
    if (-not $PSBoundParameters.ContainsKey("UserToEdit"))
        $UserToEdit = (Read-Host "UserToEdit")
    # The user is resolved before the new name is requested, so an unknown
    # user fails here (errors stop by default) without prompting for a name.
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)
    # Prompt when the new name was not supplied or was supplied empty.
    if (-not $PSBoundParameters.ContainsKey("NewUserName") -or -not $NewUserName)
        $NewUserName = (Read-Host "NewUserName")

    $local:UserObject = (Get-SafeguardUser -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $local:UserId)
    $local:UserObject.Name = $NewUserName
    # NOTE(review): GET followed by a PUT of the full object; a change made to
    # the user in between is presumably overwritten - confirm how the API
    # treats concurrent edits.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($local:UserObject.Id)" -Body $local:UserObject

Get user's Preference in Safeguard via the Web API.
Get a user's Preference. UserAdmins and GlobalAdmins can use this to get the preferences of a user.
The PreferenceName parameter includes tab completion to easily specify the most common preferences.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user to get the preference from.
You may specify the user as <identityprovidername>\<username>.
.PARAMETER PreferenceName
A string of the user's Preference to return.
Common preferences are settings.myrequests.calculate_in_use, settings.myrequests.userPreviousVersion,
settings.myrequests.show_web_launch_button, and settings.myrequests.show_launch_button
JSON response from Safeguard Web API.
Get-SafeguardUserPreference petrsnd.corp\petrsnd settings.myrequests.show_launch_button
Get-SafeguardUserPreference bob.ross settings.myrequests.show_launch_button

function Get-SafeguardUserPreference
            # The next two lines look like the remains of the argument completer
            # that gives PreferenceName its tab completion (see the help text);
            # the list of names is cut off in this listing.
            Param($CommandName, $ParameterName, $WordToComplete, $CommandAst, $FakeBoundParameters)
            return @("settings.myrequests.calculate_in_use",

    # Reads one named preference of one user with a GET on
    # Users/<id>/Preferences/<name>.

    # Stop on errors unless the caller passed -ErrorAction, and inherit the
    # caller's verbose preference unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Accepts an ID or a name (optionally <identityprovidername>\<username>).
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToGet)

    # NOTE(review): PreferenceName is placed in the URL path as given. A name
    # containing "/", "?" or "#" would address a different resource; consider
    # [uri]::EscapeDataString($PreferenceName) unless Invoke-SafeguardMethod
    # already encodes the path - confirm.
    # NOTE(review): $local:Parameters is not assigned anywhere in the visible
    # lines, so it is presumably $null here.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core GET "Users/$($local:UserId)/Preferences/$($local:PreferenceName)" -Parameters $local:Parameters

Set a Preference for a user in Safeguard via the Web API.
Set the Preference for a user in Safeguard. This operation only works for
users from the local identity provider. The PreferenceName parameter includes
tab completion to easily specify the most common preferences.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user to update.
You may specify the user as <identityprovidername>\<username>.
.PARAMETER PreferenceName
A string of the user's Preference to set.
Common preferences are settings.myrequests.calculate_in_use, settings.myrequests.userPreviousVersion,
settings.myrequests.show_web_launch_button, and settings.myrequests.show_launch_button
.PARAMETER PreferenceValue
A string of the value to set a user's Preference to.
JSON response from Safeguard Web API.
Set-SafeguardUserPreference petrsnd.corp\petrsnd settings.myrequests.show_launch_button true
Set-SafeguardUserPreference bob.ross settings.myrequests.show_launch_button false

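function Set-SafeguardUserPreference
            # The next two lines look like the remains of the argument completer
            # that gives PreferenceName its tab completion (see the help text);
            # the list of names is cut off in this listing.
            Param($CommandName, $ParameterName, $WordToComplete, $CommandAst, $FakeBoundParameters)
            return @("settings.myrequests.calculate_in_use",

    # Sets one named preference of one user with a PUT on
    # Users/<id>/Preferences/<name>; the body carries the name and the value.

    # Stop on errors unless the caller passed -ErrorAction, and inherit the
    # caller's verbose preference unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Accepts an ID or a name (optionally <identityprovidername>\<username>).
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)

    if (-not $PSBoundParameters.ContainsKey("PreferenceValue"))
        # Prompt in plain text. The value goes straight into the request body,
        # and a SecureString (what -AsSecureString returns) does not turn back
        # into the typed text when stringified or serialized, so the prompted
        # value would not be the one stored.
        $PreferenceValue = (Read-Host "PreferenceValue")
    $local:Body = @{
        "Name" = $PreferenceName;
        "Value" = $PreferenceValue;

    # NOTE(review): PreferenceName is placed in the URL path as given. A name
    # containing "/", "?" or "#" would address a different resource; consider
    # [uri]::EscapeDataString($PreferenceName) unless Invoke-SafeguardMethod
    # already encodes the path - confirm.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core PUT "Users/$($local:UserId)/Preferences/$($local:PreferenceName)" -Body $local:Body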

Delete a Preference from a user in Safeguard via the Web API.
Delete a Preference from a user in Safeguard. The user will no longer have that Preference.
All audit history for that Preference will be retained. The PreferenceName parameter includes
tab completion to easily specify the most common preferences.
.PARAMETER Appliance
IP address or hostname of a Safeguard appliance.
.PARAMETER AccessToken
A string containing the bearer token to be used with Safeguard Web API.
Ignore verification of Safeguard appliance SSL certificate.
An integer containing an ID or a string containing the name of the user to delete a preference from.
You may specify the user as <identityprovidername>\<username>.
.PARAMETER PreferenceName
A string of the user's Preference to delete.
Common preferences are settings.myrequests.calculate_in_use, settings.myrequests.userPreviousVersion,
settings.myrequests.show_web_launch_button, and settings.myrequests.show_launch_button
JSON response from Safeguard Web API.
Remove-SafeguardUserPreference bob.ross settings.myrequests.show_launch_button
Remove-SafeguardUserPreference petrsnd.corp\petrsnd settings.myrequests.show_launch_button

function Remove-SafeguardUserPreference
            # The next two lines look like the remains of the argument completer
            # that gives PreferenceName its tab completion (see the help text);
            # the list of names is cut off in this listing.
            Param($CommandName, $ParameterName, $WordToComplete, $CommandAst, $FakeBoundParameters)
            return @("settings.myrequests.calculate_in_use",

    # Deletes one named preference of one user with a DELETE on
    # Users/<id>/Preferences/<name>. No confirmation prompt is visible in
    # these lines.

    # Stop on errors unless the caller passed -ErrorAction, and inherit the
    # caller's verbose preference unless -Verbose was passed.
    if (-not $PSBoundParameters.ContainsKey("ErrorAction")) { $ErrorActionPreference = "Stop" }
    if (-not $PSBoundParameters.ContainsKey("Verbose")) { $VerbosePreference = $PSCmdlet.GetVariableValue("VerbosePreference") }

    # Accepts an ID or a name (optionally <identityprovidername>\<username>).
    $local:UserId = (Resolve-SafeguardUserId -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure $UserToEdit)

    # NOTE(review): PreferenceName is placed in the URL path as given. A name
    # containing "/", "?" or "#" would address a different resource, which
    # matters most for a DELETE; consider
    # [uri]::EscapeDataString($PreferenceName) unless Invoke-SafeguardMethod
    # already encodes the path - confirm.
    Invoke-SafeguardMethod -AccessToken $AccessToken -Appliance $Appliance -Insecure:$Insecure Core DELETE "Users/$($local:UserId)/Preferences/$($local:PreferenceName)"