psPAS

PowerShell Module for CyberArk Privileged Account Security

Use PowerShell to manage CyberArk via the Web Services REST API.

Contains all published methods of the API up to CyberArk v10.5.



Usage

It all starts with a Logon

New-PASSession

The output of New-PASSession can be used as input for subsequent commands.

In the below examples, the $token variable contains the values for the
sessionToken & baseURI parameters, which are mandatory for all functions.

Get-PASAccount

Use the pipeline to allow multiple successive commands to be executed.
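
The logon-then-pipeline pattern described above, as an added example (not taken from the psPAS repository). The PVWA address and search values are placeholders, and the parameter names shown are assumptions to confirm with Get-Help against the installed module version.

```powershell
# Added example, not from the psPAS repository.
# Assumptions: the PVWA address and search values are placeholders; confirm
# the parameter names (-Credential, -BaseURI, -Keywords, -Safe) with Get-Help
# for the psPAS version you have installed.
Import-Module psPAS

$BaseURI = 'https://pvwa.example.com'   # placeholder PVWA address

# Prompt for the vault user. The password stays in a SecureString and is
# never written into the script or the console history.
$cred = Get-Credential -Message 'CyberArk vault user'

$token = $null
try {
    # Logon: the returned object carries the sessionToken and baseURI values.
    # Treat it like a password; do not write it to logs or transcripts.
    $token = New-PASSession -Credential $cred -BaseURI $BaseURI -ErrorAction Stop

    # Pipe the session object into later commands. Its properties bind to the
    # mandatory sessionToken and baseURI parameters by name.
    $account = $token | Get-PASAccount -Keywords 'root' -Safe 'UNIX-Safe' -ErrorAction Stop
    $account | Format-List
}
finally {
    # Always log off, even if a command above failed, so that no
    # authenticated vault session is left open.
    if ($token) { $token | Close-PASSession }
}
```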

Save time on repetitive support tasks...

Unlock Users:

Unblock-PASUser

Add Users as Group Members:

Add-PASGroupMember

Streamline your safe creation process...

Add-PASSafe

Achieve consistent safe permissions...

Add-PASSafeMember

Enact changes across multiple safes, with speed...

Set-PASSafeMember

Set-PASSafe

Onboard a User Account...

Add-PASAccount

Onboard User Accounts, in bulk...

Check-In locked accounts...

Unlock-PASAccount

Make changes to multiple managed accounts...

Set-PASAccount

See the module in action in the below "CyberArk REST API: From Start-to-Finish" video:

YouTube Demo

Module Functions

Your version of CyberArk determines which functions of psPAS will be supported.

Check the below table to determine what is available for you to use.

The CyberArk Version listed is the minimum required to use the function.

The module will attempt to confirm that your version of CyberArk meets the minimum version requirement (if you are using version 9.7+, and the function being invoked requires version 9.8+).

Function Name                              CyberArk Version  Description
New-PASSession                             9.0               Authenticates a user to CyberArk Vault
Close-PASSession                           9.0               Logoff from CyberArk Vault.
New-PASSAMLSession                         9.7               Authenticates a user to CyberArk Vault using SAML
Close-PASSAMLSession                       9.7               Logoff from CyberArk Vault SAML Session.
New-PASSharedSession                       9.7               Authenticates a user to CyberArk Vault.
Close-PASSharedSession                     9.7               Logoff from CyberArk Vault shared user.
Add-PASPublicSSHKey                        9.6               Adds an authorised public SSH key for a specific user in the Vault.
Get-PASPublicSSHKey                        9.6               Retrieves a user's SSH Keys.
Remove-PASPublicSSHKey                     9.6               Deletes a specific Public SSH Key from a specific vault user
Add-PASAccountACL                          9.0               Adds a new privileged command rule to an account.
Get-PASAccountACL                          9.0               Lists privileged commands rule for an account
Remove-PASAccountACL                       9.0               Deletes privileged commands rule from an account
Add-PASAccountGroupMember                  9.95              Adds an account as a member of an account group.
Get-PASAccountGroup                        9.10              Returns all the account groups in a specific Safe.
Get-PASAccountGroupMember                  9.10              Returns all the members of a specific account group.
New-PASAccountGroup                        9.95              Adds a new account group to the Vault
Remove-PASAccountGroupMember               9.10              Deletes a member of an account group
Add-PASAccount                             9.0               Adds a new privileged account to the Vault
Add-PASPendingAccount                      9.7               Adds discovered account or SSH key as a pending account in the accounts feed.
Get-PASAccount                             9.3               Returns information about accounts.
Get-PASAccountActivity                     9.7               Returns activities for an account.
Get-PASAccountPassword                     9.7               Returns password for an account.
Invoke-PASCredChange                       9.10              Initiate CPM password change to new random or specified value.
Invoke-PASCredReconcile                    9.10              Initiates password reconcile by the CPM to a new random password.
Invoke-PASCredVerify                       9.10              Marks account for immediate verification by the CPM.
Remove-PASAccount                          9.3               Deletes an account
Set-PASAccount                             9.5               Updates an existing account's details.
Start-PASCredChange                        9.3               Initiates an immediate password change by the CPM to a new random password.
Start-PASCredVerify                        9.7               Marks account for immediate verification by the CPM
Unlock-PASAccount                          9.10              Checks in an exclusive account in to the Vault.
Add-PASApplication                         9.1               Adds a new application to the Vault
Add-PASApplicationAuthenticationMethod     9.1               Adds an authentication method to an application.
Get-PASApplication                         9.1               Returns details of applications in the Vault
Get-PASApplicationAuthenticationMethod     9.1               Returns all of the authentication methods of a specific application.
Remove-PASApplication                      9.1               Deletes an application
Remove-PASApplicationAuthenticationMethod  9.1               Deletes an authentication method from an application
Import-PASConnectionComponent              10.3              Imports a Connection Component
Get-PASPSMConnectionParameter              9.10              Get required parameters to connect through PSM
Get-PASPSMRecording                        9.10              Get details of PSM Recording
Get-PASPSMSession                          9.10              Get details of Live PSM Sessions
Resume-PASPSMSession                       10.2              Resumes a Suspended PSM Session.
Stop-PASPSMSession                         10.1              Terminates a Live PSM Session.
Suspend-PASPSMSession                      10.2              Suspends a Live PSM Session.
Get-PASOnboardingRule                      9.7               Gets all automatic on-boarding rules
New-PASOnboardingRule                      9.7               Adds a new on-boarding rule to the Vault
Remove-PASOnboardingRule                   9.7               Deletes an automatic on-boarding rule
Get-PASPlatform                            9.10              Retrieves details of a specified platform from the Vault.
Import-PASPlatform                         10.2              Import a new platform
Export-PASPlatform                         10.4              Export a platform
Add-PASPolicyACL                           9.0               Adds a new privileged command rule
Get-PASPolicyACL                           9.0               Lists OPM Rules for a policy
Remove-PASPolicyACL                        9.0               Delete all privileged commands on policy
Approve-PASRequest                         9.10              Confirm a single request
Deny-PASRequest                            9.10              Reject a single request
Get-PASRequest                             9.10              List requests
Get-PASRequestDetail                       9.10              Get request details
New-PASRequest                             9.10              Creates an access request for a specific account
Remove-PASRequest                          9.10              Deletes a request from the Vault
Add-PASSafeMember                          9.3               Adds a Safe Member to a safe
Get-PASSafeMember                          9.7               Lists the members of a Safe
Remove-PASSafeMember                       9.3               Removes a member from a safe
Set-PASSafeMember                          9.3               Updates a Safe Member's Permissions
Add-PASSafe                                9.2               Adds a new safe to the Vault
Get-PASSafe                                9.7               Returns safe details from the vault.
Remove-PASSafe                             9.3               Deletes a safe from the Vault
Set-PASSafe                                9.3               Updates a safe in the Vault
Get-PASSafeShareLogo                       9.7               Returns details of SafeShare Logo
Get-PASServer                              9.7               Returns details of the Web Service Server
Get-PASServerWebService                    9.7               Returns details of the Web Service
Get-PASComponentDetail                     10.1              Returns details & health information about CyberArk component instances.
Get-PASComponentSummary                    10.1              Returns consolidated information about CyberArk Components.
Add-PASGroupMember                         9.7               Adds a vault user as a group member
Get-PASLoggedOnUser                        9.7               Returns details of the logged on user
Get-PASUserLoginInfo                       10.4              Returns login details of the current user
Get-PASUser                                9.7               Returns details of a user
New-PASUser                                9.7               Creates a new vault user
Remove-PASUser                             9.7               Deletes a vault user
Set-PASUser                                9.7               Updates a vault user
Unblock-PASUser                            9.7               Activates a suspended user
Get-PASDirectory                           10.4              Get configured LDAP directories
Add-PASDirectory                           10.4              Add a new LDAP directory
Add-PASDirectoryMapping                    10.4              Add a new LDAP directory mapping
Add-PASPTARule                             10.4              Add a new Risky Command rule to PTA
Get-PASPTAEvent                            10.3              Get security events from PTA
Get-PASPTARemediation                      10.4              Get automatic response config from PTA
Get-PASPTARule                             10.4              List all new Risky Command rules from PTA
Set-PASPTARemediation                      10.4              Update automatic response config in PTA
Set-PASPTARule                             10.4              Update a Risky Command rule in PTA
Get-PASGroup                               10.5              Return vault group information
Remove-PASGroupMember                      10.5              Remove vault group members
Set-PASOnboardingRule                      10.5              Update Onboarding Rules
Add-PASDiscoveredAccount                   10.5              Adds discovered accounts to the accounts feed
Connect-PASPSMSession                      10.5              Get required parameters to connect to live PSM Sessions

Installation

Prerequisites

  • Requires PowerShell v3 (minimum)
  • CyberArk PAS REST API/Web Service
  • A user with which to authenticate, with appropriate Vault/Safe permissions.

Install Options

This repository contains a folder named psPAS.

The folder needs to be copied to one of your PowerShell Module Directories.

Use one of the following methods:

Option 1: Install from PowerShell Gallery

PowerShell 5.0 or above & Administrator rights are required.

To download the module from the PowerShell Gallery,
from an elevated PowerShell prompt, run:

Install-Module -Name psPAS -Scope CurrentUser

Option 2: Manual Install

Find your PowerShell Module Paths with the following command:

$env:PSModulePath.split(';')

Download the master branch

Extract the archive

Copy the psPAS folder to your "PowerShell Modules" directory of choice.

Verification

Validate Module Exists on your local machine:

Get-Module -ListAvailable psPAS

Import the module:

Import-Module psPAS

List Module Commands:

Get-Command -Module psPAS

Get detailed information on specific commands:

Get-Help New-PASUser -Full

Changelog

All notable changes to this project will be documented in the Changelog

Author

License

This project is licensed under the MIT License.

Contributing

Any and all contributions to this project are appreciated.

The SAML authentication capability needs testing, no federation service is
available to me to confirm that the functionality works as required...

See the CONTRIBUTING.md for a few more details.

Acknowledgements

Hat Tips:

Assaf Miron (AssafMiron) For the JSON formatting assistance.

Warren Frame (RamblingCookieMonster) for the borrowed Add-ObjectDetail.ps1 &
New-DynamicParam.ps1 helper functions.

Joe Garcia (infamousjoeg) for the unofficial API documentation.

Chapeau!