pspete/psPASPublic

NotificationsYou must be signed in to change notification settings
Fork92
Star306

PowerShell module for CyberArk Privileged Access Security REST API

License

MIT license

306 stars 92 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 1,299 Commits
.github		.github
Tests		Tests
build		build
docs		docs
psPAS		psPAS
.gitattributes		.gitattributes
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE.md		LICENSE.md
README.md		README.md
appveyor.yml		appveyor.yml

Repository files navigation

psPAS: PowerShell Module for the CyberArk API

Through the PVWA REST API, administer CyberArk PAS with PowerShell.

Contains all of the documented API capabilities up to CyberArk v14.0.

Docs:https://pspas.pspete.dev

Module Status

Master Branch	Latest Build	CodeFactor	Coverage	PowerShell Gallery	License

Usage

Authenticate

Everything begins with aLogon:

To submit a logon request to the CyberArk API, use the psPAS New-PASSession command.

All subsequent operations are carried out bypsPAS utilises the input data provided for theNew-PASSession request (URL, Certificate), as well as data received from the API after successful authentication (Authentication Token, PVWA Version).

CyberArk Authentication

Use a PowerShell credential object containing a valid vault username and password.

$cred=Get-CredentialPowerShell credential requestEnter your credentials.User: safeadminPasswordfor user safeadmin:**********New-PASSession-Credential$cred-BaseURI https://pvwa.somedomain.com

LDAP Authentication

Specify LDAP credentials allowed to authenticate to the vault.

$cred=Get-CredentialPowerShell credential requestEnter your credentials.User: xApprover_1Passwordfor user xApprover_1:**********New-PASSession-Credential$cred-BaseURI https://pvwa.somedomain.com-type LDAPGet-PASLoggedOnUserUserName    Source UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------xApprover_1 LDAP   EPVUser      False     False   False    False

RADIUS Authentication

$cred=Get-CredentialPowerShell credential requestEnter your credentials.User: DuoUserPasswordfor user DuoUser:**********New-PASSession-Credential$cred-BaseURI https://pvwa.somedomain.com-type RADIUS-OTP123456Get-PASLoggedOnUserUserName Source UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------DuoUser  LDAP   EPVUser      False     False   False    False

SAML Authentication

SAML SSO authentication using IWA and ADFS can be performed

New-PASSession-BaseURI$url-SAMLAuth

Where IWA SSO is not possible, thePS-SAML-Interactive module can be used to get the SAMLResponse from an authentication service.

The SAMLResponse received from the IdP is sent to complete saml authentication to the API.

import-module-name'C:\PS-SAML-Interactive.psm1'$loginURL='https://company.okta.com/home/app1/0oa11xddwdzhvlbiZ5d7/aln1k2HsUl5d7'$baseURL='https://pvwa.mycompany.com'$loginResponse=New-SAMLInteractive-LoginIDP$loginURLNew-PASSession-SAMLAuth-concurrentSession$true-BaseURI$baseURL-SAMLResponse$loginResponse

Certificate Authentication

Where PVWA/IIS requires client certificates, 'psPAS' will use any specified certificates for the duration of the session.

PKI Authentication Example:

Add-Type-AssemblyName System.Security# Get Valid Certs$MyCerts= [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)# Select Cert$Cert= [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection($MyCerts,'Choose a certificate','Choose a certificate','SingleSelection')| select-First1New-PASSession-Credential$cred-BaseURI$url-type PKI-Certificate$Cert

Shared Authentication Example:

$Cert="0E199489C57E666115666D6E9990C2ACABDB6EDB"New-PASSession-UseSharedAuthentication-BaseURI https://pvwa.somedomain.com-CertificateThumbprint$Cert

Shared Services Authentication

Privilege Cloud Shared Services authentication flows require the pspeteIdentityCommand module, available from thePowershell Gallery &GitHub.

Identity User

Provide Identity User credentials and tenant details for authentication to CyberArk Identity for Privilege Cloud Shared Services:

#using URLNew-PASSession -IdentityTenantURL https://SomeTenantName.id.cyberark.cloud -PrivilegeCloudURL https://SomeTenant.privilegecloud.cyberark.cloud -Credential $Cred -IdentityUser

#using subdomainNew-PASSession -TenantSubdomain SomeTenantName -Credential $Cred -IdentityUser

Service User

Provide tenant ID and non-interactive API User credentials for authentication via CyberArk Identity for Privilege Cloud Shared Services:

New-PASSession -TenantSubdomain YourPrivilegeCloudTenantID -Credential $ServiceUserCreds -ServiceUser

Consult the vendor documentation for guidance on setting up a dedicated API Service user for non-interactive API use.

Basic Operations

Search

Safes

Get information relating to Safes you have access to:

Get-PASSafe-search _YZOSafeName           ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description----------------------------------------------------------------------------1_TestSafe_096_YZO PasswordManager3                         TestSafe: 1_TestSafe_096_YZO1_TestSafe_100_YZO PasswordManager3                         TestSafe: 1_TestSafe_100_YZO3_TestSafe_058_YZO PasswordManager3                         TestSafe: 3_TestSafe_058_YZO3_TestSafe_068_YZO PasswordManager3                         TestSafe: 3_TestSafe_068_YZO3_TestSafe_069_YZO PasswordManager3                         TestSafe: 3_TestSafe_069_YZO2_TestSafe_090_YZO PasswordManager3                         TestSafe: 2_TestSafe_090_YZO1_TestSafe_067_YZO PasswordManager3                         TestSafe: 1_TestSafe_067_YZO

Safe Members

Find Safe Members:

Get-PASSafeMember-SafeName 1_TestSafe_067_YZO-search UsrUserName                     SafeName           Permissions---------------------------ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO@{useAccounts=True;retrieveAccounts=True;listAccounts=True;addAccounts=False;.....

Users

Query for Vault Users:

Get-PASUser-Search xapID  UserName    Source UserType ComponentUser Location---------------------------------------------657 xApprover_A LDAP   EPVUser  False         \psPETE\Users658 xApprover_1 LDAP   EPVUser  False         \psPETE\Users659 xApprover_B LDAP   EPVUser  False         \psPETE\Users660 xApprover_2 LDAP   EPVUser  False         \psPETE\Users661 xApprover_C LDAP   EPVUser  False         \psPETE\Users662 xApprover_3 LDAP   EPVUser  False         \psPETE\Users

Accounts

Return Account data:

Get-PASAccount-SafeName"3_TestSafe_028_XYJ"-search sbwudlovAccountID                 :286_4Safe                      : 3_TestSafe_028_XYJaddress                   :SOMEDOMAIN.COMuserName                  : sbwudlovname                      : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlovplatformId                : Z_WINDOMAIN_OFFsecretType                : passwordplatformAccountProperties :@{LogonDomain= SOMEDOMAIN }secretManagement          :@{automaticManagementEnabled= True;lastModifiedTime=1559864222 }createdTime               :06/06/201923:37:02

1st Gen API

Thekeywords &safe parameters ofGet-PASAccount force use of the 1st gen API:

Get-PASAccount-Safe 3_TestSafe_028_XYJWARNING:2 matching accounts found. Only the first result will be returnedAccountID          :286_3Safe               : 3_TestSafe_028_XYJFolder             : RootName               : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebfUserName           : kmgrsebfPlatformID         : Z_WINDOMAIN_OFFDeviceType         : Operating SystemAddress            :SOMEDOMAIN.COMInternalProperties :@{CreationMethod= PVWA }

Only details of the first found account will be returned.
More results can be returned by specifying alternative parameters to avoid sending the request via the 1st gen API

PS>Get-PASAccount-SafeName"3_TestSafe_028_XYJ"AccountID                 :286_3Safe                      : 3_TestSafe_028_XYJaddress                   :SOMEDOMAIN.COMuserName                  : kmgrsebfname                      : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebfplatformId                : Z_WINDOMAIN_OFFsecretType                : passwordplatformAccountProperties :@{LogonDomain= SOMEDOMAIN }secretManagement          :@{automaticManagementEnabled= True;lastModifiedTime=1559864221 }createdTime               :06/06/201923:37:01AccountID                 :286_4Safe                      : 3_TestSafe_028_XYJaddress                   :SOMEDOMAIN.COMuserName                  : sbwudlovname                      : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlovplatformId                : Z_WINDOMAIN_OFFsecretType                : passwordplatformAccountProperties :@{LogonDomain= SOMEDOMAIN }secretManagement          :@{automaticManagementEnabled= True;lastModifiedTime=1559864222 }createdTime               :06/06/201923:37:02

Administration

Add An Account

Add an account to manage:

#Convert Password to SecureString$Password=ConvertTo-SecureString-String"Secret1337$"-AsPlainText-Force#Additional account details$platformAccountProperties=@{"LOGONDOMAIN"="domain.com""Notes"="Demo Account. Owner:psPete""Classification"="1F"}#Add AccountAdd-PASAccount-secretType Password-secret$Password-SafeName"YourSafe"-PlatformID"YourPlatform"`-Address"domain"-Username SomeUsername-platformAccountProperties$platformAccountProperties

Create Safes

Simple safe creation:

Add-PASSafe-SafeName NewSafe-Description"New Safe"-ManagingCPM PasswordManager-NumberOfVersionsRetention10SafeName ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description----------------------------------------------------------------------------NewSafe  PasswordManager10                        New Safe

Add Safe Members

Consistent safe membership:

Add-PASSafeMember-SafeName NewSafe-MemberName NewMember-UseAccounts$false-ListAccounts$true`-RetrieveAccounts$false-ViewAuditLog$true-ViewSafeMembers$trueUserName  SafeName Permissions---------------------------NewMember NewSafe@{useAccounts=False;retrieveAccounts=False;listAccounts=True;addAccounts=False;...

Update Accounts

Update values for individual account properties:

Set-PASAccount-AccountID286_4-op replace-path/address-valueNEWDOMAIN.COMAccountID                 :286_4Safe                      : 3_TestSafe_028_XYJaddress                   :NEWDOMAIN.COMuserName                  : sbwudlovname                      : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlovplatformId                : Z_WINDOMAIN_OFFsecretType                : passwordplatformAccountProperties :@{LogonDomain=SOMEDOMAIN}secretManagement          :@{automaticManagementEnabled=True;lastModifiedTime=1559864222}createdTime               :06/06/201923:37:02Set-PASAccount-AccountID286_4-op replace-path/platformAccountProperties/LogonDomain-value NEWDOMAINAccountID                 :286_4Safe                      : 3_TestSafe_028_XYJaddress                   :NEWDOMAIN.COMuserName                  : sbwudlovname                      : OperatingSystem-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlovplatformId                : Z_WINDOMAIN_OFFsecretType                : passwordplatformAccountProperties :@{LogonDomain=NEWDOMAIN}secretManagement          :@{automaticManagementEnabled=True;lastModifiedTime=1559864222}createdTime               :06/06/201923:37:02

CPM Operations

Verify

Verify passwords

# immediate verificationInvoke-PASCPMOperation-AccountID$ID-VerifyTask

Change

Change passwords for accounts or account groups

# immediate changeInvoke-PASCPMOperation-AccountID$ID-ChangeTask# immediate change to a specific password valueInvoke-PASCPMOperation-AccountID$ID-ChangeTask-ChangeImmediately$true-NewCredentials$SecureString# change password in the Vault onlyInvoke-PASCPMOperation-AccountID$ID-ChangeTask-NewCredentials$SecureString# change password for account groupInvoke-PASCPMOperation-AccountID$ID-ChangeTask-ChangeEntireGroup$true# change password for account group to a specific password valueInvoke-PASCPMOperation-AccountID$ID-ChangeTask-ChangeEntireGroup$true-NewCredentials$SecureString

Reconcile

Reconcile passwords

# immediate reconcileInvoke-PASCPMOperation-AccountID$ID-ReconcileTask

Import a Connection Component

Import Custom Connection Components:

Import-PASConnectionComponent-ImportFile C:\Temp\ConnectionComponent.zip

Platforms

Import & Export of CPM Platforms:

#Import a PlatformImport-PASPlatform-ImportFile C:\Temp\Platform.zip#Export a PlatformExport-PASPlatform-PlatformID"Some-SSH-Platform"-Path C:\Temp

Pipeline Operations

Work with the PowerShell pipeline:

#Find directory groups assigned to safesGet-PASSafe-search YZO|Get-PASSafeMember-memberType group-includePredefinedUsers$false|Where-Object {Get-PASGroup-search$_.UserName-groupType Directory }UserName                     SafeName           Permissions---------------------------ACC-G-1_TestSafe_096_YZO-Usr 1_TestSafe_096_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-1_TestSafe_096_YZO-Adm 1_TestSafe_096_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-1_TestSafe_100_YZO-Usr 1_TestSafe_100_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-1_TestSafe_100_YZO-Adm 1_TestSafe_100_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_058_YZO-Usr 3_TestSafe_058_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_058_YZO-Adm 3_TestSafe_058_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_068_YZO-Usr 3_TestSafe_068_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_068_YZO-Adm 3_TestSafe_068_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_069_YZO-Usr 3_TestSafe_069_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_069_YZO-Adm 3_TestSafe_069_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-2_TestSafe_090_YZO-Usr 2_TestSafe_090_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-2_TestSafe_090_YZO-Adm 2_TestSafe_090_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-1_TestSafe_067_YZO-Adm 1_TestSafe_067_YZO@{useAccounts=True;retrieveAccounts=True; lis...

MultiplepsPAS commands can be used together, along with standard PowerShell CmdLets:

#Add all "admin" users in the root location to the PVWAMonitor groupGet-PASUser-UserType EPVUser-Search Admin|Where-Object {$_.location-eq"\" }|Add-PASGroupMember-GroupName PVWAMonitor#Find an account, then find the members of the account's safe.Get-PASAccount-id283_3|Get-PASSafeMemberUserName                     SafeName           Permissions---------------------------SafeAdmin                    3_TestSafe_100_OWZ@{useAccounts=True;retrieveAccounts=True; lis...PSMAppUsers                  3_TestSafe_100_OWZ@{useAccounts=False;retrieveAccounts=False; lis...PasswordManager              3_TestSafe_100_OWZ@{useAccounts=True;retrieveAccounts=True; lis...SafeAdmin3                   3_TestSafe_100_OWZ@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_100_OWZ-Usr 3_TestSafe_100_OWZ@{useAccounts=True;retrieveAccounts=True; lis...ACC-G-3_TestSafe_100_OWZ-Adm 3_TestSafe_100_OWZ@{useAccounts=True;retrieveAccounts=True; lis...Prov_ZZSRV01                 3_TestSafe_100_OWZ@{useAccounts=False;retrieveAccounts=True; lis...psPAS                        3_TestSafe_100_OWZ@{useAccounts=False;retrieveAccounts=True; lis...

Advanced Examples

Bulk Operations

The standard features of PowerShell which allow creation of and iterations through collections of objects, can be used to perform bulk operations:

Example 1 - On-board Multiple Accounts

$Accounts=Import-Csv-Path C:\Temp\Accounts.csvNew-PASSession-Credential$creds-BaseURI https://your.pvwa.urlforeach($Accountin$Accounts){$Password=ConvertTo-SecureString-String$Account.Password-AsPlainText-ForceAdd-PASAccount-secretType Password`-secret$Password`-platformAccountProperties@{"LOGONDOMAIN"=$Account.LogonDomain}`-SafeName$Account.SafeName`-PlatformID$Account.PlatformID`-Address$Account.Address`-Username$Account.Username}Close-PASSession

Example 2 - Delete Multiple Safes

#Specify Vault Logon Credentials$LogonCredential=Get-Credential#LogonNew-PASSession-Credential$LogonCredential-BaseURI https://your.pvwa.url$Safes=Get-PASSafe-search TestSafe#Delete Safesforeach ($Safein$Safes){Remove-PASSafe-SafeName$Safe.SafeName-WhatIf}#LogoffClose-PASSession

Example 3 - Move a List of Users to a New Location

#Vault Logon Credentials$LogonCredential=Get-Credential#LogonNew-PASSession-Credential$LogonCredential-BaseURI https://your.pvwa.url#get list of users$users=Get-Content .\userlist.txt#move users$users|foreach{Set-PASUser-UserName$_-Location"\New\Location\Path"-WhatIf}#LogoffClose-PASSession

Safe Permissions

Define Safe Roles and assign to safe members:

$Role1= [PSCustomObject]@{UseAccounts=$trueListAccounts=$trueViewAuditLog=$falseViewSafeMembers=$false}$Role2= [PSCustomObject]@{UseAccounts=$falseListAccounts=$trueRetrieveAccounts=$falseAddAccounts=$trueUpdateAccountContent=$trueUpdateAccountProperties=$trueInitiateCPMAccountManagementOperations=$trueSpecifyNextAccountContent=$falseRenameAccounts=$trueDeleteAccounts=$trueUnlockAccounts=$trueManageSafe=$trueManageSafeMembers=$trueBackupSafe=$falseViewAuditLog=$trueViewSafeMembers=$truerequestsAuthorizationLevel1=$falserequestsAuthorizationLevel2=$falseAccessWithoutConfirmation=$trueCreateFolders=$trueDeleteFolders=$trueMoveAccountsAndFolders=$true}$Role1|Add-PASSafeMember-SafeName NewSafe-MemberName a032485-SearchIn VaultUserName SafeName Permissions---------------------------a032485  NewSafe@{useAccounts=True;retrieveAccounts=False;listAccounts=True;...$Role2|Add-PASSafeMember-SafeName NewSafe-MemberName SafeAdmin1-SearchIn VaultUserName   SafeName Permissions---------------------------SafeAdmin1 NewSafe@{useAccounts=False;retrieveAccounts=False;listAccounts=Tr...

PSM Sessions

Terminate all Active PSM Sessions on a PSM Server

#Find Active Sessions for a PSM Server IP#Terminate the SessionsGet-PASPSMSession|Where-Object{  ($_.RawProperties.ProviderID-eq$(Get-PASComponentDetail-ComponentID SessionManagement|Where-Object{$_.ComponentIP-eq"192.168.60.20"}|    Select-ExpandProperty ComponentUserName))-and ($_.IsLive)-and ($_.CanTerminate)}|Stop-PASPSMSession

Updating Multiple Properties of an Account

Multiple updates can be performed in a single request:

[array]$operations+=@{"op"="remove";"path"="/platformAccountProperties/LogonDomain"}[array]$operations+=@{"op"="replace";"path"="/name";"value"="SomeNewName"}[array]$operations+=@{"op"="replace";"path"="/address";"value"="domain.co.uk"}Set-PASAccount-AccountID286_4-operations$operationsAccountID        :286_4Safe             : 3_TestSafe_028_XYJaddress          : domain.co.ukuserName         : sbwudlovname             : SomeNewNameplatformId       : Z_WINDOMAIN_OFFsecretType       : passwordsecretManagement :@{automaticManagementEnabled=True;lastModifiedTime=1559864222}createdTime      :06/06/201923:37:02

Using Methods

Methods present on objects returned from psPAS functions can be leveraged to get the data you need with ease.

ThepsPAS.CyberArk.Vault.Safe object returned byGet-PASSafe has a ScriptMethod (SafeMembers()), which will run a query for the members of the safe:

#List all safes where AppUser is not a memberGet-PASSafe|Where-Object{ ($_.safemembers()|Select-Object-ExpandProperty UserName)-notcontains"AppUser"}

Retrieved credentials can be immediately converted into Secure Strings or into a PsCredential object:

#Returns a Secure String(Get-PASAccount-id330_5|Get-PASAccountPassword).ToSecureString()#Returns a PsCredential Object(Get-PASAccount-id330_5|Get-PASAccountPassword).ToPsCredential()#Returns a PsCredential Object with a custom username (to include a domain for example)(Get-PASAccount-id330_5|Get-PASAccountPassword).ToPsCredential("MyDomain\MyAccount")

API Sessions

If actions are required to be performed under the context of different user accounts, it is possible to work with different authenticated sessions:

#Start first session$VaultAdmin=Get-CredentialPowerShell credential requestEnter your credentials.User: VaultAdminPasswordfor user VaultAdmin:**********New-PASSession-Credential$VaultAdmin-BaseURI https://pvwa.somedomain.comGet-PASLoggedOnUserUserName   Source   UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------VaultAdmin Internal EPVUser      False     False   False    False#Save first session data$FirstSession=Get-PASSession#Start second session$SafeAdmin=Get-CredentialPowerShell credential requestEnter your credentials.User: SafeAdminPasswordfor user SafeAdmin:**********New-PASSession-Credential$SafeAdmin-BaseURI https://pvwa.somedomain.comGet-PASLoggedOnUserUserName  Source   UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------SafeAdmin Internal EPVUser      False     False   False    False#Save second session data$SecondSession=Get-PASSession#Switch back to first sessionUse-PASSession-Session$FirstSessionGet-PASLoggedOnUserUserName   Source   UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------VaultAdmin Internal EPVUser      False     False   False    False#End first sessionClose-PASSession#Switch to second sessionUse-PASSession-Session$SecondSessionGet-PASLoggedOnUserUserName  Source   UserTypeName AgentUser Expired Disabled Suspended-----------------------------------------------------------SafeAdmin Internal EPVUser      False     False   False    False#End second sessionClose-PASSession

Sample Scripts

A selection of psPAS sample scripts can be found in thepsPAS-Examples repository.

psPAS Functions

This section lists the commands available in psPAS as well as any relevant version requirements.

Depending on your version of CyberArk, different psPAS commands and parameters are available.

The most recent psPAS version should work with your particular CyberArk version and be able to be used with it.

The version requirements for certain parameters are described in greater detail in the command's documentation.

The module will take steps to verify that your version of CyberArk meets any psPAS command's minimum version requirement.

If version requirement criteria are not met, operations may be prevented.

To learn more about the parameters that may be used and the required version, consult the output of the 'Get-Help' command for the 'psPAS' functions.

Click the below dropdown to view the current list of psPAS functions and their minimum version requirements:

List of Functions

Function Name	CyberArk Version	Description
`New-PASSession`	9.0	Authenticates a user to CyberArk Vault
`Close-PASSession`	9.0	Logoff from CyberArk Vault.
`Get-PASSession`	---	Get`psPAS` Session Data.
`Use-PASSession`	---	Set`psPAS` Session Data.
`Add-PASPublicSSHKey`	9.6	Adds an authorised public SSH key for a user.
`Get-PASPublicSSHKey`	9.6	Retrieves a user's SSH Keys.
`Remove-PASPublicSSHKey`	9.6	Deletes a Public SSH Key from a user
`Add-PASAccountACL`	9.0	Adds a new privileged command rule to an account.
`Get-PASAccountACL`	9.0	Lists privileged commands rule for an account
`Remove-PASAccountACL`	9.0	Deletes privileged commands rule from an account
`Add-PASAccountGroupMember`	9.95	Adds an account as a member of an account group.
`Get-PASAccountGroup`	9.10	Returns account groups in a Safe.
`Get-PASAccountGroupMember`	9.10	Returns members of an account group.
`New-PASAccountGroup`	9.95	Adds a new account group
`Remove-PASAccountGroupMember`	9.10	Deletes a member of an account group
`Add-PASAccount`	9.0	Adds a new account.
`Add-PASPendingAccount`	9.7	Adds discovered account or SSH key as a pending account.
`Get-PASAccount`	9.3	Returns information about accounts.
`Get-PASAccountActivity`	9.7	Returns activities for an account.
`Get-PASAccountPassword`	9.7	Returns password for an account.
`Remove-PASAccount`	9.3	Deletes an account
`Set-PASAccount`	9.5	Updates details of an account.
`Invoke-PASCPMOperation`	9.7	Invoke CPM verify, change & reconcile tasks.
`Unlock-PASAccount`	9.10	Checks in an exclusive-use account.
`Add-PASApplication`	9.1	Adds a new application
`Add-PASApplicationAuthenticationMethod`	9.1	Add authentication method to an application
`Get-PASApplication`	9.1	Returns details of applications
`Get-PASApplicationAuthenticationMethod`	9.1	Returns application authentication methods
`Remove-PASApplication`	9.1	Deletes an application
`Remove-PASApplicationAuthenticationMethod`	9.1	Delete auth method from an application
`Import-PASConnectionComponent`	10.3	Imports a Connection Component
`New-PASPSMSession`	9.10	Get required parameters to connect through PSM
`Get-PASPSMRecording`	9.10	Get details of PSM Recording
`Get-PASPSMSession`	9.10	Get details of PSM Sessions
`Resume-PASPSMSession`	10.2	Resumes a Suspended PSM Session.
`Stop-PASPSMSession`	10.1	Terminates a PSM Session.
`Suspend-PASPSMSession`	10.2	Suspends a PSM Session.
`Get-PASOnboardingRule`	9.7	Gets automatic on-boarding rules
`New-PASOnboardingRule`	9.7	Adds a new on-boarding rule
`Remove-PASOnboardingRule`	9.7	Deletes an automatic on-boarding rule
`Get-PASPlatform`	9.10	Retrieves details of a specified platform.
`Import-PASPlatform`	10.2	Import a new platform
`Export-PASPlatform`	10.4	Export a platform
`Add-PASPolicyACL`	9.0	Adds a new privileged command rule
`Get-PASPolicyACL`	9.0	Lists OPM Rules for a policy
`Remove-PASPolicyACL`	9.0	Delete privileged commands from policy
`Approve-PASRequest`	9.10	Confirm a single request
`Deny-PASRequest`	9.10	Reject a single request
`Get-PASRequest`	9.10	List requests
`Get-PASRequestDetail`	9.10	Get request details
`New-PASRequest`	9.10	Creates an access request for an account
`Remove-PASRequest`	9.10	Deletes a request
`Add-PASSafeMember`	9.3	Adds a Safe Member to a safe
`Get-PASSafeMember`	9.7	Lists the members of a Safe
`Remove-PASSafeMember`	9.3	Removes a member from a safe
`Set-PASSafeMember`	9.3	Updates a Safe Member's Permissions
`Add-PASSafe`	9.2	Adds a new safe
`Get-PASSafe`	9.7	Returns safe details
`Remove-PASSafe`	9.3	Deletes a safe
`Set-PASSafe`	9.3	Updates a safe
`Get-PASSafeShareLogo`	9.7	Returns details of SafeShare Logo
`Get-PASServer`	9.7	Returns details of the Web Service Server
`Get-PASServerWebService`	9.7	Returns details of the Web Service
`Get-PASComponentDetail`	10.1	Returns details about component instances.
`Get-PASComponentSummary`	10.1	Returns consolidated information about components.
`Add-PASGroupMember`	9.7	Adds a user as a group member
`Get-PASLoggedOnUser`	9.7	Returns details of the logged on user
`Get-PASUserLoginInfo`	10.4	Returns login details of the current user
`Get-PASUser`	9.7	Returns details of a user
`New-PASUser`	9.7	Creates a new user
`Remove-PASUser`	9.7	Deletes a user
`Set-PASUser`	9.7	Updates a user
`Unblock-PASUser`	9.7	Activates a suspended user
`Get-PASDirectory`	10.4	Get configured LDAP directories
`Add-PASDirectory`	10.4	Add a new LDAP directory
`New-PASDirectoryMapping`	10.4	Create a new LDAP directory mapping
`Add-PASPTARule`	10.4	Add a new Risky Commandrule to PTA
`Get-PASPTAEvent`	10.3	Get security events from PTA
`Set-PASPTAEvent`	11.3	Set PTA security event status
`Get-PASPTARemediation`	10.4	Get automatic response config from PTA
`Get-PASPTARule`	10.4	List Risky Command rules from PTA
`Set-PASPTARemediation`	10.4	Update automaticresponse config in PTA
`Set-PASPTARule`	10.4	Update a Risky Commandrule in PTA
`Get-PASAccountDetail`	10.4	Returns information about accounts.
`Get-PASGroup`	10.5	Return group information
`Remove-PASGroupMember`	10.5	Remove group members
`Set-PASOnboardingRule`	10.5	Update Onboarding Rules
`Add-PASDiscoveredAccount`	10.5	Add discovered accounts to the Accounts Feed
`Connect-PASPSMSession`	10.5	Get required parameters to connect to a PSM Session
`Get-PASPSMSessionActivity`	10.6	Get activity details from an active PSM Session.
`Get-PASPSMSessionProperty`	10.6	Get property details from an active PSM Session.
`Get-PASPSMRecordingActivity`	10.6	Get activity details from a PSM Recording.
`Get-PASPSMRecordingProperty`	10.6	Get property details from a PSM Recording.
`Export-PASPSMRecording`	10.6	Save PSM Session Recording to a file.
`Request-PASJustInTimeAccess`	10.6	Request temporary access to a server.
`Revoke-PASJustInTimeAccess`	12.0	Revoke temporary server access.
`Get-PASDirectoryMapping`	10.7	Get details of configured directory mappings.
`Set-PASDirectoryMapping`	10.7	Update a configured directory mapping.
`Remove-PASDirectory`	10.7	Delete a directory configuration.
`Find-PASSafe`	10.1 -11.7	List or Search Safes by name.
`Set-PASDirectoryMappingOrder`	10.10	Reorder Directory Mappings
`Set-PASUserPassword`	10.10	Reset a User's Password
`New-PASGroup`	11.1	Create a new CyberArk group
`Get-PASPlatformSafe`	11.1	List details for all platforms
`Remove-PASDirectoryMapping`	11.1	Deletes a Directory Mapping
`Enable-PASCPMAutoManagement`	10.4	Enables Automatic CPM Management for an account
`Disable-PASCPMAutoManagement`	10.4	Disables Automatic CPM Management for an account
`Test-PASPSMRecording`	11.2	Determine validity of PSM Session Recording
`Copy-PASPlatform`	11.4	Duplicate a platform
`Enable-PASPlatform`	11.4	Enable a platform
`Disable-PASPlatform`	11.4	Disable a platform
`Remove-PASPlatform`	11.4	Delete a platform
`Remove-PASGroup`	11.5	Delete a user group
`Get-PASAllowedReferrer`	11.5	List PVWA Allowed Referrer
`Add-PASAllowedReferrer`	11.5	Add PVWA Allowed Referrer
`Get-PASAccountSSHKey`	11.5	Get Private SSH Key value of Account
`Get-PASAuthenticationMethod`	11.5	List authentication methods
`Add-PASAuthenticationMethod`	11.5	Add authentication method
`Set-PASAuthenticationMethod`	11.5	Update authentication method
`Get-PASConnectionComponent`	11.5	List configured connection components
`Get-PASPSMServer`	11.5	List configured PSM Servers
`Get-PASPlatformPSMConfig`	11.5	List Platform PSM configuration
`Set-PASPlatformPSMConfig`	11.5	Update Platform PSM configuration
`Start-PASAccountImportJob`	11.6	Add multiple accounts to existing Safes.
`Get-PASAccountImportJob`	11.6	Get status of account import
`New-PASAccountObject`	---	Format an object to include in an import list
`Get-PASDiscoveredAccount`	11.6	List discovered accounts
`Add-PASOpenIDConnectProvider`	11.7	Adds an OIDC Authentication Provider
`Get-PASOpenIDConnectProvider`	11.7	Gets details of configured OIDC Authentication Providers
`Remove-PASOpenIDConnectProvider`	11.7	Deletes an OIDC Authentication Provider
`Set-PASOpenIDConnectProvider`	11.7	Updates an OIDC Authentication Provider
`Remove-PASAuthenticationMethod`	11.7	Delete an authentication method
`Clear-PASDiscoveredAccountList`	12.1	Clear all discovered accounts from the pending account list
`Get-PASAccountPasswordVersion`	12.1	Get details of previous password versions
`New-PASAccountPassword`	12.0	Generate new password values based on platform policy
`Set-PASLinkedAccount`	12.1	Associate logon and reconcile accounts
`Clear-PASLinkedAccount`	12.2	Clear associated linked accounts
`Clear-PASPrivateSSHKey`	12.1	Remove all MFA caching SSH Keys
`New-PASPrivateSSHKey`	12.1	Generate MFA caching SSH Keys
`Remove-PASPrivateSSHKey`	12.1	Delete MFA caching SSH Keys
`Set-PASGroup`	12.0	Update CyberArk groups
`Get-PASPlatformSummary`	12.2	Get information on platform system types
`Enable-PASUser`	12.6	Enable CyberArk Users
`Disable-PASUser`	12.6	Disable CyberArk Users
`Publish-PASDiscoveredAccount`	12.6	Onboard Discovered Accounts
`Get-PASLinkedAccount`	12.2	Get details of linked accounts
`Get-PASLinkedGroup`	12.2	Get details of linked groups
`Add-PASPersonalAdminAccount`	12.6	Add Personal Admin Account (Privilege Cloud Only).
`Get-PASPTAGlobalCatalog`	13.0	Get Global Catalog connectivity details for PTA.
`Add-PASPTAGlobalCatalog`	13.0	Add Global Catalog connectivity details to PTA.
`Get-PASUserTypeInfo`	13.2	Get User Type Info
`Get-PASPTARiskEvent`	13.2	Get PTA Risk Events
`Set-PASPTARiskEvent`	13.2	Update PTA Risk Events
`Get-PASPTARiskSummary`	13.2	Get PTA Risk Summary
`New-PASRequestObject`	---	Format an object to include in an request list
`Add-PASPTAIncludedTarget`	14.0	Includes a PTA Monitored Target
`Add-PASPTAExcludedTarget`	14.0	Excludes a PTA Monitored Target
`Add-PASPTAPrivilegedGroup`	14.0	Configures a PTA Privileged Group
`Add-PASPTAPrivilegedUser`	14.0	Configures a PTA Privileged User
`Get-PASPTAExcludedTarget`	14.0	Get PTA Excluded Target
`Get-PASPTAIncludedTarget`	14.0	Get PTA Included target
`Get-PASPTAPrivilegedGroup`	14.0	Get PTA Privileged Group
`Get-PASPTAPrivilegedUser`	14.0	Get PTA Privileged User
`Remove-PASPTAExcludedTarget`	14.0	Remove PTA Excluded Target
`Remove-PASPTAIncludedTarget`	14.0	Remove PTA Included Target
`Remove-PASPTAPrivilegedGroup`	14.0	Remove PTA Privileged Group
`Remove-PASPTAPrivilegedUser`	14.0	Remove PTA Privileged User
`Set-PASIPAllowList`	P Cloud Only	Set P Cloud IP Allow List
`Get-PASIPAllowList`	P Cloud Only	Get P Cloud IP Allow List
`Get-PASBYOKConfig`	P Cloud Only	Get P Cloud BYOK Config
`Publish-PASDiscoveredLocalAccount`	P Cloud Only	Publish P Cloud Discovered Local Account
`Remove-PASDiscoveredLocalAccount`	P Cloud Only	Delete P Cloud Discovered Local Account
`Get-PASDiscoveredLocalAccountActivity`	P Cloud Only	Get P Cloud Discovered Local Account Activity
`Get-PASDiscoveredLocalAccount`	P Cloud Only	Get P Cloud Discovered Local Account
`Clear-PASDiscoveredLocalAccount`	P Cloud Only	Clear all P Cloud Discovered Local Accounts
`Add-PASDiscoveredLocalAccount`	P Cloud Only	Add P Cloud Discovered Local Account

Installation

Prerequisites

PowerShell Core, or Windows Powershell v5 (minimum)
CyberArk PAS REST API/PVWA Web Service (available and accessible over HTTPS using TLS 1.2)
A user who can authenticate and has the necessary Vault/Safe permissions.

Install Options

Users can download psPAS from GitHub or the PowerShell Gallery.

Choose any of the following ways to download the module and install it:

Option 1: Install from PowerShell Gallery

This is the easiest and most popular way to install the module.

PowerShell 5.0 or above must be used to download the module from thePowerShell Gallery.

Open a PowerShell prompt
Execute the following command:

Install-Module-Name psPAS-Scope CurrentUser

Option 2: Manual Install

The module files can be manually copied to one of your PowerShell module directories.

Use the following command to get the paths to your local PowerShell module folders:

$env:PSModulePath.split(';')

The module files must be placed in one of the listed directories, in a folder calledpsPAS.

More:about_PSModulePath

The module files are available to download using a variety of methods:

PowerShell Gallery

Download from the module from thePowerShell Gallery:
- Run the PowerShell commandSave-Module -Name psPAS -Path C:\temp
- Copy theC:\temp\psPAS folder to your "Powershell Modules" directory of choice.

psPAS Release

Download the latest GitHub release
- Unblock & Extract the archive
- Rename the extractedpsPAS-v#.#.# folder topsPAS
- Copy thepsPAS folder to your "Powershell Modules" directory of choice.

psPAS Branch

DownloadGitHub Branch
- Unblock & Extract the archive
- Copy thepsPAS (\<Archive Root>\psPAS-master\psPAS) folder to your "Powershell Modules" directory of choice.

Verification

Validate Install:

Get-Module-ListAvailable psPAS

Import the module:

Import-Module psPAS

List Module Commands:

Get-Command-Module psPAS

Get detailed information on specific commands:

Get-HelpNew-PASUser-Full

Sponsorship

Please support continued psPAS development; consider sponsoring @pspete on GitHub Sponsors

Changelog

All notable changes to this project will be documented in theChangelog

Author

Pete Maan -pspete

License

This project islicensed under the MIT License.

Contributing

Any and all contributions to this project are appreciated.

See theCONTRIBUTING.md for a few more details.

Support

psPAS is neither developed nor supported by CyberArk; any official support channels offered by the vendor are not appropriate for seeking help with the psPAS module.

Help and support should be sought byopening an issue, or emailing pspas@pspete.dev.

Priority support could be considered forsponsors of @pspete,contact us to discuss options.