OneIdentity / safeguard-ps

One Identity Safeguard PowerShell scripting resources
Apache License 2.0

Edit-SafeguardUserGroup cannot remove members #526

Open itd-walli opened 4 months ago

itd-walli commented 4 months ago

Hello,

There is a problem removing a member from a Safeguard user group. Adding members works, removing does not work and doesn't throw any exception. The member is still in the group after removal.

I can fix the issue by removing the whole fields parameter in the following line.

https://github.com/OneIdentity/safeguard-ps/blob/071e54e5635e0c1d5c4cbe64519268ea2b5d30bb/src/groups.psm1#L637

It looks like the delete operation needs more data of the user.

JeffHarkavy commented 3 months ago

@itd-walli Thank you for contacting us.

I am not able to reproduce this behavior when using the current version of safeguard-ps (v7.5.146913 in PowerShell v7.4.4). Could you provide more details, including the versions of safeguard-ps and PowerShell you're using, and maybe a sample command line and results?

My results below.

Initial group membership:

PS  C:\git\safeguard-ps > (get-safeguardusergroup "Dev Provisioned Users").Members.Name
approver
requester
reviewer
certificate

Add new users and retrieve membership. Both new users show as members.

PS  C:\git\safeguard-ps > $results = edit-safeguardusergroup -GroupToEdit "Dev Provisioned Users" -Operation Add -UserList sgadmin,auditor
PS  C:\git\safeguard-ps > (get-safeguardusergroup "Dev Provisioned Users").Members.Name
sgadmin
approver
requester
reviewer
certificate
auditor

Remove the newly added users and relist. User membership for both users has been removed.

PS  C:\git\safeguard-ps > $results = edit-safeguardusergroup -GroupToEdit "Dev Provisioned Users" -Operation Remove -UserList sgadmin,auditor
PS  C:\git\safeguard-ps > (get-safeguardusergroup "Dev Provisioned Users").Members.Name
approver
requester
reviewer
certificate

itd-walli commented 3 months ago

@JeffHarkavy Thank you for the check.

Looks like a problem with the Safeguard version. Tried two different versions: one working, the other failed.

Added the verbose output for the remove to the command. For me the request to safeguard looks similar.

Test1 (not working)

Tool Version
Powershell 5.1.20348.2227
safeguard-ps Module 7.4.126553
Appliance version 7.5.0.20689

Problem occurs:

PS C:\Users\tw> Edit-SafeguardUserGroup -GroupToEdit 28 -Operation Add -UserList 8

Id                           : 28
Name                         : LUG_Enterprise Admins
Description                  :
IdentityProvider             : @{Id=-1; Name=Local; TypeReferenceName=Local; IdentityId=LUG_Enterprise Admins}
IsReadOnly                   : False
CreatedDate                  : 2024-07-04T13:40:30Z
CreatedByUserId              : 8
CreatedByUserDisplayName     : tw
ModifiedDate                 : 2024-08-01T09:11:41Z
ModifiedByUserId             : 8
ModifiedByUserDisplayName    : tw
DirectoryProperties          :
Members                      : {@{AdminRoles=System.Object[]; Id=8; Name=tw; Description=; DisplayName=tw; LastName=;
                               FirstName=tw; EmailAddress=; WorkPhone=; MobilePhone=; PrimaryAuthenticationProvider=;
                               SecondaryAuthenticationProvider=; IdentityProvider=; Disabled=False; TimeZoneId=UTC;
                               TimeZoneDisplayName=(UTC) Coordinated Universal Time; TimeZoneIanaName=Etc/UTC;
                               IsPartitionOwner=False; DirectoryProperties=; CloudAssistantApproveEnabled=False;
                               CloudAssistantRecipientId=; AllowPersonalAccounts=True; Locked=False;
                               PasswordNeverExpires=True; ChangePasswordAtNextLogin=False; Base64PhotoData=;
                               IsSystemOwned=False; LastLoginDate=; CreatedDate=2024-03-18T15:37:42Z; CreatedByUserId=1;
                               CreatedByUserDisplayName=pam-admin; ModifiedDate=2024-03-18T15:37:42Z; ModifiedByUserId=1;
                               ModifiedByUserDisplayName=pam-admin; RequireCertificateAuthentication=False;
                               DirectoryRequireCertificateAuthentication=False; LinkedAccountsCount=4}}
DirectoryGroupSyncProperties : @{PrimaryAuthenticationProviderId=; PrimaryAuthenticationProviderTypeReferenceName=Unknown;
                               PrimaryAuthenticationProviderName=; RequireCertificateAuthentication=False;
                               SecondaryAuthenticationProviderId=;
                               SecondaryAuthenticationProviderTypeReferenceName=Unknown;
                               SecondaryAuthenticationProviderName=; LinkDirectoryAccounts=False;
                               AllowPersonalAccounts=False; AdminRoles=System.Object[]}

PS C:\Users\tw> Edit-SafeguardUserGroup -GroupToEdit 28 -Operation Remove -UserList 8
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://spp1-demo48.demo48.reportit.at/service/core/v4/Users/8?fields=Id%2CName%2CPrimaryAuthenticationProvider.Id
VERBOSE: Parameters={
    "fields":  "Id,Name,PrimaryAuthenticationProvider.Id"
}
VERBOSE: GET https://spp1-demo48.demo48.reportit.at/service/core/v4/Users/8?fields=Id,Name,PrimaryAuthenticationProvider.Id with 0-byte payload
VERBOSE: received 61-byte response of content type application/json; charset=utf-8
VERBOSE: Enabling SSL on Windows platform
VERBOSE: Removing the trust everything callback
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://spp1-demo48.demo48.reportit.at/service/core/v4/UserGroups/28/Members/Remove
VERBOSE: Parameters=
VERBOSE: ---Request Body---
VERBOSE: [
    {
        "Id":  8,
        "Name":  "tw",
        "PrimaryAuthenticationProvider":  {
                                              "Id":  1
                                          }
    }
]
VERBOSE: POST https://spp1-demo48.demo48.reportit.at/service/core/v4/UserGroups/28/Members/Remove with -1-byte payload
VERBOSE: received 2-byte response of content type application/json; charset=utf-8
VERBOSE: Enabling SSL on Windows platform
VERBOSE: Removing the trust everything callback
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://spp1-demo48.demo48.reportit.at/service/core/v4/UserGroups/28
VERBOSE: Parameters=
VERBOSE: GET https://spp1-demo48.demo48.reportit.at/service/core/v4/UserGroups/28 with 0-byte payload
VERBOSE: received 2500-byte response of content type application/json; charset=utf-8

Id                           : 28
Name                         : LUG_Enterprise Admins
Description                  :
IdentityProvider             : @{Id=-1; Name=Local; TypeReferenceName=Local; IdentityId=LUG_Enterprise Admins}
IsReadOnly                   : False
CreatedDate                  : 2024-07-04T13:40:30Z
CreatedByUserId              : 8
CreatedByUserDisplayName     : tw
ModifiedDate                 : 2024-08-01T09:11:50Z
ModifiedByUserId             : 8
ModifiedByUserDisplayName    : tw
DirectoryProperties          :
Members                      : {@{AdminRoles=System.Object[]; Id=8; Name=tw; Description=; DisplayName=tw; LastName=;
                               FirstName=tw; EmailAddress=; WorkPhone=; MobilePhone=; PrimaryAuthenticationProvider=;
                               SecondaryAuthenticationProvider=; IdentityProvider=; Disabled=False; TimeZoneId=UTC;
                               TimeZoneDisplayName=(UTC) Coordinated Universal Time; TimeZoneIanaName=Etc/UTC;
                               IsPartitionOwner=False; DirectoryProperties=; CloudAssistantApproveEnabled=False;
                               CloudAssistantRecipientId=; AllowPersonalAccounts=True; Locked=False;
                               PasswordNeverExpires=True; ChangePasswordAtNextLogin=False; Base64PhotoData=;
                               IsSystemOwned=False; LastLoginDate=; CreatedDate=2024-03-18T15:37:42Z; CreatedByUserId=1;
                               CreatedByUserDisplayName=pam-admin; ModifiedDate=2024-03-18T15:37:42Z; ModifiedByUserId=1;
                               ModifiedByUserDisplayName=pam-admin; RequireCertificateAuthentication=False;
                               DirectoryRequireCertificateAuthentication=False; LinkedAccountsCount=4}}
DirectoryGroupSyncProperties : @{PrimaryAuthenticationProviderId=; PrimaryAuthenticationProviderTypeReferenceName=Unknown;
                               PrimaryAuthenticationProviderName=; RequireCertificateAuthentication=False;
                               SecondaryAuthenticationProviderId=;
                               SecondaryAuthenticationProviderTypeReferenceName=Unknown;
                               SecondaryAuthenticationProviderName=; LinkDirectoryAccounts=False;
                               AllowPersonalAccounts=False; AdminRoles=System.Object[]}

Test2 (working)

Tool Version
Powershell 5.1.20348.2110
safeguard-ps Module 7.4.126553
Appliance version 7.4.1.20309

working:

PS C:\Users\tw> Edit-SafeguardUserGroup -GroupToEdit 3 -Operation Add -UserList 1

Id                           : 3
Name                         : Test
Description                  :
IdentityProvider             : @{Id=-1; Name=Local; TypeReferenceName=Local; IdentityId=Test}
IsReadOnly                   : False
CreatedDate                  : 2024-08-01T09:04:40Z
CreatedByUserId              : 2
CreatedByUserDisplayName     : svc_idm
ModifiedDate                 : 2024-08-01T09:09:03Z
ModifiedByUserId             : 2
ModifiedByUserDisplayName    : svc_idm
DirectoryProperties          :
Members                      : {@{AdminRoles=System.Object[]; Id=1; Name=tw; Description=; DisplayName=tw; LastName=;
                               FirstName=; EmailAddress=; WorkPhone=; MobilePhone=; PrimaryAuthenticationProvider=;
                               SecondaryAuthenticationProvider=; IdentityProvider=; Disabled=False; TimeZoneId=UTC;
                               TimeZoneDisplayName=(UTC) Coordinated Universal Time; TimeZoneIanaName=Etc/UTC;
                               IsPartitionOwner=False; DirectoryProperties=; CloudAssistantApproveEnabled=False;
                               CloudAssistantRecipientId=; AllowPersonalAccounts=False; Locked=False;
                               PasswordNeverExpires=True; ChangePasswordAtNextLogin=False; Base64PhotoData=;
                               IsSystemOwned=False; LastLoginDate=; CreatedDate=2024-07-23T14:08:11Z;
                               CreatedByUserId=-2; CreatedByUserDisplayName=Bootstrap Administrator;
                               ModifiedDate=2024-07-23T14:56:45Z; ModifiedByUserId=-3;
                               ModifiedByUserDisplayName=Automated System; RequireCertificateAuthentication=False;
                               DirectoryRequireCertificateAuthentication=False; LinkedAccountsCount=0}}
DirectoryGroupSyncProperties : @{PrimaryAuthenticationProviderId=;
                               PrimaryAuthenticationProviderTypeReferenceName=Unknown;
                               PrimaryAuthenticationProviderName=; RequireCertificateAuthentication=False;
                               SecondaryAuthenticationProviderId=;
                               SecondaryAuthenticationProviderTypeReferenceName=Unknown;
                               SecondaryAuthenticationProviderName=; LinkDirectoryAccounts=False;
                               AllowPersonalAccounts=False; AdminRoles=System.Object[]}

PS C:\Users\tw> Edit-SafeguardUserGroup -GroupToEdit 3 -Operation Remove -UserList 1
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://192.168.50.40/service/core/v4/Users/1?fields=Id%2CName%2CPrimaryAuthenticationProvider.Id
VERBOSE: Parameters={
    "fields":  "Id,Name,PrimaryAuthenticationProvider.Id"
}
VERBOSE: GET https://192.168.50.40/service/core/v4/Users/1?fields=Id,Name,PrimaryAuthenticationProvider.Id with 0-byte payload
VERBOSE: received 62-byte response of content type application/json; charset=utf-8
VERBOSE: Enabling SSL on Windows platform
VERBOSE: Removing the trust everything callback
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://192.168.50.40/service/core/v4/UserGroups/3/Members/Remove
VERBOSE: Parameters=
VERBOSE: ---Request Body---
VERBOSE: [
    {
        "Id":  1,
        "Name":  "tw",
        "PrimaryAuthenticationProvider":  {
                                              "Id":  -1
                                          }
    }
]
VERBOSE: POST https://192.168.50.40/service/core/v4/UserGroups/3/Members/Remove with -1-byte payload
VERBOSE: received 2-byte response of content type application/json; charset=utf-8
VERBOSE: Enabling SSL on Windows platform
VERBOSE: Removing the trust everything callback
VERBOSE: Insecure=True
VERBOSE: Configuring SSL version support to be secure
VERBOSE: Disabling SSL on Windows platform
VERBOSE: Adding the trust everything callback
VERBOSE: ---Request---
VERBOSE: Headers={
    "Accept":  "application/json",
    "Content-type":  "application/json"
}
VERBOSE: Url=https://192.168.50.40/service/core/v4/UserGroups/3
VERBOSE: Parameters=
VERBOSE: GET https://192.168.50.40/service/core/v4/UserGroups/3 with 0-byte payload
VERBOSE: received 817-byte response of content type application/json; charset=utf-8

Id                           : 3
Name                         : Test
Description                  :
IdentityProvider             : @{Id=-1; Name=Local; TypeReferenceName=Local; IdentityId=Test}
IsReadOnly                   : False
CreatedDate                  : 2024-08-01T09:04:40Z
CreatedByUserId              : 2
CreatedByUserDisplayName     : svc_idm
ModifiedDate                 : 2024-08-01T09:09:06Z
ModifiedByUserId             : 2
ModifiedByUserDisplayName    : svc_idm
DirectoryProperties          :
Members                      : {}
DirectoryGroupSyncProperties : @{PrimaryAuthenticationProviderId=;
                               PrimaryAuthenticationProviderTypeReferenceName=Unknown;
                               PrimaryAuthenticationProviderName=; RequireCertificateAuthentication=False;
                               SecondaryAuthenticationProviderId=;
                               SecondaryAuthenticationProviderTypeReferenceName=Unknown;
                               SecondaryAuthenticationProviderName=; LinkDirectoryAccounts=False;
                               AllowPersonalAccounts=False; AdminRoles=System.Object[]}
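
Because the failing remove in the first post and in Test1 above returns without any exception, the only reliable signal is to re-read the membership afterwards. The helper below is an added example, not code from safeguard-ps or from the issue; it wraps the Get-SafeguardUserGroup and Edit-SafeguardUserGroup calls shown in this thread and assumes an already connected Safeguard session.

```powershell
# Added example: remove users from a Safeguard user group and verify the
# removal actually took effect, since Edit-SafeguardUserGroup -Operation Remove
# can silently do nothing on some appliance versions (see Test1 above).
function Remove-SafeguardUserGroupMemberVerified {
    [CmdletBinding()]
    param(
        # Group Id or name, passed straight through to the safeguard-ps cmdlets
        [Parameter(Mandatory)] $GroupToEdit,
        # Numeric user Ids to remove (assumption: Ids, as in the Test1/Test2 commands)
        [Parameter(Mandatory)] [int[]] $UserIds
    )

    # Snapshot membership before the change, keyed on the member Id
    $before = @((Get-SafeguardUserGroup $GroupToEdit).Members.Id)
    $notMembers = @($UserIds | Where-Object { $_ -notin $before })
    if ($notMembers.Count -gt 0) {
        Write-Warning "Not currently members of '$GroupToEdit': $($notMembers -join ', ')"
    }

    # Perform the removal; the cmdlet returns the group object, which we discard
    $null = Edit-SafeguardUserGroup -GroupToEdit $GroupToEdit -Operation Remove -UserList $UserIds

    # Re-read membership and fail loudly if any requested user is still present
    $after = @((Get-SafeguardUserGroup $GroupToEdit).Members.Id)
    $stillPresent = @($UserIds | Where-Object { ($_ -in $after) -and ($_ -in $before) })
    if ($stillPresent.Count -gt 0) {
        throw ("Removal silently failed for user Id(s) {0} in group '{1}'. " +
               "Check the appliance audit log (Activity Center) for a member-removed event.") `
               -f ($stillPresent -join ', '), $GroupToEdit
    }

    # Return the verified post-change member Ids for the caller to log or assert on
    return $after
}

# Usage (matches the Test1 scenario above: group 28, user 8)
# Remove-SafeguardUserGroupMemberVerified -GroupToEdit 28 -UserIds 8 -Verbose
```

Run it with -Verbose to keep the request trace shown in this thread alongside the verification result.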

Kevin-Andrew commented 2 months ago

After running the script against the appliance that doesn't work (the 7.5.0.20689 appliance), what does the Safeguard Audit Log (Activity Center Reports) say happened? Is there an audit of the member being removed?