pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

How to read and update/add File Categories using psPAS? #312

Closed tronatore closed 4 years ago

tronatore commented 4 years ago

Your Environment

PreProduction

Expected Behaviour

Is there any command in psPAS that allows (as with PoshPACLI's XXX-PVFileCategory) to read and modify/add a Category (such as CPMStatus or ResetImmediately)?

I have been using PoshPACLI for CyberArk v9.9.5 and one of the tasks I execute is Account Reconciliation through updating or removing flags such as CPMStatus, LastTask, ResetImmediately, RetriesCount and CPMDisabled, so the modified account will be flagged for reconciliation.

Now I am using the REST API and psPAS but I cannot see where or how to update these categories. I cannot find anything that resembles PoshPACLI's Add-PVFileCategory / Set-PVFileCategory.

Maybe on CyberArk v11+ these operations cannot be executed, or is this a case of the REST API working differently?

Current Behaviour

No command similar to XXX-PVFileCategory seems to exist in psPAS.

Possible Solution

Is there any complement or add-on I can work with in order to execute XXX-PVFileCategory type-of operations with psPAS?

Steps to Reproduce (for bug reports)

NA

Context

Besides automating the reconciliation of accounts, based on the PoshPACLI experience, I try to change/reconcile accounts in CyberArk v11 using psPAS. I know that to flag accounts to be reconciled, certain categories can be updated/removed (see above). With psPAS I cannot find a substitute command to update/remove these categories (not just to reconcile accounts but, furthermore, to set and modify categories and other attributes based on the client's request).

pspete commented 4 years ago

Hi @tronatore

For Reconcile (and verify/change), use Invoke-PASCPMOperation

For updating account properties, use Set-PASAccount

Keep in mind, REST API does not have an equivalent command for every PACLI capability.

tronatore commented 4 years ago

Thx for the information. Allow me to understand all these topics:

  1. Regarding the Reconcile: just by issuing one "Invoke-PASCPMOperation", the account needs nothing else to be flagged to get reconciled? Is that it?

  2. Regarding the Categories, I know attributes/properties such as "Address" can be updated using "Set-PASAccount" as you mentioned. But does this mean I cannot change any of the "other" categories of an account (such as CPMDisabled, RetriesCount, LastFailDate, CPMStatus, LastTask, etc.)?

pspete commented 4 years ago

  1. Yes, just: Invoke-PASCPMOperation -AccountID 123_4 -ReconcileTask
  2. You can change the file categories relevant to the account/platform.

psPAS has Enable-PASCPMAutoManagement available to enable CPM management where it has been disabled by a user. If it's disabled by CPM, you are right, with PACLI you could just remove the "CPMStatus", "RetriesCount", "CPMDisabled" & "LastTask" categories - with the API, you can issue a reconcile to achieve the same.
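
The two REST-side replacements for the PACLI category edits discussed above, combined into one gated routine. This is an added example, not part of the original thread and not psPAS's own code. Assumptions: `Repair-CpmManagement` is a hypothetical helper name, the session URL is a placeholder, a current psPAS version supplies `Get-PASAccount -safeName`, and the `secretManagement` fields returned by the account API are interpreted as noted in the comments.

```powershell
#Requires -Modules psPAS
# Added example. Assumes an authenticated session already exists, e.g.:
#   New-PASSession -Credential (Get-Credential) -BaseURI https://pvwa.example.test  # placeholder URL

function Repair-CpmManagement {   # hypothetical helper, not a psPAS command
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SafeName,
        [string]$Search
    )

    # Scope the query to one safe so a typo cannot touch the whole vault.
    $query = @{ safeName = $SafeName }
    if ($Search) { $query.search = $Search }

    foreach ($account in Get-PASAccount @query) {
        $sm = $account.secretManagement

        # Assumption: automaticManagementEnabled = $false means management was
        # switched off on the account; a status beginning 'failure' means the
        # CPM's last operation failed and a reconcile is the remedy.
        $action = 'None'
        if (-not $sm.automaticManagementEnabled) { $action = 'EnableAutoManagement' }
        elseif ($sm.status -like 'failure*') { $action = 'Reconcile' }

        $result = 'Skipped'
        $target = '{0} ({1}@{2})' -f $account.id, $account.userName, $account.address
        try {
            if ($action -ne 'None' -and $PSCmdlet.ShouldProcess($target, $action)) {
                if ($action -eq 'EnableAutoManagement') {
                    Enable-PASCPMAutoManagement -AccountID $account.id -ErrorAction Stop | Out-Null
                }
                else {
                    Invoke-PASCPMOperation -AccountID $account.id -ReconcileTask -ErrorAction Stop
                }
                $result = 'Requested'
            }
        }
        catch { $result = "Error: $($_.Exception.Message)" }

        # One record per account, suitable for a change log or ticket.
        [pscustomobject]@{
            AccountId = $account.id
            Reason    = $sm.manualManagementReason
            Status    = $sm.status
            Action    = $action
            Result    = $result
        }
    }
}
```

Running it with `-WhatIf` first lists the action chosen for each account without changing anything.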

tronatore commented 4 years ago

Ok. Perfect!

So Invoke-PASCPMOperation includes all flags necessary for the accounts to get reconciled. (Awesome!)

And, I understand that from now on, by using REST API/psPAS, with Enable-PASCPMAutoManagement, I could change one of those categories that you listed before. Otherwise, these categories are not accessible to the programmer (unless PACLI is involved).

tronatore commented 4 years ago

Thank you Pete for your help! Much appreciated.

pspete commented 4 years ago

No problem - closing for now