Invoke-PASRestMethod failure to execute when passing SafeMember to Get-PASSafeMember

[vhd7241]

Describe the issue When trying to update a powershell script used to retrieve SafeMembers and all of their permissions, Get-PASSafeMember fails to execute when using the -SafeMember option.

To Reproduce Steps to reproduce the behavior:

1. Sucessfully receive PASSession token
2. Run Get-PASSafeMember with known safe name
3. Run Get-PASSafeMember with -Safemember ""

Expected behavior Expected to receive permissions data similar to when not using the -SafeMember option, but including 'Access Safe Without Confirmation' & 'Authorize Access Requests'

Screenshots & Console Output

Console Output Code Block:

#Failure to run with MemberName option
C:\Windows\system32> Get-PASSafeMember -SafeName "SafeName" -MemberName "SafeManager"
Invoke-PASRestMethod : [403] 
At line:139 char:13
+         $result = Invoke-PASRestMethod @Request
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"C...rorMessage":""}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : CAWS00001E,Invoke-PASRestMethod

#Runs successfully without
C:\Windows\system32> Get-PASSafeMember -SafeName "SafeName"

UserName                 SafeName     Permissions                                                        
--------                 --------     -----------                                                        
Master                   SafeName {Add, AddRenameFolder, BackupSafe, Delete...}                      
Batch                    SafeName {Add, AddRenameFolder, BackupSafe, Delete...}                      
Backup Users             SafeName BackupSafe                                                         
Auditors                 SafeName {ListContent, ViewAudit, ViewMembers}                              
Operators                SafeName {AddRenameFolder, DeleteFolder, ManageSafe, MoveFilesAndFolders...}
DR Users                 SafeName BackupSafe

Your Environment Include relevant details about your environment

• PowerShell Version: 5.1.14393.3866
• psPAS Version: 3.2.37
• CyberArk Version: 11.2

Additional context

[pspete]

From the help text/documentation for the MemberName parameter: -MemberName Specify the name of a safe member to return their safe permissions in full.

    An empty PUT request (update) is sent to retrieve full safe permissions for a user, as such: - You cannot
    report on the permissions of the user authenticated to the API.

    - Reporting on the permissions of the Quota Owner is expected to fail.

Is "SafeManager" the user being used to run the command? Is "SafeManager" the quota owner? In both cases, the expected result is a failure. The error code received is 403 (forbidden); the user running the command is required to be able to update member permissions on the safe as specifying MemberName requires a PUT request to be invoked: https://cyberark-customers.force.com/s/article/00005189

[vhd7241]

Hi Pete, SafeMember is an internal Vault account. A separate ActiveDirectory account is being used to run the command(s). Apologies, but what do you mean by "quota owner"?

Thank you for the clarification that it is using a PUT request for pulling this information from a safe.

[vhd7241]

I have since found a KB describing that the quota owner is the safe owner in summary. I can confirm the ActiveDirectory account running the command is not the quota owner of the safe that is being called for.

[pspete]

You are left with solving the returned 403 status code. It points to a permissions issue. The version of the module you are using is 18 months out of date - newer versions provide much more detailed error messages which may help in determining the cause. Forewarning - breaking changes for Get-PASSafeMember were introduced in version 4.0.0 of psPAS (the output of the function was changed) so if you have scripts which rely on the output as it was in the 3.2.37 version of the module you currenlty use, they will need updating. See changelog for details of all updates: https://github.com/pspete/psPAS/blob/master/CHANGELOG.md#3237-sept-17th-2019

[vhd7241]

Thank you for the clarification Pete. I will update our module in a test environment and work to resolve the 403 error on my side. I appreciate the quick responses and help very much.