pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Issue with CPM permissions in Add-PASSafeMember.ps1 script #349

Closed Wim-Dams closed 3 years ago

Wim-Dams commented 3 years ago

Describe the issue

I really love this psPAS module, but when we upgraded to version 5.0.0 suddenly all newly created safes didn't have the CPM permissions anymore. When we just use the Add-PASSafeMember script like below, it sets all permissions except InitiateCPMAccountManagementOperations=True; SpecifyNextAccountContent=True;

Command used:

```powershell
$result = $PermissionObject.Permissions | Add-PASSafeMember -SafeName $SafeName -MemberName $UserName -SearchIn $SearchInValue -ErrorAction Stop
```

Possible fix

My current quickfix was to add the following to these 2 parameters:

```powershell
[parameter( Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2' )]
```

In the script itself it uses `{ $PSItem -match '^Gen2' }`, so everything that starts with Gen2, like Gen2-CPM, is accepted, so I guess the issue is in the command `ConvertTo-SortedPermission -Gen2`, where you only do a case check on the complete value and discard all the rest.

I'm not sure my quickfix was a good one.


pspete commented 3 years ago

Thanks for the report @Wim-Dams , will find some time to take a look.

Wim-Dams commented 3 years ago

Hi Pete,

Thank you very much for looking into this.

The issue only happens when you pipe your object to the Add-PASSafeMember command. When you really specify the individual parameters, it indeed works.

```powershell
# Connect-ScriptAccount and get-DefaultSafePermissions are the reporter's own helpers, not psPAS cmdlets
Connect-ScriptAccount

# start from a clean state: remove the member before re-adding it
Remove-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300"

$SafePermissions = [PSCustomObject]@{
    UseAccounts                            = $True
    ListAccounts                           = $True
    RetrieveAccounts                       = $True
    InitiateCPMAccountManagementOperations = $True
    SpecifyNextAccountContent              = $True
}

# permission template for personal safes, taken from the reporter's own lookup
$SafeType = get-DefaultSafePermissions | where SafeType -eq Personal | where userobject -eq "0005_GS_CSKPERS"

$SafePermissions = $Safetype.permissions

# 1) pipe the permission object in: CPM permissions are lost
$SafePermissions | Add-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300" -SearchIn "ActiveDirectory" | Select-Object -ExpandProperty Permissions

# 2) pass the individual parameters: works as expected
Add-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300" -UseAccounts $True -InitiateCPMAccountManagementOperations $True -SpecifyNextAccountContent $True | Select-Object -ExcludeProperty Permissions

# 3) read back what the vault actually stored for the member
Get-PASSafeMember -SafeName "PERS_U30300" | where UserName -eq U30300
```

```text
useAccounts : True
retrieveAccounts : True
listAccounts : True
addAccounts : False
updateAccountContent : False
updateAccountProperties : False
initiateCPMAccountManagementOperations : False
specifyNextAccountContent : False
renameAccounts : False
deleteAccounts : False
unlockAccounts : False
manageSafe : False
manageSafeMembers : False
backupSafe : False
viewAuditLog : False
viewSafeMembers : False
accessWithoutConfirmation : False
createFolders : False
deleteFolders : False
moveAccountsAndFolders : False
requestsAuthorizationLevel1 : False
requestsAuthorizationLevel2 : False

safeUrlId : PERS_U30300
safeName : PERS_U30300
safeNumber : 54
memberId : 106
memberName : U30300
memberType : User
membershipExpirationDate :
isExpiredMembershipEnable : False
isPredefinedUser : False
permissions : @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False; updateAccountContent=False; updateAccountProperties=False; initiateCPMAccountManagementOperations=False; specifyNextAccountContent=False;
              renameAccounts=False; deleteAccounts=False; unlockAccounts=False; manageSafe=False; manageSafeMembers=False; backupSafe=False; viewAuditLog=False; viewSafeMembers=False; accessWithoutConfirmation=False; createFolders=False;
              deleteFolders=False; moveAccountsAndFolders=False; requestsAuthorizationLevel1=False; requestsAuthorizationLevel2=False}

UserName : U30300
```

From: Pete Maan @.> Sent: Saturday, 22 May 2021 2:07 To: pspete/psPAS @.> CC: Wim-Dams @.>; Mention @.> Subject: Re: [pspete/psPAS] Issue with CPM permissions in Add-PASSafeMember.ps1 script (#349)

Hi @Wim-Dams https://github.com/Wim-Dams - the issue is not reproducible here.

```powershell
Add-PASSafeMember -SafeName issue_349 -MemberName pspete -InitiateCPMAccountManagementOperations $true -SpecifyNextAccountContent $true | Select-Object -ExpandProperty Permissions
```

```text
useAccounts : False
retrieveAccounts : False
listAccounts : False
addAccounts : False
updateAccountContent : False
updateAccountProperties : False
initiateCPMAccountManagementOperations : True
specifyNextAccountContent : True
renameAccounts : False
deleteAccounts : False
unlockAccounts : False
manageSafe : False
manageSafeMembers : False
backupSafe : False
viewAuditLog : False
viewSafeMembers : False
accessWithoutConfirmation : False
createFolders : False
deleteFolders : False
moveAccountsAndFolders : False
requestsAuthorizationLevel1 : False
requestsAuthorizationLevel2 : False
```

Can you provide more information? Do the permissions get added if the -UseGen1API switch is specified? What is the content of $PermissionObject.Permissions?

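An added post-provisioning check (example code, not part of psPAS or of this thread) that reads a safe member back with Get-PASSafeMember and compares every reported permission flag against the template that was piped into Add-PASSafeMember, so a silently dropped grant like the CPM flags above, or an unexpected extra grant, is caught immediately. It assumes an existing psPAS session and only the cmdlets and parameters used in this thread; Test-PASSafeMemberPermissions and ConvertTo-PermissionBool are hypothetical names.

```powershell
# Added example, not psPAS project code. Assumes an existing psPAS session.

function ConvertTo-PermissionBool {
    # Flags may come back as booleans or as the strings 'True'/'False'; a plain [bool]
    # cast turns the non-empty string 'False' into $true, so parse strings explicitly.
    param($Value)
    if ($null -eq $Value) { return $false }
    if ($Value -is [string]) { return [System.Convert]::ToBoolean($Value) }
    return [bool]$Value
}

function Test-PASSafeMemberPermissions {
    param(
        [Parameter(Mandatory)][string]$SafeName,
        [Parameter(Mandatory)][string]$MemberName,
        [Parameter(Mandatory)][psobject]$ExpectedPermissions   # the template piped to Add-PASSafeMember
    )
    $member = Get-PASSafeMember -SafeName $SafeName | Where-Object UserName -eq $MemberName
    if (-not $member) { throw "Member '$MemberName' not found on safe '$SafeName'" }

    # Walk every permission the API reports. Anything absent from the template is
    # expected to be False, so over-provisioning is flagged as well as missing grants.
    $drift = foreach ($perm in $member.permissions.PSObject.Properties) {
        $expectedProp = $ExpectedPermissions.PSObject.Properties[$perm.Name]   # case-insensitive lookup
        $expected = if ($expectedProp) { ConvertTo-PermissionBool $expectedProp.Value } else { $false }
        $actual   = ConvertTo-PermissionBool $perm.Value
        if ($expected -ne $actual) {
            [pscustomobject]@{ Permission = $perm.Name; Expected = $expected; Actual = $actual }
        }
    }
    return $drift   # empty when the stored permissions match the template exactly
}

# Usage: provision via the pipeline exactly as in the report, then check for drift.
$template = [pscustomobject]@{
    UseAccounts                            = $true
    ListAccounts                           = $true
    RetrieveAccounts                       = $true
    InitiateCPMAccountManagementOperations = $true
    SpecifyNextAccountContent              = $true
}
$template | Add-PASSafeMember -SafeName 'PERS_U30300' -MemberName 'U30300' -SearchIn 'ActiveDirectory' | Out-Null
$drift = Test-PASSafeMemberPermissions -SafeName 'PERS_U30300' -MemberName 'U30300' -ExpectedPermissions $template
if ($drift) {
    $drift | Format-Table -AutoSize
    throw "Permission drift detected on safe PERS_U30300 for member U30300"
}
```

On the 5.0.0 behaviour described in this issue the check reports InitiateCPMAccountManagementOperations and SpecifyNextAccountContent as Expected True / Actual False and fails the provisioning run instead of leaving the safe silently unmanaged by the CPM.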

pspete commented 3 years ago

Hi @Wim-Dams - yes, initially I couldn't replicate, but then noticed the same regarding piping an object into the function. Fix incoming (already present in the issue-349 branch).

Thanks for reporting this, very much appreciated!