pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Remove-PASGroupMember 404 Error #356

Closed keagylabs closed 3 years ago

keagylabs commented 3 years ago

Your Environment

Expected Behaviour

Removing an active vault user from a vault group

Current Behaviour

Invoke-PASRestMethod : 404 File or directory not found Server Error 404 File or directory not found The resource you are looking for might have been removed had its name changed or is temporarily unavailable

Possible Solution

Steps to Reproduce (for bug reports)

1. Open PowerShell as administrator

2. New-PASSession as a Vault Admin

3. Remove-PASGroupMember -GroupID 1536 -Member username@domain.com

4. Receive 404 error

Context

We are able to add users to the appropriate vault groups using the Add-PASGroupMember... But when we try to delete the user from the group it gives us a 404 error.

We have tried using the GroupName as well as the GroupID but no luck. What's strange is we can add the user to the group but when removing it says it cannot find (404).

Please help!

pspete commented 3 years ago

Does the same happen outside of the module?

# after New-PASSession
$s = Get-PASSession

$GroupID = "1536"
$Member = "username@domain.com"

# Send the DELETE directly, bypassing Remove-PASGroupMember
$Request = @{
    "Method"      = "DELETE"
    "Uri"         = "$($s.BaseUri)/API/UserGroups/$GroupID/members/$Member"
    "WebSession"  = $s.WebSession
    "ContentType" = "application/json"
}
Invoke-RestMethod @Request

pspete commented 3 years ago

@keagylabs report back if you can successfully remove the member using a REST call outside of the module, as then a fix for the module's code can be worked on.

keagylabs commented 3 years ago

@pspete Hello! Thank you for your swift response. I was out due to holiday.

I tried the REST call outside of the module above and we are still receiving the same error:

Invoke-RestMethod :
404 - File or directory not found.
Server Error

  404 - File or directory not found.
  The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

At line:1 char:1
+ Invoke-RestMethod @Request
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

I verified that I am able to add another user via AddPASGroupMember and performing the test again on the new user no luck....

Is there a reason why using the AddPASGroupMember module we do not use ID but we use the group name? I know this is a separate question from this issue so feel free to ignore... was just curious.

Let me know if you need anything else from me

pspete commented 3 years ago

> Is there a reason why using the AddPASGroupMember module we do not use ID but we use the group name?

Using group name is specific to the Gen 1 API. You can specify a groupId to direct the request to the Gen 2 API (requires 10.6+). The available syntax is detailed in the docs: https://pspas.pspete.dev/commands/Add-PASGroupMember#syntax

As the group member removal is not working when attempted outside the module, it appears to not relate to the module's code, it is perhaps something to raise via your usual support channels.

Remove-PASGroupMember is coded against the following specification from the vendor: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/RemoveUserFromGroup.htm?tocpath=Developer%7CREST%20APIs%7CUser%20management%7CGroups%7C_____6

pspete commented 3 years ago

@keagylabs - I had some time to look into this a bit further. Issue was able to be replicated when attempting removal of a group member which has an '@' symbol in the username. (Users without an '@' symbol did not exhibit the issue)

Based on the detail from this article: https://cyberark-customers.force.com/s/article/Error-404-for-PVWA-API-when-username-with-period-character-is-used

A fix has now been applied to the dev branch and will be included in the next release of the module.

Thanks for the report 👍🏼
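
A pre-flight check for the case described in the last comment, as an added example that is not part of the thread or of psPAS: it reports which member names contain the characters named above and how each name looks as a percent-encoded path segment in the removal URI. `Get-MemberUriReport`, the base URI and the sample member names are assumptions constructed for illustration.

```powershell
# Added example, not psPAS code. Get-MemberUriReport is a hypothetical helper;
# the base URI, group ID and member names are constructed sample values.
function Get-MemberUriReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BaseUri,
        [Parameter(Mandatory)][string]$GroupID,
        [Parameter(Mandatory)][string[]]$Member
    )
    foreach ($m in $Member) {
        # Percent-encode the name so it travels as one URI path segment.
        $escaped = [uri]::EscapeDataString($m)

        $notes = @()
        if ($m.Contains('@')) { $notes += "'@' (the case replicated in this issue)" }
        if ($m.Contains('.')) { $notes += "'.' (the case named in the linked article title)" }

        [pscustomobject]@{
            Member          = $m
            Contains        = $notes -join ', '
            # '@' becomes %40; '.' is an unreserved character and is left as-is,
            # so encoding changes the first kind of name but not the second.
            EncodingChanges = ($escaped -cne $m)
            Uri             = "$BaseUri/API/UserGroups/$GroupID/members/$escaped"
        }
    }
}

$sample = 'svc_backup', 'first.last', 'username@domain.com'   # constructed names
Get-MemberUriReport -BaseUri 'https://pvwa.example.test/PasswordVault' -GroupID '1536' -Member $sample |
    Format-List
```

Run against an export of group members, the `Contains` column identifies the accounts worth testing first when a bulk removal script starts returning 404.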