pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

remove-PASSafeMember returns 404 error when membername contains at-sign #388

Closed putnyx-zz closed 2 years ago

putnyx-zz commented 2 years ago

Describe the issue

remove-PASSafeMember returns 404 error when membername contains at-sign

Steps to reproduce the behavior:

  1. get-PASSafeMember -SafeName "ILOADMIN"
  2. remove-PASSafeMember -SafeName "ILOADMIN" -membername DLG-ILOADMIN_Owners@mydomain.local

Expected behavior

The member of the safe should be removed from the safe.

Screenshots & Console Output

NOTE: Actual safe names and member names have been redacted/altered for this posting.

1. get-PASSafeMember -SafeName "ILOADMIN" -verbose
UserName                                 SafeName
--------------------------------------------------
DLG-ILOADMIN_Owners@mydomain.local       ILOADMIN
DLG-ILOADMIN_Readers@mydomain.local      ILOADMIN
DLG-ILOADMIN_Auditors@mydomain.local     ILOADMIN
DLG-ILOADMIN_Creators@mydomain.local     ILOADMIN
DLG-ILOADMIN_SafeManagers@mydomain.local     ILOADMIN

2. remove-PASSafeMember -SafeName "ILOADMIN" -membername DLG-ILOADMIN_Owners@mydomain.local -Verbose
VERBOSE: Performing the operation "Remove Safe Member 'DLG-ILOADMIN_Owners@mydomain.local'" on target "ILOADMIN".
VERBOSE: DELETE https://secvault.fenetwork.com/PasswordVault/api/Safes/ILOADMIN/members/DLG-ILOADMIN_Owners%40mydomain.local with 0-byte payload
Invoke-PASRestMethod :  404 File or directory not found Server Error 404 File or directory not found The resource you are looking for might have been removed had its name changed or is temporarily 
unavailable 
At line:58 char:4
+             Invoke-PASRestMethod -Uri $URI -Method DELETE -WebSession ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (
404 - F...ble.

:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : 404,Invoke-PASRestMethod

Your Environment

Windows client with PowerShell

Additional context

I am able to delete members (groups) that have no domain-name (no at-sign).

pspete commented 2 years ago

Hi @putnyx

Can you confirm if you are able to see success executing the process outside of the module, either in native PowerShell or using an alternative tool?

Is the same issue observed using the Gen1 API?

Remove-PASSafeMember -SafeName "ILOADMIN" -membername DLG-ILOADMIN_Owners@mydomain.local -UseGen1API
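
One way to run the same DELETE outside the module in native PowerShell, as the comment above asks. This is an added example, not psPAS code and not written by either commenter; the function name, parameters and base URL are hypothetical. It assumes the URL path shown in the verbose output of the report, a session token sent in the `Authorization` header, and API errors returned as JSON with `ErrorCode`/`ErrorMessage`.

```powershell
# Added example; not psPAS code. Function and parameter names are hypothetical.
function Invoke-SafeMemberDeleteTest {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$BaseUri,      # placeholder, e.g. https://pvwa.example.test/PasswordVault
        [Parameter(Mandatory)][string]$SafeName,
        [Parameter(Mandatory)][string]$MemberName,
        [Parameter(Mandatory)][string]$SessionToken  # assumed: token from an earlier API logon
    )

    # Percent-encode each path segment; '@' becomes %40, as in the verbose output above.
    $safe   = [uri]::EscapeDataString($SafeName)
    $member = [uri]::EscapeDataString($MemberName)
    $uri    = '{0}/api/Safes/{1}/members/{2}' -f $BaseUri.TrimEnd('/'), $safe, $member

    # -WhatIf stops here and only prints the URI that would be called.
    if (-not $PSCmdlet.ShouldProcess($uri, 'DELETE')) { return }

    try {
        $headers = @{ Authorization = $SessionToken }
        $null = Invoke-RestMethod -Uri $uri -Method Delete -Headers $headers
        [pscustomobject]@{ Uri = $uri; Status = 'Success'; Source = 'API'; Detail = $null }
    }
    catch {
        $response = $_.Exception.Response
        $status = if ($response) { [int]$response.StatusCode } else { $null }
        $body   = [string]$_.ErrorDetails.Message
        $source = 'Unknown'
        $detail = $_.Exception.Message

        if ($body) {
            try {
                # API-level errors are expected as JSON carrying ErrorCode/ErrorMessage.
                $json = $body | ConvertFrom-Json -ErrorAction Stop
                if ($json.ErrorCode) { $source = 'API'; $detail = $json.ErrorMessage }
            }
            catch {
                # Heuristic: an HTML body is a web server error page, not an API error object.
                if ($body -match '(?i)<html|<!DOCTYPE') { $source = 'WebServerErrorPage' }
            }
        }
        [pscustomobject]@{ Uri = $uri; Status = $status; Source = $source; Detail = $detail }
    }
}
```

Running it with `-WhatIf` first shows the exact encoded URI without sending anything; the `Source` field of a real call separates an API-level error from an HTML error page like the 404 text in the report.
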

putnyx-zz commented 2 years ago

Hello @pspete I am not much of a programmer but I tried to use the URL from the debug output, in a browser, and observed that PVWA returns the 404 error. I tried various methods to 'escape' the at-sign, without success. I would not be surprised if the issue exists in the API not psPAS.

Having a limited time window, I resorted back to running PACLI.exe and deleting the groups through a series of PACLI commands.

I'm not able to try further debugging because my maintenance window is closed. If I have a need to do cleanup in the future I'll try again with the Gen1 API.

pspete commented 2 years ago

ok - I'll close this for now - feel free to reopen if there is other data to include