pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Get-PASSafeMember -MemberName UPN format issue #392

Closed OptimusPrimo closed 2 years ago

OptimusPrimo commented 2 years ago

Describe the issue
Unable to enumerate member permissions of a chosen safe when the username is in UPN format (where the username contains a period). Would like to get the permissions of the current logged-on user against a safe, even if they were in a group.

Thanks in advance

To Reproduce
Steps to reproduce the behavior:

Get-PASSafeMember -SafeName 'SafeName' -MemberName "LocalUserAccount"

This works.

Get-PASSafeMember -SafeName 'SafeName' -MemberName "InvalidUsername"

This returns "[404] Owner InvalidUsername was not found in safe SafeName" and therefore also works.

However:

Get-PASSafeMember -SafeName 'SafeName' -MemberName "User@domain.com"

This returns:

404 File or directory not found
Server Error
404 File or directory not found
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Removing the period from the above cmdlet returns "[404] Owner User@domaincom was not found in safe SafeName" and therefore also works.

Even attempted the following, however this also failed:

$AdminUser = (Get-PASSession).User
Get-PASSafeMember -SafeName 'SafeName' -MemberName $AdminUser

Expected behavior
Return the current logged-on user's permissions against a safe.

Screenshots & Console Output

Your Environment
Include relevant details about your environment

pspete commented 2 years ago

Hi @OptimusPrimo,

In 12.2 using the Gen2-MemberFilter parameterset, the safe member should be returned:

 > Get-PASSafeMember -SafeName 1_SomeSafe_001_OXW -search user@domain.com

UserName        SafeName           Permissions                                                                        
--------        --------           -----------                                                                        
user@domain.com 1_SomeSafe_001_OXW @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False;...

Am also seeing success using the Gen1-MemberPermissions parameterset:

 > Get-PASSafeMember -SafeName 1_SomeSafe_001_OXW -MemberName user@domain.com -UseGen1API

UserName        SafeName           Permissions                                                                        
--------        --------           -----------                                                                        
user@domain.com 1_SomeSafe_001_OXW @{UseAccounts=True; RetrieveAccounts=True; ListAccounts=True; AddAccounts=False;...

If you want to investigate the issue with querying a safe member whose name is in UPN format further, I would suggest first confirming that you can perform the action outside of the module:

Issue #388 is slightly similar.

If you come across any findings that could be included in the module, let us know here or submit a PR 👍
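The following helper is an added example written for this thread; it is not part of psPAS and not code posted by either participant. It wraps the Gen2 `-search` parameter set pspete shows working in 12.2 so the UPN never lands in the URL path, filters the result down to an exact UserName match (a search filter can also return other members whose names contain the string), defaults to the user of the current session via `(Get-PASSession).User` as in the original report, and offers the Gen1 `-UseGen1API` path as an alternative. It assumes a psPAS session has already been established with `New-PASSession`; the function name and parameter names are my own.

```powershell
# Added example, not part of psPAS: look up one safe member by exact UserName.
# Assumes an existing psPAS session (New-PASSession already run) against a
# 12.2 or later PVWA, where the Gen2-MemberFilter parameter set is available.
function Get-SafeMemberByName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $SafeName,

        # Defaults to the user of the current psPAS session (evaluated when unbound)
        [string] $MemberName = (Get-PASSession).User,

        # Use the Gen1 API instead; pspete reported this also accepts a UPN
        [switch] $UseGen1API
    )

    if ($UseGen1API) {
        # Gen1-MemberPermissions parameter set: UPN passed directly as -MemberName
        return Get-PASSafeMember -SafeName $SafeName -MemberName $MemberName -UseGen1API
    }

    # Gen2: -search is a filter, so the member name is not placed in the URL path.
    # A filter may match more than one member, so keep only the exact match
    # (case-insensitive, matching how directory user names are usually compared).
    $members = Get-PASSafeMember -SafeName $SafeName -search $MemberName
    $exact   = @($members | Where-Object { $_.UserName -ieq $MemberName })

    if ($exact.Count -eq 0) {
        Write-Warning "No member named '$MemberName' found in safe '$SafeName'."
        return $null
    }

    return $exact[0]
}

# Usage: permissions of the currently logged-on user on a safe
$member = Get-SafeMemberByName -SafeName 'SafeName'
if ($member) { $member.Permissions }
```

Note that this only returns a direct membership entry: if the user holds access through a group, the safe lists the group, not the user, so the warning branch fires and group membership has to be resolved separately.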