pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
295 stars 91 forks

Give same results of Get-PASUser independently on ID/Username/Search #393

Closed redboyhun closed 2 years ago

redboyhun commented 2 years ago

Get-PASUser shows different values using the ID than using the Username or Search parameters. ID shows much more, but to get the ID first I have to use Username or Search.

It would be nice if using Username or Search, the same level of details would be shown. Example: Email address of the user is only shown using ID, but not with the other 2.

Sample data: Using ID

Get-PASUser -id 3637 | fl

id                      : 3637
username                : User4545@domain88
source                  : LDAP
userType                : EPVUser
componentUser           : False
vaultAuthorization      : {}
location                : \Company
suspended               : False
lastSuccessfulLoginDate : 03.03.2022 04:41:27
enableUser              : True
ExpiryDate              :
passwordNeverExpires    : False
changePassOnNextLogon   : False
authenticationMethod    : {AuthTypeRadius}
userDN                  : CN=User4545,OU=Users,OU=Company,OU=OEs,DC=domain88,DC=net
description             :
distinguishedName       :
personalDetails         : @{street=; city=; state=; zip=; country=LA; title=; organization=company;department=company; profession=; firstName=some; middleName=;lastName=user}
groupsMembership        : {@{groupID=3318; groupName=group;Vault}, @{groupID=3379;groupName=group;Vault}, @{groupID=3383;groupName=group;Vault}, @{groupID=3328;groupName=group;Vault}}
businessAddress         : @{workStreet=; workCity=; workState=; workZip=; workCountry=}
internet                : @{homePage=; homeEmail=; businessEmail=User4545_domain88@company.mail.com;otherEmail=}
phones                  : @{homeNumber=; businessNumber=1234; cellularNumber=; faxNumber=456; pagerNumber=}
unAuthorizedInterfaces  : {WINCLIENT, PACLI, XAPI, HTTPGW...}

Using Search

Get-PASUser -ExtendedDetails $true -Search User4545 | fl

id                      : 3637
username                : User4545@domain88
source                  : LDAP
userType                : EPVUser
componentUser           : False
vaultAuthorization      : {}
location                : \Company
suspended               : False
lastSuccessfulLoginDate :
enableUser              : True
ExpiryDate              :
PasswordNeverExpires    :
ChangePassOnNextLogon   :
AuthenticationMethod    :
userDN                  : CN=User4545,OU=Users,OU=Company,OU=OEs,DC=domain88,DC=net
Description             :
distinguishedName       :
personalDetails         : @{firstName=some; middleName=; lastName=user; organization=company;department=company}
groupsMembership        : {@{groupID=3318; groupName=group;Vault}, @{groupID=3379;groupName=group;Vault}, @{groupID=3383;groupName=group;Vault}, @{groupID=3328;groupName=group;Vault}}
BusinessAddress         :
Internet                :
Phones                  :
unAuthorizedInterfaces  :

pspete commented 2 years ago

Hi @redboyhun

Get-PASUser has been included in psPAS for ~5 years, and can be used with CyberArk versions 9.7 onward.

The docs show that the Get-PASUser command allows invocation of both the "Get users" API & "Get user details" API (which has both a Gen1 & Gen2 API available).

Backward compatibility for psPAS users, CyberArk version compatibility, and command performance all have to be considered, but it would be simple enough for you to create your own command to operate as you describe:

$User = Get-PASUser -Search $username

If ($User.ID) {
    $User | Get-PASUser
}

Hope the above snippet helps.

Edit: different parameters can cause the command to target a different API depending on the parameterset used (all relating to users, so makes sense for them to be included in a single command rather than several separate but similar commands). This is in line with the development model used throughout the module, and is ultimately the reason for scenarios where the output differs.
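
The two-step lookup from the reply above, wrapped as a reusable function that also handles a search returning several users or none. This is an added example, not part of the original thread or of psPAS; the function name Get-PASUserFull and its -Exact switch are hypothetical, and it assumes the psPAS module is imported and a session has already been opened with New-PASSession.

```powershell
# Added example, not psPAS code. Get-PASUserFull and -Exact are hypothetical names.
# Assumes: Import-Module psPAS and New-PASSession have already been run.
function Get-PASUserFull {
    [CmdletBinding()]
    param(
        # Search string, passed unchanged to Get-PASUser -Search
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Search,

        # Optional: keep only results whose username equals the search string
        [switch]$Exact
    )
    process {
        # Step 1: the search call returns the summary view, which includes the id.
        # Where-Object drops empty results so the count below is reliable.
        $found = @(Get-PASUser -Search $Search | Where-Object { $_.id })

        if ($Exact) {
            $found = @($found | Where-Object { $_.username -eq $Search })
        }

        if ($found.Count -eq 0) {
            Write-Warning "No user matched '$Search'"
            return
        }

        foreach ($user in $found) {
            # Step 2: the lookup by id returns the detailed view
            # (authenticationMethod, internet, phones, unAuthorizedInterfaces, ...)
            Get-PASUser -id $user.id
        }
    }
}

# Usage: select the fields that were blank in the -Search output shown earlier
Get-PASUserFull -Search 'User4545' |
    Select-Object id, username, suspended, authenticationMethod,
        @{ Name = 'businessEmail'; Expression = { $_.internet.businessEmail } },
        unAuthorizedInterfaces
```

Each matched user costs one extra API call, so a broad search string produces as many detail requests as it has matches.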