Closed Brogies closed 1 year ago
When calling the specific username in the command such as: get-passafe -safe %safename% | get-passafemember -username %group% | fl, it correctly returns the full permissions listing:
Permissions : @{UseAccounts=False; RetrieveAccounts=False; ListAccounts=False; AddAccounts=False; UpdateAccountContent=False; UpdateAccountProperties=False; InitiateCPMAccountManagementOperations=False; SpecifyNextAccountContent=False; RenameAccounts=False; DeleteAccounts=False; UnlockAccounts=False; ManageSafe=False; ManageSafeMembers=False; BackupSafe=False; ViewAuditLog=False; ViewSafeMembers=False; AccessWithoutConfirmation=False; CreateFolders=False; DeleteFolders=False; MoveAccountsAndFolders=False; RequestsAuthorizationLevel=1}
@Brogies - Is this different from the behaviour detailed in the command's help? https://pspas.pspete.dev/commands/Get-PASSafeMember#description
Note: When using the Gen1 API & querying all members of a safe, the permissions are reported as follows:
List accounts (ListContent)
Retrieve accounts (Retrieve)
Add accounts, including update properties (Add)
Update account content (Update)
Update account properties (UpdateMetadata)
Rename accounts (Rename)
Delete accounts (Delete)
View Audit log (ViewAudit)
View Safe Members (ViewMembers)
Use accounts (RestrictedRetrieve)
Initiate CPM account management operations (<NOT RETURNED>)
Specify next account content (<NOT RETURNED>)
Create folders (AddRenameFolder)
Delete folders (DeleteFolder)
Unlock accounts (Unlock)
Move accounts/folders (MoveFilesAndFolders)
Manage Safe (ManageSafe)
Manage Safe Members (ManageSafeMembers)
Validate Safe Content (ValidateSafeContent)
Backup Safe (BackupSafe)
Access Safe without confirmation (<NOT RETURNED>)
Authorize account requests (<NOT RETURNED>)
If a Safe Member Name is provided, the full permissions of the member on the Safe will be returned as follows:
List accounts (ListAccounts)
Retrieve accounts (RetrieveAccounts)
Add accounts, including update properties (AddAccounts)
Update account content (UpdateAccountContent)
Update account properties (UpdateAccountProperties)
Rename accounts (RenameAccounts)
Delete accounts (DeleteAccounts)
View Audit log (ViewAuditLog)
View Safe Members (ViewSafeMembers)
Use accounts (UseAccounts)
Initiate CPM account management operations (InitiateCPMAccountManagementOperations)
Specify next account content (SpecifyNextAccountContent)
Create folders (CreateFolders)
Delete folders (DeleteFolder)
Unlock accounts (UnlockAccounts)
Move accounts/folders (MoveAccountsAndFolders)
Manage Safe (ManageSafe)
Manage Safe Members (ManageSafeMembers)
Validate Safe Content (<NOT RETURNED>)
Backup Safe (BackupSafe)
Access Safe without confirmation (AccessWithoutConfirmation)
Authorize account requests (RequestsAuthorizationLevel)
You can also refer to this support article from the vendor: https://cyberark-customers.force.com/s/article/00005190
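An added example (not part of the thread or of psPAS) that turns the per-member output discussed above into the true/false answer the issue asks for, while keeping "not returned" distinct from "False". It assumes, per CyberArk's Gen1 API documentation, that a RequestsAuthorizationLevel of 0 means the member cannot authorize requests; the function name, the sample objects and the SafeName/UserName property names are assumptions made for illustration.

```powershell
# Added example, not psPAS code. ConvertTo-AuthorizeRequestReport is a hypothetical helper.
function ConvertTo-AuthorizeRequestReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member
    )
    process {
        $perm  = $Member.Permissions
        $names = @()
        if ($null -ne $perm) { $names = @($perm.PSObject.Properties.Name) }

        $row = [ordered]@{
            SafeName          = $Member.SafeName   # assumed property name
            UserName          = $Member.UserName   # assumed property name
            AuthorizeRequests = $null              # $null = not reported, not "False"
            Level             = $null
        }
        if ($names -contains 'RequestsAuthorizationLevel') {
            # Assumption: 0 = cannot authorize, 1 or 2 = authorization level
            $row.Level             = [int]$perm.RequestsAuthorizationLevel
            $row.AuthorizeRequests = $row.Level -gt 0
        }
        [pscustomobject]$row
    }
}

# Constructed sample input: one member queried by name, one from the all-members listing
$byName = [pscustomobject]@{
    SafeName = 'ExampleSafe'; UserName = 'ExampleGroup'
    Permissions = [pscustomobject]@{ ListAccounts = $false; ManageSafe = $false; RequestsAuthorizationLevel = 1 }
}
$fromList = [pscustomobject]@{
    SafeName = 'ExampleSafe'; UserName = 'OtherMember'
    Permissions = [pscustomobject]@{ ListContent = $true; Retrieve = $false; ManageSafe = $false }
}
$byName, $fromList | ConvertTo-AuthorizeRequestReport | Format-Table

# Against a live, authenticated psPAS session: re-query each listed member by name
# Get-PASSafeMember -SafeName 'ExampleSafe' | ForEach-Object {
#     Get-PASSafeMember -SafeName $_.SafeName -MemberName $_.UserName
# } | ConvertTo-AuthorizeRequestReport
```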
Describe the issue
Running v4.5.90 against PVWA 11.4 Get-passafemember not returning the "authorize requests" permission

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen. Looking for a true or false statement on the Authorize request perm for the safe member

Screenshots & Console Output
If applicable, add screenshots and/or console output to help explain your problem.

Your Environment
Include relevant details about your environment

PSVersion 5.1.19041.1682
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1682
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Additional context
Apologies if this was already covered and fixed in a new version. Tried checking the different versions but haven't seen any notes around this specific issue.