Closed bldevcode closed 9 months ago
-limit 4 should return the first 4 accounts from administrator's favorite accounts.
hi @bldevcode - thanks for raising this.
TBH the limit
& offset
parameters should probably be removed from Get-PasAccount
.
The limit
parameter only relates to the page size of the results to fetch, not the total number of results to fetch.
Get-PASAccount
is coded in such a way that it fetches all pages of results - this was implemented way back via #144
We can replicate the behaviour you describe in the issue, but believe the underlying API response returns NextLink
URLs for results when the link
parameter is provided which are followed until the are no longer returned.
Currently thinking is that this is not caused nor fixable via the module code.
Simple workaround for now is to not specify limit
when using savedFilter
.
hi @pspete - thanks for your reply
Unfortunately this workaround does not work if the number of results is more than 50. The problem originally popped out for me when limit parameter was NOT specified and I had around 500 deleted accounts in customer's environment. In that case Get-PASAccount -savedfilter Deleted
query returns all the normal accounts (as the default value for limit
parameter is 50) instead of the deleted accounts. I can now use -limit 1000
to get the deleted accounts as result, but I will have no option when the number of deleted accounts become more than 1000 (as that is the maximum accepted value for limit
parameter).
I tried the same queries in swagger and all works fine there.
What I see in the verbose output is that starting from the second GET the savedFilter=Favorites
part seems to be missing :
PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites -Verbose).count
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?savedFilter=Favorites with 0-byte payload
VERBOSE: received 5033-byte response of content type application/json; charset=utf-8
10
PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites -limit 9 -Verbose).count
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?limit=9&savedFilter=Favorites with 0-byte payload
VERBOSE: received 4515-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=9&limit=9 with 0-byte payload
VERBOSE: received 3925-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=18&limit=9 with 0-byte payload
VERBOSE: received 4070-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=27&limit=9 with 0-byte payload
VERBOSE: received 4487-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=36&limit=9 with 0-byte payload
VERBOSE: received 4162-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=45&limit=9 with 0-byte payload
VERBOSE: received 4258-byte response of content type application/json; charset=utf-8
54
Unfortunately this workaround does not work if the number of results is more than 50 [...] but I will have no option when the number of deleted accounts become more than 1000
Fair point
starting from the second GET the savedFilter=Favorites part seems to be missing
Will investigate and see if this can be resolved via code update
@bldevcode Fix developed for this condition - currently available on the dev
branch, and will be included in the next main release
Thanks again for reporting this 👍
Thanks @pspete , much appreciated!
When using PASAccount with -savedfilter parameter (like deleted or favorites) if the result limit specified by -limit parameter is less than the actual result of the query, Get-PASAccount will return all the existing accounts (the requester has permission to list) not the accounts that match the savedfilter. The same happens if -limit parameter is not specified with Get-PASAccount -savedfilter and the result is more than the default API limit (50) .
To Reproduce Steps to reproduce the behavior:
Expected behavior Get-PASAccount -savedfilter Favorites -limit 4 should return the first 4 accounts from administrator's favorite accounts.
(I have total 54 accounts in the vault)
Your Environment Include relevant details about your environment
Additional context For Get Accounts RestAPI call there is default limit of 50 (https://docs.cyberark.com/PAS/13.2/en/Content/SDK/GetAccounts.htm?tocpath=Developer%7CREST%20APIs%7CAccounts%7C_____1#URLparameters). Let's assume that there are 200 accounts administrator has permission to list, and administrator has 60 favorites set. In this case if we don't even use the -limit parameter together with -savedfilter the result will give all the 200 accounts: Get-PASAccount -savedfilter Favorites will return 200 accounts as 50 < 60.