pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Get-PASAccount -savedfilter gives all accounts if limit is less than the result #491

Closed bldevcode closed 9 months ago

bldevcode commented 9 months ago

When using Get-PASAccount with the -savedfilter parameter (like Deleted or Favorites), if the result limit specified by the -limit parameter is less than the actual number of results of the query, Get-PASAccount will return all the existing accounts (that the requester has permission to list), not the accounts that match the saved filter. The same happens if the -limit parameter is not specified with Get-PASAccount -savedfilter and the result is more than the default API limit (50).

To Reproduce
Steps to reproduce the behavior:

  1. Set 5 favorite accounts for the administrator user in PVWA
  2. Authenticate as administrator against the REST API
  3. Get-PASAccount -savedfilter Favorites -limit 4. This will return all the accounts administrator has permission to list, not only the favorites.

Expected behavior
Get-PASAccount -savedfilter Favorites -limit 4 should return the first 4 accounts from administrator's favorite accounts.


PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites).count
10
PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites -limit 9).count
54
PS C:\Users\Bob> (Get-PASAccount).count
54
PS C:\Users\Bob>

(I have total 54 accounts in the vault)


Additional context
For the Get Accounts REST API call there is a default limit of 50 (https://docs.cyberark.com/PAS/13.2/en/Content/SDK/GetAccounts.htm?tocpath=Developer%7CREST%20APIs%7CAccounts%7C_____1#URLparameters). Let's assume that there are 200 accounts administrator has permission to list, and administrator has 60 favorites set. In this case, even if we don't use the -limit parameter together with -savedfilter, the result will be all 200 accounts: Get-PASAccount -savedfilter Favorites will return 200 accounts, as 50 < 60.

pspete commented 9 months ago

-limit 4 should return the first 4 accounts from administrator's favorite accounts.

hi @bldevcode - thanks for raising this.

TBH the limit and offset parameters should probably be removed from Get-PASAccount. The limit parameter only relates to the page size of the results to fetch, not the total number of results to fetch. Get-PASAccount is coded in such a way that it fetches all pages of results - this was implemented way back via #144.

We can replicate the behaviour you describe in the issue, but believe the underlying API response returns NextLink URLs for results when the link parameter is provided, which are followed until they are no longer returned.

Currently thinking is that this is not caused nor fixable via the module code.

Simple workaround for now is to not specify limit when using savedFilter.

bldevcode commented 9 months ago

hi @pspete - thanks for your reply. Unfortunately, this workaround does not work if the number of results is more than 50. The problem originally popped up for me when the limit parameter was NOT specified and I had around 500 deleted accounts in a customer's environment. In that case, the Get-PASAccount -savedfilter Deleted query returns all the normal accounts (as the default value for the limit parameter is 50) instead of the deleted accounts. I can now use -limit 1000 to get the deleted accounts as the result, but I will have no option when the number of deleted accounts becomes more than 1000 (as that is the maximum accepted value for the limit parameter). I tried the same queries in Swagger and all works fine there.

bldevcode commented 9 months ago

What I see in the verbose output is that, starting from the second GET, the savedFilter=Favorites part seems to be missing:

PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites -Verbose).count
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?savedFilter=Favorites with 0-byte payload
VERBOSE: received 5033-byte response of content type application/json; charset=utf-8
10
PS C:\Users\Bob> (Get-PASAccount -savedFilter Favorites -limit 9 -Verbose).count
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?limit=9&savedFilter=Favorites with 0-byte payload
VERBOSE: received 4515-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=9&limit=9 with 0-byte payload
VERBOSE: received 3925-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=18&limit=9 with 0-byte payload
VERBOSE: received 4070-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=27&limit=9 with 0-byte payload
VERBOSE: received 4487-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=36&limit=9 with 0-byte payload
VERBOSE: received 4162-byte response of content type application/json; charset=utf-8
VERBOSE: GET https://cy-pvwacpm.hunsec.local/PasswordVault/api/Accounts?offset=45&limit=9 with 0-byte payload
VERBOSE: received 4258-byte response of content type application/json; charset=utf-8
54
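
The verbose output above pins down the failure mode: the first GET carries savedFilter=Favorites, and every continuation request carries only offset and limit, so pages 2 onward are drawn from the unfiltered account list. The PowerShell below is an added example, not psPAS or CyberArk code. It reproduces the effect against an in-memory mock of the Get Accounts endpoint (54 constructed accounts, 10 flagged as favourites), then shows a pager that re-applies the caller's query on every page and a check that every logged request still carries the filter. The mock's response shape (value, count, nextLink), its nextLink format, the hostname pvwa.example.local and all function names are assumptions made for illustration.

```powershell
# Added example (not psPAS or CyberArk code). A mock stands in for the PVWA
# Get Accounts endpoint; its response shape (value, count, nextLink) and the
# nextLink format are assumptions made for illustration.

# Constructed data: 54 accounts, the first 10 flagged as favourites.
$script:MockAccounts = 1..54 | ForEach-Object {
    [pscustomobject]@{ id = "$_"; name = "acct$_"; favorite = ($_ -le 10) }
}
$script:RequestLog = [System.Collections.Generic.List[string]]::new()

function New-QueryUri {
    # Build "<base>?k=v&k=v" with every key and value URL-encoded.
    param([string]$BaseUri, [hashtable]$Query)
    $pairs = foreach ($k in ($Query.Keys | Sort-Object)) {
        "$([uri]::EscapeDataString($k))=$([uri]::EscapeDataString([string]$Query[$k]))"
    }
    if ($pairs) { "${BaseUri}?$($pairs -join '&')" } else { $BaseUri }
}

function Invoke-MockAccountsApi {
    # Emulates GET /PasswordVault/api/Accounts: honours savedFilter, offset and
    # limit (default 50, as the API documents) and returns a nextLink while more
    # pages remain. Every request URL is recorded for later inspection.
    param([Parameter(Mandatory)][uri]$Uri)
    $script:RequestLog.Add($Uri.AbsoluteUri)
    $q = @{}
    foreach ($pair in ($Uri.Query.TrimStart('?') -split '&')) {
        if ($pair) { $k, $v = $pair -split '=', 2; $q[$k] = [uri]::UnescapeDataString($v) }
    }
    $set = @($script:MockAccounts)
    if ($q['savedFilter'] -eq 'Favorites') { $set = @($set | Where-Object { $_.favorite }) }
    $limit  = if ($q.ContainsKey('limit'))  { [int]$q['limit'] }  else { 50 }
    $offset = if ($q.ContainsKey('offset')) { [int]$q['offset'] } else { 0 }
    $next = $null
    if ($offset + $limit -lt $set.Count) {
        # Mirrors the verbose log in the thread: the continuation carries
        # offset and limit but not savedFilter.
        $next = "api/Accounts?offset=$($offset + $limit)&limit=$limit"
    }
    [pscustomobject]@{
        value    = @($set | Select-Object -Skip $offset -First $limit)
        count    = $set.Count
        nextLink = $next
    }
}

function Get-AllAccountsNaive {
    # Follows nextLink exactly as returned. Any query parameter the server does
    # not echo back in nextLink is lost from page 2 onward.
    param([string]$BaseUri, [hashtable]$Query)
    $results = @()
    $uri = New-QueryUri -BaseUri "$BaseUri/api/Accounts" -Query $Query
    while ($uri) {
        $r = Invoke-MockAccountsApi -Uri $uri
        $results += $r.value
        $uri = if ($r.nextLink) { "$BaseUri/$($r.nextLink)" } else { $null }
    }
    $results
}

function Get-AllAccountsFiltered {
    # Re-applies the caller's query on every page and advances the offset
    # itself, so savedFilter reaches each request regardless of nextLink.
    param([string]$BaseUri, [hashtable]$Query, [int]$Limit = 50)
    $results = @(); $offset = 0
    do {
        $pageQuery = $Query.Clone()
        $pageQuery['limit'] = $Limit
        if ($offset -gt 0) { $pageQuery['offset'] = $offset }
        $r = Invoke-MockAccountsApi -Uri (New-QueryUri -BaseUri "$BaseUri/api/Accounts" -Query $pageQuery)
        $results += $r.value
        $offset += $Limit
    } while ($r.nextLink)
    $results
}

function Test-EveryRequestCarriesFilter {
    # The diagnostic from the thread, automated: true only if every recorded
    # page request still contains the savedFilter parameter.
    param([string[]]$Requests, [string]$Filter = 'Favorites')
    @($Requests | Where-Object { $_ -notmatch "savedFilter=$Filter" }).Count -eq 0
}

$base = 'https://pvwa.example.local/PasswordVault'   # assumed hostname

$script:RequestLog.Clear()
(Get-AllAccountsNaive -BaseUri $base -Query @{ savedFilter = 'Favorites'; limit = 9 }).Count
Test-EveryRequestCarriesFilter -Requests $script:RequestLog

$script:RequestLog.Clear()
(Get-AllAccountsFiltered -BaseUri $base -Query @{ savedFilter = 'Favorites' } -Limit 9).Count
Test-EveryRequestCarriesFilter -Requests $script:RequestLog
```

Against the constructed data the naive pager reproduces the transcript above: one filtered page of 9 followed by five unfiltered pages at offsets 9, 18, 27, 36 and 45, for 54 accounts in total, and the filter check fails because only the first request carries savedFilter. The filtered pager sends savedFilter on both of its requests and returns the 10 favourites. The general point is that a client must never trust a continuation link to preserve its own query; rebuild each page request from the original parameters and treat nextLink only as a signal that more data exists.
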

pspete commented 9 months ago

Unfortunately this workaround does not work if the number of results is more than 50 [...] but I will have no option when the number of deleted accounts become more than 1000

Fair point

starting from the second GET the savedFilter=Favorites part seems to be missing

Will investigate and see if this can be resolved via code update

pspete commented 9 months ago

@bldevcode Fix developed for this condition - currently available on the dev branch, and will be included in the next main release. Thanks again for reporting this 👍

bldevcode commented 9 months ago

Thanks @pspete , much appreciated!