pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Set-PASAccount cannot update properties under /secretManagement #499

Closed kyrios123 closed 8 months ago

kyrios123 commented 8 months ago

Describe the issue

Trying to set automaticManagementEnabled from false to true using Set-PASAccount does not work.

To Reproduce

  1. Select an account that has been disabled by the CPM (in my example 89_7)
  2. Define $operations to replace the value of /secretManagement/automaticManagementEnabled with true. Also try to replace /secretManagement/manualManagementReason with "" (I also tried to remove it).
  3. Execute Set-PASAccount -AccountID 89_7 -operations $operations

Here is the code:

```powershell
[array]$operations += @{"op"="replace";"path"="/secretManagement/automaticManagementEnabled";"value"="true"}
[array]$operations += @{"op"="replace";"path"="/secretManagement/manualManagementReason";"value"=""}

Set-PASAccount -AccountID 89_7 -operations $operations
```

Expected behavior

/secretManagement/automaticManagementEnabled should be True instead of False.

/secretManagement/manualManagementReason should contain a blank value instead of (CPM)MaxRetries.

Screenshots & Console Output

```
AccountID                 : 89_7
Safe                      : IRONPORT-ITT-ADMIN
address                   : hmslogbnc5.bc@test
UserName                  : 
name                      : hmslogbnc5.bc
platformId                : PXSSunOneDirectory
secretType                : password
platformAccountProperties : @{Port=6363; UserDN=UID=ipram;CUSTOMERID=604047484;OU=outbound;DC=secure-mail;DC=belgacom}
secretManagement          : @{automaticManagementEnabled=False; manualManagementReason=(CPM)MaxRetries; status=failure; 
                            lastModifiedTime=1528216144; lastVerifiedTime=1513270751}
createdTime               : 14/12/2017 16:26:41
categoryModificationTime  : 12/10/2023 09:13:43
```

Your Environment

Include relevant details about your environment

Additional context

NA

pspete commented 8 months ago

Hi @kyrios123, we unfortunately do not observe the same behaviour.

As shown in this screenshot, we are able to resume management of a CPM disabled account, in line with the expected behaviour:

Please do attempt to replicate the process outside of the module to confirm if the action also fails - we have a guide on how to do this here: https://pspas.pspete.dev/docs/troubleshooting/#manual-api-command-testing

If you find supporting evidence suggesting fixes required in the module's code, include it in a response to this issue.

kyrios123 commented 8 months ago

Hi @pspete

Thank you for the feedback. I found out that this actually happens when there is no CPM assigned to the safe containing the account.

In the meantime I found out that you actually already developed a method that does what I want to do: Enable-PASCPMAutoManagement. Perhaps it would be nice to handle this special case in a future version of your function because I find it weird that the API behaves as if everything was OK while it did not actually update anything.

Sorry for the bother. I am closing this issue since it's for upstream.
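
The silent no-op described in this thread can be caught by comparing the object returned by Set-PASAccount with the requested value, then checking whether the safe has a CPM. This is an added example, not part of the original thread or of psPAS; the helper name `Resume-AccountManagementChecked` is hypothetical, and it assumes an authenticated session and that Get-PASSafe output exposes the safe's `managingCPM` property.

```powershell
# Added example, not psPAS code. Assumes an authenticated session (New-PASSession)
# and that Get-PASSafe output exposes the managingCPM property of the safe.
function Resume-AccountManagementChecked {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccountID,
        [Parameter(Mandatory)][string]$SafeName
    )

    # Same JSON-patch operations as in the issue report.
    $operations = @(
        @{ op = 'replace'; path = '/secretManagement/automaticManagementEnabled'; value = 'true' }
        @{ op = 'replace'; path = '/secretManagement/manualManagementReason'; value = '' }
    )

    $result = Set-PASAccount -AccountID $AccountID -operations $operations -ErrorAction Stop

    # The API can report success without changing anything, so compare the
    # returned secretManagement block with what was requested.
    if ($result.secretManagement.automaticManagementEnabled -eq $true) {
        return $result
    }

    # Unchanged: check the condition identified in the thread (no CPM on the safe).
    $safe = Get-PASSafe -SafeName $SafeName -ErrorAction Stop
    if ([string]::IsNullOrEmpty($safe.managingCPM)) {
        throw "Account $AccountID was not updated: safe '$SafeName' has no CPM assigned."
    }
    throw "Account $AccountID was not updated although safe '$SafeName' is managed by '$($safe.managingCPM)'."
}

# Values taken from the report above.
Resume-AccountManagementChecked -AccountID '89_7' -SafeName 'IRONPORT-ITT-ADMIN'
```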