pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Remove-PASGroup is not working as expected #504

Closed kchass closed 7 months ago

kchass commented 7 months ago

Describe the issue Remove-PASGroup is not working as expected, says some invalid parameters: Cannot add a member to directory group

To Reproduce Steps to reproduce the behavior:

  1. Authenticated using new-passession -Credential $creds -BaseURI https://
  2. Remove-pasgroup -GroupID

Expected behavior Should be success 200 response, group should be deleted

Screenshots & Console Output

On PowerShell 7.3.9, psPAS 5.4.101 & 6.0.21

Invoke-PASRestMethod:
Line |
  26 |              Invoke-PASRestMethod -Uri $URI -Method DELETE -WebSession …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [400] There are some invalid parameters: Can not add a member to directory group [2345].

On PowerShell 5.1, psPAS 5.2.24
Remove-PASGroup -GroupID 707
Invoke-PASRestMethod : [400] There are some invalid parameters: Can not add a member to directory group [707].
At line:26 char:4
+             Invoke-PASRestMethod -Uri $URI -Method DELETE -WebSession ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"Details":[{"E...id parameters"}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : PASWS167E,PASWS214E,Invoke-PASRestMethod

Your Environment Tried in both our PROD and TEST environment

Additional context The help documentation at https://pspas.pspete.dev/commands/Remove-PASGroup might have a typo in the example: instead of Remove-PASGroup it says Delete-PASGroup -GroupID 3

pspete commented 7 months ago

Thanks for spotting the error in the psPAS documentation - will get that corrected.

For the issue reported with Remove-PASGroup, can you test outside the module using the example code below?

#after New-PASSession
$ThisSession = Get-PASSession

$GroupID = "2345"
$Method = "DELETE"
$UrlPath = "API/UserGroups/$GroupID/"

$Request = @{
    "Method"      = $Method
    "Uri"         = "$($ThisSession.BaseUri)/$UrlPath"
    "WebSession"  = $ThisSession.WebSession
    "ContentType" = "application/json"
}

Invoke-RestMethod @Request

Looking at the API documentation, I think you will see the same issue and error reported: https://docs.cyberark.com/PAS/Latest/en/Content/SDK/Users%20Web%20Services%20-%20Delete%20User%20Group.htm

Only deletion of vault groups is mentioned, not directory groups.

kchass commented 7 months ago

@pspete You're right, the API doesn't allow deleting directory groups, and the API error message is not very helpful. poshPACLI works fine to delete such groups, I'll use it for this work. Thanks for the quick response. :)

Invoke-RestMethod: {"Details":[{"ErrorCode":"PASWS214E","ErrorMessage":"Can not add a member to directory group [12012].","ParameterName":"groupId"}],"ErrorCode":"PASWS167E","ErrorMessage":"There are some invalid parameters"}

@infamousjoeg is this feature in the pipeline via APIs?
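
Added example, not part of the original thread or of psPAS: a pre-check that looks up the group type before calling Remove-PASGroup, so a directory group is skipped with a clear message instead of the misleading PASWS214E response seen above. The function name `Remove-VaultGroupChecked` and the `-Groups` parameter are hypothetical, and the `id`, `groupName` and `groupType` properties on Get-PASGroup output (with `groupType` being `Vault` or `Directory`) are assumptions.

```powershell
# Added example (not psPAS code). Live use requires an active New-PASSession.
function Remove-VaultGroupChecked {    # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int]$GroupID,

        # Groups to check against; defaults to a live lookup when omitted.
        # Assumption: each object exposes id, groupName and groupType.
        [object[]]$Groups = (Get-PASGroup)
    )

    $group = $Groups | Where-Object { $_.id -eq $GroupID } | Select-Object -First 1
    if (-not $group) {
        Write-Warning "Group ID $GroupID was not found; nothing deleted."
        return $false
    }

    if ($group.groupType -ne 'Vault') {
        # The REST API documentation only covers deletion of vault groups,
        # so do not send the DELETE request for any other group type.
        Write-Warning ("Group '{0}' [{1}] is of type '{2}'; the REST API only deletes vault groups. Skipped." -f $group.groupName, $GroupID, $group.groupType)
        return $false
    }

    try {
        Remove-PASGroup -GroupID $GroupID -ErrorAction Stop
        return $true
    }
    catch {
        # psPAS surfaces the CyberArk error codes in FullyQualifiedErrorId
        # (for example "PASWS167E,PASWS214E,Invoke-PASRestMethod" in this thread).
        Write-Error ("Deleting group [{0}] failed ({1}): {2}" -f $GroupID, $_.FullyQualifiedErrorId, $_.Exception.Message)
        return $false
    }
}

# Constructed sample data: exercises the checks without a vault connection.
$sampleGroups = @(
    [pscustomobject]@{ id = 2345; groupName = 'Example-Directory-Group'; groupType = 'Directory' }
    [pscustomobject]@{ id = 42;   groupName = 'Example-Vault-Group';     groupType = 'Vault' }
)
Remove-VaultGroupChecked -GroupID 2345 -Groups $sampleGroups   # directory group case
Remove-VaultGroupChecked -GroupID 9999 -Groups $sampleGroups   # unknown ID case
```

Neither sample call reaches the API, because both stop at the pre-checks; only a group of type `Vault` is passed on to Remove-PASGroup.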