search

pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
295 stars 91 forks source link

Get-PASAccount : limit #507

Closed kyrios123 closed 10 months ago

kyrios123 commented 10 months ago

Describe the issue Obviously Get-PASAccount returns up to 2000 results. When used with -limit, it is limited to 1000 results which is not very consistent but the problem is that I have more than 2000 results and I cannot loop because unlike the CyberArk Accounts API the response doesn't contain count or nextLink values.

To Reproduce There is more than 2000 accounts Steps to reproduce the behavior:

PS C:\Users\Bob> (Get-PASAccount).count
2000
Get-PASAccount -limit 2500).count
Get-PASAccount : Cannot validate argument on parameter 'limit'. The 2500 argument is greater than the maximum allowed range of 1000. Supply an argument that is less than or 
equal to 1000 and then try the command again.
At line:1 char:24
+ (Get-PASAccount -limit 2500).count
+                        ~~~~
    + CategoryInfo          : InvalidData: (:) [Get-PASAccount], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Get-PASAccount

Expected behavior A way to get all accouts (i.e: have the count and/or nextLink like on the CyberArk API so it is possible to make a loop.

    "count": 1234,
    "nextLink": "api/Accounts?offset=900&limit=450"

Your Environment Include relevant details about your environment

kyrios123 commented 10 months ago

UPDATE: Tested with the CyberArk REST API directly and I couldn't fetch more than 2000 accounts. Even on the PVWA the All accounts filters shows 2000 results.

Thus I am wondering what's the use of pagination if it doesn't allow to loop through big result sets and how I could get all the accounts.

pspete commented 10 months ago

Obviously Get-PASAccount returns up to 2000 results.

We don't follow @kyrios123 - Get-PASAccount can return more than 2k results image

When used with -limit, it is limited to 1000 results which is not very consistent but the problem is that I have more than 2000 results

Documented maximum value for limit is 1000: https://docs.cyberark.com/PAS/12.6/en/Content/SDK/GetAccounts.htm#:~:text=The%20maximum%20number%20of%20returned%20accounts.%20The%20maximum%20number%20that%20you%20can%20specify%20is%201000.

the response doesn't contain count or nextLink values

psPAS automatically processes any nextLink values returned from the api, these requests can be observed in the module's verbose output (and/or PVWA/IIS logs): image

pspete commented 10 months ago

Thus I am wondering what's the use of pagination if it doesn't allow to loop through big result sets and how I could get all the accounts.

Using a page size of 1000, results in Get-PASAccount sending 3 requests to return < 3000 results (2 requests for 1000 results, 1 request for the remaining 931) image

pspete commented 10 months ago

Also note that the number of returned accounts is determined by the configured value for the MaxDisplayedRecords parameter in PVWA options.

kyrios123 commented 10 months ago

Of course you're right, the value of MaxDisplayedRecords was reduced to 2000 by a colleague to mitigate some performances issues on the PVWA. And this parameter is clearly specified in the documentation !

Again all my fault, sorry for the annoyance and thank you very much for the kind help !