PowerShell module for CyberArk Privileged Access Security REST API
Use PowerShell to manage CyberArk via the Web Services REST API.
Contains all published methods of the API up to CyberArk v11.7.
Docs: https://pspas.pspete.dev
It all starts with a Logon
`New-PASSession` is used to send a logon request to the CyberArk API.
On successful authentication, `psPAS` uses the data which was provided for the request & also returned from the API for all subsequent operations.
```powershell
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: safeadmin
Password for user safeadmin: **

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com
```
```powershell
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: xApprover_1
Password for user xApprover_1: **

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type LDAP

Get-PASLoggedOnUser

UserName    Source UserTypeName AgentUser Expired Disabled Suspended
xApprover_1 LDAP   EPVUser      False     False   False    False
```
```powershell
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 123456

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
DuoUser  LDAP   EPVUser      False     False   False    False
```
Some 2FA solutions allow a One Time Passcode to be sent with the password, in the format `"$Password,$OTP"`:
```powershell
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 738458 -OTPMode Append

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
DuoUser  LDAP   EPVUser      False     False   False    False
```
`psPAS` will use any provided certificate details for the duration of the session.

```powershell
$Cert = "0E199489C57E666115666D6E9990C2ACABDB6EDB"
New-PASSession -UseSharedAuthentication -BaseURI https://pvwa.somedomain.com -CertificateThumbprint $Cert
```
```powershell
Find-PASSafe -search 3_TestSafe_028_XYJ

SafeUrlId          SafeName           Description                  Location
3_TestSafe_028_XYJ 3_TestSafe_028_XYJ TestSafe: 3_TestSafe_028_XYJ \
```

```powershell
Get-PASSafe -SafeName 3_TestSafe_028_XYJ

SafeName ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
3_TestSafe_028_XYJ PasswordManager 3 TestSafe: 3_TestSafe_028_XYJ
```

```powershell
Get-PASSafeMember -SafeName 3_TestSafe_028_XYJ -MemberName ACC-G-3_TestSafe_028_XYJ-Usr

UserName                     SafeName           Permissions
ACC-G-3_TestSafe_028_XYJ-Usr 3_TestSafe_028_XYJ @{Add=True; AddRenameFolder=True; BackupSafe=True...}
```

```powershell
Get-PASUser -Search xap

ID  UserName    Source UserType ComponentUser Location
657 xApprover_A LDAP   EPVUser  False         \psPETE\Users
658 xApprover_1 LDAP   EPVUser  False         \psPETE\Users
659 xApprover_B LDAP   EPVUser  False         \psPETE\Users
660 xApprover_2 LDAP   EPVUser  False         \psPETE\Users
661 xApprover_C LDAP   EPVUser  False         \psPETE\Users
662 xApprover_3 LDAP   EPVUser  False         \psPETE\Users
```
```powershell
Get-PASAccount -filter "SafeName eq 3_TestSafe_028_XYJ" -search sbwudlov

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02
```
`keywords` & `safe` parameters of `Get-PASAccount` force use of the Classic API:
```powershell
Get-PASAccount -Safe 3_TestSafe_028_XYJ

WARNING: 2 matching accounts found. Only the first result will be returned

AccountID          : 286_3
Safe               : 3_TestSafe_028_XYJ
Folder             : Root
Name               : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
UserName           : kmgrsebf
PlatformID         : Z_WINDOMAIN_OFF
DeviceType         : Operating System
Address            : SOMEDOMAIN.COM
InternalProperties : @{CreationMethod=PVWA}
```

```powershell
Get-PASAccount -filter "SafeName eq 3_TestSafe_028_XYJ"

AccountID                 : 286_3
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : kmgrsebf
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864221}
createdTime               : 06/06/2019 23:37:01

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02
```
```powershell
#Convert Password to SecureString
$Password = ConvertTo-SecureString -String "Secret1337$" -AsPlainText -Force

#Additional account details
$platformAccountProperties = @{
  "LOGONDOMAIN"="domain.com"
  "Notes"="Demo Account. Owner:psPete"
  "Classification"="1F"
}

#Add Account
Add-PASAccount -secretType Password -secret $Password -SafeName "YourSafe" -PlatformID "YourPlatform" `
-Address "domain" -Username SomeUsername -platformAccountProperties $platformAccountProperties
```
```powershell
Add-PASSafe -SafeName NewSafe -Description "New Safe" -ManagingCPM PasswordManager -NumberOfVersionsRetention 10

SafeName ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention Description
NewSafe PasswordManager 10 New Safe
```

```powershell
Add-PASSafeMember -SafeName NewSafe -MemberName NewMember -UseAccounts $false -ListAccounts $true `
-RetrieveAccounts $false -ViewAuditLog $true -ViewSafeMembers $true

MemberName SearchIn SafeName Permissions
NewMember  vault    NewSafe  @{Add=True; AddRenameFolder=True; BackupSafe=True...}
```
```powershell
Set-PASAccount -AccountID 286_4 -op replace -path /address -value NEWDOMAIN.COM

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02

Set-PASAccount -AccountID 286_4 -op replace -path /platformAccountProperties/LogonDomain -value NEWDOMAIN

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=NEWDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02
```
```powershell
# immediate verification
Invoke-PASCPMOperation -AccountID $ID -VerifyTask

# immediate change
Invoke-PASCPMOperation -AccountID $ID -ChangeTask

# immediate change to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeImmediately $true -NewCredentials $SecureString

# change password in the Vault only
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -NewCredentials $SecureString

# change password for account group
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true

# change password for account group to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true -NewCredentials $SecureString

# immediate reconcile
Invoke-PASCPMOperation -AccountID $ID -ReconcileTask
```
```powershell
Import-PASConnectionComponent -ImportFile C:\Temp\ConnectionComponent.zip
```

```powershell
#Import a Platform
Import-PASPlatform -ImportFile C:\Temp\Platform.zip

#Export a Platform
Export-PASPlatform -PlatformID "Some-SSH-Platform" -Path C:\Temp
```

```powershell
#Find directory groups assigned to safes
Get-PASSafe -query JXW | Get-PASSafeMember | Where-Object{ Get-PASGroup -search $_.UserName -filter 'groupType eq Directory' }

UserName                     SafeName           Permissions
ACC-G-1_TestSafe_049_JXW-Usr 1_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
ACC-G-1_TestSafe_049_JXW-Adm 1_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
ACC-G-2_TestSafe_049_JXW-Usr 2_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
ACC-G-2_TestSafe_049_JXW-Adm 2_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
ACC-G-3_TestSafe_049_JXW-Usr 3_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
ACC-G-3_TestSafe_049_JXW-Adm 3_TestSafe_049_JXW @{Add=True; AddRenameFolder=True; BackupSafe=True...}
```
`psPAS` commands can be used together, along with standard PowerShell CmdLets:
```powershell
#Add all "admin" users in the root location to the PVWAMonitor group
Get-PASUser -UserType EPVUser -Search Admin | Where-Object{ $_.location -eq "\" } |
Add-PASGroupMember -GroupName PVWAMonitor

#Find an account, then find the members of the account's safe.
Get-PASAccount -id 330_5 | Get-PASSafe | Get-PASSafeMember

UserName             SafeName    Permissions
Master               ApproveTest @{Add=True; AddRenameFolder=True; BackupSafe=True...}
Batch                ApproveTest @{Add=True; AddRenameFolder=True; BackupSafe=True...}
Backup Users         ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=True...}
Auditors             ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=False...}
Operators            ApproveTest @{Add=True; AddRenameFolder=True; BackupSafe=True...}
DR Users             ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=True...}
Notification Engines ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=False...}
PVWAGWAccounts       ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=False...}
PasswordManager      ApproveTest @{Add=False; AddRenameFolder=True; BackupSafe=False...}
SafeAdmin            ApproveTest @{Add=True; AddRenameFolder=True; BackupSafe=True...}
SafeAdmin1           ApproveTest @{Add=True; AddRenameFolder=True; BackupSafe=True...}
zApprover_1          ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=False...}
xReq                 ApproveTest @{Add=False; AddRenameFolder=False; BackupSafe=False...}
```
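The `Permissions` column in the output above can be filtered like any other object property, which makes a safe-membership review a short pipeline. The following is an added example, not part of psPAS or its documentation: `Find-RiskySafeMember` and `New-SampleMember` are hypothetical helpers, the sample members are constructed from the rows above, and the code assumes `Permissions` is an object whose properties carry the permission names shown (`Add`, `AddRenameFolder`, `BackupSafe`).

```powershell
# Added example: Find-RiskySafeMember is a hypothetical helper, not a psPAS function.
function Find-RiskySafeMember {
    [CmdletBinding()]
    param(
        # Object shaped like Get-PASSafeMember output (UserName, SafeName, Permissions)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member,

        # Permission names to report when they are set to True
        [string[]]$Permission = @('Add', 'AddRenameFolder', 'BackupSafe'),

        # Members that are expected to hold these permissions
        [string[]]$Expected = @()
    )
    process {
        if ($Expected -contains $Member.UserName) { return }
        if ($null -eq $Member.Permissions) {
            # Do not silently pass a member whose permissions could not be read
            Write-Warning "No Permissions data for '$($Member.UserName)' on '$($Member.SafeName)'"
            return
        }
        $props = $Member.Permissions.PSObject.Properties
        $granted = @(foreach ($name in $Permission) {
            $p = $props[$name]   # $null when the property is absent
            if ($null -ne $p -and $p.Value -eq $true) { $name }
        })
        if ($granted.Count -gt 0) {
            [pscustomobject]@{
                SafeName = $Member.SafeName
                UserName = $Member.UserName
                Granted  = $granted -join ', '
            }
        }
    }
}

# Constructed sample based on the ApproveTest rows shown above. The output there
# is truncated, so only the three visible permissions are modelled.
function New-SampleMember($UserName, $Add, $AddRenameFolder, $BackupSafe) {
    [pscustomobject]@{
        UserName    = $UserName
        SafeName    = 'ApproveTest'
        Permissions = [pscustomobject]@{
            Add = $Add; AddRenameFolder = $AddRenameFolder; BackupSafe = $BackupSafe
        }
    }
}

$sample = @(
    New-SampleMember 'Master'          $true  $true  $true
    New-SampleMember 'Backup Users'    $false $false $true
    New-SampleMember 'Auditors'        $false $false $false
    New-SampleMember 'PasswordManager' $false $true  $false
    New-SampleMember 'SafeAdmin1'      $true  $true  $true
    New-SampleMember 'xReq'            $false $false $false
)

# Report members outside the expected set that hold any of the listed permissions
$sample | Find-RiskySafeMember -Expected 'Master', 'Backup Users', 'PasswordManager'

# Against a live session the same filter takes pipeline input from psPAS:
#   Get-PASSafe -query JXW | Get-PASSafeMember | Find-RiskySafeMember -Permission BackupSafe
```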
The standard features of PowerShell that allow collections of objects to be created and iterated over can be used to perform bulk operations:
```powershell
$Accounts = Import-Csv -Path C:\Temp\Accounts.csv

New-PASSession -Credential $creds -BaseURI https://your.pvwa.url

foreach($Account in $Accounts){

  $Password = ConvertTo-SecureString -String $Account.Password -AsPlainText -Force

  Add-PASAccount -secretType Password `
  -secret $Password `
  -platformAccountProperties @{"LOGONDOMAIN"=$Account.LogonDomain} `
  -SafeName $Account.SafeName `
  -PlatformID $Account.PlatformID `
  -Address $Account.Address `
  -Username $Account.Username

}

Close-PASSession
```
```powershell
#Specify Vault Logon Credentials
$LogonCredential = Get-Credential

#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url

$Safes = Get-PASSafe -query TestSafe

#Delete Safes
foreach ($Safe in $Safes){

  Remove-PASSafe -SafeName $Safe -WhatIf

}

#Logoff
Close-PASSession
```
```powershell
#Vault Logon Credentials
$LogonCredential = Get-Credential

#Logon
New-PASSession -Credential $LogonCredential -BaseURI https://your.pvwa.url

#get list of users
$users = Get-Content .\userlist.txt

#move users
$users | foreach{

  Set-PASUser -UserName $_ -Location "\New\Location\Path" -WhatIf

}

#Logoff
Close-PASSession
```
```powershell
$Role1 = [PSCustomObject]@{
  UseAccounts = $true
  ListAccounts = $true
  ViewAuditLog = $false
  ViewSafeMembers = $false
}

$Role2 = [PSCustomObject]@{
  UseAccounts = $false
  ListAccounts = $true
  RetrieveAccounts = $false
  AddAccounts = $true
  UpdateAccountContent = $true
  UpdateAccountProperties = $true
  InitiateCPMAccountManagementOperations = $true
  SpecifyNextAccountContent = $false
  RenameAccounts = $true
  DeleteAccounts = $true
  UnlockAccounts = $true
  ManageSafe = $true
  ManageSafeMembers = $true
  BackupSafe = $false
  ViewAuditLog = $true
  ViewSafeMembers = $true
  RequestsAuthorizationLevel = $false
  AccessWithoutConfirmation = $true
  CreateFolders = $true
  DeleteFolders = $true
  MoveAccountsAndFolders = $true
}

$Role1 | Add-PASSafeMember -SafeName NewSafe -MemberName User23 -SearchIn Vault

MemberName SearchIn SafeName Permissions
User23     Vault    NewSafe  @{Add=False; AddRenameFolder=False; BackupSafe=False...}

$Role2 | Add-PASSafeMember -SafeName NewSafe -MemberName SafeAdmin1 -SearchIn Vault

MemberName SearchIn SafeName Permissions
SafeAdmin1 Vault    NewSafe  @{Add=True; AddRenameFolder=True; BackupSafe=True...}
```
```powershell
#Find Active Sessions for a PSM Server IP
#Terminate the Sessions
Get-PASPSMSession | Where-Object{
  ($_.RawProperties.ProviderID -eq $(Get-PASComponentDetail -ComponentID SessionManagement |
    Where-Object{$_.ComponentIP -eq "192.168.60.20"} |
    Select -ExpandProperty ComponentUserName)) -and ($_.IsLive) -and ($_.CanTerminate)} |
Stop-PASPSMSession
```
```powershell
[array]$operations += @{"op"="remove";"path"="/platformAccountProperties/LogonDomain"}
[array]$operations += @{"op"="replace";"path"="/name";"value"="SomeNewName"}
[array]$operations += @{"op"="replace";"path"="/address";"value"="domain.co.uk"}

Set-PASAccount -AccountID 286_4 -operations $operations

AccountID        : 286_4
Safe             : 3_TestSafe_028_XYJ
address          : domain.co.uk
userName         : sbwudlov
name             : SomeNewName
platformId       : Z_WINDOMAIN_OFF
secretType       : password
secretManagement : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime      : 06/06/2019 23:37:02
```
Methods present on objects returned from psPAS functions can be leveraged to get the data you need with ease.
The `psPAS.CyberArk.Vault.Safe` object returned by `Get-PASSafe` has a ScriptMethod (`SafeMembers()`), which will run a query for the members of the safe:
```powershell
#List all safes where AppUser is not a member
Get-PASSafe | Where-Object{ ($_.safemembers() | Select-Object -ExpandProperty UserName) -notcontains "AppUser"}
```

```powershell
(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToSecureString()
```
```powershell
#Start first session
$VaultAdmin = Get-Credential

PowerShell credential request
Enter your credentials.
User: VaultAdmin
Password for user VaultAdmin: **

New-PASSession -Credential $VaultAdmin -BaseURI https://pvwa.somedomain.com

Get-PASLoggedOnUser

UserName   Source   UserTypeName AgentUser Expired Disabled Suspended
VaultAdmin Internal EPVUser      False     False   False    False

#Save first session data
$FirstSession = Get-PASSession

#Start second session
$SafeAdmin = Get-Credential

PowerShell credential request
Enter your credentials.
User: SafeAdmin
Password for user SafeAdmin: **

New-PASSession -Credential $SafeAdmin -BaseURI https://pvwa.somedomain.com

Get-PASLoggedOnUser

UserName  Source   UserTypeName AgentUser Expired Disabled Suspended
SafeAdmin Internal EPVUser      False     False   False    False

#Save second session data
$SecondSession = Get-PASSession

#Switch back to first session
Use-PASSession -Session $FirstSession

Get-PASLoggedOnUser

UserName   Source   UserTypeName AgentUser Expired Disabled Suspended
VaultAdmin Internal EPVUser      False     False   False    False

#End first session
Close-PASSession

#Switch to second session
Use-PASSession -Session $SecondSession

Get-PASLoggedOnUser

UserName  Source   UserTypeName AgentUser Expired Disabled Suspended
SafeAdmin Internal EPVUser      False     False   False    False

#End second session
Close-PASSession
```
A selection of psPAS sample scripts can be found in the psPAS-Examples repository.
Your version of CyberArk determines which functions of psPAS will be supported.
Check the below table to determine what is available for you to use.
The CyberArk Version listed is the minimum required to use the function.
The module will attempt to confirm that your version of CyberArk meets the minimum
version requirement (if you are using version 9.7+, and the function being invoked
requires version 9.8+).
Check the output of `Get-Help` for the `psPAS` functions for further details of available parameters and version requirements.
The current list of psPAS functions and their minimum version requirements:
| Function Name | CyberArk Version | Description |
|---|---|---|
| New-PASSession | 9.0 | Authenticates a user to CyberArk Vault |
| Close-PASSession | 9.0 | Logoff from CyberArk Vault. |
| Get-PASSession | --- | Get psPASSession Data. |
| Use-PASSession | --- | Set psPASSession Data. |
| Add-PASPublicSSHKey | 9.6 | Adds an authorised public SSH key for a user. |
| Get-PASPublicSSHKey | 9.6 | Retrieves a user's SSH Keys. |
| Remove-PASPublicSSHKey | 9.6 | Deletes a Public SSH Key from a user |
| Add-PASAccountACL | 9.0 | Adds a new privileged command rule to an account. |
| Get-PASAccountACL | 9.0 | Lists privileged commands rule for an account |
| Remove-PASAccountACL | 9.0 | Deletes privileged commands rule from an account |
| Add-PASAccountGroupMember | 9.95 | Adds an account as a member of an account group. |
| Get-PASAccountGroup | 9.10 | Returns account groups in a Safe. |
| Get-PASAccountGroupMember | 9.10 | Returns members of an account group. |
| New-PASAccountGroup | 9.95 | Adds a new account group |
| Remove-PASAccountGroupMember | 9.10 | Deletes a member of an account group |
| Add-PASAccount | 9.0 | Adds a new account. |
| Add-PASPendingAccount | 9.7 | Adds discovered account or SSH key as a pending account. |
| Get-PASAccount | 9.3 | Returns information about accounts. |
| Get-PASAccountActivity | 9.7 | Returns activities for an account. |
| Get-PASAccountPassword | 9.7 | Returns password for an account. |
| Remove-PASAccount | 9.3 | Deletes an account |
| Set-PASAccount | 9.5 | Updates details of an account. |
| Invoke-PASCPMOperation | 9.7 | Invoke CPM verify, change & reconcile tasks. |
| Unlock-PASAccount | 9.10 | Checks in an exclusive-use account. |
| Add-PASApplication | 9.1 | Adds a new application |
| Add-PASApplicationAuthenticationMethod | 9.1 | Add authentication method to an application |
| Get-PASApplication | 9.1 | Returns details of applications |
| Get-PASApplicationAuthenticationMethod | 9.1 | Returns application authentication methods |
| Remove-PASApplication | 9.1 | Deletes an application |
| Remove-PASApplicationAuthenticationMethod | 9.1 | Delete auth method from an application |
| Import-PASConnectionComponent | 10.3 | Imports a Connection Component |
| New-PASPSMSession | 9.10 | Get required parameters to connect through PSM |
| Get-PASPSMRecording | 9.10 | Get details of PSM Recording |
| Get-PASPSMSession | 9.10 | Get details of PSM Sessions |
| Resume-PASPSMSession | 10.2 | Resumes a Suspended PSM Session. |
| Stop-PASPSMSession | 10.1 | Terminates a PSM Session. |
| Suspend-PASPSMSession | 10.2 | Suspends a PSM Session. |
| Get-PASOnboardingRule | 9.7 | Gets automatic on-boarding rules |
| New-PASOnboardingRule | 9.7 | Adds a new on-boarding rule |
| Remove-PASOnboardingRule | 9.7 | Deletes an automatic on-boarding rule |
| Get-PASPlatform | 9.10 | Retrieves details of a specified platform. |
| Import-PASPlatform | 10.2 | Import a new platform |
| Export-PASPlatform | 10.4 | Export a platform |
| Add-PASPolicyACL | 9.0 | Adds a new privileged command rule |
| Get-PASPolicyACL | 9.0 | Lists OPM Rules for a policy |
| Remove-PASPolicyACL | 9.0 | Delete privileged commands from policy |
| Approve-PASRequest | 9.10 | Confirm a single request |
| Deny-PASRequest | 9.10 | Reject a single request |
| Get-PASRequest | 9.10 | List requests |
| Get-PASRequestDetail | 9.10 | Get request details |
| New-PASRequest | 9.10 | Creates an access request for an account |
| Remove-PASRequest | 9.10 | Deletes a request |
| Add-PASSafeMember | 9.3 | Adds a Safe Member to a safe |
| Get-PASSafeMember | 9.7 | Lists the members of a Safe |
| Remove-PASSafeMember | 9.3 | Removes a member from a safe |
| Set-PASSafeMember | 9.3 | Updates a Safe Member's Permissions |
| Add-PASSafe | 9.2 | Adds a new safe |
| Get-PASSafe | 9.7 | Returns safe details |
| Remove-PASSafe | 9.3 | Deletes a safe |
| Set-PASSafe | 9.3 | Updates a safe |
| Get-PASSafeShareLogo | 9.7 | Returns details of SafeShare Logo |
| Get-PASServer | 9.7 | Returns details of the Web Service Server |
| Get-PASServerWebService | 9.7 | Returns details of the Web Service |
| Get-PASComponentDetail | 10.1 | Returns details about component instances. |
| Get-PASComponentSummary | 10.1 | Returns consolidated information about components. |
| Add-PASGroupMember | 9.7 | Adds a user as a group member |
| Get-PASLoggedOnUser | 9.7 | Returns details of the logged on user |
| Get-PASUserLoginInfo | 10.4 | Returns login details of the current user |
| Get-PASUser | 9.7 | Returns details of a user |
| New-PASUser | 9.7 | Creates a new user |
| Remove-PASUser | 9.7 | Deletes a user |
| Set-PASUser | 9.7 | Updates a user |
| Unblock-PASUser | 9.7 | Activates a suspended user |
| Get-PASDirectory | 10.4 | Get configured LDAP directories |
| Add-PASDirectory | 10.4 | Add a new LDAP directory |
| New-PASDirectoryMapping | 10.4 | Create a new LDAP directory mapping |
| Add-PASPTARule | 10.4 | Add a new Risky Command rule to PTA |
| Get-PASPTAEvent | 10.3 | Get security events from PTA |
| Set-PASPTAEvent | 11.3 | Set PTA security event status |
| Get-PASPTARemediation | 10.4 | Get automatic response config from PTA |
| Get-PASPTARule | 10.4 | List Risky Command rules from PTA |
| Set-PASPTARemediation | 10.4 | Update automatic response config in PTA |
| Set-PASPTARule | 10.4 | Update a Risky Command rule in PTA |
| Get-PASGroup | 10.5 | Return group information |
| Remove-PASGroupMember | 10.5 | Remove group members |
| Set-PASOnboardingRule | 10.5 | Update Onboarding Rules |
| Add-PASDiscoveredAccount | 10.5 | Add discovered accounts to the Accounts Feed |
| Connect-PASPSMSession | 10.5 | Get required parameters to connect to a PSM Session |
| Get-PASPSMSessionActivity | 10.6 | Get activity details from an active PSM Session. |
| Get-PASPSMSessionProperty | 10.6 | Get property details from an active PSM Session. |
| Get-PASPSMRecordingActivity | 10.6 | Get activity details from a PSM Recording. |
| Get-PASPSMRecordingProperty | 10.6 | Get property details from a PSM Recording. |
| Export-PASPSMRecording | 10.6 | Save PSM Session Recording to a file. |
| Request-PASAdHocAccess | 10.6 | Request temporary access to a server. |
| Get-PASDirectoryMapping | 10.7 | Get details of configured directory mappings. |
| Set-PASDirectoryMapping | 10.7 | Update a configured directory mapping. |
| Remove-PASDirectory | 10.7 | Delete a directory configuration. |
| Find-PASSafe | 10.1 | List or Search Safes by name. |
| Set-PASDirectoryMappingOrder | 10.10 | Reorder Directory Mappings |
| Set-PASUserPassword | 10.10 | Reset a User's Password |
| New-PASGroup | 11.1 | Create a new CyberArk group |
| Get-PASPlatformSafe | 11.1 | List details for all platforms |
| Remove-PASDirectoryMapping | 11.1 | Deletes a Directory Mapping |
| Enable-PASCPMAutoManagement | 10.4 | Enables Automatic CPM Management for an account |
| Disable-PASCPMAutoManagement | 10.4 | Disables Automatic CPM Management for an account |
| Test-PASPSMRecording | 11.2 | Determine validity of PSM Session Recording |
| Copy-PASPlatform | 11.4 | Duplicate a platform |
| Enable-PASPlatform | 11.4 | Enable a platform |
| Disable-PASPlatform | 11.4 | Disable a platform |
| Remove-PASPlatform | 11.4 | Delete a platform |
| Remove-PASGroup | 11.5 | Delete a user group |
| Get-PASAllowedReferrer | 11.5 | List PVWA Allowed Referrer |
| Add-PASAllowedReferrer | 11.5 | Add PVWA Allowed Referrer |
| Get-PASAccountSSHKey | 11.5 | Get Private SSH Key value of Account |
| Get-PASAuthenticationMethod | 11.5 | List authentication methods |
| Add-PASAuthenticationMethod | 11.5 | Add authentication method |
| Set-PASAuthenticationMethod | 11.5 | Update authentication method |
| Get-PASConnectionComponent | 11.5 | List configured connection components |
| Get-PASPSMServer | 11.5 | List configured PSM Servers |
| Get-PASPlatformPSMConfig | 11.5 | List Platform PSM configuration |
| Set-PASPlatformPSMConfig | 11.5 | Update Platform PSM configuration |
| Start-PASAccountImportJob | 11.6 | Add multiple accounts to existing Safes. |
| Get-PASAccountImportJob | 11.6 | Get status of account import |
| New-PASAccountObject | --- | Format an object to include in an import list |
| Get-PASDiscoveredAccount | 11.6 | List discovered accounts |
| Add-PASOpenIDConnectProvider | 11.7 | Adds an OIDC Authentication Provider |
| Get-PASOpenIDConnectProvider | 11.7 | Gets details of configured OIDC Authentication Providers |
| Remove-PASOpenIDConnectProvider | 11.7 | Deletes an OIDC Authentication Provider |
| Set-PASOpenIDConnectProvider | 11.7 | Updates an OIDC Authentication Provider |
| Remove-PASAuthenticationMethod | 11.7 | Delete an authentication method |
Use one of the following methods:
PowerShell 5.0 or above must be used
This is the simplest & preferred method for installation of the module.
To install the module from the PowerShell Gallery, from a PowerShell prompt, run:
Install-Module -Name psPAS -Scope CurrentUser
You can manually copy the module files to one of your powershell module folders.
Find your PowerShell Module Paths with the following command:
$env:PSModulePath.split(';')
The module files should be placed in a folder named `psPAS` in one of the listed locations.
More: about_PSModulePath
There are multiple options for downloading the module files:
Save-Module -Name psPAS -Path C:\temp
Copy the `C:\temp\psPAS` folder to your "Powershell Modules" directory of choice.
Rename the `psPAS-v#.#.#` folder to `psPAS`.
Copy the `psPAS` folder to your "Powershell Modules" directory of choice.
master branch
Copy the `psPAS` (`\\psPAS-master\psPAS`) folder to your "Powershell Modules" directory of choice.
Validate Install:
Get-Module -ListAvailable psPAS
Import the module:
Import-Module psPAS
List Module Commands:
Get-Command -Module psPAS
Get detailed information on specific commands:
Get-Help New-PASUser -Full
Please support continued psPAS development; consider sponsoring @pspete on GitHub Sponsors
All notable changes to this project will be documented in the Changelog
This project is licensed under the MIT License.
Any and all contributions to this project are appreciated.
See the CONTRIBUTING.md for a few more details.
Hat Tips:
Assaf Miron (AssafMiron) For the JSON formatting assistance.
Warren Frame (RamblingCookieMonster) for Add-ObjectDetail.ps1.
Joe Garcia (infamousjoeg) for the unofficial API documentation.
Chapeau!