Cyberark github


GitHub Enterprise SAML Single Sign-On (SSO)

IP Address

The computer’s IP address when the user logs in. You can create rules based on:

  • Whether the location of the IP address is inside or outside the corporate network.

    Use either the Inside corporate IP range or Outside corporate IP range condition. The corporate IP network is defined in the table in Settings > Network > Corporate IP Range.

  • A Secure Zone (an IP address range that is a subset of your internal or external corporate IP network).

    Use the inside IP range ... condition. If you select this condition, you also need to indicate the specific Secure Zone (IP range configured in the IP table in Settings > Network > Corporate IP Range).

To configure the IP address condition, you first need to configure the IP address range in Settings > Network > Corporate IP Range. See Set Corporate IP ranges. The specified authentication profile is then applied to users whose IP address matches the specified IP address value, or falls within the specified IP address range.

Also see Disable policy rules for Corporate IP ranges to exempt certain IP addresses or ranges from policy rules.

  • Inside corporate IP range
  • Outside corporate IP range
  • Inside IP range ...

Identity Cookie

The cookie that is embedded in the current browser by CyberArk Identity after the user has successfully logged in.

  • Is present
  • Is not present

Day of Week

Specific days of the week (Sunday through Saturday). You can select one or more, based on either User Local Time or UTC.

Authentication filters for RADIUS connections only use UTC.

Checkboxes for each day of the week and radio buttons to select either User Local Time or UTC

Date

A date before or after which the user logs in that triggers the specified authentication requirement, based on either User Local Time or UTC.

Authentication filters for RADIUS connections only use UTC.

  • Less than <selected date>
  • Greater than <selected date>

User Local Time or UTC

Date Range

A specific date range, based on either User Local Time or UTC.

Authentication filters for RADIUS connections only use UTC.

Date pickers and radio buttons for User Local Time or UTC

Time Range

A specific time range in hours and minutes, based on either User Local Time or UTC.

Authentication filters for RADIUS connections only use UTC.

Strings representing time ranges in the format hh:mm, with radio buttons for User Local Time or UTC

Device OS

The operating system of the device a user is logging in from.

Network Level Authentication

This filter is used to apply authentication profiles based on whether an RDP client has completed Network Level Authentication ("NLA").

Browser

The browser used for opening the CyberArk Identity portal.

Role

CyberArk Identity roles that a user belongs to. If a user belongs to multiple roles, the authentication rule that comes first (highest priority on top) is honored.

If a role is renamed following the creation of an authentication rule using Role as a filter, the authentication rule will automatically update with the new role name. If a role is deleted, the portion of any authentication rule using that role as a filter will also be deleted.

This filter is only applicable to managing web application access.

Country

The country based on the IP address of the user computer.

Risk Level

The authentication factor is the risk level of the user logging on to the user portal. For example, a user attempting to log in to CyberArk Identity from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses. If you do not see this filter, contact CyberArk support. The supported risk levels are:

  • Non Detected -- No unexpected activities are detected.
  • Low -- Some aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.
  • Medium -- Many aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.
  • High -- Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
  • Undetermined -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.

Managed Devices

A device is considered “managed” if it is enrolled in CyberArk Identity and you use CyberArk Identity for device management. A device that is enrolled for only single sign-on or endpoint authentication is not considered a managed device. For more information about the difference, refer to Mobile Device Management or single sign-on only.

The Windows Cloud Agent does not include device management features. Enrolled Windows machines are not considered managed devices.

This filter is only applicable to managing web application access.

Certificate Authentication

Whether or not you use a digital certificate issued by your organization’s trusted certificate authority. You can upload a certificate using Admin Portal > Settings > Authentication > Certificate Authorities. Users can also individually use CyberArk as their trusted certificate authority and automatically install the digital certificate by enrolling their devices.

For example, if you configure an authentication rule to use the Certificate Authentication condition, then CyberArk Identity checks for a digital certificate issued by a trusted certificate authority and enforces the specified authentication profile before allowing access to this application.

CyberArk support must enable the Certificate Authentication filter for your company.
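
The conditions above only matter in combination with rule order and the clock they are evaluated against. The following is an added illustration, not CyberArk Identity code: a simplified model in which the first matching rule decides the authentication profile. The rule fields (Name, Ip, Days, TimeRange, Clock, Profile), the profile names and the IP ranges are all constructed assumptions.

```powershell
# Added illustration: a simplified model of ordered authentication rules,
# not CyberArk Identity's implementation. All names and values are constructed.

# Stand-in for the table in Settings > Network > Corporate IP Range (IPv4 only here).
$CorporateRanges = @('203.0.113.0/24', '198.51.100.0/25')

function ConvertTo-IPv4Number ([string]$Ip) {
    # Fold the four address bytes (network order) into one number.
    [long]$n = 0
    foreach ($b in ([ipaddress]$Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-InRange ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)   # addresses covered by the prefix
    $ipBlock  = [math]::Floor((ConvertTo-IPv4Number $Ip) / $blockSize)
    $netBlock = [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
    return $ipBlock -eq $netBlock
}

function Test-Rule ($Rule, $Login) {
    if ($Rule.Ip) {
        # "Inside" / "Outside" corporate IP range condition.
        $inside = [bool]($CorporateRanges | Where-Object { Test-InRange $Login.Ip $_ })
        if (($Rule.Ip -eq 'Inside') -ne $inside) { return $false }
    }
    if ($Rule.Days -or $Rule.TimeRange) {
        # Day and time conditions are evaluated in UTC or in the user's local time.
        $t = $Login.TimeUtc
        if ($Rule.Clock -eq 'UserLocal') { $t = $t.AddHours($Login.UtcOffsetHours) }
        if ($Rule.Days -and $Rule.Days -notcontains $t.DayOfWeek.ToString()) { return $false }
        if ($Rule.TimeRange) {
            # hh:mm-hh:mm; ranges that wrap past midnight are not handled in this model.
            $from, $to = $Rule.TimeRange -split '-'
            $hhmm = $t.ToString('HH:mm', [cultureinfo]::InvariantCulture)
            if ($hhmm -lt $from -or $hhmm -gt $to) { return $false }
        }
    }
    return $true
}

function Get-AuthProfile ($Rules, $Login, $Default = 'Default-Profile') {
    # Highest priority first: the first rule whose conditions all match wins.
    foreach ($r in $Rules) {
        if (Test-Rule $r $Login) { return "$($r.Profile) (rule: $($r.Name))" }
    }
    return "$Default (no rule matched)"
}

# Constructed rule set, in priority order.
$rules = @(
    @{ Name = 'Weekend'; Days = 'Saturday', 'Sunday'; Clock = 'UTC'; Profile = 'MFA-Strong' }
    @{ Name = 'Inside';  Ip = 'Inside';  Profile = 'Password-Only' }
    @{ Name = 'Outside'; Ip = 'Outside'; Profile = 'MFA-Standard' }
)

# Constructed login: Friday 23:30 UTC from inside the corporate range,
# while the user's own clock (UTC+2) already shows Saturday 01:30.
$login = @{
    Ip             = '203.0.113.10'
    TimeUtc        = [datetime]::new(2024, 3, 1, 23, 30, 0, [DateTimeKind]::Utc)
    UtcOffsetHours = 2
}

Get-AuthProfile $rules $login        # Weekend rule evaluated in UTC
$rules[0].Clock = 'UserLocal'
Get-AuthProfile $rules $login        # same login, Weekend rule evaluated in user local time
```

With the Weekend rule on UTC the login falls through to the Inside rule and gets the weaker profile; on User Local Time the same login matches the Weekend rule. Because RADIUS connections only use UTC, a day or time rule written with local working hours in mind behaves like the first call there.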
Source: https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsWeb/GitHub-Enterprise.htm

CyberArk REST API

All available requests in CyberArk Privileged Account Security (PAS) REST API.

LAST UPDATED: v11.7

THIS IS UNOFFICIAL DOCUMENTATION

Getting Started Guide

Getting Started with REST Using Postman (PDF)

Postman Live Documentation

View CyberArk's Live Documentation and Postman Collection

Get Accounts via REST - PowerShell Example

This example demonstrates how to create a function in PowerShell for each REST call necessary and how to handle responses.

function PASREST-Logon {

    # Declaration
    $webServicesLogon = "$PVWA_URL/PasswordVault/api/auth/ldap/logon"

    # Parameters
    $bodyParams = @{username = "Svc_CyberArkAPI"; password = "password"} | ConvertTo-JSON

    # Execution
    try {
        $logonResult = Invoke-RestMethod -Uri $webServicesLogon -Method POST -ContentType "application/json" -Body $bodyParams -ErrorVariable logonResultErr
        # The API returns the session token as a quoted string
        Return $logonResult.Trim('"')
    }
    catch {
        Write-Host "StatusCode: " $_.Exception.Response.StatusCode.value__
        Write-Host "StatusDescription: " $_.Exception.Response.StatusDescription
        Write-Host "Response: " $_.Exception.Message
        Return $false
    }
}

function PASREST-Logoff ([string]$Authorization) {

    # Declaration
    $webServicesLogoff = "$PVWA_URL/PasswordVault/api/auth/logoff"

    # Parameters
    $headerParams = @{}
    $headerParams.Add("Authorization", $Authorization)

    # Execution
    try {
        $logoffResult = Invoke-RestMethod -Uri $webServicesLogoff -Method POST -ContentType "application/json" -Headers $headerParams -ErrorVariable logoffResultErr
        Return $true
    }
    catch {
        Write-Host "StatusCode: " $_.Exception.Response.StatusCode.value__
        Write-Host "StatusDescription: " $_.Exception.Response.StatusDescription
        Write-Host "Response: " $_.Exception.Message
        Return $false
    }
}

function PASREST-GetAccount ([string]$Authorization) {

    # Declaration
    $webServicesGA = "$PVWA_URL/PasswordVault/api/Accounts?Keywords=$Keywords&Safe=$Safe"

    # Parameters
    $headerParams = @{}
    # Use the token passed to the function rather than the global $sessionID
    $headerParams.Add("Authorization", $Authorization)

    # Execution
    try {
        $getAccountResult = Invoke-RestMethod -Uri $webServicesGA -Method GET -ContentType "application/json" -Headers $headerParams -ErrorVariable getAccountResultErr
        return $getAccountResult
    }
    catch {
        Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__
        Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
        Write-Host "Response:" $_.Exception.Message
        return $false
    }
}

# Global Declaration
$PVWA_URL = "https://components.cyberark.local"
$Keywords = "TestAccount"
$Safe = "TestSafe"

# Execute Logon
$sessionID = PASREST-Logon

# Error Handling for Logon
if ($sessionID -eq $false) {
    Write-Host "[ERROR] There was an error logging into the Vault." -ForegroundColor Red; break
} else {
    Write-Host "[INFO] Logon completed successfully." -ForegroundColor DarkYellow
}

# Execute Get Accounts
$getAccountResult = PASREST-GetAccount -Authorization $sessionID
if ($getAccountResult -eq $false) {
    Write-Host "[ERROR] There was an error getting the account from the Vault." -ForegroundColor Red; break
} else {
    $getAccountResult.accounts | Format-Table -Property AccountID
}

# Execute Logoff
$logoffResult = PASREST-Logoff -Authorization $sessionID
if ($logoffResult -eq $true) {
    Write-Host "[INFO] Logoff completed successfully." -ForegroundColor DarkYellow
} else {
    Write-Host "[ERROR] Logoff was not completed successfully. Please logout manually using Authorization token:" $sessionID -ForegroundColor Red
}
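
The script above keeps the service account password in the source, skips logoff when an intermediate step stops the script, and prints the session token on a failed logoff. The following variant is an added example, not code from the CyberArk-RESTAPI repository: it takes a credential object, always logs off in a finally block, and never echoes the token. Invoke-WithPasSession, its parameters and the fake transport are hypothetical names; the two endpoint paths are the ones used above.

```powershell
# Added example, not code from the CyberArk-RESTAPI repository.
# Invoke-WithPasSession and its parameters are hypothetical names.
function Invoke-WithPasSession {
    param(
        [Parameter(Mandatory)] [string]       $PvwaUrl,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $Work,
        # Injectable transport so the flow can be exercised without a Vault.
        [scriptblock] $RestCall = { param($Request) Invoke-RestMethod @Request }
    )
    $token = $null
    try {
        # The password only leaves the credential object to build the request body.
        $body = @{
            username = $Credential.UserName
            password = $Credential.GetNetworkCredential().Password
        } | ConvertTo-Json
        $reply = & $RestCall @{
            Uri = "$PvwaUrl/PasswordVault/api/auth/ldap/logon"
            Method = 'POST'; ContentType = 'application/json'; Body = $body
        }
        $token = $reply.Trim('"')
        # Hand the Authorization header to the caller's work block.
        & $Work @{ Authorization = $token }
    }
    finally {
        # Runs on success and on failure, so a session is never left open by an error path.
        if ($token) {
            try {
                $null = & $RestCall @{
                    Uri = "$PvwaUrl/PasswordVault/api/auth/logoff"
                    Method = 'POST'; ContentType = 'application/json'
                    Headers = @{ Authorization = $token }
                }
            }
            catch {
                # Report the failure without writing the token to the console or a transcript.
                Write-Warning "Logoff failed: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed offline demo: a fake transport records each request instead of calling a PVWA.
$log = [System.Collections.Generic.List[string]]::new()
$fakePvwa = {
    param($Request)
    $log.Add("$($Request.Method) $($Request.Uri)")
    if ($Request.Uri -like '*/logon') { '"constructed-session-token"' }
}
# Constructed credential for the demo; in real use pass -Credential (Get-Credential).
$secret = ConvertTo-SecureString 'constructed-password' -AsPlainText -Force
$cred   = [pscredential]::new('Svc_CyberArkAPI', $secret)

try {
    Invoke-WithPasSession -PvwaUrl 'https://pvwa.example.invalid' -Credential $cred -RestCall $fakePvwa -Work {
        param($Headers)
        throw 'simulated failure while querying accounts'
    }
}
catch { Write-Host "Work failed: $_" }

# The recorded requests show the logoff call was still made after the failure.
$log
```

Against a real PVWA, omit -RestCall and put the Accounts request in the work block, passing the received hashtable to Invoke-RestMethod -Headers.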

Support or Contact

SYMPTOM: A delete request was sent to the Vault, and the following response was received: .

PROBLEM: The / command is handled by the WebDAV instead of the Restful services.

SOLUTION:

  1. Edit the PVWA's file.
  2. Search for
  3. In that line search for the & command and delete them, leaving the other ones.
  4. Save the file
  5. Restart IIS

Having trouble with CyberArk's REST API? Check out the /r/CyberArk subreddit on Reddit!

Source: https://github.com/infamousjoeg/CyberArk-RESTAPI

Powershell PACLI Module for CyberArk EPV

Use the native functions of the CyberArk PACLI command line utility translated into PowerShell.

If you are landing here and interested in using PowerShell to automate an aspect of CyberArk, I recommend investigating my psPAS module first, to see if you can achieve what you need with the REST API.


Usage & Examples

An identical process to using the PACLI tool on its own should be followed.

  • Check the relationship table to determine what PoShPACLI function exposes which PACLI command.

Initial Configuration

must be run before using the module for the first time. This function identifies the location of the utility to the module.

Set-PVConfiguration

Example: Connecting to a Vault

When starting PACLI, defining a vault, & Authenticating, any values provided for , name & name are automatically provided to future PoShPACLI commands.


The function is used to view the current values in use by the module.

Example: Add Password Object to Safe

Execute the sequence of commands to complete a required process.


Example: Disconnect from Vault

The module provides the required parameter values to the PACLI executable.


PACLI Pipeline Examples

Output can be piped between PoShPACLI functions:

Pipeline Example


PACLI to PoShPACLI Function Relationship

The table shows how the PoShPACLI module functions relate to their native PACLI counterparts:

PACLI Command    PoshPACLI Function
INIT
TERM
DEFINEFROMFILE
DEFINE
CREATELOGONFILE
LOGON
LOGOFF
CTLGETFILENAME
CTLADDCERT
CTLLIST
CTLREMOVECERT
STOREFILE
FINDFILES
RETRIEVEFILE
LOCKFILE
MOVEFILE
DELETEFILE
RESETFILE
UNDELETEFILE
UNLOCKFILE
INSPECTFILE
ADDFILECATEGORY
LISTFILECATEGORIES
DELETEFILECATEGORY
UPDATEFILECATEGORY
FILESLIST
FILEVERSIONSLIST
FOLDERSLIST
MOVEFOLDER
ADDFOLDER
DELETEFOLDER
UNDELETEFOLDER
GROUPDETAILS
ADDGROUP
DELETEGROUP
UPDATEGROUP
ADDGROUPMEMBER
GROUPMEMBERS
DELETEGROUPMEMBER
LDAPBRANCHESLIST
LDAPBRANCHADD
LDAPBRANCHDELETE
LDAPBRANCHUPDATE
LOCATIONSLIST
ADDLOCATION
DELETELOCATION
RENAMELOCATION
UPDATELOCATION
MAILUSER
NETWORKAREASLIST
MOVENETWORKAREA
ADDNETWORKAREA
DELETENETWORKAREA
RENAMENETWORKAREA
ADDAREAADDRESS
DELETEAREAADDRESS
VALIDATEOBJECT
GENERATEPASSWORD
STOREPASSWORDOBJECT
RETRIEVEPASSWORDOBJECT
DELETEPREFFEREDFOLDER
ADDPREFERREDFOLDER
REQUESTSLIST
DELETEREQUEST
REQUESTCONFIRMATIONSTATUS
CONFIRMREQUEST
ADDRULE
RULESLIST
DELETERULE
CLOSESAFE
SAFEDETAILS
ADDSAFE
OPENSAFE
DELETESAFE
RENAMESAFE
RESETSAFE
UPDATESAFE
INSPECTSAFE
SAFEEVENTSLIST
ADDEVENT
LISTSAFEFILECATEGORIES
ADDSAFEFILECATEGORY
DELETESAFEFILECATEGORY
UPDATESAFEFILECATEGORY
ADDSAFESHARE
DELETESAFESHARE
CLEARSAFEHISTORY
SAFESLIST
SAFESLOG
ADDNOTE
ADDOWNER
OWNERSLIST
DELETEOWNER
UPDATEOWNER
ADDTRUSTEDNETWORKAREA
DEACTIVATETRUSTEDNETWORKAREA
ACTIVATETRUSTEDNETWORKAREA
TRUSTEDNETWORKAREALIST
DELETETRUSTEDNETWORKAREA
USERDETAILS
LOCK
ADDUSER
DELETEUSER
RENAMEUSER
UPDATEUSER
UNLOCK
INSPECTUSER
CLEARUSERHISTORY
USERSLIST
SETPASSWORD
GETUSERPHOTO
PUTUSERPHOTO
OWNERSAFESLIST
ADDUPDATEEXTERNALUSERENTITY

Getting Started

Prerequisites

  • Requires Powershell v5 (minimum)
  • The CyberArk PACLI executable must be present on the same computer as the module.
    • PACLI 7.2 was used for development, anything less is considered unsupported for use with this module.
  • A CyberArk user with which to authenticate, which has appropriate Vault/Safe permissions.

Installation Options

This repository contains a folder named .

The folder and its contents need to be present in one of your PowerShell Module Directories.

Use one of the following methods:

Option 1: Install from PowerShell Gallery

Download the module from the PowerShell Gallery.

  • PowerShell 5.0 or above required.

From a PowerShell prompt, run:

Install-Module -Name PoShPACLI -Scope CurrentUser

Option 2: Manual Install

Find your PowerShell Module Paths with the following command:

$env:PSModulePath.split(';')

Download a Release

OR

Download the branch

Extract the archive

Copy the folder to your "Powershell Modules" directory of choice.

Verification

Validate Module Exists on your local machine:

Get-Module -ListAvailable PoShPACLI

Import the module:

List Module Commands:

Get-Command -Module PoShPACLI

Get detailed information on specific commands:

Get-Help Open-PVSafe -Full

Changelog

All notable changes to this project will be documented in the Changelog

Author

License

This project is licensed under the MIT License - see the LICENSE.md file for details

Contributing

Any and all contributions to this project are appreciated. See the CONTRIBUTING.md for a few more details.

Source: https://github.com/pspete/PoShPACLI

Conjur Open Source

At Conjur Open Source, we’re creating the tools to help you build applications safely and securely - without having to be a security expert. From our flagship Conjur server (a secret store and RBAC engine), to custom authenticators that make the secret zero problem a thing of the past, to Secretless Broker, which aims to make sure your apps never have to worry about secrets again.

Not sure where to get started? Visit our "Where to Start" page on Discourse.

Conjur Open Source integrations with platforms and DevOps tools.

Platform Integrations

Tools for Conjur integrations with platforms and cloud providers.

  • cyberark/conjur-authn-k8s-client

    Kubernetes: The Conjur authenticator client can be deployed as a sidecar or init container to ensure your application has a valid Conjur access token.

  • cyberark/secrets-provider-for-k8s

    Kubernetes: The Conjur Secrets Provider for K8s is deployed as an init container in your application pod. It injects secrets from Conjur into Kubernetes secrets, which are accessible to your application pod.

  • cyberark/conjur-service-broker

    Cloud Foundry: The Conjur service broker ensures your Cloud Foundry-deployed applications are bootstrapped with a Conjur machine identity on deploy.

  • cyberark/cloudfoundry-conjur-buildpack

    Cloud Foundry: The Conjur buildpack brings the benefit of Summon to your Cloud Foundry-deployed applications. Leverage your app's Conjur identity to automatically inject the secrets your app needs into its environment at runtime.

DevOps Tools

Conjur Open Source integrations with DevOps tools.

  • cyberark/ansible-conjur-collection

    Ansible: Ansible collection containing the Conjur Ansible Role to provide Conjur identity to Ansible hosts, and the Conjur Lookup Plugin for fetching secrets from Conjur.

  • cyberark/ansible-conjur-host-identity

    Ansible: Ansible role to provide Conjur machine identity to application hosts and install the Summon tool, which enables hosts to securely retrieve credentials.

  • cyberark/conjur-credentials-plugin

    Jenkins: Conjur plugin for securely providing credentials to Jenkins jobs.

  • cyberark/conjur-puppet

    Puppet: Puppet module that simplifies the operation of establishing Conjur host identity and allows authorized Puppet nodes to fetch secrets from Conjur.

  • cyberark/terraform-provider-conjur

    Terraform: Terraform provider that makes secrets in Conjur available in Terraform manifests.

Source: https://cyberark.github.io/conjur/


psPAS: PowerShell Module for the CyberArk API

psPAS

Use PowerShell to manage CyberArk via the PVWA REST API.

Contains all published methods of the API up to CyberArk v12.2.

Docs: https://pspas.pspete.dev


Module Status


Usage


Authenticate

It all starts with a Logon

is used to send a logon request to the CyberArk API.

On successful authentication uses the data which was provided for the request & also returned from the API for all subsequent operations.

CyberArk Authentication

  • Use a PowerShell credential object containing a valid vault username and password.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: safeadmin
Password for user safeadmin: **********

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com

LDAP Authentication

  • Specify LDAP credentials allowed to authenticate to the vault.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: xApprover_1
Password for user xApprover_1: **********

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type LDAP

Get-PASLoggedOnUser

UserName    Source UserTypeName AgentUser Expired Disabled Suspended
--------    ------ ------------ --------- ------- -------- ---------
xApprover_1 LDAP   EPVUser      False     False   False    False

RADIUS Authentication

Challenge Mode

$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **********

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 123456

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
DuoUser  LDAP   EPVUser      False     False   False    False

Append Mode

  • Some 2FA solutions allow a One Time Passcode to be sent with the password.

    • If an OTP is provided, it is sent to the API with the password, separated by a delimiter: ""
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **********

New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 738458 -OTPMode Append

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
DuoUser  LDAP   EPVUser      False     False   False    False

SAML Authentication

SAML SSO authentication using IWA and ADFS can be performed:

New-PASSession -BaseURI $url -SAMLAuth

Where IWA SSO is not possible, the PS-SAML-Interactive module can be used to obtain the SAMLResponse from an authentication service.

The SAMLResponse is then used to perform SAML authentication.

import-module -name 'C:\PS-SAML-Interactive.psm1'

$loginURL = 'https://company.okta.com/home/app1/0oa11xddwdzhvlbiZ5d7/aln1k2HsUl5d7'
$baseURL = 'https://pvwa.mycompany.com'

$loginResponse = New-SAMLInteractive -LoginIDP $loginURL

New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse

Shared Authentication with Client Certificate

  • If IIS is configured to require client certificates, will use any provided certificate details for the duration of the session.
$Cert = "0E199489C57E666115666D6E9990C2ACABDB6EDB"
New-PASSession -UseSharedAuthentication -BaseURI https://pvwa.somedomain.com -CertificateThumbprint $Cert

Basic Operations


Search

Safes
  • Get information relating to Safes you have access to:
Get-PASSafe -search _YZO

SafeName           ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description
--------           -----------     --------------------- ------------------------- -----------
1_TestSafe_096_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_096_YZO
1_TestSafe_100_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_100_YZO
3_TestSafe_058_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_058_YZO
3_TestSafe_068_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_068_YZO
3_TestSafe_069_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_069_YZO
2_TestSafe_090_YZO PasswordManager                       3                         TestSafe: 2_TestSafe_090_YZO
1_TestSafe_067_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_067_YZO

Safe Members

Get-PASSafeMember -SafeName 1_TestSafe_067_YZO -search Usr

UserName                     SafeName           Permissions
--------                     --------           -----------
ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False;.....

Users

Get-PASUser -Search xap

ID  UserName    Source UserType ComponentUser Location
--  --------    ------ -------- ------------- --------
657 xApprover_A LDAP   EPVUser  False         \psPETE\Users
658 xApprover_1 LDAP   EPVUser  False         \psPETE\Users
659 xApprover_B LDAP   EPVUser  False         \psPETE\Users
660 xApprover_2 LDAP   EPVUser  False         \psPETE\Users
661 xApprover_C LDAP   EPVUser  False         \psPETE\Users
662 xApprover_3 LDAP   EPVUser  False         \psPETE\Users

Accounts

Get-PASAccount -SafeName "3_TestSafe_028_XYJ" -search sbwudlov

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02

1st Gen API

  • The & parameters of force use of the 1st gen API:
Get-PASAccount -Safe 3_TestSafe_028_XYJ

WARNING: 2 matching accounts found. Only the first result will be returned

AccountID          : 286_3
Safe               : 3_TestSafe_028_XYJ
Folder             : Root
Name               : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
UserName           : kmgrsebf
PlatformID         : Z_WINDOMAIN_OFF
DeviceType         : Operating System
Address            : SOMEDOMAIN.COM
InternalProperties : @{CreationMethod=PVWA}

  • Only details of the first found account will be returned.
  • More results can be returned by specifying alternative parameters to avoid sending the request via the 1st gen API
PS>Get-PASAccount -SafeName "3_TestSafe_028_XYJ"

AccountID                 : 286_3
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : kmgrsebf
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-kmgrsebf
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864221}
createdTime               : 06/06/2019 23:37:01

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02


Administration

Add An Account
  • Add an account to manage:
#Convert Password to SecureString
$Password = ConvertTo-SecureString -String "Secret1337$" -AsPlainText -Force

#Additional account properties
$platformAccountProperties = @{
  "LOGONDOMAIN"    = "domain.com"
  "Notes"          = "Demo Account. Owner:psPete"
  "Classification" = "1F"
}

#Add Account
Add-PASAccount -secretType Password -secret $Password -SafeName "YourSafe" -PlatformID "YourPlatform" `
-Address "domain" -Username SomeUsername -platformAccountProperties $platformAccountProperties

Create Safes

Add-PASSafe -SafeName NewSafe -Description "New Safe" -ManagingCPM PasswordManager -NumberOfVersionsRetention 10

SafeName ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description
-------- -----------     --------------------- ------------------------- -----------
NewSafe  PasswordManager                       10                        New Safe

Add Safe Members

  • Consistent safe membership:

Add-PASSafeMember -SafeName NewSafe -MemberName NewMember -UseAccounts $false -ListAccounts $true `
-RetrieveAccounts $false -ViewAuditLog $true -ViewSafeMembers $true

UserName  SafeName Permissions
--------  -------- -----------
NewMember NewSafe  @{useAccounts=False; retrieveAccounts=False; listAccounts=True; addAccounts=False;...

Update Accounts

  • Update values for individual account properties:

Set-PASAccount -AccountID 286_4 -op replace -path /address -value NEWDOMAIN.COM

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=SOMEDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02

Set-PASAccount -AccountID 286_4 -op replace -path /platformAccountProperties/LogonDomain -value NEWDOMAIN

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : NEWDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
platformAccountProperties : @{LogonDomain=NEWDOMAIN}
secretManagement          : @{automaticManagementEnabled=True; lastModifiedTime=1559864222}
createdTime               : 06/06/2019 23:37:02


CPM Operations

Verify

# immediate verification
Invoke-PASCPMOperation -AccountID $ID -VerifyTask

Change

  • Change passwords for accounts or account groups

# immediate change
Invoke-PASCPMOperation -AccountID $ID -ChangeTask

# immediate change to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeImmediately $true -NewCredentials $SecureString

# change password in the Vault only
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -NewCredentials $SecureString

# change password for account group
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true

# change password for account group to a specific password value
Invoke-PASCPMOperation -AccountID $ID -ChangeTask -ChangeEntireGroup $true -NewCredentials $SecureString

Reconcile

# immediate reconcile
Invoke-PASCPMOperation -AccountID $ID -ReconcileTask

Import a Connection Component

  • Import Custom Connection Components:

Import-PASConnectionComponent -ImportFile C:\Temp\ConnectionComponent.zip

Platforms

  • Import & Export of CPM Platforms:

#Import a Platform
Import-PASPlatform -ImportFile C:\Temp\Platform.zip

#Export a Platform
Export-PASPlatform -PlatformID "Some-SSH-Platform" -Path C:\Temp


Pipeline Operations

  • Work with the PowerShell pipeline:
#Find directory groups assigned to safes
Get-PASSafe -search YZO | Get-PASSafeMember -memberType group -includePredefinedUsers $false |
Where-Object { Get-PASGroup -search $_.UserName -groupType Directory }

UserName                     SafeName           Permissions
--------                     --------           -----------
ACC-G-1_TestSafe_096_YZO-Usr 1_TestSafe_096_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_096_YZO-Adm 1_TestSafe_096_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_100_YZO-Usr 1_TestSafe_100_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-1_TestSafe_100_YZO-Adm 1_TestSafe_100_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_058_YZO-Usr 3_TestSafe_058_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_058_YZO-Adm 3_TestSafe_058_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_068_YZO-Usr 3_TestSafe_068_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_068_YZO-Adm 3_TestSafe_068_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_069_YZO-Usr 3_TestSafe_069_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-3_TestSafe_069_YZO-Adm 3_TestSafe_069_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-2_TestSafe_090_YZO-Usr 2_TestSafe_090_YZO @{useAccounts=True; retrieveAccounts=True; lis...
ACC-G-2_TestSafe_090_YZO-Adm 2_TestSafe_090_YZO @{useAccounts=True; retrieveAccounts=
Source: https://github.com/pspete/psPAS