Use PowerShell to manage CyberArk via the Web Services REST API.
Contains all published methods of the API up to CyberArk v10.2.
It all starts with a Logon
The output of New-PASSession can be used as input for subsequent commands.
In the below examples, the $token variable contains the values for the
sessionToken & baseURI parameters, which are mandatory for all functions.
Use the pipeline to allow multiple successive commands to be executed.
Save time on repetitive support tasks...
Unlock Users:
Add Users as Group Members:
Streamline your safe creation process...
Achieve consistent safe permissions...
Enact changes across multiple safes, with speed...
Onboard a User Account...
Onboard User Accounts, in bulk...
Check-In locked accounts...
Make changes to multiple managed accounts...
See the module in action in the below "CyberArk REST API: From Start-to-Finish" video:
Your version of CyberArk determines which functions of psPAS will be supported.
Check the below table to determine what is available for you to use.
The CyberArk Version listed is the minimum required to use the function.
| Function Name | Description | CyberArk Version |
|---|---|---|
New-PASSession |
Authenticates a user to CyberArk Vault |
9.0 |
Close-PASSession |
Logoff from CyberArk Vault. |
9.0 |
New-PASSAMLSession |
Authenticates a user to CyberArk Vault using SAML |
9.7 |
Close-PASSAMLSession |
Logoff from CyberArk Vault SAML Session. |
9.7 |
New-PASSharedSession |
Authenticates a user to CyberArk Vault. |
9.7 |
Close-PASSharedSession |
Logoff from CyberArk Vault shared user. |
9.7 |
Add-PASPublicSSHKey |
Adds an authorised public SSH key for a specific user in the Vault. |
9.6 |
Get-PASPublicSSHKey |
Retrieves a user's SSH Keys. |
9.6 |
Remove-PASPublicSSHKey |
Deletes a specific Public SSH Key from a specific vault user |
9.6 |
Add-PASAccountACL |
Adds a new privileged command rule to an account. |
9.0 |
Get-PASAccountACL |
Lists privileged commands rule for an account |
9.0 |
Remove-PASAccountACL |
Deletes privileged commands rule from an account |
9.0 |
Add-PASAccountGroupMember |
Adds an account as a member of an account group. |
9.95 |
Get-PASAccountGroup |
Returns all the account groups in a specific Safe. |
9.10 |
Get-PASAccountGroupMember |
Returns all the members of a specific account group. |
9.10 |
New-PASAccountGroup |
Adds a new account group to the Vault |
9.95 |
Remove-PASAccountGroupMember |
Deletes a member of an account group |
9.10 |
Add-PASAccount |
Adds a new privileged account to the Vault |
9.0 |
Add-PASPendingAccount |
Adds discovered account or SSH key as a pending account in the accounts feed. |
9.7 |
Get-PASAccount |
Returns information about an account. |
9.3 |
Get-PASAccountActivity |
Returns activities for an account. |
9.7 |
Get-PASAccountPassword |
Returns password for an account. |
9.7 |
Invoke-PASCredChange |
Initiate CPM password change to new random or specified value. |
9.10 |
Invoke-PASCredReconcile |
Initiates password reconcile by the CPM to a new random password. |
9.10 |
Invoke-PASCredVerify |
Marks account for immediate verification by the CPM. |
9.10 |
Remove-PASAccount |
Deletes an account | 9.3 |
Set-PASAccount |
Updates an existing accounts details. |
9.5 |
Start-PASCredChange |
Initiates an immediate password change by the CPM to a new random password. |
9.3 |
Start-PASCredVerify |
Marks account for immediate verification by the CPM |
9.7 |
Unlock-PASAccount |
Checks in an exclusive account in to the Vault. |
9.10 |
Add-PASApplication |
Adds a new application to the Vault |
9.1 |
Add-PASApplicationAuthenticationMethod |
Adds an authentication method to an application. |
9.1 |
Get-PASApplication |
Returns details of applications in the Vault |
9.1 |
Get-PASApplicationAuthenticationMethod |
Returns information about all of the authentication methods of a specific application. |
9.1 |
Remove-PASApplication |
Deletes an application | 9.1 |
Remove-PASApplicationAuthenticationMethod |
Deletes an authentication method from an application |
9.1 |
Get-PASPSMConnectionParameter |
Get required parameters to connect through PSM |
9.10 |
Get-PASPSMRecording |
Get details of PSM Recording |
9.10 |
Get-PASPSMSession |
Get details of Live PSM Sessions |
9.10 |
Resume-PASPSMSession |
Resumes a Suspended PSM Session. |
10.2 |
Stop-PASPSMSession |
Terminates a Live PSM Session. |
10.1 |
Suspend-PASPSMSession |
Suspends a Live PSM Session. |
10.2 |
Get-PASOnboardingRule |
Gets all automatic on-boarding rules |
9.7 |
New-PASOnboardingRule |
Adds a new on-boarding rule to the Vault |
9.7 |
Remove-PASOnboardingRule |
Deletes an automatic on-boarding rule |
9.7 |
Get-PASPlatform |
Retrieves details of a specified platform from the Vault. |
9.10 |
Import-PASPlatform |
Import a new platform | 10.2 |
Add-PASPolicyACL |
Adds a new privileged command rule |
9.0 |
Get-PASPolicyACL |
Lists OPM Rules for a policy |
9.0 |
Remove-PASPolicyACL |
Delete all privileged commands on policy |
9.0 |
Approve-PASRequest |
Confirm a single request | 9.10 |
Deny-PASRequest |
Reject a single request | 9.10 |
Get-PASRequest |
List requests | 9.10 |
Get-PASRequestDetail |
Get request details | 9.10 |
New-PASRequest |
Creates an access request for a specific account |
9.10 |
Remove-PASRequest |
Deletes a request from the Vault |
9.10 |
Add-PASSafeMember |
Adds a Safe Member to a safe |
9.3 |
Get-PASSafeMember |
Lists the members of a Safe |
9.7 |
Remove-PASSafeMember |
Removes a member from a safe |
9.3 |
Set-PASSafeMember |
Updates a Safe Member's Permissions |
9.3 |
Add-PASSafe |
Adds a new safe to the Vault |
9.2 |
Get-PASSafe |
Returns safe details from the vault. |
9.7 |
Remove-PASSafe |
Deletes a safe from the Vault |
9.3 |
Set-PASSafe |
Updates a safe in the Vault |
9.3 |
Get-PASSafeShareLogo |
Returns details of SafeShare Logo |
9.7 |
Get-PASServer |
Returns details of the Web Service Server |
9.7 |
Get-PASServerWebService |
Returns details of the Web Service |
9.7 |
Get-PASComponentDetail |
Returns details & health information about CyberArk component instances. |
10.1 |
Get-PASComponentSummary |
Returns consolidated information about CyberArk Components. |
10.1 |
Add-PASGroupMember |
Adds a vault user as a group member |
9.7 |
Get-PASLoggedOnUser |
Returns details of the logged on user |
9.7 |
Get-PASUser |
Returns details of a user | 9.7 |
New-PASUser |
Creates a new vault user | 9.7 |
Remove-PASUser |
Deletes a vault user | 9.7 |
Set-PASUser |
Updates a vault user | 9.7 |
Unblock-PASUser |
Activates a suspended user | 9.7 |
- Requires Powershell v3 (minimum)
- CyberArk PAS REST API/Web Service
- A user with which to authenticate, with appropriate Vault/Safe permissions.
This repository contains a folder named psPAS.
The folder needs to be copied to one of your PowerShell Module Directories.
Use one of the following methods:
PowerShell 5.0 or above & Administrator rights are required.
To download the module from the PowerShell Gallery,
from an elevated PowerShell prompt, run:
Install-Module -Name psPAS -Scope CurrentUser
Find your PowerShell Module Paths with the following command:
$env:PSModulePath.split(';')
Extract the archive
Copy the psPAS folder to your "Powershell Modules" directory of choice.
Validate Module Exists on your local machine:
Get-Module -ListAvailable psPAS
Import the module:
Import-Module psPAS
List Module Commands:
Get-Command -Module psPAS
Get detailed information on specific commands:
Get-Help Add-PASUser -Full
All notable changes to this project will be documented in the Changelog
- Pete Maan - pspete
This project is licensed under the MIT License.
Any and all contributions to this project are appreciated.
The SAML authentication capability needs testing, no federation service is
available to me to confirm that the functionality works as required...
See the CONTRIBUTING.md for a few more details.
Hat Tips:
Warren Frame
(RamblingCookieMonster) for the borrowed Add-ObjectDetail.ps1
&
New-DynamicParam.ps1
helper functions.
Joe Garcia (infamousjoeg) for the unofficial API documentation
Chapeau!