cyberark / epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management tasks like account creation, user management, and more.

Home Page: https://www.cyberark.com/best

Account Onboard Utility -Delete is taking a very long time per account

sgarrison77 opened this issue

I need to delete several thousand accounts from multiple safes in our vault. Using the -Delete flag, I'm trying to delete accounts from a .csv and it's taking more than 20 minutes per account to delete... here's my log output (account/host/safe names obscured)

Our PAS environment version is v12.2

Any suggestions?

As you can see, 24 minutes passed to get the "Deleted successfully" result for the first account on the list.

Command Syntax Used
.\Accounts_Onboard_Utility.ps1 -PVWAURL "https://<pvwa fqdn>/PasswordVault" -Delete -CsvPath '.\delete_accounts - linux.csv'

Log:

=======================================
[2023-09-20 11:25:32]	[INFO]	Welcome to Accounts Onboard Utility
------------------------------------
[2023-09-20 11:25:32]	[INFO]	Starting script (v2.5.0)
[2023-09-20 11:25:32]	[ERROR]	Error checking for latest version. Error: Source:; Message: Test-LatestVersion: Couldn't download and check for latest version
	->Source:Microsoft.PowerShell.Commands.Utility; Message: The request was aborted: Could not create SSL/TLS secure channel.
------------------------------------
[2023-09-20 11:25:32]	[INFO]	Getting PVWA Credentials to start Onboarding Accounts
[2023-09-20 11:25:40]	[INFO]	Reading CSV from :.\delete_accounts - linux.csv
------------------------------------
[2023-09-20 11:25:40]	[INFO]	Starting to Onboard 9 accounts
[2023-09-20 11:25:42]	[INFO]	Safe <safename> exists
[2023-09-20 11:37:29]	[INFO]	Account <id>@<hostname> exist
[2023-09-20 11:49:15]	[ERROR]	Unable to outout good record to file: .\delete_accounts - linux.csv.good.csv
[2023-09-20 11:49:15]	[INFO]	[2)] Deleted <id>@<hostname> successfully.

Update... when running the script with -verbose enabled, I see that it's taking time to process mainly due to these safes containing large numbers of accounts within... typically 8k-18k accounts in each safe.

It seems to be pulling objects from the safe 100 at a time. Is it possible to increase the number of accounts it pulls per Invoke from 100 to something much larger?

Verbose Log Example:

[2023-09-20 01:03:13]	[VERBOSE]	Invoke-RestMethod -Uri https://<pvwa fqdn>/PasswordVault/api/Accounts?filter=safename eq <safename> -Method Get -Header System.Collections.Hashtable -ContentType "application/json" -TimeoutSec 2700
[2023-09-20 01:03:18]	[VERBOSE]	Invoke-REST Response: @{value=System.Object[]; count=13178; nextLink=api/Accounts?offset=100&**limit=100**&filter=safename+eq+<safename>}
[2023-09-20 01:03:18]	[VERBOSE]	Invoke-RestMethod -Uri https://<pvwa fqdn>/PasswordVault/api/Accounts?offset=100&**limit=100**&filter=safename+eq+<safename> -Method Get -Header System.Collections.Hashtable -ContentType "application/json" -TimeoutSec 2700
[2023-09-20 01:03:23]	[VERBOSE]	Invoke-REST Response: @{value=System.Object[]; count=13178; nextLink=api/Accounts?offset=200&**limit=100**&filter=safename+eq+<safename>}

I have found a resolution... the switch "WideAccountsSearch" was not working in combination with the -Delete switch.

I modified the script to add the 'Delete' parameter to the "WideAccountsSearch" switch... the time it takes to delete the accounts has dropped from 24 minutes to ~12 seconds per account.

	#Use this switch when "WideAccountsSearch" is enabled use to quicken searches via name"
	[Parameter(ParameterSetName = 'Update', Mandatory = $false)]
	[Parameter(ParameterSetName = 'Delete', Mandatory = $false)]
	[Switch]$WideAccountsSearch,

resolved
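The parameter-set change described in the issue, reproduced as an added example (not code from the original post or from the epv-api-scripts project). The functions Invoke-Before, Invoke-After and Get-SwitchSets are hypothetical stand-ins, and the example assumes the switch was previously declared for the 'Update' set only, as the posted snippet implies.

```powershell
# Hypothetical stand-in for the param block BEFORE the change:
# -WideAccountsSearch belongs to the 'Update' parameter set only (assumption).
function Invoke-Before {
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName = 'Update', Mandatory = $true)][switch]$Update,
        [Parameter(ParameterSetName = 'Delete', Mandatory = $true)][switch]$Delete,
        [Parameter(ParameterSetName = 'Update', Mandatory = $false)]
        [switch]$WideAccountsSearch
    )
    "set=$($PSCmdlet.ParameterSetName) wide=$($WideAccountsSearch.IsPresent)"
}

# Hypothetical stand-in AFTER the change: the switch is declared for both sets,
# matching the two [Parameter()] lines shown in the issue.
function Invoke-After {
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName = 'Update', Mandatory = $true)][switch]$Update,
        [Parameter(ParameterSetName = 'Delete', Mandatory = $true)][switch]$Delete,
        [Parameter(ParameterSetName = 'Update', Mandatory = $false)]
        [Parameter(ParameterSetName = 'Delete', Mandatory = $false)]
        [switch]$WideAccountsSearch
    )
    "set=$($PSCmdlet.ParameterSetName) wide=$($WideAccountsSearch.IsPresent)"
}

# Helper (hypothetical): list the parameter sets that accept a given parameter,
# read from the command metadata rather than from the source text.
function Get-SwitchSets {
    param([string]$Command, [string]$Name)
    (Get-Command $Command).Parameters[$Name].ParameterSets.Keys | Sort-Object
}

"Before: " + ((Get-SwitchSets Invoke-Before WideAccountsSearch) -join ', ')
"After:  " + ((Get-SwitchSets Invoke-After  WideAccountsSearch) -join ', ')

# Before the change, combining the two switches fails at parameter binding,
# so the function body never runs.
try   { Invoke-Before -Delete -WideAccountsSearch }
catch { "Before, -Delete -WideAccountsSearch: $($_.Exception.Message)" }

# After the change, the same call resolves to the 'Delete' set.
Invoke-After -Delete -WideAccountsSearch
```

The same Get-Command query can be pointed at any function or script path to confirm which parameter sets a switch is valid in before starting a long bulk run.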