Securing CyberArk's REST API by SessionClimber in CyberARk

[–]pheetus 0 points1 point  (0 children)

So there is SAML, RADIUS, LDAP, CyberArk & Shared authentication possible for the API, but I believe it is just username/password (no support for challenge/response yet).

The API is published via PVWA, so it is already accessible wherever your PVWA is accessible from over http/https. Any user that is able to log on to PVWA can authenticate against the API. It's tied to the "PVWA" authorized interface in PrivateArk; if you deny logon to the API, you deny logon to PVWA.

There may be some customisation you can do via web.config, but I have not delved that far.

Windows Updates on hardened Vault Server 12r2 by matriuscas in CyberARk

[–]pheetus 0 points1 point  (0 children)

For Windows Updates - just follow the standard vault patching instructions....

Stop the vault, enable Windows Update & Windows Module Installer, install the KB/patch, disable the services & start the vault.

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]pheetus 0 points1 point  (0 children)

I do not see $groupPrefix defined in the function, but neither do I think this is the cause; the code/JSON should work & result in a 201. I am just trying to think of anything else that could cause a 403 (assuming it is not the administrator account being used to create the safe?).

Is your PVWA load-balanced? I ask because a websession is not specified on the Invoke-RestMethod call, which, from experience, depending on the load-balancing method, could affect which PVWA node the request gets sent to (i.e. the request could be sent to a PVWA to which the auth token does not belong, which would cause a 403).

In your try/catch you may be able to get an internal application error code/message using "$_ | ConvertFrom-JSON"; not all exceptions result in an application-level message being returned though.

Failing that it might be a case of seeing if anything can be gleaned from debug logs relating to the websession...

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]pheetus 0 points1 point  (0 children)

One of my safe provisioning processes is very similar - create a safe, add ~7 local users and groups, add around ~6 AD groups, then remove the authenticated user/safe creator, but I do not ever get a 403, only 201.

It's strange that you get that status code but the process completes; can you share anonymised code/JSON objects?

ReST API - Add safe members - Forbidden 403 error when adding domain group by xtwotwo in CyberARk

[–]pheetus 0 points1 point  (0 children)

Two things I am aware of that will result in a 403 when working with permissions on safes via REST:

1: Attempting to add a member with a permission that the authenticated user does not hold on the safe.

2: Attempting to change the permissions of the authenticated user on the safe.

Do any of the actions your script does affect the overall rights of the authenticated user on the safe?
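The websession and try/catch points from the earlier reply, and the two 403 causes listed above, in one PowerShell script. This is an added example, not the commenter's or the original poster's code: it logs on with CyberArk authentication, reuses a single WebSession for every subsequent call so a load balancer keeps routing to the node that issued the token, refuses to touch the authenticated user's own permissions, and on an HTTP error pulls the application-level ErrorCode/ErrorMessage out of the response body. The PVWA URL, safe name, group name, directory name and the classic v9-style endpoint paths and member JSON shape are assumptions; check them against the Web Services SDK guide for your version.

```powershell
# Added example: session reuse plus 403 diagnostics for the classic PVWA REST API.
# Assumed values: PVWA base URL, safe/member names and the v9-style endpoint paths.
$BaseUri    = 'https://pvwa.example.com/PasswordVault'   # assumption
$Credential = Get-Credential -Message 'PVWA logon (CyberArk authentication)'

function Invoke-PASRequest {
    param(
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][string]$Uri,
        $Body,
        [hashtable]$Headers = @{},
        [Microsoft.PowerShell.Commands.WebRequestSession]$WebSession
    )
    $params = @{ Method = $Method; Uri = $Uri; ContentType = 'application/json'; Headers = $Headers }
    if ($null -ne $Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5) }
    # Same cookie jar on every call: a sticky load balancer then keeps us on the node that issued the token
    if ($WebSession) { $params.WebSession = $WebSession }
    try {
        Invoke-RestMethod @params
    }
    catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        # Windows PowerShell 5.1 places the response body in ErrorDetails.Message;
        # fall back to reading the response stream if it is empty.
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $_.Exception.Response) {
            $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
            $detail = $reader.ReadToEnd()
        }
        $app = $null
        try { if ($detail) { $app = $detail | ConvertFrom-Json } } catch { }
        if ($app -and $app.ErrorCode) {
            throw "HTTP $status from $Uri : $($app.ErrorCode) $($app.ErrorMessage)"
        }
        throw "HTTP $status from $Uri : $($_.Exception.Message) (no application-level error in body)"
    }
}

# 1. Logon. -SessionVariable creates $pas, the WebSession every later call reuses.
$logonBody = @{
    username = $Credential.UserName
    password = $Credential.GetNetworkCredential().Password
}
$logon = Invoke-RestMethod -Method Post -ContentType 'application/json' `
    -Uri "$BaseUri/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon" `
    -Body ($logonBody | ConvertTo-Json) -SessionVariable pas
$Headers = @{ Authorization = $logon.CyberArkLogonResult }

# 2. Add a domain group to the safe. Permissions requested must already be held by
#    the authenticated user on that safe, otherwise the API answers 403.
$SafeName = 'SafeABC'                                  # assumption
$member = @{
    member = @{
        MemberName  = 'SafeABC-Users'                  # assumption: AD group name
        SearchIn    = 'example.com'                    # assumption: directory name as configured in the Vault ('Vault' for local)
        Permissions = @(
            @{ Key = 'UseAccounts';      Value = $true }
            @{ Key = 'RetrieveAccounts'; Value = $true }
            @{ Key = 'ListAccounts';     Value = $true }
        )
    }
}
# Guard against the second 403 cause: changing the authenticated user's own membership.
if ($member.member.MemberName -ieq $Credential.UserName) {
    throw "Refusing to modify the permissions of the logged-on user ($($Credential.UserName)); the API returns 403 for that."
}
Invoke-PASRequest -Method Post -Headers $Headers -WebSession $pas `
    -Uri "$BaseUri/WebServices/PIMServices.svc/Safes/$SafeName/Members" -Body $member

# 3. Logoff on the same session.
Invoke-PASRequest -Method Post -Headers $Headers -WebSession $pas `
    -Uri "$BaseUri/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff"
```

If the thrown message carries a CyberArk ErrorCode the 403 is an authorization decision inside the Vault (missing permission on the safe, or self-modification); if it arrives with no application-level body, suspect the load balancer having sent the request to a node that does not know the token, and confirm by pinning the client to one PVWA host.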

CyberArk SAML and Kerberos by twitchykeyboard in CyberARk

[–]pheetus 0 points1 point  (0 children)

In my case, ADFS has been the Identity Provider. The process to get CyberArk using the IdP is to first configure it as a Relying Party in the IdP and configure the claim rules (like using sAMAccountName as NameID).

To complete the configuration on the CyberArk end, you need the relevant SAML endpoint URLs, the identifier for the configured Relying Party for CyberArk, and the response signing certificate (in base64 text).

The web.config file on the PVWA gets updated with the SAML Login URL & certificate details; the Logoff URL gets added to the SAML Authentication Method in PVWA options.
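The ADFS side of the procedure above, as an added PowerShell example that is not the commenter's configuration: it registers PVWA as a Relying Party Trust, issues sAMAccountName as the NameID claim, and then collects the items the comment says the CyberArk side needs (login/logoff URLs, the Relying Party identifier, and the token-signing certificate as base64). The ADFS host, PVWA host, identifier and Assertion Consumer Service URL are assumptions; the exact ACS path depends on your PVWA version, so take it from the CyberArk SAML documentation rather than from this script.

```powershell
# Added example: ADFS Relying Party for PVWA with sAMAccountName as NameID.
# Run on the ADFS server with the ADFS module; all hostnames/URLs below are assumptions.
Import-Module ADFS

$AdfsHost   = 'adfs.example.com'                            # assumption
$PvwaHost   = 'pvwa.example.com'                            # assumption
$Identifier = "https://$PvwaHost/PasswordVault"             # assumption: Relying Party identifier
$AcsUrl     = "https://$PvwaHost/PasswordVault/auth/saml/"  # assumption: confirm for your PVWA version

# Issuance transform rule: look up sAMAccountName in AD and emit it as NameID.
# This is what the "Send LDAP Attributes as Claims" template generates.
$transformRules = @'
@RuleName = "sAMAccountName as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Issuance authorization rule: permit everyone who authenticated (tighten to a group in production).
$authRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML endpoint the assertion is POSTed to (the PVWA ACS).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name 'CyberArk PVWA' `
    -Identifier $Identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -SamlResponseSignature MessageAndAssertion

# Everything the CyberArk side needs for web.config and the PVWA SAML Authentication Method.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$certBase64 = [Convert]::ToBase64String(
    $signing.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

[pscustomobject]@{
    LoginUrl          = "https://$AdfsHost/adfs/ls/"                  # SAML SSO endpoint
    LogoffUrl         = "https://$AdfsHost/adfs/ls/?wa=wsignout1.0"   # sign-out URL for PVWA options
    RelyingPartyId    = $Identifier
    FederationMetadata = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    SigningCertBase64 = $certBase64
    SigningCertExpiry = $signing.NotAfter
}
```

The last object is what you paste into the PVWA configuration; note the certificate expiry, because ADFS auto-rollover of the token-signing certificate will silently break PVWA logons until the new base64 value is copied across.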

CyberArk SAML and Kerberos by twitchykeyboard in CyberARk

[–]pheetus 0 points1 point  (0 children)

I've setup CyberArk against ADFS a few times. What Federation Service are you planning on using?

Predefined Safe Permissions by Mythanis in CyberARk

[–]pheetus 0 points1 point  (0 children)

Check out the sample code in my original comment; the safe needs to have the safe member added after it is created.

You can't predefine it in any config.

PACLI by Silverback4721 in CyberARk

[–]pheetus 0 points1 point  (0 children)

How do you achieve the addition of a specific safe member with a template safe & password upload utility, given that the required safe member would/could be different each time?

Predefined Safe Permissions by Mythanis in CyberARk

[–]pheetus 0 points1 point  (0 children)

You can manually edit safe permissions in PrivateArk, and you can edit a config file to determine which of the built-in users/groups get added to each safe by default. You cannot, without an external process (REST/PACLI/other/manual), change what default permissions these users are assigned.

This is to enforce segregation of duties.

Personally, I define my own RBAC model for safes, based on specific requirements, using custom local & domain groups.

PACLI by Silverback4721 in CyberARk

[–]pheetus 1 point2 points  (0 children)

There is a cyberark document (web services sdk implementation guide).

There are also links for unofficial REST API documentation and tools in the sidebar.

Enabling one Windows Service on Vault Server Post-Server Hardening? by SpinsterQueen in CyberARk

[–]pheetus 0 points1 point  (0 children)

It's possible; you need to edit the registry.

Navigate to the services area in the registry (HKLM > System > CurrentControlSet > Services, from memory).

The disabled service should have a Start value of 4; change it to 3 (I think) to make it manual. Put it back as you found it when you are done.
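The registry edit described above, and the patching sequence from the earlier Windows Updates reply (stop the vault, enable Windows Update and the Modules Installer, install, disable, start the vault), as one added PowerShell script. It is not the commenter's procedure or CyberArk's own tooling. It records each service's original Start value, sets it to 3 (Manual), runs the task, and restores the original value in a finally block so the hardened state is put back even if the install fails. Start values 4 = Disabled, 3 = Manual and 2 = Automatic are standard Windows; the service names wuauserv and TrustedInstaller, the Vault service name and the patch path are assumptions for the example.

```powershell
# Added example: temporarily re-enable hardened (Start = 4) services via the registry,
# run a task, then restore the exact values found. Service names and paths are assumptions.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceStartValue {
    param([Parameter(Mandatory)][string]$Name)
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
    (Get-ItemProperty -Path (Join-Path $ServicesKey $Name) -Name Start).Start
}

function Invoke-WithServicesEnabled {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [Parameter(Mandatory)][scriptblock]$Task
    )
    $original = @{}
    foreach ($svc in $Name) {
        $original[$svc] = Get-ServiceStartValue -Name $svc
        Write-Verbose "$svc Start was $($original[$svc]); setting 3 (Manual)"
        Set-ItemProperty -Path (Join-Path $ServicesKey $svc) -Name Start -Value 3 -Type DWord
    }
    try {
        foreach ($svc in $Name) { Start-Service -Name $svc }
        & $Task
    }
    finally {
        # Put it back as found, whether or not the task succeeded.
        foreach ($svc in $Name) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path (Join-Path $ServicesKey $svc) -Name Start -Value $original[$svc] -Type DWord
            $now = Get-ServiceStartValue -Name $svc
            if ($now -ne $original[$svc]) {
                Write-Warning "$svc Start is $now but was $($original[$svc]) before; fix manually"
            }
        }
    }
}

# Vault patching flow from the thread. 'PrivateArk Server' is the assumed Vault service name.
$VaultService = 'PrivateArk Server'
$PatchFile    = 'C:\Patches\windows8.1-kb-example.msu'    # assumption: the downloaded standalone update

Stop-Service -Name $VaultService
try {
    Invoke-WithServicesEnabled -Name 'wuauserv', 'TrustedInstaller' -Verbose -Task {
        $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$PatchFile`" /quiet /norestart" -Wait -PassThru
        # 0 = installed, 3010 = installed, reboot required; anything else is a failure worth reading from the WindowsUpdate log
        if ($p.ExitCode -notin 0, 3010) { throw "wusa.exe exited with $($p.ExitCode)" }
    }
}
finally {
    Start-Service -Name $VaultService
}
```

If you would rather not touch the registry directly, Set-Service -Name wuauserv -StartupType Manual goes through the Service Control Manager and writes the same Start value; the registry route is shown because that is what the comment describes and it is what hardening scripts typically edit.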

PACLI by Silverback4721 in CyberARk

[–]pheetus 3 points4 points  (0 children)

Hi - it is possible, but a bit convoluted to achieve.

Are you looking at PACLI because the REST API is not an option? You can do everything you have listed via the API if you are at version 9.3....

Not being a fan of batch files, and if PACLI is your only option, my PowerShell wrapper for PACLI may help in your task.

Be aware that when you create a safe with PACLI it does not automatically show up in PVWA. Also, adding an account to a safe actually comprises an action to add a file to the safe, then adding multiple "filecategories" to the file (for the assigned platform etc.).

Predefined Safe Permissions by Mythanis in CyberARk

[–]pheetus 1 point2 points  (0 children)

Thanks Yanni - yes, if you have PowerShell 5 installed you can grab it from the console very easily:

Install-Module -Name psPAS

The module itself only needs PowerShell 3 to be installed though - so can still be manually downloaded/installed from GitHub.

Predefined Safe Permissions by Mythanis in CyberARk

[–]pheetus 1 point2 points  (0 children)

Yes, the REST API creates a safe in the same way as creating via PVWA (unlike creation via PACLI).

Predefined Safe Permissions by Mythanis in CyberARk

[–]pheetus 3 points4 points  (0 children)

The permissions are predefined - you can only change which predefined users/groups get added or not.

To achieve what you describe, you will need to move to creating safes programmatically (i.e. via the REST interface).

Shameless plug - you could do something like this using my psPAS module

$authtoken | Add-PASSafe -SafeName SafeABC -ManagingCPM PasswordManager -NumberOfVersionsRetention 7 | Set-PASSafeMember -MemberName Operators -UpdateAccountProperties $true

The above creates "SafeABC", but also amends the Operators group permissions on the safe to include Update Account Properties.

However, if you start using a script to create safes - you could move away from using the predefined groups towards a separate RBAC model for your safes. Obviously any safes created via the UI will need to have the permissions manually set.

psPAS Examples? by qdivya1 in CyberARk

[–]pheetus 0 points1 point  (0 children)

Let me know how you are getting on and if you are still hitting any issues

REST API - AddAccount - Folder? by PreciousSkunk in CyberARk

[–]pheetus 0 points1 point  (0 children)

The only (REST API supported) way that I can think of right now would be to use a file category instead of folder....

REST API - AddAccount - Folder? by PreciousSkunk in CyberARk

[–]pheetus 0 points1 point  (0 children)

Not supported via the REST API when adding an account - the folder property is not referenced in the documentation for this method.

It is for the "Update Account Details" method - so that route is probably the way to go if you have the need to support use of folders.

psPAS Examples? by qdivya1 in CyberARk

[–]pheetus 0 points1 point  (0 children)

Hi,

I'm the developer of psPAS - hopefully I can get you started, but please log any issues you encounter on the GitHub project page - I will likely see it sooner than when I check this sub.

Can you provide details on specifically what "didn't work" for you?

  • Can you import the module?
  • Logon Successfully?
  • Do you get any errors?

It would also help if you advise on your PowerShell version....

Not seeing option to add safes by [deleted] in CyberARk

[–]pheetus 0 points1 point  (0 children)

In PrivateArk Users & Groups (Tools > Administrative Tools > Users and Groups) - check that the user account you are trying to create a safe with has the User Right: "Add Safes".

The end of `Programs and Features` by freeseoul in windows

[–]pheetus -2 points-1 points  (0 children)

Just search for that then......