1
🌎 🌍
•
•
•
•
•
•
•
•
•
•
•
•
•
•
🕐
2
•
•
•
•
•
•
•
•
•
•
•
•
🕑
3
•
•
•
•
•
🕒
5
6
•
•
•
•
•
•
•
•
•
•
7
8
•
•
•
•
•
9
10
🏃 🏻♂️
11
•
•
•
•
12
•
•
•
•
•
•
•
•
•
•
•
•
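# Bulk-onboard the accounts listed in the CSV into the vault (-Create adds accounts
# that do not exist yet). -AuthType ldap authenticates the run against PVWA with LDAP.
# The command is one invocation; the backtick continues it onto the next line.
# Path separators in the CSV path were lost in the slide export and are restored here.
.\Accounts_Onboard_Utility.ps1 -PVWAURL https://pvwa.domain.com/PasswordVault -Create -AuthType ldap `
  -TemplateSafe WinLocalTemplate -CsvPath "${env:userprofile}\Documents\cyberark-import.csv"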
13
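# Same utility as the -Create run, but -Update changes accounts that already exist
# in the vault from the rows in the CSV. -AuthType ldap authenticates against PVWA with LDAP.
# The command is one invocation; the backtick continues it onto the next line.
# Path separators in the CSV path were lost in the slide export and are restored here.
.\Accounts_Onboard_Utility.ps1 -PVWAURL https://pvwa.domain.com/PasswordVault -Update -AuthType ldap `
  -TemplateSafe WinLocalTemplate -CsvPath "${env:userprofile}\Documents\cyberark-import.csv"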
•
•
•
🏃 🏻♂️
14
🏃 🏻♂️
15
•
•
•
•
🏃 🏻♂️
•
•
•
•
•
•
•
•
16
•
•
•
•
•
17
18
•
•
•
•
•
•
•
•
•
•
•
19
•
•
• Install-Module
•
•
•
• Import-Module
•
•
•
20
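# Retrieve the DemoUser account from DemoSafe through the Central Credential Provider
# (CCP) for application DemoApp. The command was split across two lines in the slide
# export; it is a single invocation. The returned object exposes .Content (the
# password), .UserName, .Address and .PasswordChangeinProcess; .ToCredential() yields a
# PSCredential so the password does not have to be handled as a plain string.
Get-CCPCredential -AppID DemoApp -Safe DemoSafe -UserName DemoUser -URL https://components.cyberarkdemo.com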
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
21
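Import-Module CredentialRetriever
# Poll CCP until the account is no longer mid-rotation (PasswordChangeinProcess is
# $false) before using the returned value. -ErrorAction Stop makes a failed retrieval
# terminate the script: with the original loop a $null response never satisfied the
# `-eq $false` test and the loop never ended. The short sleep keeps a long rotation
# from turning into a tight request loop against the provider.
do {
    $response = Get-CCPCredential -AppID DemoApp -Safe DemoSafe -UserName DemoUser `
        -URL https://components.cyberarkdemo.com -ErrorAction Stop
    if ($response.PasswordChangeinProcess) { Start-Sleep -Seconds 1 }
} until ($response.PasswordChangeinProcess -eq $false)
# Demo output only: .Content is the plaintext password. In a real script pass
# $response.ToCredential() to the consumer instead of writing the secret to stdout.
Write-Output $response.Content # Password
Write-Output $response.UserName # Username
Write-Output $response.Address # Address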
🏃 🏻♂️
22
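# Tell the CredentialRetriever module where the local CyberArk AIM CLI
# (CLIPasswordSDK.exe) is installed; Get-AIMCredential relies on this setting.
# The slide export dropped the backslashes from the path; they are restored here.
Set-AIMConfiguration -ClientPath "C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe"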
•
•
•
23
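# Retrieve DemoUser from DemoSafe for application DemoApp through the local AIM
# Credential Provider. -RequiredProps asks the provider to return the Address and
# Username properties alongside the password (the slide used en-dashes for the
# parameter prefixes, which PowerShell does not accept as parameter names).
Get-AIMCredential -AppID DemoApp -Safe DemoSafe -UserName DemoUser -RequiredProps Address,Username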
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
24
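Import-Module CredentialRetriever
# Point the module at the local AIM CLI (path separators restored from the slide export).
Set-AIMConfiguration -ClientPath "C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe"
# Poll the local provider until the account is no longer mid-rotation. -ErrorAction Stop
# terminates on a failed retrieval instead of looping forever on a $null response
# (`$null -eq $false` is never true). The sleep avoids a tight loop during rotation.
do {
    $response = Get-AIMCredential -AppID DemoApp -Safe DemoSafe -UserName DemoUser `
        -RequiredProps Address,Username -ErrorAction Stop
    if ($response.PasswordChangeinProcess) { Start-Sleep -Seconds 1 }
} until ($response.PasswordChangeinProcess -eq $false)
# Demo output only: .Content is the plaintext password. Prefer handing
# $response.ToCredential() to the consumer rather than writing the secret to stdout.
Write-Output $response.Content # Password
Write-Output $response.UserName # Username
Write-Output $response.Address # Address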
🏃 🏻♂️
28
•
•
•
•
•
•
•
•
•
29
•
•
•
•
•
•
•
•
30
31
32
33
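Import-Module psPAS
# Since token is stored in the session, no need to save
# the response in a variable for use later.
# Get-Credential prompts interactively, so the password is never typed on the
# command line. The slide export broke `-Credential` across two lines; it is one parameter.
New-PASSession -BaseURI https://components.cyberarkdemo.com -Type ldap -Credential (Get-Credential)
# Always log off so the API token is invalidated rather than left to expire.
Close-PASSession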
34
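Import-Module psPAS
# Since token is stored in the session, no need to save
# the response in a variable for use later.
# RADIUS logon. The slide called `Get-Credentials` and passed `-Credentials`; the
# cmdlet is Get-Credential and New-PASSession's parameter is -Credential (as used in
# the LDAP example), so the original line would not run.
New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius -Credential (Get-Credential)
Close-PASSession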
35
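Import-Module psPAS
# Since token is stored in the session, no need to save
# the response in a variable for use later.
# RADIUS logon with a one-time passcode supplied in Append mode. `Get-Credentials` /
# `-Credentials` in the slide are typos for Get-Credential / -Credential.
# 123456 is a sample value; in a real script read the OTP at run time (e.g. Read-Host)
# rather than embedding it, since command-line arguments end up in history and transcripts.
New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius -Credential (Get-Credential) `
    -OTPMode Append -OTP 123456
Close-PASSession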
36
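Import-Module psPAS
# Since token is stored in the session, no need to save
# the response in a variable for use later.
# RADIUS logon with the one-time passcode supplied in Challenge mode (the OTP is
# answered to the RADIUS challenge rather than appended; confirm the mode your RADIUS
# server expects). `Get-Credentials` / `-Credentials` in the slide are typos for
# Get-Credential / -Credential. 123456 is a sample value; read the OTP at run time
# instead of hard-coding it.
New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius -Credential (Get-Credential) `
    -OTPMode Challenge -OTP 123456
Close-PASSession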
37
38
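# List the members of every safe matching "D-Nix" whose permission set includes Add.
# The slide used en-dashes and curly quotes (`–query`, `–contains`, `‘Add’`), which
# PowerShell does not parse as a parameter, an operator or a string literal.
Get-PASSafe -query D-Nix | Get-PASSafeMember | Where-Object { $_.Permissions -contains 'Add' }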
•
•
•
•
•
•
🏃 🏻♂️
39
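Import-Module psPAS
$secGrp = "CyberArk_Vault_Admins"
# Get all safes and pass to ForEach loop...
Get-PASSafe | ForEach-Object {
    # Get all safe members from each safe and return those that do not have
    # CyberArk_Vault_Admins security group as a member.
    # Compare on the members' UserName property: Get-PASSafeMember returns member
    # objects, and `-notcontains` against the raw objects is not a reliable test
    # for a group name.
    $memberNames = (Get-PASSafeMember -SafeName $_.SafeName).UserName
    if ($memberNames -notcontains $secGrp) {
        Write-Output $_.SafeName
    }
}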
40
41
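Import-Module ActiveDirectory
# Create the three role groups for a safe (CyberArk_<safe>_Admins / _Auditors / _Users)
# as global security groups, skipping any that already exist.
#   $safeName - safe the groups are named after; must be non-empty.
#   $Path     - OU to create the groups in; defaults to the workshop OU used on the slide.
# Emits one status line per role. Throws if $safeName is empty (the original would
# silently create groups named CyberArk__<role>).
function New-CyberArkADGroups ($safeName, $Path = "OU=Groups,OU=CyberArk,DC=workshop,DC=local") {
    if ([string]::IsNullOrWhiteSpace($safeName)) {
        throw "safeName must not be empty."
    }
    $roles = "Admins", "Auditors", "Users"
    foreach ($role in $roles) {
        $groupName = "CyberArk_${safeName}_${role}"
        # Get-ADGroup reports an error for a missing group; silence it and treat an
        # empty result as "does not exist". (The slide had an en-dash in -ErrorAction,
        # which PowerShell would not accept as a parameter.)
        if (!$(Get-ADGroup $groupName -ErrorAction SilentlyContinue)) {
            $null = New-ADGroup -Name $groupName -DisplayName $groupName `
                -SamAccountName $groupName -GroupCategory Security `
                -GroupScope Global `
                -Path $Path
            Write-Output "Created $groupName successfully."
        }
        else {
            Write-Output "Skipped $groupName. Already exists."
        }
    }
}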
42
•
•
•
•
•
•
43
44
45
# Modules the Safe Factory script depends on: CredentialRetriever (CCP/AIM
# lookups), psPAS (PAS REST API) and ActiveDirectory (group creation).
# Import-Module accepts a list of names, so one call loads all three.
Import-Module -Name CredentialRetriever, psPAS, ActiveDirectory
46
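# Load the modules up front; -ErrorAction Stop aborts the script immediately if one
# is missing instead of failing later on the first cmdlet call.
Import-Module CredentialRetriever -ErrorAction Stop
Import-Module psPAS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
# Script Variables
# $roles is global because New-CyberArkADGroups reads it rather than taking it as a parameter.
$Global:roles = "Admins", "Auditors", "Users"
# Permission sets, filled in later and splatted into Add-PASSafeMember.
$safePermsAdmins = @{}
$safePermsAuditors = @{}
$safePermsUsers = @{}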
47
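# Load the modules up front; -ErrorAction Stop aborts the script immediately if one
# is missing instead of failing later on the first cmdlet call.
Import-Module CredentialRetriever -ErrorAction Stop
Import-Module psPAS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
# Script Variables
# $roles is global because New-CyberArkADGroups reads it rather than taking it as a parameter.
$Global:roles = "Admins", "Auditors", "Users"
# Permission sets, filled in later and splatted into Add-PASSafeMember.
$safePermsAdmins = @{}
$safePermsAuditors = @{}
$safePermsUsers = @{}
# Get User Input
# # (This could also come in from a CSV file using Import-Csv)
Write-Output "Welcome to Company X Safe Factory v1.0"
# Re-prompt until the name is non-empty and within the 28-character limit. The
# original test (`.length -le 28`) accepted an empty name, which would then be used
# to build group names such as CyberArk__Admins.
do {
    $safeName = (Read-Host "Enter the safe name to create (28 char limit)").Trim()
} until ($safeName.Length -gt 0 -and $safeName.Length -le 28)
$safeDesc = Read-Host "Enter the description for the safe"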
48
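# Create the role groups for a safe (CyberArk_<safe>_<role> for each role in the
# script-level $roles list) as global security groups, skipping any that already exist.
#   $safeName - safe the groups are named after; must be non-empty.
#   $Path     - OU to create the groups in; defaults to the workshop OU used on the slide.
# Reads $roles from the enclosing (global) scope. Emits one status line per role.
# Throws if $safeName is empty (the original would create groups named CyberArk__<role>).
function New-CyberArkADGroups ($safeName, $Path = "OU=Groups,OU=CyberArk,DC=workshop,DC=local") {
    if ([string]::IsNullOrWhiteSpace($safeName)) {
        throw "safeName must not be empty."
    }
    foreach ($role in $roles) {
        $groupName = "CyberArk_${safeName}_${role}"
        # Get-ADGroup reports an error for a missing group; silence it and treat an
        # empty result as "does not exist". (The slide had an en-dash in -ErrorAction,
        # which PowerShell would not accept as a parameter.)
        if (!$(Get-ADGroup $groupName -ErrorAction SilentlyContinue)) {
            $null = New-ADGroup -Name $groupName -DisplayName $groupName `
                -SamAccountName $groupName -GroupCategory Security `
                -GroupScope Global `
                -Path $Path
            Write-Output "Created $groupName successfully."
        }
        else {
            Write-Output "Skipped $groupName. Already exists."
        }
    }
}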
49
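# Main
# # Securely login to PAS REST API while fetching credentials from AAM
# The API user's password is fetched from CCP and converted with .ToCredential(), so
# it is never held in a plain string variable in this script. -ErrorAction Stop is
# required on both calls: without it a cmdlet error is non-terminating and the catch
# block never runs, so the script would carry on without a session.
try {
    $apiCred = (Get-CCPCredential -AppID RESTAPIWorkshop -Safe P-APP-CyberArk-API `
        -UserName Svc_CyberArkAPI -URL https://components.workshop.local -ErrorAction Stop).ToCredential()
    New-PASSession -BaseURI https://components.workshop.local -Credential $apiCred -type LDAP -ErrorAction Stop
} catch {
    # The slide export split `-Category ConnectionError` across two lines; it is one argument.
    Write-Error -Message "Unable to connect to PAS Web Services." -Category ConnectionError
    exit(1)
}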
50
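# # Create the safe and continue on if it already exists...
# Check for the safe first instead of running Add-PASSafe with -ErrorAction
# SilentlyContinue: the original swallowed every error (wrong CPM name, missing
# permission, API down), not only "safe exists", and the script would then go on
# to add members to a safe that was never created. -ErrorAction Stop on Add-PASSafe
# aborts the script on a real failure.
if (-not (Get-PASSafe -Safe $safeName -ErrorAction SilentlyContinue)) {
    Add-PASSafe -SafeName $safeName -Description $safeDesc -ManagingCPM PasswordManager `
        -NumberOfVersionsRetention 5 -ErrorAction Stop
}
# # If the safe exists, Get-PASSafe returns it and we just continue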
51
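# # Create the safe and continue on if it already exists...
# Check for the safe first instead of running Add-PASSafe with -ErrorAction
# SilentlyContinue: the original swallowed every error (wrong CPM name, missing
# permission, API down), not only "safe exists", and the script would then go on
# to add members to a safe that was never created. -ErrorAction Stop on Add-PASSafe
# aborts the script on a real failure.
if (-not (Get-PASSafe -Safe $safeName -ErrorAction SilentlyContinue)) {
    Add-PASSafe -SafeName $safeName -Description $safeDesc -ManagingCPM PasswordManager `
        -NumberOfVersionsRetention 5 -ErrorAction Stop
}
# # If the safe exists, Get-PASSafe returns it and we just continue
# # Create the Active Directory security groups
# # to be used as Safe Members on the Safe
New-CyberArkADGroups $safeName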
52
# # Create permission sets for role-based Safe Members
# # We're using a technique called a "SPLAT"
# Admins get the full management set: every permission below is switched on.
# Building the hashtable from the name list yields the same keys/values as a
# literal @{ ... } block and keeps the list of granted rights easy to scan.
$adminPermissionNames = @(
    'ListAccounts'
    'AddAccounts'
    'UpdateAccountContent'
    'UpdateAccountProperties'
    'InitiateCPMAccountManagementOperations'
    'RenameAccounts'
    'DeleteAccounts'
    'UnlockAccounts'
    'ManageSafe'
    'ManageSafeMembers'
    'BackupSafe'
    'AccessWithoutConfirmation'
    'CreateFolders'
    'DeleteFolders'
    'MoveAccountsAndFolders'
)
$safePermsAdmins = @{}
foreach ($permissionName in $adminPermissionNames) {
    $safePermsAdmins[$permissionName] = $true
}
53
# Auditors: read-only visibility of accounts, the audit log and the member list.
# Users: day-to-day account use and maintenance, but no safe-management rights
# (no ManageSafe / ManageSafeMembers / DeleteAccounts). Both tables are built
# from a name list; every listed permission is set to $true, matching the
# literal @{ ... } form used elsewhere in the script.
$auditorPermissionNames = @(
    'ListAccounts'
    'ViewAuditLog'
    'ViewSafeMembers'
)
$userPermissionNames = @(
    'UseAccounts'
    'RetrieveAccounts'
    'ListAccounts'
    'AddAccounts'
    'UpdateAccountContent'
    'UpdateAccountProperties'
    'InitiateCPMAccountManagementOperations'
    'UnlockAccounts'
    'ViewAuditLog'
    'ViewSafeMembers'
)
$safePermsAuditors = @{}
foreach ($permissionName in $auditorPermissionNames) {
    $safePermsAuditors[$permissionName] = $true
}
$safePermsUsers = @{}
foreach ($permissionName in $userPermissionNames) {
    $safePermsUsers[$permissionName] = $true
}
54
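# # Add created Security Groups as Safe Members to our newly created Safe
# Each call is a single invocation (the slide export broke them across lines and
# turned the opening quote of "workshop.local" into a curly quote, which PowerShell
# does not treat as a string delimiter). Member names are quoted so the expanded
# group name is passed as one argument; the permission set is splatted in.
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Admins" -SearchIn "workshop.local" @safePermsAdmins
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Auditors" -SearchIn "workshop.local" @safePermsAuditors
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Users" -SearchIn "workshop.local" @safePermsUsers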
55
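# # Add created Security Groups as Safe Members to our newly created Safe
# Each call is a single invocation (the slide export broke them across lines and
# turned the opening quote of "workshop.local" into a curly quote). Member names are
# quoted so the expanded group name is passed as one argument; permissions are splatted.
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Admins" -SearchIn "workshop.local" @safePermsAdmins
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Auditors" -SearchIn "workshop.local" @safePermsAuditors
Add-PASSafeMember -SafeName $safeName -MemberName "CyberArk_${safeName}_Users" -SearchIn "workshop.local" @safePermsUsers
# # Verify the safe exists with the proper safe members
# Read the member list once and check each expected group name against it; the
# original re-queried the safe and its members for every role.
$memberNames = (Get-PASSafe -Safe $safeName | Get-PASSafeMember).UserName
foreach ($role in $roles) {
    $expected = "CyberArk_${safeName}_${role}"
    if ($memberNames -notcontains $expected) {
        Write-Error -Message "Could not find ${expected} as a Safe Member of ${safeName}."
        exit(1)
    }
}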
56
# # Logoff PAS REST API Session
# Logging off invalidates the API token held in the module session; the cmdlet's
# output is discarded by assigning it to $null (equivalent to piping to Out-Null).
$null = Close-PASSession
57
58

Intro to PAS REST API

    12 • • • • • • • • • • • • Accounts_Onboard_Utility.ps1 –PVWAURL https://pvwa.domain.com/PasswordVault-Create –AuthType ldap –TemplateSafe WinLocalTemplate –CsvPath “${env:userprofile}Documentscyberark-import.csv”
    13 Accounts_Onboard_Utility.ps1 –PVWAURL https://pvwa.domain.com/PasswordVault-Update –AuthType ldap –TemplateSafe WinLocalTemplate –CsvPath “${env:userprofile}Documentscyberark-import.csv” • • • 🏃 🏻♂️
    20 Get-CCPCredential –AppID DemoApp–Safe DemoSafe –UserName DemoUser –URL https://components.cyberarkdemo.com • • • • • • • • • • • • • • •
    21 Import-Module CredentialRetriever do { $response= Get-CCPCredential –AppID DemoApp –Safe DemoSafe –UserName DemoUser –URL https://components.cyberarkdemo.com } until ( $response.PasswordChangeinProcess –eq $false ) Write-Output $response.Content # Password Write-Output $response.UserName # Username Write-Output $response.Address # Address 🏃 🏻♂️
    22 Set-AIMConfiguration –ClientPath “C:ProgramFiles (x86)CyberArkApplicationPasswordSdkCLIPasswordSDK.exe” • • •
    23 Get-AIMCredential –AppID DemoApp–Safe DemoSafe –UserName DemoUser -RequiredProps Address,Username • • • • • • • • • • • • • • •
    24 Import-Module CredentialRetriever Set-AIMConfiguration –ClientPath“C:Program Files (x86)CyberArkApplicationPasswordSdkCLIPasswordSDK.exe” do { $response = Get-AIMCredential –AppID DemoApp –Safe DemoSafe –UserName DemoUser –RequiredProps Address,Username } until ( $response.PasswordChangeinProcess –eq $false ) Write-Output $response.Content # Password Write-Output $response.UserName # Username Write-Output $response.Address # Address 🏃 🏻♂️
    33 Import-Module psPAS # Sincetoken is stored in the session, no need to save # the response in a variable for use later. New-PASSession -BaseURI https://components.cyberarkdemo.com -Type ldap - Credential $(Get-Credential) Close-PASSession
    34 Import-Module psPAS # Sincetoken is stored in the session, no need to save # the response in a variable for use later. New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius - Credentials $(Get-Credentials) Close-PASSession
    35 Import-Module psPAS # Sincetoken is stored in the session, no need to save # the response in a variable for use later. New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius - Credentials $(Get-Credentials) -OTPMode Append -OTP 123456 Close-PASSession
    36 Import-Module psPAS # Sincetoken is stored in the session, no need to save # the response in a variable for use later. New-PASSession -BaseURI https://components.cyberarkdemo.com -Type radius - Credentials $(Get-Credentials) -OTPMode Challenge -OTP 123456 Close-PASSession
    38 Get-PASSafe –query D-Nix| Get-PASSafeMember | Where-Object { $_.Permissions –contains ‘Add’ } • • • • • • 🏃 🏻♂️
    39 Import-Module psPAS $secGrp ="CyberArk_Vault_Admins" # Get all safes and pass to ForEach loop... Get-PASSafe | ForEach-Object { # Get all safe members from each safe and return those that do not have # CyberArk_Vault_Admins security group as a member. if ($(Get-PASSafeMember -SafeName $_.SafeName) -notcontains $secGrp) { Write-Output $_.SafeName } }
    41 Import-Module ActiveDirectory function New-CyberArkADGroups($safeName) { $roles = "Admins", "Auditors", "Users" foreach ($role in $roles) { $groupName = "CyberArk_${safeName}_${role}" if (!$(Get-ADGroup $groupName –ErrorAction SilentlyContinue)) { New-ADGroup -Name $groupName -DisplayName $groupName ` -SamAccountName $groupName -GroupCategory Security ` -GroupScope Global ` -Path "OU=Groups,OU=CyberArk,DC=workshop,DC=local" ` | Out-Null Write-Output "Created $groupName successfully." } else { Write-Output "Skipped $groupName. Already exists." } } }
    46 Import-Module CredentialRetriever Import-Module psPAS Import-ModuleActiveDirectory # Script Variables $Global:roles = "Admins", "Auditors", "Users" $safePermsAdmins = @{} $safePermsAuditors = @{} $safePermsUsers = @{}
    47 Import-Module CredentialRetriever Import-Module psPAS Import-ModuleActiveDirectory # Script Variables $Global:roles = "Admins", "Auditors", "Users" $safePermsAdmins = @{} $safePermsAuditors = @{} $safePermsUsers = @{} # Get User Input # # (This could also come in from a CSV file using Import-Csv) Write-Output "Welcome to Company X Safe Factory v1.0" do { $safeName = Read-Host "Enter the safe name to create (28 char limit)" } until ($safeName.length -le 28) $safeDesc = Read-Host "Enter the description for the safe"
    48 function New-CyberArkADGroups ($safeName){ foreach ($role in $roles) { $groupName = "CyberArk_${safeName}_${role}" if (!$(Get-ADGroup $groupName –ErrorAction SilentlyContinue)) { New-ADGroup -Name $groupName -DisplayName $groupName ` -SamAccountName $groupName -GroupCategory Security ` -GroupScope Global ` -Path "OU=Groups,OU=CyberArk,DC=workshop,DC=local" ` | Out-Null Write-Output "Created $groupName successfully." } else { Write-Output "Skipped $groupName. Already exists." } } }
    49 # Main # #Securely login to PAS REST API while fetching credentials from AAM try { New-PASSession -BaseURI https://components.workshop.local ` -Credential $( ` Get-CCPCredential -AppID RESTAPIWorkshop -Safe P-APP-CyberArk-API ` -UserName Svc_CyberArkAPI -URL ` https://components.workshop.local ` ).ToCredential() ` -type LDAP } catch { Write-Error -Message "Unable to connect to PAS Web Services." -Category ConnectionError exit(1) }
    50 # # Createthe safe and continue on if it already exists... Add-PASSafe -SafeName $safeName -Description $safeDesc -ManagingCPM PasswordManager -NumberOfVersionsRetention 5 -ErrorAction SilentlyContinue # # If the safe exists, an error occurs silently and we just continue
    51 # # Createthe safe and continue on if it already exists... Add-PASSafe -SafeName $safeName -Description $safeDesc -ManagingCPM PasswordManager -NumberOfVersionsRetention 5 -ErrorAction SilentlyContinue # # If the safe exists, an error occurs silently and we just continue # # Create the Active Directory security groups # # to be used as Safe Members on the Safe New-CyberArkADGroups $safeName
    52 # # Createpermission sets for role-based Safe Members # # We're using a technique called a "SPLAT" $safePermsAdmins = @{ ListAccounts = $true AddAccounts = $true UpdateAccountContent = $true UpdateAccountProperties = $true InitiateCPMAccountManagementOperations = $true RenameAccounts = $true DeleteAccounts = $true UnlockAccounts = $true ManageSafe = $true ManageSafeMembers = $true BackupSafe = $true AccessWithoutConfirmation = $true CreateFolders = $true DeleteFolders = $true MoveAccountsAndFolders = $true }
    53 $safePermsAuditors = @{ ListAccounts= $true ViewAuditLog = $true ViewSafeMembers = $true } $safePermsUsers = @{ UseAccounts = $true RetrieveAccounts = $true ListAccounts = $true AddAccounts = $true UpdateAccountContent = $true UpdateAccountProperties = $true InitiateCPMAccountManagementOperations = $true UnlockAccounts = $true ViewAuditLog = $true ViewSafeMembers = $true }
    54 # # Addcreated Security Groups as Safe Members to our newly created Safe Add-PASSafeMember -SafeName $safeName -MemberName CyberArk_${safeName}_Admins -SearchIn ”workshop.local" @safePermsAdmins Add-PASSafeMember -SafeName $safeName –MemberName CyberArk_${safeName}_Auditors -SearchIn ”workshop.local" @safePermsAuditors Add-PASSafeMember -SafeName $safeName -MemberName CyberArk_${safeName}_Users -SearchIn ”workshop.local" @safePermsUsers
    55 # # Addcreated Security Groups as Safe Members to our newly created Safe Add-PASSafeMember -SafeName $safeName -MemberName CyberArk_${safeName}_Admins -SearchIn ”workshop.local" @safePermsAdmins Add-PASSafeMember -SafeName $safeName –MemberName CyberArk_${safeName}_Auditors -SearchIn ”workshop.local" @safePermsAuditors Add-PASSafeMember -SafeName $safeName -MemberName CyberArk_${safeName}_Users -SearchIn ”workshop.local" @safePermsUsers # # Verify the safe exists with the proper safe members foreach ($role in $roles) { $result = Get-PASSafe -Safe $safeName | Get-PASSafeMember | Where-Object { $_.UserName -eq "CyberArk_${safeName}_${role}" } if (!$result) { Write-Error -Message "Could not find CyberArk_${safeName}_${role} as a Safe Member of ${safeName}.” exit(1) } }
    56 # # LogoffPAS REST API Session Close-PASSession | Out-Null