Functions/SafeMembers/Set-PASSafeMember.ps1
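# .ExternalHelp psPAS-help.xml
function Set-PASSafeMember {
	[CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = 'Gen2')]
	param(
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ConnectOnly')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ReadOnly')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Approver')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'AccountsManager')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Full')]
		[ValidateNotNullOrEmpty()]
		[string]$SafeName,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ConnectOnly')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ReadOnly')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Approver')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'AccountsManager')]
		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Full')]
		[Alias('UserName')]
		[ValidateNotNullOrEmpty()]
		[ValidateScript( { $_ -notmatch '.*(\?|\&).*' })]
		[string]$MemberName,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ConnectOnly')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'ReadOnly')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Approver')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'AccountsManager')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Full')]
		[datetime]$MembershipExpirationDate,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('RestrictedRetrieve')]
		[boolean]$UseAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Retrieve')]
		[boolean]$RetrieveAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('ListContent')]
		[boolean]$ListAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Add')]
		[boolean]$AddAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Update')]
		[boolean]$UpdateAccountContent,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('UpdateMetadata')]
		[boolean]$UpdateAccountProperties,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$InitiateCPMAccountManagementOperations,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$SpecifyNextAccountContent,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Rename')]
		[boolean]$RenameAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Delete')]
		[boolean]$DeleteAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('Unlock')]
		[boolean]$UnlockAccounts,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$ManageSafe,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$ManageSafeMembers,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$BackupSafe,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('ViewAudit')]
		[boolean]$ViewAuditLog,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('ViewMembers')]
		[boolean]$ViewSafeMembers,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[ValidateRange(0, 2)]
		[int]$RequestsAuthorizationLevel,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$requestsAuthorizationLevel1,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$requestsAuthorizationLevel2,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$AccessWithoutConfirmation,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('AddRenameFolder')]
		[boolean]$CreateFolders,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[boolean]$DeleteFolders,

		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen1')]
		[parameter(Mandatory = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'Gen2')]
		[Alias('MoveFilesAndFolders')]
		[boolean]$MoveAccountsAndFolders,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'Gen1')]
		[switch]$UseGen1API,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'ConnectOnly')]
		[switch]$ConnectOnly,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'ReadOnly')]
		[switch]$ReadOnly,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'Approver')]
		[switch]$Approver,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'AccountsManager')]
		[switch]$AccountsManager,

		[parameter(Mandatory = $true, ValueFromPipelinebyPropertyName = $false, ParameterSetName = 'Full')]
		[switch]$Full
	)

	BEGIN {

		# Set-PASSafeMember sends a PUT request that updates the permissions (and optionally the
		# membership expiry) of an existing safe member. Three call styles are supported:
		#   Gen1   (-UseGen1API)  : legacy PIMServices endpoint, asserted to need version <= 12.3
		#   Gen2   (default)      : /api/Safes endpoint, asserted to need version >= 12.2
		#   preset (-ConnectOnly, -ReadOnly, -Approver, -AccountsManager, -Full):
		#                           re-invokes this function through the Gen2 set with a fixed permission list

		#array for parameter names which appear in the top-tier of the JSON object
		$keysToKeep = [Collections.Generic.List[String]]@(
			'MembershipExpirationDate', 'Permissions'
		)

		# Permissions each preset switch sets to $true. Keeping them in one table makes the
		# grant behind every preset reviewable at a glance: note that 'Approver' and
		# 'AccountsManager' include ManageSafeMembers, and 'Full' additionally includes ManageSafe.
		$rolePermissions = @{
			'ConnectOnly'     = 'ListAccounts', 'UseAccounts'
			'ReadOnly'        = 'ListAccounts', 'UseAccounts', 'RetrieveAccounts'
			'Approver'        = 'ListAccounts', 'ViewSafeMembers', 'ManageSafeMembers', 'requestsAuthorizationLevel1'
			'AccountsManager' = 'ListAccounts', 'UseAccounts', 'RetrieveAccounts', 'AddAccounts',
			'UpdateAccountProperties', 'UpdateAccountContent', 'InitiateCPMAccountManagementOperations',
			'SpecifyNextAccountContent', 'RenameAccounts', 'DeleteAccounts', 'UnlockAccounts',
			'ViewSafeMembers', 'ManageSafeMembers', 'ViewAuditLog', 'AccessWithoutConfirmation'
			'Full'            = 'ListAccounts', 'UseAccounts', 'RetrieveAccounts', 'AddAccounts',
			'UpdateAccountProperties', 'UpdateAccountContent', 'InitiateCPMAccountManagementOperations',
			'SpecifyNextAccountContent', 'RenameAccounts', 'DeleteAccounts', 'UnlockAccounts', 'ManageSafe',
			'ViewSafeMembers', 'ManageSafeMembers', 'ViewAuditLog', 'BackupSafe', 'requestsAuthorizationLevel1',
			'AccessWithoutConfirmation', 'MoveAccountsAndFolders', 'CreateFolders', 'DeleteFolders'
		}

	}#begin

	PROCESS {

		#Get passed parameters to include in request body
		$boundParameters = $PSBoundParameters | Get-PASParameter

		If ($rolePermissions.ContainsKey($PSCmdlet.ParameterSetName)) {

			#Preset requested: translate it into explicit permissions and hand over to the Gen2 parameter set
			$roleRequest = @{
				'SafeName'   = $SafeName
				'MemberName' = $MemberName
			}

			foreach ($permission in $rolePermissions[$PSCmdlet.ParameterSetName]) {
				$roleRequest[$permission] = $true
			}

			#The preset parameter sets accept an expiry date, so forward it. Dropping it would
			#leave a membership the caller asked to be time-limited without an expiry.
			If ($PSBoundParameters.ContainsKey('MembershipExpirationDate')) {
				$roleRequest['MembershipExpirationDate'] = $MembershipExpirationDate
			}

			Set-PASSafeMember @roleRequest

			#'return', not 'break': outside a loop or switch, 'break' unwinds into the caller
			#and ends its loop or pipeline, so a bulk update would stop after the first member.
			return

		}

		switch ($PSCmdlet.ParameterSetName) {

			'Gen1' {

				#check required version
				Assert-VersionRequirement -MaximumVersion 12.3

				#Create URL for request
				#SafeName and MemberName are passed through Get-EscapedString before being placed in the URL path
				$URI = "$($psPASSession.BaseURI)/WebServices/PIMServices.svc/Safes/$($SafeName | Get-EscapedString)/Members/$($MemberName | Get-EscapedString)/"

				If ($PSBoundParameters.ContainsKey('MembershipExpirationDate')) {

					#Convert ExpiryDate to string in Required format
					#NOTE(review): '/' in a .NET custom date format is the culture's date separator,
					#so the string may not be MM/dd/yyyy on every host culture - confirm.
					$Date = (Get-Date $MembershipExpirationDate -Format MM/dd/yyyy).ToString()

					#Include date string in request
					$boundParameters['MembershipExpirationDate'] = $Date

				}

				#Add permissions array to request in correct order
				[array]$boundParameters['Permissions'] = $boundParameters | ConvertTo-SortedPermission -Gen1

				#Create JSON for body of request
				$body = @{
					'member' = $boundParameters | Get-PASParameter -ParametersToKeep $keysToKeep
					#Ensure all levels of object are output
				} | ConvertTo-Json -Depth 3

				break

			}

			#Preset parameter sets never reach this switch (they return above), so 'Gen2' is the
			#only other set. The previous script-block condition chained bare strings with -or
			#and therefore evaluated to $true for every value.
			'Gen2' {

				Assert-VersionRequirement -RequiredVersion 12.2

				#Read the member's current state so the PUT can be built on top of it
				$safeMember = Get-PASSafeMember -SafeName $SafeName -MemberName $MemberName

				if ($null -ne $safeMember) {

					#NOTE(review): the return value is not captured. This relies on Format-PutRequestObject
					#updating $boundParameters in place - confirm. If it returns a new object instead, the
					#current values are never merged and whatever it emits leaks into this function's output.
					#NOTE(review): seeding the request from the current member suggests permissions the member
					#already holds are kept unless explicitly set to $false - confirm before relying on a
					#preset such as -ReadOnly to reduce an existing member's access.
					Format-PutRequestObject -InputObject $safeMember -boundParameters $BoundParameters -ParametersToRemove safeNumber, memberId, UserName, safeName, isExpiredMembershipEnable, memberName, memberType, safeUrlId, isPredefinedUser

				}

				#Create URL for request
				#SafeName and MemberName are passed through Get-EscapedString before being placed in the URL path
				$URI = "$($psPASSession.BaseURI)/api/Safes/$($SafeName | Get-EscapedString)/Members/$($MemberName | Get-EscapedString)/"

				If ($PSBoundParameters.ContainsKey('MembershipExpirationDate')) {

					#Convert MembershipExpirationDate to string in Required format
					$Date = Get-Date $MembershipExpirationDate | ConvertTo-UnixTime

					#Include date string in request
					$boundParameters['MembershipExpirationDate'] = $Date

				}

				#Add permissions array to request in correct order
				$boundParameters['Permissions'] = $boundParameters | ConvertTo-SortedPermission -Gen2

				#Create required request object
				$body = $boundParameters | Get-PASParameter -ParametersToKeep $keysToKeep | ConvertTo-Json

				break

			}

		}

		#The read of the current member above happens regardless; only the PUT is gated by -WhatIf / -Confirm
		if ($PSCmdlet.ShouldProcess($SafeName, "Update Safe Permissions for '$MemberName'")) {

			#Send request to webservice
			$result = Invoke-PASRestMethod -Uri $URI -Method PUT -Body $Body

			If ($null -ne $result) {

				switch ($PSCmdlet.ParameterSetName) {

					'Gen1' {

						#format output
						$result.member | Select-Object MembershipExpirationDate,

						@{Name = 'Permissions'; 'Expression' = {

								$result.member.permissions | ConvertFrom-KeyValuePair }

						} | Add-ObjectDetail -typename psPAS.CyberArk.Vault.Safe.Member -PropertyToAdd @{

							'UserName' = $MemberName
							'SafeName' = $SafeName

						}

						break

					}

					'Gen2' {

						$result |
							Select-Object *, @{Name = 'UserName'; 'Expression' = { $PSItem.MemberName } } |
							Add-ObjectDetail -typename psPAS.CyberArk.Vault.Safe.Member.Gen2

						break

					}

				}

			}

		}

	}#process

	END { }#end

}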