@infamousjoeg
Last active October 17, 2023 13:13
Export Safe, Safe Members, and Accounts from CyberArk Self-Hosted PAM using psPAS & PowerShell
# Make sure the psPAS module is present, installing it for the current user if needed.
# NOTE(review): Install-Module fetches whatever psPAS version PSGallery currently serves,
# and -Force installs it without further confirmation. Because this script goes on to
# retrieve vault passwords, consider pre-installing a vetted version (for example with
# Install-Module -RequiredVersion) rather than installing on the fly.
$psPasAvailable = [bool](Get-Module -ListAvailable -Name psPAS)
if (-not $psPasAvailable) {
    Install-Module -Name psPAS -Repository PSGallery -Force -Scope CurrentUser

    # Look again so a failed install is reported here instead of as an import error below.
    $psPasAvailable = [bool](Get-Module -ListAvailable -Name psPAS)
    if (-not $psPasAvailable) {
        Write-Output "ERROR: Failed to install the psPAS module. Please install manually from https://pspas.pspete.dev/docs/install."
        return
    }
}

# Load the module into the current session.
Import-Module psPAS
# Prompt for the PVWA address and authentication method, then open a REST API session.
# NOTE(review): the base URI is used exactly as typed and the credential collected by
# Get-Credential is sent to that host, so confirm it is the intended PVWA and that the
# address uses https:// before entering credentials.
$baseURI = Read-Host "Please enter the Base URI for your PVWA (e.g. https://comp01.cybr.com)"
$authType = Read-Host "Please choose the authentication type ([cyberark], ldap, windows, radius)"
# $baseURI = "https://comp01.cybr.com"
# $authType = "cyberark"

# A blank answer selects cyberark; any other answer must be one of the supported types
# (matched case-insensitively and stored in lower case), otherwise the script stops.
$supportedAuthTypes = @("cyberark", "ldap", "windows", "radius")
if ($authType -eq "") {
    $authType = "cyberark"
} else {
    $normalizedAuthType = $authType.ToLower()
    if ($supportedAuthTypes -notcontains $normalizedAuthType) {
        Write-Output "ERROR: Invalid authentication type chosen. Please select either cyberark, ldap, windows, or radius."
        return
    }
    $authType = $normalizedAuthType
}

# Get-Credential prompts interactively, so the password is never stored in the script.
$sessionParams = @{
    BaseURI           = $baseURI
    type              = $authType
    Credential        = (Get-Credential)
    concurrentSession = $true
}
New-PASSession @sessionParams
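# Export one CSV row per (safe, account, safe member) combination, then log off.
#
# SECURITY: the CSV written below contains every retrieved password in plaintext.
# Treat the file as a secret: keep it on an encrypted volume, restrict access to the
# operator, and delete it securely once it has been imported. Spreadsheet tools may
# interpret values beginning with =, +, - or @ as formulas, so avoid opening it in one.
# Every Get-PASAccountPassword call is recorded in the vault audit trail with the
# Reason string given below.
#
# The timestamp uses HH (24-hour clock): with hh, two runs twelve hours apart could
# produce the same file name, and -Append would then merge them into one file.
$filePath = "${env:USERPROFILE}\Documents\export_$(Get-Date -Format dd-MM-yyyy_HH-mm-ss).csv"

try {
    # Get all safes
    $safes = Get-PASSafe

    foreach ($safe in $safes) {
        # Accounts stored in this safe, and the safe's members (predefined users included)
        $accounts = Get-PASAccount -SafeName $safe.safeName
        $safeMembers = Get-PASSafeMember -includePredefinedUsers $true -SafeName $safe.safeName

        foreach ($account in $accounts) {
            # Echo the account object returned by Get-PASAccount to the output stream
            Write-Output $account

            # Retrieve the password once per account; it is repeated on each member row
            $password = (Get-PASAccountPassword -AccountID $account.id -Reason "Exported by CyberArk for WPM").Password

            foreach ($member in $safeMembers) {
                $permissions = $member.permissions

                # Map the safe permissions to a single right:
                #   retrieve + update content + update properties -> EditNote
                #   retrieve only (both update permissions false) -> ViewNote
                # Any other combination is not exported.
                $memberRight = $null
                if ($permissions.retrieveAccounts -eq $true -and $permissions.updateAccountContent -eq $true -and $permissions.updateAccountProperties -eq $true) {
                    $memberRight = "EditNote"
                } elseif ($permissions.retrieveAccounts -eq $true -and $permissions.updateAccountContent -eq $false -and $permissions.updateAccountProperties -eq $false) {
                    $memberRight = "ViewNote"
                }
                if ($null -eq $memberRight) {
                    continue
                }

                # Build a fresh object per row so no value can carry over from a
                # previous account or member; column order matches the original export.
                [PSCustomObject]@{
                    SafeName    = $safe.safeName
                    ObjectName  = $account.name
                    Username    = $account.userName
                    Password    = $password
                    MemberName  = $member.memberName
                    MemberType  = $member.memberType
                    MemberRight = $memberRight
                } | Export-Csv -Path $filePath -NoTypeInformation -Append
            }
        }
    }
} finally {
    # Logoff CyberArk PAM REST API, even if the export stops on a terminating error,
    # so the authenticated session is not left open.
    Close-PASSession
}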