Export Safe, Safe Members, and Accounts from CyberArk Self-Hosted PAM using psPAS & PowerShell
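# Export safes, safe members and accounts from CyberArk Self-Hosted PAM via psPAS.
#
# For every safe visible to the signed-in user, writes one CSV row per
# (account, safe member) pair with the columns SafeName, ObjectName, Username,
# Password, MemberName, MemberType, MemberRight. MemberRight is "EditNote" when
# the member has retrieveAccounts + updateAccountContent + updateAccountProperties,
# "ViewNote" when the member has retrieveAccounts and neither update permission;
# members with any other permission mix produce no row.
#
# Requires: psPAS (installed from PSGallery on first run), network access to the
# PVWA REST API, and a credential entitled to retrieve the account passwords.
#
# SECURITY: the output CSV contains PLAINTEXT passwords. Every retrieval is
# audited in the vault with the -Reason given below. Keep the file only as long
# as the downstream import needs it, restrict its ACL to the running user, and
# delete it securely once the consumer has ingested it.

# Check if the psPAS module is already installed
if (-not (Get-Module -ListAvailable -Name psPAS)) {
    # If not, install the module
    Install-Module -Name psPAS -Repository PSGallery -Force -Scope CurrentUser
    # Check if the module was successfully installed before importing
    if (-not (Get-Module -ListAvailable -Name psPAS)) {
        Write-Output "ERROR: Failed to install the psPAS module. Please install manually from https://pspas.pspete.dev/docs/install."
        return
    }
}
# Import the psPAS module
Import-Module psPAS

# Authenticate to CyberArk PAM REST API
$baseURI = Read-Host "Please enter the Base URI for your PVWA (e.g. https://comp01.cybr.com)"
$authType = Read-Host "Please choose the authentication type ([cyberark], ldap, windows, radius)"
# $baseURI = "https://comp01.cybr.com"
# $authType = "cyberark"

$validAuthTypes = @("cyberark", "ldap", "windows", "radius")
# If authType is blank, default to cyberark, otherwise lowercase if valid, or error if invalid
if ([string]::IsNullOrWhiteSpace($authType)) {
    $authType = "cyberark"
} elseif ($authType.ToLower() -in $validAuthTypes) {
    $authType = $authType.ToLower()
} else {
    Write-Output "ERROR: Invalid authentication type chosen. Please select either cyberark, ldap, windows, or radius."
    return
}

# -ErrorAction Stop: a failed logon must not fall through into the export loop.
New-PASSession -BaseURI $baseURI -type $authType -Credential (Get-Credential) -concurrentSession $true -ErrorAction Stop

# Output path. HH (24-hour) rather than hh: with a 12-hour stamp, an export at
# 01:xx and one at 13:xx on the same day share a file name, and -Append would
# silently merge the two runs into one file.
$filePath = "${env:USERPROFILE}\Documents\export_$(Get-Date -Format dd-MM-yyyy_HH-mm-ss).csv"

try {
    # Get all safes
    $safes = Get-PASSafe -ErrorAction Stop
    # Loop through each safe returned
    foreach ($safe in $safes) {
        # Get all accounts located in safe
        $accounts = Get-PASAccount -SafeName $safe.safeName
        # Get all members of safe
        $safeMembers = Get-PASSafeMember -includePredefinedUsers $true -SafeName $safe.safeName
        # Loop through each account in safe
        foreach ($account in $accounts) {
            Write-Output $account
            # The password is retrieved lazily, once per account, and only if at
            # least one member qualifies for a row: each retrieval is audited in
            # the vault, so accounts that export nothing should not be touched.
            $password = $null
            $passwordFetched = $false
            # Loop through each member of safe
            foreach ($member in $safeMembers) {
                $perm = $member.permissions
                # Check if member has retrieveAccounts and updateAccounts permission
                if ($perm.retrieveAccounts -eq $true -and $perm.updateAccountContent -eq $true -and $perm.updateAccountProperties -eq $true) {
                    $memberRight = "EditNote"
                } elseif ($perm.retrieveAccounts -eq $true -and $perm.updateAccountContent -eq $false -and $perm.updateAccountProperties -eq $false) {
                    $memberRight = "ViewNote"
                } else {
                    # Any other permission combination is not exported
                    continue
                }
                if (-not $passwordFetched) {
                    $password = (Get-PASAccountPassword -AccountID $account.id -Reason "Exported by CyberArk for WPM").Password
                    $passwordFetched = $true
                }
                # A fresh object per row keeps the column order fixed, which
                # Export-Csv -Append requires for every row after the header.
                [PSCustomObject]@{
                    SafeName    = $safe.safeName
                    ObjectName  = $account.name
                    Username    = $account.userName
                    Password    = $password
                    MemberName  = $member.memberName
                    MemberType  = $member.memberType
                    MemberRight = $memberRight
                } | Export-Csv -Path $filePath -NoTypeInformation -Append
            }
        }
    }
} finally {
    # Logoff CyberArk PAM REST API, even if the export aborted part-way through
    Close-PASSession
}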