Add-PASSafeMember

Add-PASSafeMember

SYNOPSIS

Adds a Safe Member to safe

SYNTAX

Gen2 (Default)

Add-PASSafeMember -SafeName <String> -MemberName <String> [-SearchIn <String>]
 [-MembershipExpirationDate <DateTime>] [-UseAccounts <Boolean>] [-RetrieveAccounts <Boolean>]
 [-ListAccounts <Boolean>] [-AddAccounts <Boolean>] [-UpdateAccountContent <Boolean>]
 [-UpdateAccountProperties <Boolean>] [-InitiateCPMAccountManagementOperations <Boolean>]
 [-SpecifyNextAccountContent <Boolean>] [-RenameAccounts <Boolean>] [-DeleteAccounts <Boolean>]
 [-UnlockAccounts <Boolean>] [-ManageSafe <Boolean>] [-ManageSafeMembers <Boolean>] [-BackupSafe <Boolean>]
 [-ViewAuditLog <Boolean>] [-ViewSafeMembers <Boolean>] [-requestsAuthorizationLevel1 <Boolean>]
 [-requestsAuthorizationLevel2 <Boolean>] [-AccessWithoutConfirmation <Boolean>] [-CreateFolders <Boolean>]
 [-DeleteFolders <Boolean>] [-MoveAccountsAndFolders <Boolean>] [<CommonParameters>]

Gen1

Add-PASSafeMember -SafeName <String> -MemberName <String> [-SearchIn <String>]
 [-MembershipExpirationDate <DateTime>] [-UseAccounts <Boolean>] [-RetrieveAccounts <Boolean>]
 [-ListAccounts <Boolean>] [-AddAccounts <Boolean>] [-UpdateAccountContent <Boolean>]
 [-UpdateAccountProperties <Boolean>] [-InitiateCPMAccountManagementOperations <Boolean>]
 [-SpecifyNextAccountContent <Boolean>] [-RenameAccounts <Boolean>] [-DeleteAccounts <Boolean>]
 [-UnlockAccounts <Boolean>] [-ManageSafe <Boolean>] [-ManageSafeMembers <Boolean>] [-BackupSafe <Boolean>]
 [-ViewAuditLog <Boolean>] [-ViewSafeMembers <Boolean>] [-RequestsAuthorizationLevel <Int32>]
 [-AccessWithoutConfirmation <Boolean>] [-CreateFolders <Boolean>] [-DeleteFolders <Boolean>]
 [-MoveAccountsAndFolders <Boolean>] [-UseGen1API] [<CommonParameters>]

DESCRIPTION

Adds an existing user as a Safe member.

“Manage Safe Members” permission is required by the authenticated user account sending request.

Default operation uses the Gen 2 API and requires version 12.1+

  • Earlier versions must specify the -UseGen1API switch to force use of the Gen1 API.

Note when using the Gen1 API:

Unless otherwise specified, the default permissions applied to a safe member will include:

  • ListAccounts, RetrieveAccounts, UseAccounts, ViewAuditLog & ViewSafeMembers.

If these permissions should not be granted to the safe member, they must be explicitly set to $false in the request.

Gen1 API is depreciated from version 12.3

EXAMPLES

EXAMPLE 1

Add-PASSafeMember -SafeName Windows_Safe -MemberName winUser -SearchIn Vault -UseAccounts $true `
-RetrieveAccounts $true -ListAccounts $true

Adds winUser to Windows_Safe with Use, Retrieve & List permissions.

Minimum required version 12.1

EXAMPLE 2

$Role = [PSCustomObject]@{

  UseAccounts                  = $true
  ListAccounts                 = $true
  RetrieveAccounts						 = $true
  ViewAuditLog                 = $false
  ViewSafeMembers              = $false
}

PS > $Role | Add-PASSafeMember -SafeName NewSafe -MemberName User23 -SearchIn Vault

Grant User23 UseAccounts, RetrieveAccounts & ListAccounts only.

Minimum required version 12.1

EXAMPLE 3

$Role = [PSCustomObject]@{

  UseAccounts                  = $true
  ListAccounts                 = $true
  RetrieveAccounts						 = $true
  ViewAuditLog                 = $false
  ViewSafeMembers              = $false
}

PS > $Role | Add-PASSafeMember -SafeName NewSafe -MemberName User23 -SearchIn Vault -UseGen1API

Grant User23 UseAccounts, RetrieveAccounts & ListAccounts using the Gen1 API

PARAMETERS

-SafeName

The name of the safe to add the member to

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MemberName

Vault or Domain User, or Group, to add as member.

Must not contain ‘&’ (ampersand).

Type: String
Parameter Sets: (All)
Aliases: UserName

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-SearchIn

The Vault or Domain, defined in the vault,

in which to search for the member to add to the safe.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MembershipExpirationDate

Defines when the user’s Safe membership expires.

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UseAccounts

Boolean value defining if UseAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: RestrictedRetrieve

Type: Boolean
Parameter Sets: (All)
Aliases: RestrictedRetrieve

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RetrieveAccounts

Boolean value defining if RetrieveAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: Retrieve

Type: Boolean
Parameter Sets: (All)
Aliases: Retrieve

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ListAccounts

Boolean value defining if ListAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: ListContent

Type: Boolean
Parameter Sets: (All)
Aliases: ListContent

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AddAccounts

Boolean value defining if permission will be granted to safe member on safe.

Includes UpdateAccountProperties (when adding or removing permission).

Get-PASSafeMember (Gen1) returns the name of this permission as: Add

Type: Boolean
Parameter Sets: (All)
Aliases: Add

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UpdateAccountContent

Boolean value defining if AddAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: Update

Type: Boolean
Parameter Sets: (All)
Aliases: Update

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UpdateAccountProperties

Boolean value defining if UpdateAccountProperties permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: UpdateMetadata

Type: Boolean
Parameter Sets: (All)
Aliases: UpdateMetadata

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-InitiateCPMAccountManagementOperations

Boolean value defining if InitiateCPMAccountManagementOperations permission will be granted to safe member on safe.

When this parameter is set to $False, the SpecifyNextAccountContent parameter is also automatically set to False.

Get-PASSafeMember (Gen1) may not return details of this permission

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-SpecifyNextAccountContent

Boolean value defining if SpecifyNextAccountContent permission will be granted to safe member on safe.

Can only be specified when the InitiateCPMAccountManagementOperations parameter is set to $True.

When InitiateCPMAccountManagementOperations is set to $False this parameter is automatically set to False.

Get-PASSafeMember (Gen1) may not return details of this permission

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RenameAccounts

Boolean value defining if RenameAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: Rename

Type: Boolean
Parameter Sets: (All)
Aliases: Rename

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DeleteAccounts

Boolean value defining if DeleteAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: Delete

Type: Boolean
Parameter Sets: (All)
Aliases: Delete

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UnlockAccounts

Boolean value defining if UnlockAccounts permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: Unlock

Type: Boolean
Parameter Sets: (All)
Aliases: Unlock

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ManageSafe

Boolean value defining if ManageSafe permission will be granted to safe member on safe.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ManageSafeMembers

Boolean value defining if ManageSafeMembers permission will be granted to safe member on safe.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BackupSafe

Boolean value defining if BackupSafe permission will be granted to safe member on safe.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ViewAuditLog

Boolean value defining if ViewAuditLog permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: ViewAudit

Type: Boolean
Parameter Sets: (All)
Aliases: ViewAudit

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ViewSafeMembers

Boolean value defining if ViewSafeMembers permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: ViewMembers

Type: Boolean
Parameter Sets: (All)
Aliases: ViewMembers

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequestsAuthorizationLevel

Integer value defining level assigned to RequestsAuthorizationLevel for safe member.

Valid Values: 0, 1 or 2

Get-PASSafeMember (Gen1) may not return details of this permission

Depreciated from version 12.3

Type: Int32
Parameter Sets: Gen1
Aliases:

Required: False
Position: Named
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AccessWithoutConfirmation

Boolean value defining if AccessWithoutConfirmation permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) may not return details of this permission

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-CreateFolders

Boolean value defining if CreateFolders permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: AddRenameFolder

Type: Boolean
Parameter Sets: (All)
Aliases: AddRenameFolder

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DeleteFolders

Boolean value defining if DeleteFolders permission will be granted to safe member on safe.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MoveAccountsAndFolders

Boolean value defining if MoveAccountsAndFolders permission will be granted to safe member on safe.

Get-PASSafeMember (Gen1) returns the name of this permission as: MoveFilesAndFolders

Type: Boolean
Parameter Sets: (All)
Aliases: MoveFilesAndFolders

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-requestsAuthorizationLevel1

Request Authorization Level 1

Minimum required version 12.1

Type: Boolean
Parameter Sets: Gen2
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-requestsAuthorizationLevel2

Request Authorization Level 2

Minimum required version 12.1

Type: Boolean
Parameter Sets: Gen2
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UseGen1API

Force use of Gen1 API.

Should be specified for versions earlier than 12.1

Depreciated from version 12.3

Type: SwitchParameter
Parameter Sets: Gen1
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

https://pspas.pspete.dev/commands/Add-PASSafeMember

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Add%20Safe%20Member.htm