Compatibility

This section lists the commands available in psPAS as well as any relevant version requirements.

Depending on your version of CyberArk, different psPAS commands and parameters are available.

The most recent psPAS version should work with your particular CyberArk version and be able to be used with it.

The version requirements for certain parameters are described in greater detail in the command’s documentation.

Function List

Check the below table to determine what functions are available for you to use:

The minimum required version of CyberArk to use the function is listed.

CyberArk Version may affect available capabilities or function parameters. See Notes for more details.

The module will take steps to verify that your version of CyberArk meets any psPAS command’s minimum version requirement.

If version requirement criteria are not met, operations may be prevented.

Function Name CyberArk Version Description
New-PASSession 9.0 (Notes) Authenticates a user to CyberArk Vault
Close-PASSession 9.0 (Notes) Logoff from CyberArk Vault.
Get-PASSession Get psPAS Session Data.
Use-PASSession Set psPAS Session Data.
Add-PASPublicSSHKey 9.6 Adds an authorised public SSH key for a user.
Get-PASPublicSSHKey 9.6 Retrieves a user’s SSH Keys.
Remove-PASPublicSSHKey 9.6 Deletes a Public SSH Key from a user
Add-PASAccountACL 9.0 Adds a new privileged command rule to an account.
Get-PASAccountACL 9.0 Lists privileged commands rule for an account
Remove-PASAccountACL 9.0 Deletes privileged commands rule from an account
Add-PASAccountGroupMember 9.95 Adds an account as a member of an account group.
Get-PASAccountGroup 9.10 (Notes) Returns account groups in a Safe.
Get-PASAccountGroupMember 9.10 Returns members of an account group.
New-PASAccountGroup 9.95 Adds a new account group
Remove-PASAccountGroupMember 9.10 Deletes a member of an account group
Add-PASAccount 9.0 (Notes) Adds a new account.
Add-PASPendingAccount 9.7 Adds discovered account or SSH key as a pending account.
Get-PASAccount 9.3 (Notes) Returns information about accounts.
Get-PASAccountDetail 10.4 Returns information about accounts.
Get-PASAccountActivity 9.7 Returns activities for an account.
Get-PASAccountPassword 9.7 (Notes) Returns password for an account.
Remove-PASAccount 9.3 (Notes) Deletes an account
Set-PASAccount 9.5 (Notes) Updates details of an account.
Invoke-PASCPMOperation 9.7 (Notes) Invoke CPM verify, change & reconcile tasks.
Unlock-PASAccount 9.10(Notes) Checks-in / Unlocks an exclusive-use account.
Add-PASApplication 9.1 Adds a new application
Add-PASApplicationAuthenticationMethod 9.1 Add authentication method to an application
Get-PASApplication 9.1 Returns details of applications
Get-PASApplicationAuthenticationMethod 9.1 Returns application authentication methods
Remove-PASApplication 9.1 Deletes an application
Remove-PASApplicationAuthenticationMethod 9.1 Delete auth method from an application
Import-PASConnectionComponent 10.3 Imports a Connection Component
New-PASPSMSession 9.10 (Notes) Get required parameters to connect through PSM
Get-PASPSMRecording 9.10 (Notes) Get details of PSM Recording
Get-PASPSMSession 9.10 (Notes) Get details of PSM Sessions
Resume-PASPSMSession 10.2 Resumes a Suspended PSM Session.
Stop-PASPSMSession 10.1 Terminates a PSM Session.
Suspend-PASPSMSession 10.2 Suspends a PSM Session.
Get-PASOnboardingRule 9.7 Gets automatic on-boarding rules
New-PASOnboardingRule 9.7 (Notes) Adds a new on-boarding rule
Remove-PASOnboardingRule 9.7 Deletes an automatic on-boarding rule
Get-PASPlatform 9.10 (Notes) Retrieves details of a specified platform.
Import-PASPlatform 10.2 Import a new platform
Export-PASPlatform 10.4 Export a platform
Add-PASPolicyACL 9.0 Adds a new privileged command rule
Get-PASPolicyACL 9.0 Lists OPM Rules for a policy
Remove-PASPolicyACL 9.0 Delete privileged commands from policy
Approve-PASRequest 9.10 (Notes) Confirm a single request
Deny-PASRequest 9.10 (Notes) Reject a single request
Get-PASRequest 9.10 (Notes) List requests
Get-PASRequestDetail 9.10 (Notes) Get request details
New-PASRequest 9.10 (Notes) Creates an access request for an account
Remove-PASRequest 9.10 (Notes) Deletes a request
Add-PASSafeMember 9.3 (Notes) Adds a Safe Member to a safe
Get-PASSafeMember 9.7 (Notes) Lists the members of a Safe
Remove-PASSafeMember 9.3 (Notes Removes a member from a safe
Set-PASSafeMember 9.3 (Notes Updates a Safe Member’s Permissions
Add-PASSafe 9.2 (Notes) Adds a new safe
Get-PASSafe 9.7 (Notes) Returns safe details
Remove-PASSafe 9.3 (Notes) Deletes a safe
Set-PASSafe 9.3 (Notes) Updates a safe
Get-PASSafeShareLogo 9.7 Returns details of SafeShare Logo
Get-PASServer 9.7 Returns details of the Web Service Server
Get-PASServerWebService 9.7 Returns details of the Web Service
Get-PASComponentDetail 10.1 (Notes) Returns details about component instances.
Get-PASComponentSummary 10.1 Returns consolidated information about components.
Add-PASGroupMember 9.7 (Notes) Adds a user as a group member
Get-PASLoggedOnUser 9.7 Returns details of the logged on user
Get-PASUserLoginInfo 10.4 Returns login details of the current user
Get-PASUser 9.7 (Notes) Returns details of a user
New-PASUser 9.7 (Notes) Creates a new user
Remove-PASUser 9.7 (Notes) Deletes a user
Set-PASUser 9.7 (Notes) Updates a user
Unblock-PASUser 9.7 (Notes) Activates a suspended user
Get-PASDirectory 10.4 (Notes) Get configured LDAP directories
Add-PASDirectory 10.4 (Notes) Add a new LDAP directory
New-PASDirectoryMapping 10.4 (Notes) Create a new LDAP directory mapping
Add-PASPTARule 10.4 Add a new Risky Commandrule to PTA
Get-PASPTAEvent 10.3 Get security events from PTA
Set-PASPTAEvent 11.3 Set status of PTA security events
Get-PASPTARemediation 10.4 Get automatic response config from PTA
Get-PASPTARule 10.4 List Risky Command rules from PTA
Set-PASPTARemediation 10.4 Update automaticresponse config in PTA
Set-PASPTARule 10.4 Update a Risky Commandrule in PTA
Get-PASGroup 10.5 (Notes) Return group information
Remove-PASGroupMember 10.5 Remove group members
Set-PASOnboardingRule 10.5 Update Onboarding Rules
Add-PASDiscoveredAccount 10.5 (Notes) Add discovered accounts to the Accounts Feed
Connect-PASPSMSession 10.5 Get required parameters to connect to a PSM Session
Get-PASPSMSessionActivity 10.6 Get activity details from an active PSM Session.
Get-PASPSMSessionProperty 10.6 Get property details from an active PSM Session.
Get-PASPSMRecordingActivity 10.6 Get activity details from a PSM Recording.
Get-PASPSMRecordingProperty 10.6 Get property details from a PSM Recording.
Export-PASPSMRecording 10.6 Save PSM Session Recording to a file.
Request-PASJustInTimeAccess 10.6 Request temporary access to a server.
Revoke-PASJustInTimeAccess 12.0 Revoke temporary server access.
Get-PASDirectoryMapping 10.7 Get details of configured directory mappings.
Set-PASDirectoryMapping 10.7 (Notes) Update a configured directory mapping.
Remove-PASDirectory 10.7 Delete a directory configuration.
Find-PASSafe 10.1 - 11.7 (Notes) List or Search Safes by name.
Set-PASDirectoryMappingOrder 10.10 Reorder Directory Mappings
Set-PASUserPassword 10.10 Reset a User’s Password
New-PASGroup 11.1 Create a new CyberArk group
Get-PASPlatformSafe 11.1 List details for all platforms
Remove-PASDirectoryMapping 11.1 Deletes a Directory Mapping
Enable-PASCPMAutoManagement 10.4 Enables Automatic CPM Management for an account
Disable-PASCPMAutoManagement 10.4 Disables Automatic CPM Management for an account
Test-PASPSMRecording 11.2 Determine validity of PSM Session Recording
Copy-PASPlatform 11.4 Duplicate a platform
Enable-PASPlatform 11.4 Enable a platform
Disable-PASPlatform 11.4 Disable a platform
Remove-PASPlatform 11.4 Delete a platform
Remove-PASGroup 11.5 Delete a user group
Get-PASAllowedReferrer 11.5 List PVWA Allowed Referrer
Add-PASAllowedReferrer 11.5 Add PVWA Allowed Referrer
Get-PASAccountSSHKey 11.5 Get Private SSH Key value of Account
Get-PASAuthenticationMethod 11.5 List authentication methods
Add-PASAuthenticationMethod 11.5 Add authentication method
Set-PASAuthenticationMethod 11.5 Update authentication method
Get-PASConnectionComponent 11.5 List configured connection components
Get-PASPSMServer 11.5 List configured PSM Servers
Get-PASPlatformPSMConfig 11.5 List Platform PSM configuration
Set-PASPlatformPSMConfig 11.5 Update Platform PSM configuration
Start-PASAccountImportJob 11.6 Add multiple accounts to existing Safes.
Get-PASAccountImportJob 11.6 Get status of account import
New-PASAccountObject Format an object to include in an import list
Get-PASDiscoveredAccount 11.6 List discovered accounts
Add-PASOpenIDConnectProvider 11.7 Adds an OIDC Authentication Provider
Get-PASOpenIDConnectProvider 11.7 Gets details of configured OIDC Authentication Providers
Remove-PASOpenIDConnectProvider 11.7 Deletes an OIDC Authentication Provider
Set-PASOpenIDConnectProvider 11.7 Updates an OIDC Authentication Provider
Remove-PASAuthenticationMethod 11.7 Delete an authentication method
Clear-PASDiscoveredAccountList 12.1 Clear all discovered accounts from the pending account list
Get-PASAccountPasswordVersion 12.1 Get details of previous password versions
New-PASAccountPassword 12.0 Generate new password values based on platform policy
Set-PASLinkedAccount 12.1 Associate logon and reconcile accounts
Clear-PASLinkedAccount 12.2 Clear associated linked accounts
Clear-PASPrivateSSHKey 12.1 Remove all MFA caching SSH Keys
New-PASPrivateSSHKey 12.1 Generate MFA caching SSH Keys
Remove-PASPrivateSSHKey 12.1 Delete MFA caching SSH Keys
Set-PASGroup 12.0 Update CyberArk groups
Get-PASPlatformSummary 12.2 Get basic information on current platform system types
Enable-PASUser 12.6 Enable CyberArk Users
Disable-PASUser 12.6 Disable CyberArk Users
Publish-PASDiscoveredAccount 12.6 Onboard Discovered Accounts
Get-PASLinkedAccount 12.2 Get details of linked accounts
Get-PASLinkedGroup 12.2 Get details of linked groups
Add-PASPersonalAdminAccount 12.6 Add Personal Admin Account (Privilege Cloud Only).
Get-PASPTAGlobalCatalog 13.0 Get Global Catalog connectivity details for PTA.
Add-PASPTAGlobalCatalog 13.0 Add Global Catalog connectivity details to PTA.
Get-PASUserTypeInfo 13.2 Get User Type Info
Get-PASPTARiskEvent 13.2 (Notes) Get PTA Risk Events
Set-PASPTARiskEvent 13.2 (Notes) Update PTA Risk Events
Get-PASPTARiskSummary 13.2 Get PTA Risk Summary
New-PASRequestObject Format an object to include in an request list
Add-PASPTAExcludedTarget 14.0 Excludes a PTA Monitored Target
Add-PASPTAIncludedTarget 14.0 Includes a PTA Monitored Target
Add-PASPTAPrivilegedGroup 14.0 Configures a PTA Privileged Group
Add-PASPTAPrivilegedUser 14.0 Configures a PTA Privileged User
Get-PASPTAExcludedTarget 14.0 Get PTA Excluded Target
Get-PASPTAIncludedTarget 14.0 Get PTA Included target
Get-PASPTAPrivilegedGroup 14.0 Get PTA Privileged Group
Get-PASPTAPrivilegedUser 14.0 Get PTA Privileged User
Remove-PASPTAExcludedTarget 14.0 Remove PTA Excluded Target
Remove-PASPTAIncludedTarget 14.0 Remove PTA Included Target
Remove-PASPTAPrivilegedGroup 14.0 Remove PTA Privileged Group
Remove-PASPTAPrivilegedUser 14.0 Remove PTA Privileged User
Set-PASIPAllowList P Cloud Only Set P Cloud IP Allow List
Get-PASIPAllowList P Cloud Only Get P Cloud IP Allow List
Get-PASBYOKConfig P Cloud Only Get P Cloud BYOK Config
Publish-PASDiscoveredLocalAccount P Cloud Only Publish P Cloud Discovered Local Account
Remove-PASDiscoveredLocalAccount P Cloud Only Delete P Cloud Discovered Local Account
Get-PASDiscoveredLocalAccountActivity P Cloud Only Get P Cloud Discovered Local Account Activity
Get-PASDiscoveredLocalAccount P Cloud Only Get P Cloud Discovered Local Account
Clear-PASDiscoveredLocalAccount P Cloud Only Clear all P Cloud Discovered Local Accounts
Add-PASDiscoveredLocalAccount P Cloud Only Add P Cloud Discovered Local Account

Notes

New-PASSession

  • Version 9.7 introduced a new Authentication Options:
    • New Authentication Methods:
      • LDAP
      • RADIUS
      • Shared
      • SAML
  • Version 10.4 introduced a new Authentication Option.
    • New Authentication Method:
      • Windows
  • Version 11.3 introduced support for concurrent API sessions.
  • Version 11.4 introduced updated support for SAML auth.
  • The Gen1 API endpoint can be used by specifying the -UseGen1API parameter.

Close-PASSession

  • The Gen1 API endpoint can be used by specifying the -UseGen1API parameter.

Get-PASAccountGroup

  • Version 10.5 introduced a new API endpoint, “Get Safe account groups”.
    • This API is deprecated from version 12.6.
    • The “Get Safe account groups” API endpoint can be used by specifying the -UseGen1API parameter.

Add-PASAccount

  • Version 10.4 introduced a new API endpoint.
  • The Gen1 API endpoint can be used by using the ParameterSet which includes the -password parameter.

Get-PASAccount

  • 12.6 introduced ability to use the savedFilter parameter
  • 11.4 introduced ability to filter by modificationTime
  • Version 10.4 introduced a new API endpoint.
    • Supports:
      • Get details of all matching accounts.
  • The Gen1 API endpoint can be used by using the -Keywords & -Safe parameters.
    • The Gen1 API is limited to returning the details of only 1 account.

Get-PASAccountPassword

  • Version 10.1 introduced a new API endpoint.
    • Supports:
      • Specifying Reason for Access.
      • Supplying Ticketing Information.
      • Requesting specific password versions.
      • Return of SSH key.

Remove-PASAccount

  • Version 10.4 introduced a new API endpoint.
  • The Gen1 API endpoint can be used by specifying the -UseGen1API parameter.

Set-PASAccount

  • Version 10.4 introduced a new API endpoint.
    • Supports:
      • Add/Update/Remove single account property.
      • Perform multiple update operations against account.
    • Requires Parameters:
      • op (for single property update)
      • operations (for multiple updates)
  • The Gen1 API endpoint requires all of the account properties be passed to the function.
    • Any current properties of the account not sent as part of the request will result in them being removed from the account.

Invoke-PASCPMOperation

  • Version 9.10 introduced a new API endpoint.
    • Supports:
      • Verify/Change/Reconcile of password.
  • Version 10.1 introduced a new API endpoint.
    • Supports:
      • Changing password to specific value.
      • Changing password only in the vault.
  • The Gen1 API endpoint can be used by:
    • Using the -ImmediateChangeByCPM parameter.
    • Specifying the -UseGen1API parameter.

New-PASPSMSession

  • Version 10.2 introduced a new API endpoint.
    • Supports:
      • Connection via PSM GW.
  • Version 10.5 introduced a new API endpoint.
    • Supports:
      • AdHoc Connect.

Get-PASPSMRecording

  • Version 10.6 introduced a new API endpoint.
    • Supports:
      • Get recording details by RecordingID.

Get-PASPSMSession

  • Version 10.6 introduced a new API endpoint.
    • Supports:
      • Get session details by liveSessionId.

New-PASOnboardingRule

  • Version 10.2 introduced a new API endpoint.
    • Supports:
      • Additional filter options
    • Requires Parameters:
      • DecisionSafeName
      • DecisionPlatformId

*-PASRequest*

  • The functions related to requests (Approve-PASRequest, Deny-PASRequest, Get-PASRequest, Get-PASRequestDetail, New-PASRequest & Remove-PASRequest), are documented as supported from version 9.10.
    • Reports received from psPAS users, observing that these functions also work in version 9.9.
  • New-PASRequest
    • Version 13.2 introduced a new API endpoint.
    • Supports:
      • Requests to access multiple accounts
  • Get-PASRequest
    • Version 13.2 introduced a new API endpoint.
    • Supports:
      • Get status of requests to access multiple accounts

Add-PASGroupMember

  • Version 10.6 introduced a new API endpoint.
    • Requires Parameters:
      • GroupID
      • memberID
  • The Gen1 API endpoint can be used by using the GroupName & UserName parameters.
  • Gen1 API deprecated from 12.3

Get-PASUser

  • Version 10.9 introduced a new API endpoint.
    • Supports:
      • Additional query types.
  • Version 10.10 introduced a new API endpoint.
    • Supports:
      • Get user by ID.
  • Version 11.5 returns additional group membership detail for user accounts.
  • Version 12.1 introduced new parameter to request ExtendedDetails for a user.
  • Version 12.2 introduced new sort parameter and ability to filter by UserName.
  • Version 13.2 introduced new source & userStatus parameters.

New-PASUser

  • Version 10.9 introduced a new API endpoint.
    • Supports:
      • Additional property parameters.
  • Gen1 API deprecated from 12.3
  • Version 13.2 introduced new parameters: userActivityLogRetentionDays, loginFromHour & loginToHour

Unblock-PASUser

  • Version 10.10 introduced a new API endpoint.
    • Requires Parameters:
      • userID
  • The Gen1 API endpoint can be used by using the userName parameter.
  • Gen1 API deprecated from 12.3

Get-PASDirectory

  • Version 10.5 introduced a new API endpoint.
    • Supports:
      • Get directory details by id.

Add-PASDirectory

  • Version 10.7 introduced a new API endpoint.
    • Requires Parameters:
      • DCList Parameter.

New-PASDirectoryMapping

  • Version 10.7 introduced a new API endpoint.
    • Supports:
      • VaultGroups.
      • Location.
      • LDAP Query.
  • Version 10.10 introduced a new API endpoint.
    • Supports:
      • UserActivityLogPeriod.
  • Version 14.0 introduced new API parameters.
    • Supports:
      • UsedQuota
      • AuthorizedInterfaces
      • EnableENEWhenDisconnected

Set-PASDirectoryMapping

  • Version 10.10 introduced a new API endpoint.
    • Supports:
      • UserActivityLogPeriod.
  • Version 14.0 introduced new API parameters.
    • Supports:
      • UsedQuota
      • AuthorizedInterfaces
      • EnableENEWhenDisconnected

Add-PASDiscoveredAccount

  • Version 10.8 introduced a new API endpoint.
    • Supports:
      • Account Dependency & AWS specific parameters
  • Version 11.7
    • Supports
      • Azure specific parameter

Get-PASPlatform

  • Version 11.1 introduced a new API endpoint.
    • Supports:
      • New options for finding platforms
  • Version 11.4 introduced new API endpoints
    • Parameters added to enable more filtering options for querying target platforms
    • Parameters added to request details of dependent, group & rotational group platforms.
  • Version 9.10+ When specifying PlatformID
    • if the platform properties contain a semicolon (‘;’), the API may not return the complete value.
      • noted for ChangeCommand, ReconcileCommand & ConnectionCommand properties

Remove-PASUser

  • Version 11.1 introduced a new API endpoint.
    • Supports:
      • Delete User by ID
  • Gen1 API deprecated from 12.3

Set-PASUser

  • Version 11.1 introduced a new API endpoint.
    • Supports:
      • Additional parameters for updating users.
  • Gen1 API deprecated from 12.3
  • Version 13.2 introduced new parameters: userActivityLogRetentionDays, loginFromHour & loginToHour

Get-PASPTAEvent

  • Version 11.3 introduced new parameters for filtering events
    • Supports:
      • status
      • fromUpdateDate
  • Version 11.4 introduced new parameters for filtering events
    • Supports:
      • accountID

Get-PASSafeMember

  • Version 12.0 introduced a new API endpoint.
  • Version 12.1 introduced new filter parameters.
  • Version 12.2 introduces capability to get permissions of individual safe member.

Set-PASSafeMember

  • Version 12.2 introduced a new API endpoint.

Remove-PASSafeMember

  • Version 12.2 introduced a new API endpoint.

Add-PASSafeMember

  • Version 12.1 introduced a new API endpoint.

Add-PASSafe

  • Version 12.0 introduced a new API endpoint.

Get-PASSafe

  • Version 12.0 introduced a new API endpoint.
  • Version 12.1 introduced a new parameter extendedDetails.
  • Version 12.1 introduces capability to get details of individual safe using the Gen2 API.

Remove-PASSafe

  • Version 12.1 introduced a new API endpoint.

Find-PASSafe

  • External changes to the API mean Find-PASSafe cannot be used past version 11.7.
  • Equivalent API functionality exists in Get-PASSafe using the Gen2 ParameterSet.

Get-PASGroup

  • Version 12.0 introduced includeMembers parameter.
  • Version 12.2 introduced new sort & groupName parameters.
  • Version 12.6 introduced the id parameter.

Set-PASSafe

  • Version 12.2 introduced new API endpoint

Get-PASComponentDetail

  • Version 12 adds pta as target component

Unlock-PASAccount

  • Unlock (not check-in) assumed to work from 11.6 (officially supported from 14.0)

Get-PASPTARiskEvent

  • Version 14 introduced new filter parameters
    • FromTime
    • ToTime

Set-PASPTARiskEvent

  • Version 14 introduced new parameters
    • closeReason
    • reasonText

Updated: