Compatibility
Your version of CyberArk determines which functions of psPAS will be supported.
Function List
Check the below table to determine what functions are available for you to use:
The CyberArk Version listed is the minimum required to use the function.
CyberArk Version may affect available capabilities or function parameters. See Notes for more details.
If you are using version 9.7+, and the function being invoked requires version 9.8+, psPAS will attempt to confirm that your version of CyberArk meets the minimum version requirement.
Function Name | CyberArk Version | Description |
---|---|---|
New-PASSession | 9.0 (Notes) | Authenticates a user to CyberArk Vault |
Close-PASSession | 9.0 (Notes) | Logoff from CyberArk Vault. |
Get-PASSession | — | Get psPAS Session Data. |
Use-PASSession | — | Set psPAS Session Data. |
Add-PASPublicSSHKey | 9.6 | Adds an authorised public SSH key for a user. |
Get-PASPublicSSHKey | 9.6 | Retrieves a user’s SSH Keys. |
Remove-PASPublicSSHKey | 9.6 | Deletes a Public SSH Key from a user |
Add-PASAccountACL | 9.0 | Adds a new privileged command rule to an account. |
Get-PASAccountACL | 9.0 | Lists privileged commands rule for an account |
Remove-PASAccountACL | 9.0 | Deletes privileged commands rule from an account |
Add-PASAccountGroupMember | 9.95 | Adds an account as a member of an account group. |
Get-PASAccountGroup | 9.10 (Notes) | Returns account groups in a Safe. |
Get-PASAccountGroupMember | 9.10 | Returns members of an account group. |
New-PASAccountGroup | 9.95 | Adds a new account group |
Remove-PASAccountGroupMember | 9.10 | Deletes a member of an account group |
Add-PASAccount | 9.0 (Notes) | Adds a new account. |
Add-PASPendingAccount | 9.7 | Adds discovered account or SSH key as a pending account. |
Get-PASAccount | 9.3 (Notes) | Returns information about accounts. |
Get-PASAccountActivity | 9.7 | Returns activities for an account. |
Get-PASAccountPassword | 9.7 (Notes) | Returns password for an account. |
Remove-PASAccount | 9.3 (Notes) | Deletes an account |
Set-PASAccount | 9.5 (Notes) | Updates details of an account. |
Invoke-PASCPMOperation | 9.7 (Notes) | Invoke CPM verify, change & reconcile tasks. |
Unlock-PASAccount | 9.10 | Checks in an exclusive-use account. |
Add-PASApplication | 9.1 | Adds a new application |
Add-PASApplicationAuthenticationMethod | 9.1 | Add authentication method to an application |
Get-PASApplication | 9.1 | Returns details of applications |
Get-PASApplicationAuthenticationMethod | 9.1 | Returns application authentication methods |
Remove-PASApplication | 9.1 | Deletes an application |
Remove-PASApplicationAuthenticationMethod | 9.1 | Delete auth method from an application |
Import-PASConnectionComponent | 10.3 | Imports a Connection Component |
New-PASPSMSession | 9.10 (Notes) | Get required parameters to connect through PSM |
Get-PASPSMRecording | 9.10 (Notes) | Get details of PSM Recording |
Get-PASPSMSession | 9.10 (Notes) | Get details of PSM Sessions |
Resume-PASPSMSession | 10.2 | Resumes a Suspended PSM Session. |
Stop-PASPSMSession | 10.1 | Terminates a PSM Session. |
Suspend-PASPSMSession | 10.2 | Suspends a PSM Session. |
Get-PASOnboardingRule | 9.7 | Gets automatic on-boarding rules |
New-PASOnboardingRule | 9.7 (Notes) | Adds a new on-boarding rule |
Remove-PASOnboardingRule | 9.7 | Deletes an automatic on-boarding rule |
Get-PASPlatform | 9.10 (Notes) | Retrieves details of a specified platform. |
Import-PASPlatform | 10.2 | Import a new platform |
Export-PASPlatform | 10.4 | Export a platform |
Add-PASPolicyACL | 9.0 | Adds a new privileged command rule |
Get-PASPolicyACL | 9.0 | Lists OPM Rules for a policy |
Remove-PASPolicyACL | 9.0 | Delete privileged commands from policy |
Approve-PASRequest | 9.10 (Notes) | Confirm a single request |
Deny-PASRequest | 9.10 (Notes) | Reject a single request |
Get-PASRequest | 9.10 (Notes) | List requests |
Get-PASRequestDetail | 9.10 (Notes) | Get request details |
New-PASRequest | 9.10 (Notes) | Creates an access request for an account |
Remove-PASRequest | 9.10 (Notes) | Deletes a request |
Add-PASSafeMember | 9.3 (Notes) | Adds a Safe Member to a safe |
Get-PASSafeMember | 9.7 (Notes) | Lists the members of a Safe |
Remove-PASSafeMember | 9.3 | Removes a member from a safe |
Set-PASSafeMember | 9.3 | Updates a Safe Member’s Permissions |
Add-PASSafe | 9.2 (Notes) | Adds a new safe |
Get-PASSafe | 9.7 (Notes) | Returns safe details |
Remove-PASSafe | 9.3 (Notes) | Deletes a safe |
Set-PASSafe | 9.3 | Updates a safe |
Get-PASSafeShareLogo | 9.7 | Returns details of SafeShare Logo |
Get-PASServer | 9.7 | Returns details of the Web Service Server |
Get-PASServerWebService | 9.7 | Returns details of the Web Service |
Get-PASComponentDetail | 10.1 | Returns details about component instances. |
Get-PASComponentSummary | 10.1 | Returns consolidated information about components. |
Add-PASGroupMember | 9.7 (Notes) | Adds a user as a group member |
Get-PASLoggedOnUser | 9.7 | Returns details of the logged on user |
Get-PASUserLoginInfo | 10.4 | Returns login details of the current user |
Get-PASUser | 9.7 (Notes) | Returns details of a user |
New-PASUser | 9.7 (Notes) | Creates a new user |
Remove-PASUser | 9.7 (Notes) | Deletes a user |
Set-PASUser | 9.7 (Notes) | Updates a user |
Unblock-PASUser | 9.7 (Notes) | Activates a suspended user |
Get-PASDirectory | 10.4 (Notes) | Get configured LDAP directories |
Add-PASDirectory | 10.4 (Notes) | Add a new LDAP directory |
New-PASDirectoryMapping | 10.4 (Notes) | Create a new LDAP directory mapping |
Add-PASPTARule | 10.4 | Add a new Risky Command rule to PTA |
Get-PASPTAEvent | 10.3 | Get security events from PTA |
Set-PASPTAEvent | 11.3 | Set status of PTA security events |
Get-PASPTARemediation | 10.4 | Get automatic response config from PTA |
Get-PASPTARule | 10.4 | List Risky Command rules from PTA |
Set-PASPTARemediation | 10.4 | Update automatic response config in PTA |
Set-PASPTARule | 10.4 | Update a Risky Command rule in PTA |
Get-PASGroup | 10.5 | Return group information |
Remove-PASGroupMember | 10.5 | Remove group members |
Set-PASOnboardingRule | 10.5 | Update Onboarding Rules |
Add-PASDiscoveredAccount | 10.5 (Notes) | Add discovered accounts to the Accounts Feed |
Connect-PASPSMSession | 10.5 | Get required parameters to connect to a PSM Session |
Get-PASPSMSessionActivity | 10.6 | Get activity details from an active PSM Session. |
Get-PASPSMSessionProperty | 10.6 | Get property details from an active PSM Session. |
Get-PASPSMRecordingActivity | 10.6 | Get activity details from a PSM Recording. |
Get-PASPSMRecordingProperty | 10.6 | Get property details from a PSM Recording. |
Export-PASPSMRecording | 10.6 | Save PSM Session Recording to a file. |
Request-PASAdHocAccess | 10.6 | Request temporary access to a server. |
Get-PASDirectoryMapping | 10.7 | Get details of configured directory mappings. |
Set-PASDirectoryMapping | 10.7 (Notes) | Update a configured directory mapping. |
Remove-PASDirectory | 10.7 | Delete a directory configuration. |
Find-PASSafe | 10.1 - 11.7 (Notes) | List or Search Safes by name. |
Set-PASDirectoryMappingOrder | 10.10 | Reorder Directory Mappings |
Set-PASUserPassword | 10.10 | Reset a User’s Password |
New-PASGroup | 11.1 | Create a new CyberArk group |
Get-PASPlatformSafe | 11.1 | List details for all platforms |
Remove-PASDirectoryMapping | 11.1 | Deletes a Directory Mapping |
Enable-PASCPMAutoManagement | 10.4 | Enables Automatic CPM Management for an account |
Disable-PASCPMAutoManagement | 10.4 | Disables Automatic CPM Management for an account |
Test-PASPSMRecording | 11.2 | Determine validity of PSM Session Recording |
Copy-PASPlatform | 11.4 | Duplicate a platform |
Enable-PASPlatform | 11.4 | Enable a platform |
Disable-PASPlatform | 11.4 | Disable a platform |
Remove-PASPlatform | 11.4 | Delete a platform |
Remove-PASGroup | 11.5 | Delete a user group |
Get-PASAllowedReferrer | 11.5 | List PVWA Allowed Referrer |
Add-PASAllowedReferrer | 11.5 | Add PVWA Allowed Referrer |
Get-PASAccountSSHKey | 11.5 | Get Private SSH Key value of Account |
Get-PASAuthenticationMethod | 11.5 | List authentication methods |
Add-PASAuthenticationMethod | 11.5 | Add authentication method |
Set-PASAuthenticationMethod | 11.5 | Update authentication method |
Get-PASConnectionComponent | 11.5 | List configured connection components |
Get-PASPSMServer | 11.5 | List configured PSM Servers |
Get-PASPlatformPSMConfig | 11.5 | List Platform PSM configuration |
Set-PASPlatformPSMConfig | 11.5 | Update Platform PSM configuration |
Start-PASAccountImportJob | 11.6 | Add multiple accounts to existing Safes. |
Get-PASAccountImportJob | 11.6 | Get status of account import |
New-PASAccountObject | — | Format an object to include in an import list |
Get-PASDiscoveredAccount | 11.6 | List discovered accounts |
Add-PASOpenIDConnectProvider | 11.7 | Adds an OIDC Authentication Provider |
Get-PASOpenIDConnectProvider | 11.7 | Gets details of configured OIDC Authentication Providers |
Remove-PASOpenIDConnectProvider | 11.7 | Deletes an OIDC Authentication Provider |
Set-PASOpenIDConnectProvider | 11.7 | Updates an OIDC Authentication Provider |
Remove-PASAuthenticationMethod | 11.7 | Delete an authentication method |
Clear-PASDiscoveredAccountList | 12.1 | Clear all discovered accounts from the pending account list |
Get-PASAccountPasswordVersion | 12.1 | Get details of previous password versions |
New-PASAccountPassword | 12.0 | Generate new password values based on platform policy |
Set-PASLinkedAccount | 12.1 | Associate logon and reconcile accounts |
Clear-PASPrivateSSHKey | 12.1 | Remove all MFA caching SSH Keys |
New-PASPrivateSSHKey | 12.1 | Generate MFA caching SSH Keys |
Remove-PASPrivateSSHKey | 12.1 | Delete MFA caching SSH Keys |
Set-PASGroup | 12.0 | Update CyberArk groups |
Notes
New-PASSession
- Version 9.7 introduced new Authentication Options:
  - New Authentication Methods:
    - LDAP
    - RADIUS
    - Shared
    - SAML
- Version 10.4 introduced a new Authentication Option.
  - New Authentication Method:
    - Windows
- Version 11.3 introduced support for concurrent API sessions.
- Version 11.4 introduced updated support for SAML auth.
- The 1st gen API endpoint can be used by specifying the `-UseGen1API` parameter.
Close-PASSession
- The 1st gen API endpoint can be used by specifying the `-UseGen1API` parameter.
Get-PASAccountGroup
- Version 10.5 introduced a new API endpoint.
- The 1st gen API endpoint can be used by specifying the `-UseGen1API` parameter.
Add-PASAccount
- Version 10.4 introduced a new API endpoint.
- The 1st gen API endpoint can be used by using the ParameterSet which includes the `-password` parameter.
Get-PASAccount
- Version 11.4 introduced the ability to filter by modificationTime.
- Version 10.4 introduced a new API endpoint.
  - Supports:
    - Get details of all matching accounts.
- The 1st gen API endpoint can be used by using the `-Keywords` & `-Safe` parameters.
  - The 1st gen API is limited to returning the details of only 1 account.
Get-PASAccountPassword
- Version 10.1 introduced a new API endpoint.
  - Supports:
    - Specifying Reason for Access.
    - Supplying Ticketing Information.
    - Requesting specific password versions.
    - Return of SSH key.
Remove-PASAccount
- Version 10.4 introduced a new API endpoint.
- The 1st gen API endpoint can be used by specifying the `-UseGen1API` parameter.
Set-PASAccount
- Version 10.4 introduced a new API endpoint.
  - Supports:
    - Add/Update/Remove single account property.
    - Perform multiple update operations against account.
  - Requires Parameters:
    - `op` (for single property update)
    - `operations` (for multiple updates)
- The 1st gen API endpoint requires all of the account properties be passed to the function.
  - Any current properties of the account not sent as part of the request will result in them being removed from the account.
Invoke-PASCPMOperation
- Version 9.10 introduced a new API endpoint.
  - Supports:
    - Verify/Change/Reconcile of password.
- Version 10.1 introduced a new API endpoint.
  - Supports:
    - Changing password to specific value.
    - Changing password only in the vault.
- The 1st gen API endpoint can be used by:
  - Using the `-ImmediateChangeByCPM` parameter.
  - Specifying the `-UseGen1API` parameter.
New-PASPSMSession
- Version 10.2 introduced a new API endpoint.
  - Supports:
    - Connection via PSM GW.
- Version 10.5 introduced a new API endpoint.
  - Supports:
    - AdHoc Connect.
Get-PASPSMRecording
- Version 10.6 introduced a new API endpoint.
  - Supports:
    - Get recording details by `RecordingID`.
Get-PASPSMSession
- Version 10.6 introduced a new API endpoint.
  - Supports:
    - Get session details by `liveSessionId`.
New-PASOnboardingRule
- Version 10.2 introduced a new API endpoint.
  - Supports:
    - Additional filter options
  - Requires Parameters:
    - `DecisionSafeName`
    - `DecisionPlatformId`
*-PASRequest*
- The functions related to requests (`Approve-PASRequest`, `Deny-PASRequest`, `Get-PASRequest`, `Get-PASRequestDetail`, `New-PASRequest` & `Remove-PASRequest`), are documented as supported from version 9.10.
  - Reports received from `psPAS` users, observing that these functions also work in version 9.9.
Add-PASGroupMember
- Version 10.6 introduced a new API endpoint.
  - Requires Parameters:
    - `GroupID`
    - `UserID`
- The 1st gen API endpoint can be used by using the `GroupName` & `UserName` parameters.
Get-PASUser
- Version 10.9 introduced a new API endpoint.
  - Supports:
    - Additional query types.
- Version 10.10 introduced a new API endpoint.
  - Supports:
    - Get user by ID.
- Version 11.5 returns additional group membership detail for user accounts.
- Version 12.1 introduced new parameter to request `ExtendedDetails` for a user.
New-PASUser
- Version 10.9 introduced a new API endpoint.
  - Supports:
    - Additional property parameters.
Unblock-PASUser
- Version 10.10 introduced a new API endpoint.
  - Requires Parameters:
    - `userID`
- The 1st gen API endpoint can be used by using the `userName` parameter.
Get-PASDirectory
- Version 10.5 introduced a new API endpoint.
  - Supports:
    - Get directory details by id.
Add-PASDirectory
- Version 10.7 introduced a new API endpoint.
  - Requires Parameters:
    - `DCList` Parameter.
New-PASDirectoryMapping
- Version 10.7 introduced a new API endpoint.
  - Supports:
    - `VaultGroups`.
    - `Location`.
    - `LDAP Query`.
- Version 10.10 introduced a new API endpoint.
  - Supports:
    - `UserActivityLogPeriod`.
Set-PASDirectoryMapping
- Version 10.10 introduced a new API endpoint.
  - Supports:
    - `UserActivityLogPeriod`.
Add-PASDiscoveredAccount
- Version 10.8 introduced a new API endpoint.
  - Supports:
    - Account Dependency & AWS specific parameters
- Version 11.7
  - Supports:
    - Azure specific parameter
Get-PASPlatform
- Version 11.1 introduced a new API endpoint.
  - Supports:
    - New options for finding platforms
- Version 11.4 introduced new API endpoints
  - Parameters added to enable more filtering options for querying target platforms
  - Parameters added to request details of dependent, group & rotational group platforms.
- Version 9.10+ When specifying PlatformID
  - If the platform properties contain a semicolon (‘;’), the API may not return the complete value.
    - Noted for ChangeCommand, ReconcileCommand & ConnectionCommand properties
Remove-PASUser
- Version 11.1 introduced a new API endpoint.
  - Supports:
    - Delete User by ID
Set-PASUser
- Version 11.1 introduced a new API endpoint.
  - Supports:
    - Additional parameters for updating users.
Get-PASPTAEvent
- Version 11.3 introduced new parameters for filtering events
  - Supports:
    - status
    - fromUpdateDate
- Version 11.4 introduced new parameters for filtering events
  - Supports:
    - accountID
Get-PASSafeMember
- Version 12.0 introduced a new API endpoint.
- Version 12.1 introduced new filter parameters.
Add-PASSafeMember
- Version 12.1 introduced a new API endpoint.
Add-PASSafe
- Version 12.0 introduced a new API endpoint.
Get-PASSafe
- Version 12.0 introduced a new API endpoint.
- Version 12.1 introduced a new parameter `extendedDetails`.
Remove-PASSafe
- Version 12.1 introduced a new API endpoint.
Find-PASSafe
- External changes to the API mean `Find-PASSafe` cannot be used past version 11.7.
  - Equivalent API functionality exists in `Get-PASSafe` using the `Gen2` ParameterSet.