CyberArk Terminal Utility (CTU) is a terminal interface that utilizes REST API to automate changes to CyberArk Enterprise Password Vault system. Built Using CyberArk PowerShell module psPAS, and CyberArk RestAPI.
(follow this Reddit post)
- First version released on 8/25/2017 (v1.0), with a limited functionality to manage safe permissions (see Current Functions below).
- If you want to test this version, choose number 3 (Safe Permissions Management) from the main menu, and choose any option from the submenu.
- The goal is to continue developing this tool by adding more functions in future releases.
- Currently I don't have access to CyberArk test server anymore, as soon as I do I will continue adding more features.
CyberArk Enterprise Password Vault is an enterprise solution designed to secure, audit and control access to privileged accounts in any organization, and automate the process of changing passwords of service accounts. The solution enables companies to mitigate the risk of unauthorized access to privileged accounts, and reduce the time & resources needed to maintain privileged accounts security, to better protect sensitive systems from compromise. CyberArk PVWA (Password Vault Web Access) is the web application, where users can retrieve passwords and manage safes.
More about CyberArk Enterprise Password Vault in the official website.
CyberArk uses the web app as a GUI interface to manage the system, which makes it a bit difficult to perform bulk changes and automate changes to the vaulted accounts. Fortunately, CyberArk released CyberArk REST API V9.9 which allows terminal communications with the system.
CyberArk Terminal Utility (CTU) utilizes REST API to create a terminal interface that allows administrator to access CyberArk PVWA server and manage the system from a terminal interface on PowerShell. The main features are:
- Establishing a secure connection to your PVWA, and credentials will be handled as a PSCredentials Object (following the best practice)
- Navigating through common options with a simple menu.
- Importing bulk changes from an Excel file (
import-csvcmdlet used for .csv, custom function created for .xls & .xlsx) - Confirming the number of changes before executing them.
- Generating logs to the Logs folder of all changes made via CTU.
- PowerShell version 4.0 or above - (check your PS version using
$PSVersionTable.PSVersionin PowerShell), install/update PowerShell using this site Windows Management Framework - CyberArk version 9.7 or above - update using the official CyberArk documentation (may the force be with you!)
- Enable CyberArk PAS REST API/Web Service
- Make sure you have the appropriate permissions to the Vaults/Safes you want to change
- Download it on your computer (using the green button above) or clone it using the following command:
git clone https://github.com/zshehri/CTU- Or update the existing folder:
git pullTo run CTU.ps1, you'd probably need to allow running scripts downloaded form the internet for this PowerShell session.
Open a new PowerShell as an admin, and paste the following command to allow running the script:
powershell -ExecutionPolicy ByPassand then run the script:
C:\path to CTU folder\CTU.ps1As soon as you're done from CTU, close the current PowerShell session to revert back to same ExecutionPolicy. (This workaround is the easiest, read more about other options).
The menu should be clear enough for how to use the script. All inputs, outputs, and errors will handled through the terminal console.
Review the code before running it, you'll find tags that would help you customizing the tool for your needs:
[TEMP]: you can hardcode your PVWA address in the tool, so you don't need to retype it every time.[DEV]: changes made but never tested, so I commented them out. If you want to contribute, here you go![DEBUG]: of course you may have some errors along the way, search for this tag and enable the commented line to show verbose errors when needed.
-
The initial motive of this script is to modify hundreds of user access permissions to safes, so users can be assigned one of the roles -below- describing the permissions they will get:
- User: Access to only use resources in the safe (vaulted passwords), list all safe users, and view audit trails.
- Owner: Access to manage resources in the safe, unlock accounts, and manage users access.
- System: All permissions are granted (meant for system accounts, such as PVWA default accounts ...)
-
These roles will be imported from an excel file, following the template.
-
You can change these roles/permissions as you like to fit your requirements (
Set-AssignSafeMemberfunction) -
The script worked like a charm, and successfully applied permission changes to over 500 users from an excel file.
Please note: this is an unofficial project and still under development!
Be aware that CTU is run at your own risk and while the script has been written with the intention of minimizing the potential for unintended consequences, the author and contributors cannot be held responsible for any misuse or script problems.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Ziyad Alshehri
- Review known issues, and comments on this Reddit post
- Fork the repo
- Use the updated psPAS (review compatibility)
- Push your changes to your fork
- Write a good commit message
- Submit a pull request
- Keep pull requests limited to a single issue
- Discussion, or necessary changes may be needed before merging the contribution.
-Pete Maan: for psPAS module which was extremely helpful to interface with CyberArk RestAPI using PowerShell
-Joe Garcia: for the official CyberArk RestAPI documentation, and for Password Utility Upload PUU v2