public/Update-VPASSafeMember.ps1

<#
.Synopsis
   UPDATE SAFE MEMBER
   CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com
.DESCRIPTION
   USE THIS FUNCTION TO UPDATE A SAFE MEMBER OF A SAFE IN CYBERARK
.PARAMETER NoSSL
   If the environment is not set up for SSL, API calls will be made via HTTP not HTTPS (Not Recommended!)
.PARAMETER token
   HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc).
   If -token is not passed, function will use last known hashtable generated by New-VPASToken
.PARAMETER member
   Target unique safe member name
.PARAMETER safe
   Target unique safe name
.PARAMETER AllPerms
   Enables all safe permissions
.PARAMETER AllAccess
   Enables all Access safe permissions (UseAccounts, RetrieveAccounts, ListAccounts)
.PARAMETER AllAccountManagement
   Enables all AccountManagement safe permissions (AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts)
.PARAMETER AllMonitor
   Enables all Monitor safe permissions (ViewAuditLog, ViewSafeMembers)
.PARAMETER AllSafeManagement
   Enables all SafeManagement safe permissions (ManageSafe, ManageSafeMembers, BackupSafe)
.PARAMETER AllWorkflow
   Enables all Workflow safe permissions (RequestsAuthorizationLevel(1), AccessWithoutConfirmation)
.PARAMETER AllAdvanced
   Enables all Advanced safe permissions (CreateFolders, DeleteFolders, MoveAccountsAndFolders)
.PARAMETER UseAccounts
   Gives the ability use accounts in a safe (click the connect button)
.PARAMETER RetrieveAccounts
   Gives the ability to pull accounts credentials in a safe (click the Show/Copy buttons)
.PARAMETER ListAccounts
   Gives the ability to view accounts in a safe
.PARAMETER AddAccounts
   Gives the ability to add accounts in a safe
.PARAMETER UpdateAccountContent
   Gives the ability to manually update accounts secrets in a safe
.PARAMETER UpdateAccountProperties
   Gives the ability to update account properties in a safe (username field, address field, etc)
.PARAMETER InitiateCPMAccountManagementOperations
   Gives the ability to trigger the CPM to run a change, verify, or reconcile on accounts in a safe
.PARAMETER SpecifyNextAccountContent
   Gives the ability to specify what the next password the CPM will push to accounts in a safe
.PARAMETER RenameAccounts
   Gives the ability to modify the ObjectName of accounts in a safe
.PARAMETER DeleteAccounts
   Gives the ability to delete accounts from a safe
.PARAMETER UnlockAccounts
   Gives the ability to unlock or check-in locked account on someone else's behalf in a safe
.PARAMETER ManageSafe
   Gives the ability to modify safe details (DaysRetention, VersionRetention, Description, etc)
.PARAMETER ManageSafeMembers
   Gives the ability to add, remove, modify safe members on a safe
.PARAMETER BackupSafe
   Gives the ability to backup a safe
.PARAMETER ViewAuditLog
   Gives the ability to view the activities performed on accounts in a safe
.PARAMETER ViewSafeMembers
   Gives the ability to view safe members on a safe
.PARAMETER AccessWithoutConfirmation
   Gives the ability to access the safe without needing confirmation from an approver
.PARAMETER CreateFolders
   Gives the ability to create folders in a safe
.PARAMETER DeleteFolders
   Gives the ability to delete folders from a safe
.PARAMETER MoveAccountsAndFolders
   Gives the ability to move accounts and folders from one safe to another
.PARAMETER RequestsAuthorizationLevel
   Gives the ability to approve or deny users from using an account based on level (Level1, Level2, or none) in a safe
   Possible values: 0, 1, 2
.EXAMPLE
   $UpdateSafeMemberJSON = Update-VPASSafeMember -member {MEMBER VALUE} -safe {SAFE VALUE} -AllPerms
.EXAMPLE
   $UpdateSafeMemberJSON = Update-VPASSafeMember -member {MEMBER VALUE} -safe {SAFE VALUE} -AllAccess -AllMonitor
.EXAMPLE
   $UpdateSafeMemberJSON = Update-VPASSafeMember -member {MEMBER VALUE} -safe {SAFE VALUE} -UseAccounts -RetrieveAccounts -AllMonitor
.OUTPUTS
   JSON Object (SafeMemberDetails) if successful
   $false if failed
#>

function Update-VPASSafeMember{
    [OutputType('System.Object',[bool])]
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Enter target SafeMember to update (for example: 'Vault Admins')",Position=0)][String]$member,
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Enter safe of target SafeMember to update (for example: TestSafe1)",Position=1)][String]$safe,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)][Switch]$AllPerms,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)][Switch]$AllAccess,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=4)][Switch]$AllAccountManagement,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=5)][Switch]$AllMonitor,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=6)][Switch]$AllSafeManagement,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=7)][Switch]$AllWorkflow,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=8)][Switch]$AllAdvanced,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=9)][Switch]$UseAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=10)][Switch]$RetrieveAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=11)][Switch]$ListAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=12)][Switch]$AddAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=13)][Switch]$UpdateAccountContent,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=14)][Switch]$UpdateAccountProperties,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=15)][Switch]$InitiateCPMAccountManagementOperations,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=16)][Switch]$SpecifyNextAccountContent,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=17)][Switch]$RenameAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=18)][Switch]$DeleteAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=19)][Switch]$UnlockAccounts,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=20)][Switch]$ManageSafe,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=21)][Switch]$ManageSafeMembers,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=22)][Switch]$BackupSafe,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=23)][Switch]$ViewAuditLog,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=24)][Switch]$ViewSafeMembers,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=25)][Switch]$AccessWithoutConfirmation,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=26)][Switch]$CreateFolders,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=27)][Switch]$DeleteFolders,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=28)][Switch]$MoveAccountsAndFolders,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=29)][ValidateSet(0,1,2)][int]$RequestsAuthorizationLevel,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=30)][hashtable]$token,
        [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=31)]
        [Switch]$NoSSL

    )

    Begin{
        $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL = Get-VPASSession -token $token
    }
    process{

        Write-Verbose "SUCCESSFULLY PARSED PVWA VALUE"
        Write-Verbose "SUCCESSFULLY PARSED TOKEN VALUE"
        Write-Verbose "SUCCESSFULLY PARSED MEMBER VALUE"
        Write-Verbose "SUCCESSFULLY PARSED SAFE VALUE"


        Write-Verbose "INITIALIZING SET PERMISSIONS"
        $AllPermsChecked = 0
        $AllAccessChecked = 0
        $AllAccountManagementChecked = 0
        $AllMonitorChecked = 0
        $AllWorkflowChecked = 0
        $AllAdvancedChecked = 0
        $AllSafeManagementChecked = 0

        #CHECKING SECTION PERMISSIONS
        Write-Verbose "CHECKING SET PERMISSIONS"
        if($AllPerms){$AllPermsChecked = 1}else{$AllPermsChecked = 0}
        if($AllAccess){$AllAccessChecked = 1}else{$AllAccessChecked = 0}
        if($AllAccountManagement){$AllAccountManagementChecked = 1}else{$AllAccountManagementChecked = 0}
        if($AllMonitor){$AllMonitorChecked = 1}else{$AllMonitorChecked = 0}
        if($AllWorkflow){$AllWorkflowChecked = 1}else{$AllWorkflowChecked = 0}
        if($AllAdvanced){$AllAdvancedChecked = 1}else{$AllAdvancedChecked = 0}
        if($AllSafeManagement){$AllSafeManagementChecked = 1}else{$AllSafeManagementChecked = 0}

        #SETTING SECTION PERMISSIONS
        if($AllPermsChecked -eq 1){
            Write-Verbose "ALL PERMISSIONS CHECKED"
            $pUseAccounts = $true
            $pRetrieveAccounts = $true
            $pListAccounts = $true
            $pAddAccounts = $true
            $pUpdateAccountContent = $true
            $pUpdateAccountProperties = $true
            $pInitiateCPMAccountManagementOperations = $true
            $pSpecifyNextAccountContent = $true
            $pRenameAccounts = $true
            $pDeleteAccounts = $true
            $pUnlockAccounts = $true
            $pManageSafe = $true
            $pManageSafeMembers = $true
            $pBackupSafe = $true
            $pViewAuditLog = $true
            $pViewSafeMembers = $true
            $pRequestsAuthorizationLevel = 1
            $pAccessWithoutConfirmation = $true
            $pCreateFolders = $true
            $pDeleteFolders = $true
            $pMoveAccountsAndFolders = $true
        }
        if($AllAccessChecked -eq 1){
            Write-Verbose "ALL ACCESS PERMISSIONS CHECKED"
            $pUseAccounts = $true
            $pRetrieveAccounts = $true
            $pListAccounts = $true
        }
        if($AllAccountManagementChecked -eq 1){
            Write-Verbose "ALL ACCOUNT MANAGEMENT PERMISSIONS CHECKED"
            $pAddAccounts = $true
            $pUpdateAccountContent = $true
            $pUpdateAccountProperties = $true
            $pInitiateCPMAccountManagementOperations = $true
            $pSpecifyNextAccountContent = $true
            $pRenameAccounts = $true
            $pDeleteAccounts = $true
            $pUnlockAccounts = $true
        }
        if($AllSafeManagementChecked -eq 1){
            Write-Verbose "ALL SAFE MANAGEMENT PERMISSIONS CHECKED"
            $pManageSafe = $true
            $pManageSafeMembers = $true
            $pBackupSafe = $true
        }
        if($AllMonitorChecked -eq 1){
            Write-Verbose "ALL MONITOR PERMISSIONS CHECKED"
            $pViewAuditLog = $true
            $pViewSafeMembers = $true
        }
        if($AllWorkflowChecked -eq 1){
            Write-Verbose "ALL WORKFLOW PERMISSIONS CHECKED"
            $pRequestsAuthorizationLevel = 1
            $pAccessWithoutConfirmation = $true
        }
        if($AllAdvancedChecked -eq 1){
            Write-Verbose "ALL ADVANCED PERMISSIONS CHECKED"
            $pCreateFolders = $true
            $pDeleteFolders = $true
            $pMoveAccountsAndFolders = $true
        }

        #CHECKING SINGLE PERMISSIONS
        if($AllPermsChecked -eq 0 -and $AllAccessChecked -eq 0){
            Write-Verbose "ANALYZING USE ACCOUNTS PERMISSION"
            if($UseAccounts){$pUseAccounts = $true}else{$pUseAccounts = $false}
            Write-Verbose "ANALYZING RETRIEVE ACCOUNTS PERMISSION"
            if($RetrieveAccounts){$pRetrieveAccounts = $true}else{$pRetrieveAccounts = $false}
            Write-Verbose "ANALYZING LIST ACCOUNTS PERMISSION"
            if($ListAccounts){$pListAccounts = $true}else{$pListAccounts = $false}
        }
        if($AllPermsChecked -eq 0 -and $AllAccountManagementChecked -eq 0){
            Write-Verbose "ANALYZING ADD ACCOUNTS PERMISSION"
            if($AddAccounts){$pAddAccounts = $true}else{$pAddAccounts = $false}
            Write-Verbose "ANALYZING UPDATE ACCOUNT CONTENT PERMISSION"
            if($UpdateAccountContent){$pUpdateAccountContent = $true}else{$pUpdateAccountContent = $false}
            Write-Verbose "ANALYZING UPDATE ACCOUNT PROPERTIES PERMISSION"
            if($UpdateAccountProperties){$pUpdateAccountProperties = $true}else{$pUpdateAccountProperties = $false}
            Write-Verbose "ANALYZING INITIATE CPM ACCOUNT MANAGEMENT OPERATIONS PERMISSION"
            if($InitiateCPMAccountManagementOperations){$pInitiateCPMAccountManagementOperations = $true}else{$pInitiateCPMAccountManagementOperations = $false}
            Write-Verbose "ANALYZING SPECIFY NEXT ACCOUNT CONTENT PERMISSION"
            if($SpecifyNextAccountContent){$pSpecifyNextAccountContent = $true}else{$pSpecifyNextAccountContent = $false}
            Write-Verbose "ANALYZING RENAME ACCOUNTS PERMISSION"
            if($RenameAccounts){$pRenameAccounts = $true}else{$pRenameAccounts = $false}
            Write-Verbose "ANALYZING DELETE ACCOUNTS PERMISSION"
            if($DeleteAccounts){$pDeleteAccounts = $true}else{$pDeleteAccounts = $false}
            Write-Verbose "ANALYZING UNLOCK ACCOUNTS PERMISSION"
            if($UnlockAccounts){$pUnlockAccounts = $true}else{$pUnlockAccounts = $false}
        }
        if($AllPermsChecked -eq 0 -and $AllSafeManagementChecked -eq 0){
            Write-Verbose "ANALYZING MANAGE SAFE PERMISSION"
            if($ManageSafe){$pManageSafe = $true}else{$pManageSafe = $false}
            Write-Verbose "ANALYZING MANAGE SAFE MEMBERS PERMISSION"
            if($ManageSafeMembers){$pManageSafeMembers = $true}else{$pManageSafeMembers = $false}
            Write-Verbose "ANALYZING BACKUP SAFE PERMISSION"
            if($BackupSafe){$pBackupSafe = $true}else{$pBackupSafe = $false}
        }
        if($AllPermsChecked -eq 0 -and $AllMonitorChecked -eq 0){
            Write-Verbose "ANALYZING VIEW AUDIT LOG PERMISSION"
            if($ViewAuditLog){$pViewAuditLog = $true}else{$pViewAuditLog = $false}
            Write-Verbose "ANALYZING VIEW SAFE MEMBERS PERMISSION"
            if($ViewSafeMembers){$pViewSafeMembers = $true}else{$pViewSafeMembers = $false}
        }
        if($AllPermsChecked -eq 0 -and $AllWorkflowChecked -eq 0){
            Write-Verbose "ANALYZING ACCESS WITHOUT CONFIRMATION PERMISSION"
            if($AccessWithoutConfirmation){$pAccessWithoutConfirmation = $true}else{$pAccessWithoutConfirmation = $false}
            Write-Verbose "ANALYZING REQUESTS AUTHORIZATION LEVEL PERMISSION"
            if($RequestsAuthorizationLevel -eq 0){$pRequestsAuthorizationLevel = 0}
            elseif($RequestsAuthorizationLevel -eq 1){$pRequestsAuthorizationLevel = 1}
            elseif($RequestsAuthorizationLevel -eq 2){$pRequestsAuthorizationLevel = 2}
        }
        if($AllPermsChecked -eq 0 -and $AllAdvancedChecked -eq 0){
            Write-Verbose "ANALYZING CREATE FOLDERS PERMISSION"
            if($CreateFolders){$pCreateFolders = $true}else{$pCreateFolders = $false}
            Write-Verbose "ANALYZING DELETE FOLDERS PERMISSION"
            if($DeleteFolders){$pDeleteFolders = $true}else{$pDeleteFolders = $false}
            Write-Verbose "ANALYZING MOVE ACCOUNTS AND FOLDERS PERMISSION"
            if($MoveAccountsAndFolders){$pMoveAccountsAndFolders = $true}else{$pMoveAccountsAndFolders = $false}
        }

        Write-Verbose "INITIALIZING PARAMETERS FOR API CALL"
        $permissions = @{}

        if($pUseAccounts){
            Write-Verbose "ADDING USE ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ UseAccounts = $true }
        }
        if($pRetrieveAccounts){
            Write-Verbose "ADDING RETRIEVE ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ RetrieveAccounts = $true }
        }
        if($pListAccounts){
            Write-Verbose "ADDING LIST ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ ListAccounts = $true }
        }
        if($pAddAccounts){
            Write-Verbose "ADDING ADD ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ AddAccounts = $true }
        }
        if($pUpdateAccountContent){
            Write-Verbose "ADDING UPDATE ACCOUNT CONTENT PERMISSION TO API CALL"
            $permissions += @{ UpdateAccountContent = $true }
        }
        if($pUpdateAccountProperties){
            Write-Verbose "ADDING UPDATE ACCOUNT PROPERTIES PERMISSION TO API CALL"
            $permissions += @{ UpdateAccountProperties = $true }
        }
        if($pInitiateCPMAccountManagementOperations){
            Write-Verbose "ADDING INITIATE CPM ACCOUNT MANAGEMENT OPERATIONS PERMISSION TO API CALL"
            $permissions += @{ InitiateCPMAccountManagementOperations = $true }
        }
        if($pSpecifyNextAccountContent){
            Write-Verbose "ADDING SPECIFY NEXT ACCOUNT CONTENT PERMISSION TO API CALL"
            $permissions += @{ SpecifyNextAccountContent = $true }
        }
        if($pRenameAccounts){
            Write-Verbose "ADDING RENAME ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ RenameAccounts = $true }
        }
        if($pDeleteAccounts){
            Write-Verbose "ADDING DELETE ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ DeleteAccounts = $true }
        }
        if($pUnlockAccounts){
            Write-Verbose "ADDING UNLOCK ACCOUNTS PERMISSION TO API CALL"
            $permissions += @{ UnlockAccounts = $true }
        }
        if($pManageSafe){
            Write-Verbose "ADDING MANAGE SAFE PERMISSION TO API CALL"
            $permissions += @{ ManageSafe = $true }
        }
        if($pManageSafeMembers){
            Write-Verbose "ADDING MANAGE SAFE MEMBERS PERMISSION TO API CALL"
            $permissions += @{ ManageSafeMembers = $true }
        }
        if($pBackupSafe){
            Write-Verbose "ADDING BACKUP SAFE PERMISSION TO API CALL"
            $permissions += @{ BackupSafe = $true }
        }
        if($pViewAuditLog){
            Write-Verbose "ADDING VIEW AUDIT LOG PERMISSION TO API CALL"
            $permissions += @{ ViewAuditLog = $true }
        }
        if($pViewSafeMembers){
            Write-Verbose "ADDING VIEW SAFE MEMBERS PERMISSION TO API CALL"
            $permissions += @{ ViewSafeMembers = $true }
        }
        if($pRequestsAuthorizationLevel -eq 1){
            Write-Verbose "ADDING REQUESTS AUTHORIZATION LEVEL PERMISSION TO API CALL"
            $permissions += @{ RequestsAuthorizationLevel1 = $true }
        }
        elseif($pRequestsAuthorizationLevel -eq 2){
            Write-Verbose "ADDING REQUESTS AUTHORIZATION LEVEL PERMISSION TO API CALL"
            $permissions += @{ RequestsAuthorizationLevel2 = $true }
        }
        if($pAccessWithoutConfirmation){
            Write-Verbose "ADDING ACCESS WITHOUT CONFIRMATION PERMISSION TO API CALL"
            $permissions += @{ AccessWithoutConfirmation = $true }
        }
        if($pCreateFolders){
            Write-Verbose "ADDING CREATE FOLDERS PERMISSION TO API CALL"
            $permissions += @{ CreateFolders = $true }
        }
        if($pDeleteFolders){
            Write-Verbose "ADDING DELETE FOLDERS PERMISSION TO API CALL"
            $permissions += @{ DeleteFolders = $true }
        }
        if($pMoveAccountsAndFolders){
            Write-Verbose "ADDING MOVE ACCOUNTS AND FOLDERS PERMISSION TO API CALL"
            $permissions += @{ MoveAccountsAndFolders = $true }
        }

        $params = @{
            MemberName = $member
            SearchIn = $searchin
            Permissions = $permissions
        } | ConvertTo-Json

        try{
            Write-Verbose "MAKING API CALL TO CYBERARK"

            if($ISPSS){
                if($NoSSL){
                    Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                    $uri = "http://$PVWA/PasswordVault/api/Safes/$safe/Members/$member/"
                }
                else{
                    Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                    $uri = "https://$PVWA/PasswordVault/api/Safes/$safe/Members/$member/"
                }
            }
            else{
                if($NoSSL){
                    Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS"
                    $uri = "http://$PVWA/PasswordVault/api/Safes/$safe/Members/$member"
                }
                else{
                    Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS"
                    $uri = "https://$PVWA/PasswordVault/api/Safes/$safe/Members/$member"
                }
            }

            if($sessionval){
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method PUT -Body $params -ContentType "application/json" -WebSession $sessionval
            }
            else{
                $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method PUT -Body $params -ContentType "application/json"
            }
            Write-Verbose "PARSING DATA FROM CYBERARK"
            Write-Verbose "RETURNING JSON OBJECT"
            return $response
        }catch{
            Write-Verbose "UNABLE TO UPDATE SAFE MEMBER"
            Write-VPASOutput -str $_ -type E
            return $false
        }
    }
    End{

    }
}