Issue with CPM permissions in Add-PASSafeMember.ps1 script #349
Labels
bug: fixed
Contains a bug resolution
Comments
Thanks for the report @Wim-Dams, will find some time to take a look.
pspete added a commit that referenced this issue May 22, 2021
Resolves issue where some permissions may not be applied when using the Gen2 API. Removes redundant parametersets `Gen1-CPM` & `Gen2-CPM`. #349
Hi Pete,
Thank you very much for looking into this.
Issue only happens when you pipe your object to the Add-PASSafeMember command. When you really specify the individual parameters it indeed works.
```powershell
Connect-ScriptAccount
#Remove-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300"
$SafePermissions = [PSCustomObject]@{
    UseAccounts = $True
    ListAccounts = $True
    RetrieveAccounts = $True
    InitiateCPMAccountManagementOperations = $True
    SpecifyNextAccountContent = $True
}
#$SafeType = get-DefaultSafePermissions | where SafeType -eq Personal | where userobject -eq "0005_GS_CSK_PERS_"
#$SafePermissions = $Safetype.permissions
$SafePermissions | Add-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300" -SearchIn "ActiveDirectory" | Select-Object -ExpandProperty Permissions
#Add-PASSafeMember -SafeName "PERS_U30300" -MemberName "U30300" -UseAccounts $True -InitiateCPMAccountManagementOperations $True -SpecifyNextAccountContent $True | Select-Object -ExcludeProperty Permissions
Get-PASSafeMember -SafeName "PERS_U30300" | where UserName -eq U30300
```

```
useAccounts : True
retrieveAccounts : True
listAccounts : True
addAccounts : False
updateAccountContent : False
updateAccountProperties : False
initiateCPMAccountManagementOperations : False
specifyNextAccountContent : False
renameAccounts : False
deleteAccounts : False
unlockAccounts : False
manageSafe : False
manageSafeMembers : False
backupSafe : False
viewAuditLog : False
viewSafeMembers : False
accessWithoutConfirmation : False
createFolders : False
deleteFolders : False
moveAccountsAndFolders : False
requestsAuthorizationLevel1 : False
requestsAuthorizationLevel2 : False
safeUrlId : PERS_U30300
safeName : PERS_U30300
safeNumber : 54
memberId : 106
memberName : U30300
memberType : User
membershipExpirationDate :
isExpiredMembershipEnable : False
isPredefinedUser : False
permissions : @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False; updateAccountContent=False; updateAccountProperties=False; initiateCPMAccountManagementOperations=False; specifyNextAccountContent=False;
renameAccounts=False; deleteAccounts=False; unlockAccounts=False; manageSafe=False; manageSafeMembers=False; backupSafe=False; viewAuditLog=False; viewSafeMembers=False; accessWithoutConfirmation=False; createFolders=False;
deleteFolders=False; moveAccountsAndFolders=False; requestsAuthorizationLevel1=False; requestsAuthorizationLevel2=False}
UserName : U30300
```
From: Pete Maan ***@***.***>
Sent: Saturday, May 22, 2021 2:07
To: pspete/psPAS ***@***.***>
CC: Wim-Dams ***@***.***>; Mention ***@***.***>
Subject: Re: [pspete/psPAS] Issue with CPM permissions in Add-PASSafeMember.ps1 script (#349)
Hi @Wim-Dams <https://github.com/Wim-Dams> - the issue is not reproducible here.
```powershell
Add-PASSafeMember -SafeName issue_349 -MemberName pspete `
    -InitiateCPMAccountManagementOperations $true `
    -SpecifyNextAccountContent $true |
    Select-Object -ExpandProperty Permissions
```

```
useAccounts : False
retrieveAccounts : False
listAccounts : False
addAccounts : False
updateAccountContent : False
updateAccountProperties : False
initiateCPMAccountManagementOperations : True
specifyNextAccountContent : True
renameAccounts : False
deleteAccounts : False
unlockAccounts : False
manageSafe : False
manageSafeMembers : False
backupSafe : False
viewAuditLog : False
viewSafeMembers : False
accessWithoutConfirmation : False
createFolders : False
deleteFolders : False
moveAccountsAndFolders : False
requestsAuthorizationLevel1 : False
requestsAuthorizationLevel2 : False
```
Can you provide more information?
Do the permissions get added if the -UseGen1API switch is specified?
What is the content of $PermissionObject.Permissions?
Hi @Wim-Dams - yes, initially I couldn't replicate, but then noticed the same regarding piping an object into the function. Thanks for reporting this, very much appreciated!
Describe the issue
I really love this psPAS module, but when we upgraded to version 5.0.0, suddenly all newly created safes didn't have the CPM permissions anymore.
When we just use the Add-PASSafeMember script like below, it sets all permissions except InitiateCPMAccountManagementOperations=True; SpecifyNextAccountContent=True;
CommandUsed =
```powershell
$result = $PermissionObject.Permissions | Add-PASSafeMember -SafeName $SafeName -MemberName $UserName -SearchIn $SearchInValue -ErrorAction Stop
```
Possible fix
My current quickfix was to add the following to these 2 parameters.
```powershell
[parameter(
    Mandatory = $true,
    ValueFromPipelinebyPropertyName = $true,
    ParameterSetName = 'Gen2'
)]
```
In the script itself it uses "{ $PSItem -match '^Gen2' }", so everything that starts with Gen2, like Gen2-CPM, is accepted, so I guess the issue is in the command "ConvertTo-SortedPermission -Gen2", where you only do a case check on the complete value and discard all the rest.
I'm not sure my quickfix was a good one.
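A check that surfaces the silent drop described in this thread, added here as an example (it is not psPAS code): it compares the permissions that were requested with the permissions the API reports back. `Compare-SafePermission` is a hypothetical helper, and the `$Applied` object is a constructed sample holding the relevant values from the output posted in the thread.

```powershell
# Hypothetical helper (not part of psPAS): return every permission whose
# applied value differs from the value that was requested.
function Compare-SafePermission {
    param(
        # Object that was piped to Add-PASSafeMember
        [Parameter(Mandatory = $true)]
        [psobject]$Requested,
        # Permissions object returned by the API
        [Parameter(Mandatory = $true)]
        [psobject]$Applied
    )
    foreach ($Property in $Requested.PSObject.Properties) {
        # Member lookup is case-insensitive: 'UseAccounts' finds 'useAccounts'.
        $Found = $Applied.PSObject.Properties[$Property.Name]
        $AppliedValue = if ($null -ne $Found) { $Found.Value } else { $null }
        if ($AppliedValue -ne $Property.Value) {
            [PSCustomObject]@{
                Permission = $Property.Name
                Requested  = $Property.Value
                Applied    = $AppliedValue
            }
        }
    }
}

# Requested permissions, as in the reproduction posted in the thread.
$Requested = [PSCustomObject]@{
    UseAccounts                            = $true
    ListAccounts                           = $true
    RetrieveAccounts                       = $true
    InitiateCPMAccountManagementOperations = $true
    SpecifyNextAccountContent              = $true
}
# Constructed sample: the relevant values from the output in the thread.
$Applied = [PSCustomObject]@{
    useAccounts                            = $true
    retrieveAccounts                       = $true
    listAccounts                           = $true
    initiateCPMAccountManagementOperations = $false
    specifyNextAccountContent              = $false
}

$Dropped = @(Compare-SafePermission -Requested $Requested -Applied $Applied)
if ($Dropped.Count -gt 0) {
    $Dropped | Format-Table -AutoSize
    Write-Warning "$($Dropped.Count) requested permission(s) were not applied"
}
```

In a provisioning script, `$Applied` would instead be the result of `$Requested | Add-PASSafeMember ... | Select-Object -ExpandProperty Permissions`, as in the reproduction in the thread.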