Account Groups

The PrivilegedAccountGroup Class

PrivilegedAccountGroup is a Python class that represents a CyberArk Account Group, so that code does not have to manipulate dictionaries. Most of the following functions work with objects of this class.

It has the following mandatory attributes:
  • name: CyberArk name of the account group (eg “sample_group_name”)

  • group_platform: The group platform (eg “sample_group_platform”)

  • safeName: The safe in which the account is stored (eg DBA-Safe).

It has the following extra attributes:
  • id: CyberArk unique ID of the account group (eg 43_391)

Functions

async list_by_safe(self, safe_name: str)

List all groups for a given safe

Parameters:

safe_name – name of the safe

Returns:

a list of PrivilegedAccountGroups

async get_account_group_id(self, group_name: str, safe: str)

Get account_group_id with the group_name and the safe

Parameters:
  • group_name – the name of the group

  • safe – The name of the safe

Returns:

The group ID

async members(self, group)

Returns the list of members (PrivilegedAccount) for a given PrivilegedAccountGroup

Parameters:

group – PrivilegedAccountGroup or group_id

Returns:

List of members of a group

async add(self, group_name: str, group_platform: str, safe_name: str)

Add a privileged account group using group name, group platform and safe name

Parameters:
  • group_name – group name

  • group_platform – group platform

  • safe_name – safe name

Returns:

group id

async add_privileged_account_group(self, account_group: PrivilegedAccountGroup)

Add a privileged account group using a Privileged Account Group object

Parameters:

account_group – a PrivilegedAccountGroup object

Returns:

group id

async add_member(self, account: (<class 'aiobastion.accounts.PrivilegedAccount'>, <class 'str'>), group: (<class 'aiobastion.accountgroup.PrivilegedAccountGroup'>, <class 'str'>))

Add accounts to a group (specified by PrivilegedAccountGroup object or group_id)

Parameters:
  • account – PrivilegedAccount or account_id

  • group – PrivilegedAccountGroup or group_id (get it with

Returns:

dict with {‘AccountID’ : ‘acc_id’}

Raises:

CyberarkAPIException with err.http_status == 400 if account was already in a group

async delete_member(self, account: (<class 'aiobastion.accounts.PrivilegedAccount'>, <class 'str'>), group: (<class 'aiobastion.accountgroup.PrivilegedAccountGroup'>, <class 'str'>))

Delete the member of an account group

Parameters:
  • account – PrivilegedAccount or account_id

  • group – PrivilegedAccountGroup or privileged_account_id

Returns:

Boolean

async move_account_group(self, account_group_name: str, src_safe: str, dst_safe: str)

Move an account_group and its members from a safe to another safe

Parameters:
  • account_group_name

  • src_safe

  • dst_safe – Where to store the account group

Returns:

the new account group ID, or False if no group was found

async move_all_account_groups(self, src_safe, dst_safe, account_filter: dict = None)

Move all account groups from a safe to another safe. Members of the account groups are also moved!

Parameters:
  • src_safe – Source safe

  • dst_safe – Destination safe

  • account_filter – filter on accounts base file category, for example: {"platformId": "Unix-SSH"}
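
Because move_all_account_groups also moves every member account, it helps to inventory the source safe first. The following dry run is an added example, not part of aiobastion: it relies only on list_by_safe() and members() as documented above, and the stub classes, sample names and the name-collision check are constructed assumptions so that it runs offline.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class StubGroup:  # constructed stand-in for PrivilegedAccountGroup
    name: str
    group_platform: str
    safeName: str
    id: str = ""

class StubAccountGroups:
    """Offline stand-in exposing only list_by_safe() and members() as documented."""
    def __init__(self, groups, membership):
        self._groups, self._membership = groups, membership

    async def list_by_safe(self, safe_name: str):
        return [g for g in self._groups if g.safeName == safe_name]

    async def members(self, group):
        group_id = getattr(group, "id", group)  # accepts an object or a group_id
        return self._membership.get(group_id, [])

async def plan_move(api, src_safe: str, dst_safe: str) -> dict:
    """Dry run: report what moving every group out of src_safe would touch."""
    src_groups, dst_groups = await asyncio.gather(
        api.list_by_safe(src_safe), api.list_by_safe(dst_safe))
    member_lists = await asyncio.gather(*(api.members(g) for g in src_groups))
    dst_names = {g.name for g in dst_groups}
    return {
        "groups": {g.name: [str(m) for m in ms]
                   for g, ms in zip(src_groups, member_lists)},
        "accounts_affected": sum(len(ms) for ms in member_lists),
        # Same group name already present in the destination: review before moving.
        "name_collisions": sorted(g.name for g in src_groups if g.name in dst_names),
    }

# Constructed sample data (safe, group and account names are made up).
SAMPLE = StubAccountGroups(
    groups=[StubGroup("db_cluster", "sample_group_platform", "DBA-Safe", "43_391"),
            StubGroup("web_pool", "sample_group_platform", "DBA-Safe", "43_392"),
            StubGroup("web_pool", "sample_group_platform", "OPS-Safe", "51_007")],
    membership={"43_391": ["acct-ora1", "acct-ora2"], "43_392": ["acct-web1"]},
)

if __name__ == "__main__":
    print(asyncio.run(plan_move(SAMPLE, "DBA-Safe", "OPS-Safe")))
```

With a live vault, pass the object that exposes the functions documented on this page in place of the stub, and keep the returned plan with the change record.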