Accounts
In the following table, Account design a PrivilegedAccount object described below.
Section |
Description |
---|---|
Search and find accounts in the vault |
|
Create accounts |
|
get, update, link, delete and move accounts |
|
Change, reconcile, verify, set or get passwords |
|
Disable or resume password management, get CPM Status |
|
Add or remove account to an account group |
|
Other account related function, connect, get ID, find FC path… |
The PrivilegedAccount Class
PrivilegedAccount is a Python class that represent a Cyberark Account to avoid dictionary manipulation in code. Most of the following function works with objects of this class. It was made the most generic possible, however you can completely customize it you way using inheritance.
- It has the following mandatory attributes:
name: Cyberark name of the account (eg unixsrv01-dbadmin).
platformId: ID of the platform (eg UnixSSH).
safeName: The safe in which the account is stored (eg DBA-Safe).
- It has the following extra attributes:
userName: Username of the account (eg dbadmin)
address: Address of the account (eg unixsev01)
id: Cyberark unique ID of the account (eg 12-451)
secret: The password of the account
secretManagement: A dictionary with the secret management infos
secretType: The type of password (“password” or “key”)
platformAccountProperties: A dictionary with all optional file categories
remoteMachinesAccess: A dictionary with the remote machines access infos
- it has the following methods :
get_name : return the computed name “address-username”
to_json: return a dict representation of the Object
cpm_status: return the CPM status of the account
last_modified : return the last modified time (days since last password change)
- About linked account index :
reconcile account index: 3 - you should NOT change it unless your system has different custom value.
logon account index: 2 - this is different from the installation (1). The default value is kept at 2 to avoid breaking existing users. You can override it to 1 by providing a “custom.LOGON_ACCOUNT_INDEX” value in your config.
Calling functions
Finding accounts
- async search_account_by(keywords=None, username=None, address=None, safe=None, platform=None, **kwargs) list
- This function allow to search using one or more parameters and return list of address id.This is the easiest way to retrieve accounts from the vault.It allows you to either search on given keywords, or more precisely on an account attribute.
For example:
accounts = await search_account_by(username="admin", safe="Linux-SRV", my_custom_FC="Database")
- Parameters:
keywords – free search
username – username search (field “userName”)
address – IP address search (field “address”)
safe – search in particular safe
platform – search by platform name (no space) (field “platformId”)
kwargs – any searchable key = value
- Returns:
A list of PrivilegedAccounts
⚠️ Note: This function doesn’t populate the secret field (password), you have to make a separated call if you want to get it.
- async search_account(self, expression: str)
This function search an address using free text search and return a list a Privileged Account objects
- Parameters:
expression – List of keywords to search for in accounts, separated by a space.
- Returns:
List of PrivilegedAccount objects
ℹ️ See also search_account_by function
- async search_account_iterator(self, keywords=None, username=None, address=None, safe=None, platform=None, **kwargs) AsyncIterator[PrivilegedAccount]
- This function allow to search using one or more parameters and return list of address id.
- Parameters:
keywords – free search
username – username search (field “userName”)
address – IP address search (field “address”)
safe – search in particular safe
platform – search by platform name (no space) (field “platformId”)
kwargs – any searchable key = value
- Returns:
an async generator of PrivilegedAccounts
ℹ️ See also search_account_by
- async search_account_paginate(self, page: int = 1, size_of_page: int = 1000, safe: str = None, search: str = None, **kwargs)
Search accounts in a paginated way
- Parameters:
search – free search
page – The page number (starting at 1)
size_of_page – the size of pages (max 1000)
safe – the safe name, if wanted
kwargs – whatever file category you want to find
- Returns:
A dictionary with keys:
accounts : This is a list of matched account for the given page
has_next_page : A boolean hat indicated if there is a next page
ℹ️ For your convenience you can use platform=”PF-NAME” instead of platformID (and thus if you have a custom “platform” FC it will not be considered).
- async search_account_by_ip_addr(self, address: PrivilegedAccount | str)
This function will search an account by IP address by checking if “address” is a valid IPv4 address and checking if “Address” property of the account is exactly the given address. You can also provide an PrivilegedAccount, the function will search on its address property
- Parameters:
address – A PrivilegedAccount object or IPv4 valid address
- Returns:
A list of “PrivilegedAccount” objects
Creating accounts
- async add_account_to_safe(self, account: PrivilegedAccount | List[PrivilegedAccount]) str
This function support list of PrivilegedAccount as argument
This function creates the PrivilegedAccount (or the list of PrivilegedAccount) in the account’s safe (the safe attribute of the account). If the account(s) already exists, then raises a CyberarkAPIException
- Parameters:
account – PrivilegedAccount or list ofPrivilegedAccount
- Returns:
account_id or list(account_id | exceptions)
- Raises:
CyberarkAPIException – If there is something wrong
Account management
- async update_file_category(self, account, file_category, new_value)
Update the file category (or list of FC) with the new value (or list of new values) If the FC does not exist, it will create it
- Parameters:
account – address, list of accounts, account_id, list of accounts id
file_category – a file category or a list of file category
new_value – the new value of the list of new values
- async update_platform(self, account: PrivilegedAccount | List[PrivilegedAccount], new_platform: str)
This function updates the account’s (or list) platform
- Parameters:
account – PrivilegedAccount, list of Privileged Accounts
new_platform – The new plaform ID (e.g. Unix-SSH)
- Returns:
True if succeeded
- async update_single_fc(self, account, file_category, new_value, operation='replace')
Update / Delete / Create a File Category for an account or a list of accounts The path of the file_category is (hopefully) automatically detected
- Parameters:
account – address, list of accounts, account_id, list of accounts id
file_category – the File Category to update
new_value – The new value of the FC
operation – Replace, Remove or Add
- Returns:
The updated PrivilegedAccount or the list of updated PrivilegedAccount
- Raises:
AiobastionException – if the FC was not found in the Vault
CyberarkAPIException – if another error occured
- async update_using_list(self, account, data) PrivilegedAccount | List[PrivilegedAccount]
This function support list of PrivilegedAccount as argument
This function updates an account (or list) with the data list of changes. For more infos, check CyberArk doc.Valid operations are : Replace, Remove or AddFor example:
# insert here logon to vault and retrieve an account data = [ {"path": "/name", "op": "replace", "value": new_name}, {"path": "/address", "op": "replace", "value": new_address}, {"path": "/platformId", "op": "replace", "value": new_platformId}, ] is_updated = await epv.account.update_using_list(account, data)
- Parameters:
account – address, list of accounts, account_id, list of accounts id
data – The list of FC to change.
- Returns:
The updated PrivilegedAccount or the list of updated PrivilegedAccount
- async move(self, account: PrivilegedAccount | List[PrivilegedAccount], new_safe: str)
Delete the account (or list) and recreate it (or them) in with the same parameters and password in the new safe.
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
new_safe – New safe to move the account(s) into
- Returns:
Boolean that indicates if the operation was successful
- async link_account(self, account: PrivilegedAccount, link_account: PrivilegedAccount, extra_password_index: int, folder='Root') bool
Links the account of the given PrivilegedAccount (or the list of accounts) to the given PrivilegedAccount
- Parameters:
account – The target address
link_account – The linked address (reconcile or logon address)
extra_password_index – 1 for logon, 3 for reconcile
folder – “Root” by default
- Returns:
True if success, exception otherwise
- async link_logon_account(self, account: PrivilegedAccount | List[PrivilegedAccount], logon_account: PrivilegedAccount)
- This function links the account (or the list of accounts) to the given logon account⚠️ The “logon” Account is supposed to have an index of 2
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
logon_account – The logon PrivilegedAccount object
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed
- async link_reconciliation_account(self, account: PrivilegedAccount | List[PrivilegedAccount], reconcile_account: PrivilegedAccount)
- This function links the account (or the list of accounts) to the given reconcile account⚠️ The “reconcile” Account is supposed to have an index of 3
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
reconcile_account – The reconciliation PrivilegedAccount object
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed
- async link_reconcile_account_by_address(self, acc_username, rec_acc_username, address)
This function links the account with the given username and address to the reconciliation account with the given rec_account_username and the given address
- Parameters:
acc_username – username of the account to link
rec_acc_username – username of the reconciliation account
address – address of both accounts
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed
- async unlink_account(self, account: PrivilegedAccount | List[PrivilegedAccount], extra_password_index: int)
This function unlinks the account of the given account (or the list of accounts) | ⚠️ Double-check the linked account index on your platform.
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
extra_password_index – The index of the account that must be unlinked
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed:
- async remove_logon_account(self, account: PrivilegedAccount | List[PrivilegedAccount])
- This function unlinks the logon account of the given account (or the list of accounts)⚠️ The “logon” Account index is default to 2 but can be set differently on the platformYou can change it by setting custom:LOGON_ACCOUNT_INDEX in your config file
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed:
- async remove_reconcile_account(self, account: PrivilegedAccount | List[PrivilegedAccount])
- This function unlinks the reconciliation account of the given account (or the list of accounts)⚠️ The “reconcile” Account is supposed to have an index of 3You can change it by setting custom:RECONCILE_ACCOUNT_INDEX in your config file
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If link failed:
- async delete(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str])
This function support list of PrivilegedAccount as argument
This deletes the account (or list).⚠️ If this is an SSH Key, this function will delete it on the Vault but not on systems!- Parameters:
account – PrivilegedAccount or list(PrivilegedAccount) to delete
- Returns:
True if succeeded
- Raises:
CyberarkException – If delete failed
Password Actions
- async change_password(self, account: PrivilegedAccount | str, change_group=False)
- This function set the account (or list) for immediate change.Keep in mind that for list, exceptions are returned and not raised.
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
change_group – change entire group, default to False
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If change failed
- async reconcile(self, account: PrivilegedAccount | str)
- This function set the account (or list) for immediate reconciliation.Keep in mind that for list, exceptions are returned and not raised.
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If reconciliation failed
- async verify(self, account: PrivilegedAccount | str)
- This function set the account (or list) for immediate verification.Keep in mind that for list, exceptions are returned and not raised.
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
A boolean that indicates if the operation was successful.
- Raises:
CyberarkException – If verify failed
- async get_secret(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str])
Get the secret of an account, detecting if the secret type is password or key
- Parameters:
account – A PrivilegedAccount object, or a list of PrivilegedAccount objects
- Returns:
The password, key or list of passwords / keys.
- async get_password(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str], reason: str = None)
- Retrieve the password of an address✅ Use get_secret instead if you want to retrieve password or ssh_key
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
reason – The reason that is required to retrieve the password
- Returns:
Account password value (or list of passwords)
- Raises:
CyberarkException – If retrieve failed
- async get_password_aim(self, **kwargs)
- Retrieve secret password from the Central Credential Provider (AIM) GetPassword Web Service information.
- ℹ️ The following parameters are optional searchable keys, see CyberArk documentation in
Developer/Central Credential Provider/Call the Central Credential Provider Web Service …/REST
- Parameters:
username – User account name
safe – Safe where the account is stored.
object – Name of the account to retrieve (unique for a specific safe).
folder – Name of the folder property
address – Address account property
database – Database account property
policyid – Policy account property
reason – The reason for retrieving the password. This reason will be audited in the Credential Provider audit log.
query – Defines a free query using account properties, including Safe, folder, and object. When this method is specified, all other search criteria (Safe/Folder/ Object/UserName/Address/PolicyID/Database) are ignored and only the account properties that are specified in the query are passed to the Central Credential Provider in the password request.
queryformat – Defines the query format, which can optionally use regular expressions. Possible values are: Exact or Regexp
failrequestonpasswordchange – Boolean, Whether or not an error will be returned if this web service is called when a password change process is underway.
- Returns:
namedtuple of (secret, detail)
secret = passworddetail = dictionary from the Central Credential Provider (AIM) GetPassword Web Service.- Raises:
CyberarkAIMnotFound – Account not found
CyberarkAPIException – HTTP error or CyberArk error
CyberarkException – Runtime error
AiobastionException – AIM configuration setup error
- async get_secret_aim(self, account: PrivilegedAccount | List[PrivilegedAccount], reason: str = None)
This function support list of PrivilegedAccount as argument
This function update the secret attribute of the PrivilegedAccount with the password returned by the AIM Web service. If the account is not found, the secret is set to None.- Parameters:
account (PrivilegedAccount, list) – A PrivilegedAccount object, or a list of PrivilegedAccount objects
reason – The reason for retrieving the password. This reason will be audited in the Credential Provider audit log. (optional)
- Returns:
PrivilegedAccount Object updated, if the password is not found the secret will be None
- Raises:
CyberarkAPIException – HTTP error or CyberArk error
CyberarkException – Runtime error
AiobastionException – AIM configuration setup error
- async get_ssh_key(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str])
Retrieve the SSH Key of an account
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
SSH key value, or a list of ssh key values
- async get_secret_versions(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str], reason: str = None)
Retrieve the secret versions
- Parameters:
account – Privileged Account or address id
reason – The reason that is required to retrieve the password
- Returns:
Account password value
- async set_password(self, account, password)
Set the password for the given address in the Vault
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
password – new password to set
- Returns:
True if success
- Raises:
CyberarkException – If set password failed (your platform enforce complexity, or you don’t have rights)
- async set_next_password(self, account, password)
Set the next password for the given address to be set by the CPM
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
password – new password to set
- Returns:
True if change was successfully planned.
- async restore_last_cpm_version(self, account: PrivilegedAccount, cpm)
Find in the history of passwords the last password set by the CPM and updates the password accordingly in the Vault
- Parameters:
account – a PrivilegedAccount object
cpm – the name of the CPM who set the password
- Returns:
True if success
- Raises:
AiobastionException – if no CPM version was found
- async restore_last_cpm_version_by_cpm(self, account: PrivilegedAccount, cpm)
Find in the history of passwords the last password set by the CPM and schedule a password change with this value
- Parameters:
account – a PrivilegedAccount object
cpm – the name of the CPM who set the password
- Returns:
True if success
- Raises:
AiobastionException – if there is no CPM version for this account
Password management
- async disable_password_management(self, account: PrivilegedAccount | List[PrivilegedAccount], reason: str = '')
This disables the account (or list) password management
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
reason – The reason of disabling password management (defaults to empty string)
- Returns:
The list of updated accounts, or exceptions
- Raises:
CyberarkException – If disabling failed.
- async resume_password_management(self, account: PrivilegedAccount | List[PrivilegedAccount])
This resume the account (or list) password management
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
The list of updated accounts, or exceptions
- Raises:
CyberarkException – If resuming failed.
- async get_cpm_status(self, account: PrivilegedAccount | List[PrivilegedAccount])
- Get the CPM status of an account or a list of accounts.✅ You can also use the cpm_status() method of the object PrivilegedAccount
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
The secretManagement dictionary of the account.
- async activity(self, account: PrivilegedAccount | List[PrivilegedAccount])
Get account(s) activity
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
The activity dictionary as-is it is returned by CyberArk
- Raises:
CyberarkException – If call failed
- async last_cpm_error_message(self, account: PrivilegedAccount | List[PrivilegedAccount])
Get the last CPM Error message
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
The last CPM error status, or None
- Raises:
CyberarkException – If link failed
Account Group membership
- async get_account_group(self, account: PrivilegedAccount | List[PrivilegedAccount])
- Returns the GroupID of a given PrivilegedAccountTo get the group name, and more, check the Account Group section of this documentation.
- Parameters:
account (PrivilegedAccount, list) – PrivilegedAccount, list of Privileged Accounts
- Returns:
GroupID (which is not the group name)
- async add_member_to_group(self, account: PrivilegedAccount | List[PrivilegedAccount], group_name: str = '') str
This function support list of PrivilegedAccount as argument Add an address to a group
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
group_name – name of the group (or try the address username if empty)
- Returns:
AccountID
- async del_account_group_membership(self, account: PrivilegedAccount | List[PrivilegedAccount])
Find and delete the account_group membership of a PrivilegedAccount (or list)
- Parameters:
account (PrivilegedAccount, list) – a PrivilegedAccount object or a list of PrivilegedAccount objects
- Returns:
False if no group was remove, True is a group was deleted
- Raises:
CyberarkAPIException – if a group was found but deletion didn’t work
Miscellaneous
- async connect_using_PSM(self, account, connection_component, reason: str = '')
This function returns a file content (bytes) which is the equivalent RDP file of the “Connect” button
For example:
async with production_vault as epv: # find first active connexion component try: unique_id = await epv.platform.get_target_platform_unique_id(account.platformId) ccs = await epv.platform.get_target_platform_connection_components(unique_id) cc = None for _cc in ccs: if _cc["Enabled"]: cc = _cc["PSMConnectorID"] break except CyberarkException as err: # You are not Vault Admin self.assertIn("PASWS041E", str(err)) rdp_content = await epv.account.connect_using_PSM(account.id, cc) with open("connect_account.rdp", "w") as rdp_file: rdp_file.write(rdp_content)
- Parameters:
account – PrivilegedAccount or account_id
connection_component – the connection component to connect with
reason – the reason that is required to request access to this account
- Returns:
file_content
- Raises:
CyberarkAPIException – if an error occured
- detect_fc_path(self, fc: str)
Detect the path of the File Category
- Parameters:
fc – the name of the File Category
- Returns:
The string representing the Path to the FC
- async get_account(self, account_id) PrivilegedAccount | List[PrivilegedAccount]
This function support list of PrivilegedAccount as argument
This function returns a Privileged account object for a given account_id (or list of account_id)
- Parameters:
account_id – account_id or list(account_id)
- Returns:
PrivilegedAccount or list(PrivilegedAccount | exceptions)
- Raises:
CyberarkException – 404 if the account doesn’t exist.
- async get_account_id(self, account: PrivilegedAccount | str | List[PrivilegedAccount] | List[str])
Internal function to get account ID
- Parameters:
account – PrivilegedAccount object (or account_id) or list of mixed PrivilegedAccount and account_id
- Returns:
account_id or list of account_id
- is_valid_safename(self, name: str) bool
Check if the safename is a valid Vault safe name.
- Parameters:
name – Safe name to check
- Returns:
A boolean that indicates whether the username if valid or not.
- is_valid_username(self, username: str) bool
Check if the username is a valid Vault username
- Parameters:
username – username to check
- Returns:
A boolean that indicates whether the username if valid or not.