Import PA from Scan and set PA permissions using Powershell modules

Implemented

Hello,

We want to be able to import accounts from a Scan into the PAM Vault and also be able to set custom security permissions into each account using Devolutions powershell module. Is it something that can be enable in DVLS powershell?

Regards,

Nicolas Pascuas

All Comments (6)

Hello npascuas,

Thank you for contacting us regarding this matter.

May I ask if you have attempted to import from the scan that is mentioned in this article https://docs.devolutions.net/server/privileged-access-management/scan-configurations/?

Regarding PowerShell, have you tried using the DsPam cmdlet? Also, could you please provide me with the version of PowerShell you are currently using? You can find more information about PowerShell in this article https://docs.devolutions.net/rdm/windows/powershell-scripting/powershell-module/.

Furthermore, have you installed the Devolutions PowerShell module? And, can you tell me which version of DVLS you are currently using?

Please let me know, and I will do my best to assist you.

Best regards,

Patrick Ouimet

Hi Patrick,

We can import and set up the PA permissions manually as described in the article. However, we will be adding and modifying the PA accounts in the Vault quite frequently. For that reason we want to automate that process using PowerShell.

I checked the DsPAM cmdlet, and the support team advised opening a feature request to be able to import the account from the scan and to set up the PA permissions using the DVLS PowerShell module.

The product versions we are using are:

Devolutions Server version: 2023.3.10.0
PowerShell module version: 2023.3.2

Regards,
Nicolas Pascuas

Hello Nicolas,

Updating the permissions of a PAM account is indeed achievable. This can be done in two steps:

  1. Obtain the new permissions:
    1. Get-DSPamAccountSecurity: This cmdlet retrieves the permissions associated with an existing account. It's especially handy if your aim is to replicate an already established permission set.
    2. New-DSPamSecurity: Use this to create a new permission object tailored for a particular role.
  2. Update-DSPamAccount: Here, the 'Security' parameter is crucial, as it allows you to apply the updated permissions obtained from the previous step.
Should you require a demonstrative example, please feel free to ask.

Additionally, a ticket will be opened for the import of accounts from a scan.

Best regards,
Maxime

Hi Maxime,

Thank you for the information. We will have an issue with the options you mentioned to update the permissions, as we will be removing and adding new PAs quite frequently. The first option, to obtain the permissions, won't work as there won't be 2 accounts with the same role. The only difference in the permissions on every PA is that only one user will have access to a PA. As we will have over 100 PAs (one per user), we will need to create a new permission object for each PA.

Would it be possible to request a feature to set the permissions directly in the PA instead of creating the object?

Also, could you please send me the demonstrative example?

Regards,

Nicolas

Hello Nicolas,

As requested, here is an example:

# Placeholders: the PAM account ID and the DVLS user name to grant access to
$paID = 'some-id'
$username = 'the desired username'

# Get the user's ID by matching the user name in the user list
$userResponse = Get-DSUser -All
$userId = $userResponse.Data | Where-Object -Property Name -eq $username | Select-Object -ExpandProperty ID

# Get the PAM Account (known ID)
$paResponse = Get-DSPamAccount -AccountID $paID
$pa = $paResponse.Data

# Create the permissions for the owner/manager/contributor roles
$roles = @("Owner", "Contributor", "Manager")
$permissions = @()

foreach ($role in $roles){
    $permissions += New-DSPamSecurity -Role $role -Mode Override -UserID $userId
}

# Update the PAM Account with the new permission set
Update-DSPamAccount -PamAccount $pa -Security $permissions

Regards,
Maxime
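One way to apply the two-step approach above across the one-user-per-account setup Nicolas describes, as an added example that is not from this thread or from Devolutions. It assumes an already-open DVLS session, a constructed CSV mapping of account IDs to user names (the IDs are placeholders), and uses only the cmdlets shown in the example above.

```powershell
# Added example: grant each PAM account to exactly one DVLS user, in bulk.
# Constructed mapping; in practice load it with Import-Csv from a file.
$mapping = @'
AccountID,Username
00000000-0000-0000-0000-000000000001,alice
00000000-0000-0000-0000-000000000002,bob
'@ | ConvertFrom-Csv

$roles  = @("Owner", "Contributor", "Manager")
$dryRun = $true   # set to $false to actually call Update-DSPamAccount

# Resolve all users once instead of once per account
$userIdByName = @{}
foreach ($u in (Get-DSUser -All).Data) { $userIdByName[$u.Name] = $u.ID }

$failed = @()
foreach ($row in $mapping) {
    $userId = $userIdByName[$row.Username]
    if (-not $userId) {
        Write-Warning "No DVLS user named '$($row.Username)'; skipping $($row.AccountID)"
        $failed += $row
        continue
    }
    $pa = (Get-DSPamAccount -AccountID $row.AccountID).Data
    if (-not $pa) {
        Write-Warning "PAM account $($row.AccountID) not found; skipping"
        $failed += $row
        continue
    }
    # One permission object per role, all scoped to the single mapped user
    $permissions = foreach ($role in $roles) {
        New-DSPamSecurity -Role $role -Mode Override -UserID $userId
    }
    if ($dryRun) {
        Write-Host "[dry run] would grant $($roles -join ', ') on $($row.AccountID) to $($row.Username)"
    } else {
        Update-DSPamAccount -PamAccount $pa -Security $permissions
    }
}

# Report rows that were skipped so nobody is left without access silently
if ($failed.Count -gt 0) { $failed | Format-Table -AutoSize }
```

Run it once with $dryRun left at $true to review the planned grants before changing anything in the vault.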

Hello Nicolas,

In version 2023.3.6 of the module, we introduced the ability to import accounts from scans into a PAM vault. This enhancement is supported by the addition of three commandlets (cmdlets), each designed to streamline a different aspect of the import process:

  • Get-DSPamScanConfiguration: This cmdlet allows users to retrieve the scan configurations. Useful to find the desired configuration.
  • Get-DSPamScanResult: With this cmdlet, users can obtain the details of PAM accounts identified in the most recent scan, according to the previously set configuration.
  • Import-DSPamScanResult: This final cmdlet enables the actual import of PAM accounts into the vault.

Here is an example:

# Placeholders: the PAM provider ID and the vault/folder ID to import into
$providerID = 'the-desired-pam-provider-ID'
$folderID = 'the-desired-pam-vault-or-folder-ID'

# Locate the scan configuration by its exact name
$configuration = Get-DSPamScanConfiguration -LiteralName 'ScanA'

# Take the latest results of that scan, keeping only '@domain.net' accounts
# and excluding accounts that are already managed
$toImport = Get-DSPamScanResult -InputObject $configuration -Filter '@domain.net' -ExcludedManaged

# Find the provider that will manage the imported accounts
$providerResult = Get-DSPamProvider
$provider = $providerResult.Data | Where-Object -Property ID -eq $providerID

# Import the selected accounts into the vault/folder
$importResult = Import-DSPamScanResult -ScanResult $toImport -Provider $provider -FolderID $folderID

If you require assistance or have any questions, please feel free to reach out to us.

Best regards,
Maxime

Closed