Version 10.3
Important Notice
Conditions and Restrictions
This guide is delivered subject to the following conditions and restrictions:
This guide contains proprietary information and ideas belonging to CyberArk Software Ltd. which
are supplied solely for the purpose of assisting explicitly and properly authorized users of the
CyberArk software.
No part of its contents may be used for any other purpose, disclosed to any person or firm or
reproduced by any means, electronic and mechanical, without the express prior written
permission of CyberArk Software Ltd.
The software described in this document is furnished under a license. The software may be used
or copied only in accordance with the terms of that agreement.
Information in this document, including the text and graphics which are made available for the
purpose of illustration and reference only, is subject to change without notice. Corporate and
individual names and data used in examples herein are fictitious unless otherwise noted.
Third party components used in the CyberArk software may be subject to applicable terms and
conditions.
Acknowledgements
This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software written by Ian F. Darwin.
This product includes software developed by the ICU Project (http://site.icu-project.org/)
Copyright © 1995-2009 International Business Machines Corporation and other. All rights
reserved.
Copyright
© 2000-2018 CyberArk Software Ltd. All rights reserved.
CyberArk®, the CyberArk logo, and all other names and logos that appear in this Guide are
trademarks of CyberArk Software Ltd. and their respective owners.
Information in this document is subject to change without notice.
PASWS-10-3-0-1
Table of Contents
Add Account
Add Pending Account
Delete Account
Get Account Value
Get Password Value (from v10)
Change Credentials
Change credentials immediately
Change Credentials and Set Next Password
Change Credentials in the Vault
Verify credentials (up to v9.9.5)
Verify credentials (from v9.10)
Reconcile credentials
Get Account Details
Update Account Details
Check-in an exclusive account
List Activity by ID
Account Groups
Add Account Group
Add Account to Account Group
Get Account Group by Safe
Get Account Group Members
Delete Member from Account Group
Policy/ACL
List Policy/ACL
Add Policy/ACL
Delete Policy/ACL
Account/ACL
List Account/ACL
Add Account/ACL
Delete Account ACL
Onboarding Rules
Add Automatic Onboarding Rule
Delete Automatic Onboarding Rule
Get Automatic Onboarding Rules
My Requests
Create a Request
Get My Requests
Delete My Request
Get Details of My Requests
Confirm Requests
Get Incoming Request List
Get Details of a Request for Confirmation
Confirm Request
Reject Request
Connections
Connect Through PSM
Import Connection Component
Applications
List Applications
List a Specific Application
Add Application
The Privileged Account Security Web Services enable you to create, list, modify and
delete entities in the Privileged Account Security solution from within programs and scripts.
In this section:
What’s New
What’s New
The following web services are now available:
Onboarding rules
Onboarding Rules enable you to create and manage predefined rules that automatically
onboard newly discovered accounts. This minimizes the time it takes to onboard and
securely manage accounts, reduces the time spent on reviewing pending accounts, and
prevents human errors that may occur during manual onboarding.
After accounts are discovered, they are automatically filtered by the onboarding rules and
provisioned in the Vault. Accounts that cannot be filtered by any of the rules are added to
the Pending Accounts list in the PVWA and can be reviewed and onboarded manually.
Add Onboarding Rule
Delete Onboarding Rule
Get Automatic Onboarding Rules, page 152
PSM connections
You can connect to an account through PSM using RDP or a PSM gateway
(HTML5), as defined in the PVWA.
Connect Through PSM, page 200
Platforms
Administrators can import new platforms to associate with accounts.
Import Platform, page 81
Introduction
The PAS Web Services is a RESTful API that enables users to create, list, modify and
delete entities in the Privileged Account Security solution from within programs and scripts.
The main purpose of the PAS Web Services is to automate tasks that are usually
performed manually using the UI, and to incorporate them into system and account-
provisioning scripts.
The PAS Web Services are installed as part of the PVWA installation, and can be used
immediately without any additional configuration. Make sure your CyberArk license
enables you to use the CyberArk PAS SDK. For more information, contact your
CyberArk support representative.
Note:
Although you can use HTTP requests, for security reasons, it is recommended
to use HTTPS. For more information about configuring the REST Web Service
API for HTTPS, refer to Configuring PAS REST API to work with HTTPS, page 10.
For example, to get a list of all privileged commands (OPM rules) associated with a
specific account, access the privileged commands path of that account with an HTTP/S
GET request, using the following format:
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Account/<AccountAddress>|<AccountUserName>|<AccountPolicyId>/PrivilegedCommands
Example:
https://10.10.10.10/PasswordVault/WebServices/PIMServices.svc/Account/MyComp|root|UnixSSH/PrivilegedCommands
As a result of the above request, a list of all privileged commands associated with the root
user of the machine MyComp appears, in JSON format.
Every HTTP/S request must contain an HTTP/S header field named Authorization that
contains the value of a session token received from the Logon method.
If you have an SSH key license, you can add new SSH keys and pending SSH keys to
the Vault as well as accounts. For more information, contact your CyberArk
representative.
The PAS Web Services can be accessed with any tool or language that enables you to
create HTTP/S requests and handle HTTP/S responses. For more information, refer to
the C# and Java examples in Usage Examples.
For information about the codes returned by the REST web services API commands,
refer to Return Codes.
Example:
<service behaviorConfiguration="defaultBehavior"
         name="CyberArk.WSAuthentication.Cyberark.CyberArkAuthenticationService">
  <endpoint name="AuthEndpoint" address="/"
            behaviorConfiguration="web" binding="webHttpBinding"
            bindingConfiguration="httpsBinding"
            contract="CyberArk.WSAuthentication.Cyberark.ICyberArkAuthenticationService" />
</service>
<service behaviorConfiguration="defaultBehavior"
         name="CyberArk.PasswordVault.WebServices.WF.PIMServices">
  <endpoint name="PIMEndpoint" address="/"
            behaviorConfiguration="web" binding="webHttpBinding"
            bindingConfiguration="httpsBinding"
            contract="CyberArk.PasswordVault.WebServices.WF.IPIMServices" />
</service>
Return Codes
The following table lists all the return codes that are returned from the REST Web
Services API.
Return Code | Code Number | Description
Success | 200 | The request succeeded. The actual response will depend on the request method used.
Created | 201 | The request was fulfilled and resulted in a new resource being created.
Bad request | 400 | The request could not be understood by the server due to incorrect syntax.
Forbidden | 403 | The server received and understood the request, but will not fulfill it. Authorization will not help and the request MUST NOT be repeated.
Not Found | 404 | The server did not find anything that matches the Request-URI. No indication is given of whether the condition is temporary or permanent.
Conflict | 409 | The request could not be completed due to a conflict with the current state of the resource.
API Commands
The Privileged Account Security API commands enable you to implement CyberArk’s
Web Services SDK. The following sections describe how to use them and give samples
that show typical implementations.
Note:
For every Web Services call except for Logon, the request must include an
HTTP/S header field named Authorization, containing the value of a session
token received from the Logon activity.
Authentication
CyberArk Authentication
CyberArk authentication is based on a user’s location in the Vault. Each user has their
own token that can be identified in the Vault with different credentials.
You can use the following web services for CyberArk authentication:
Logon
Logoff
Logon
This method authenticates a user to the Vault and returns a token that can be used in subsequent
web services calls. In addition, this method allows you to set a new password.
Users can authenticate using CyberArk, LDAP or RADIUS authentication.
This method is demonstrated in the sample code.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon
Resource Information
HTTP method POST
Body parameters
{
"username":"<user_name>",
"password":"<password>",
"newPassword":"<password>",
"useRadiusAuthentication":"<bool>",
"connectionNumber":"<integer>"
}
Parameter username
Type String
Description The name of the user who will log on to the Vault.
Mandatory Yes
Default None
Parameter password
Type String
Mandatory Yes
Default None
Parameter newPassword
Type String
Description The new password of the user. This parameter is optional, and enables you
to change a password.
Mandatory No
Default None
Parameter useRadiusAuthentication
Type Boolean
Note:
The RADIUS challenge response is currently limited to 512
characters.
Valid values true/false
Mandatory No
Default false
Parameter connectionNumber
Type Integer
Description In order to allow more than one connection for the same user
simultaneously, each request should be sent with a different
'connectionNumber'.
Valid values 1-100
Mandatory No
Default None
Result
{
"CyberArkLogonResult":"<session token>"
}
Parameter CyberArkLogonResult
Type Long
Logoff
This method logs off the user and removes the Vault session. It is demonstrated in the
sample code.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
}
Return Codes
Status code 200
Description OK
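The Logon, Authorization header and Logoff sequence described above, as an added Python example (not CyberArk's sample code): a session wrapper that refuses non-HTTPS base URLs, sends the token only in the Authorization header, and calls Logoff even when a request fails. PasSession, PasApiError, urllib_transport and the transport callback signature are names assumed for this example.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

AUTH = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc"
SUCCESS = {200, 201, 204}  # 204 is the code the guide lists for Delete Safe


class PasApiError(Exception):
    """Non-success return code from the REST Web Services API."""

    def __init__(self, status):
        super().__init__(f"PAS REST call failed with HTTP {status}")
        self.status = status
        # Return Codes table: for 403 the request MUST NOT be repeated.
        self.must_not_repeat = status == 403


def urllib_transport(method, url, headers, body):
    """Default transport (hypothetical helper). For https:// URLs urlopen
    validates the server certificate against the system trust store."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


class PasSession:
    """Logon on entry, Logoff on exit; the token lives only in memory."""

    def __init__(self, base_url, username, password,
                 transport=urllib_transport, connection_number=None):
        parts = urlsplit(base_url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("base_url must be https://<IIS_Server_Ip>")
        if connection_number is not None and not 1 <= connection_number <= 100:
            raise ValueError("connectionNumber must be in the range 1-100")
        self._base = base_url.rstrip("/")
        self._logon_body = {"username": username, "password": password}
        if connection_number is not None:
            # Sent as a JSON number; the exact wire type is an assumption.
            self._logon_body["connectionNumber"] = connection_number
        self._transport = transport
        self._token = None

    def _send(self, method, path, payload, headers):
        body = None if payload is None else json.dumps(payload).encode("utf-8")
        headers = {"Content-Type": "application/json", **headers}
        status, text = self._transport(method, self._base + path, headers, body)
        if status not in SUCCESS:
            raise PasApiError(status)  # response body is deliberately not echoed
        return json.loads(text) if text.strip() else {}

    def __enter__(self):
        # Logon is the only call made without an Authorization header.
        result = self._send("POST", AUTH + "/Logon", self._logon_body, {})
        self._logon_body = None  # drop the password once it has been used
        self._token = result["CyberArkLogonResult"]
        return self

    def request(self, method, path, payload=None):
        if self._token is None:
            raise RuntimeError("no active session: use 'with PasSession(...)'")
        return self._send(method, path, payload, {"Authorization": self._token})

    def __exit__(self, exc_type, exc, tb):
        token, self._token = self._token, None
        try:
            self._send("POST", AUTH + "/Logoff", None, {"Authorization": token})
        except PasApiError:
            if exc_type is None:
                raise  # surface a failed Logoff unless another error is in flight
        return False
```

Passing a distinct connection_number per worker follows the connectionNumber description above when the same user runs several sessions at once.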
SAML Authentication
You can use the following web services for SAML authentication:
■ Logon
■ Logoff
Logon
This method authenticates a user to the Vault using SAML authentication and returns a
token that can be used in subsequent web services calls.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/SAML/SAMLAuthenticationService.svc/Logon
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Body parameters
None
Result
{
"CyberArkLogonResult":"<session token>"
}
Logoff
This method logs off the user and removes the Vault session. This web service is used to
log off when the user authenticated with SAML authentication.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/SAML/SAMLAuthenticationService.svc/Logoff
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Body parameters
None
Result
{
}
Return Codes
Status code 200
Description OK
Make sure that this user can access the PVWA interface.
Make sure the user only has the permissions in the Vault that they require.
For information about securing communication when using the SDK, refer to the
following:
Securing Communication between Applications and the REST Web Services
Configuring Client Authentication via Client Certificates
You can use the following web services for Shared Logon authentication:
Logon
Logoff
f. Do not select any child nodes from the list. Click OK.
3. In the PVWA Web Services folder, change the Secure Communication settings:
a. Expand PVWA, and then expand WebServices.
b. Expand auth, and then right-click Shared; the Shared Properties window
appears.
c. In the Directory Security tab, in the Secure Communications area, click Edit;
the authentication settings for the Shared folder are displayed.
d. In Client certificates, select Require client certificates, then click OK.
e. Run iisreset.
Logon
This method authenticates to the Vault with a shared webservices user and returns a
token that will be used in subsequent web services calls. It is demonstrated in sample
code.
This is supported for CyberArk authentication only, and not for third party authentication.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logon
Resource Information
HTTP method POST
Body parameters
None
Result
{
"LogonResult":"<session token>"
}
Logoff
This method logs off the shared user and removes the Vault session.
URL
https://<IIS_Server_Ip>/PasswordVault/WebServices/auth/Shared/RestfulAuthenticationService.svc/Logoff
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Body parameters
None
Result
{
}
Return Codes
Status code 200
Description OK
Note:
A user cannot manage their own public SSH keys.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}/AuthenticationMethods/SSHKeyAuthentication/AuthorizedKeys
Parameter UserName
Type String
Description The name of the user whose public SSH keys will be added.
Note:
This username is not case-sensitive.
Specify the name of any user in the Vault.
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
Note:
The public SSH key must be included as a JSON object in the request body.
{
"PublicSSHKey":"<public-key>"
}
Parameter PublicSSHKey
Type String
Description The content of the public SSH key as it appears in the authorized_keys file.
This parameter is required.
Mandatory Yes
Result
{
"AddUserAuthorizedKeyResult":
{
"KeyID":"<key-id>",
"PublicSSHKey":"<public-key>"
}
}
Return Codes
Status code 201
Note:
A user cannot manage their own public SSH keys.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}/AuthenticationMethods/SSHKeyAuthentication/AuthorizedKeys
Parameter UserName
Type String
Description The name of the user whose public SSH keys will be retrieved.
Note:
This username is not case-sensitive.
Specify the name of any user in the Vault.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"GetUserAuthorizedKeysResult":
[
{
"KeyID":"<key-id>",
"PublicSSHKey":"<public-key>"
},
{
"KeyID":"<key-id>",
"PublicSSHKey":"<public-key>"
}
]
}
Return Codes
Status code 200
Description OK
Note:
A user cannot manage their own public SSH keys.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}/AuthenticationMethods/SSHKeyAuthentication/AuthorizedKeys/{KeyID}
Parameter UserName
Type String
Description The name of the user whose public SSH keys will be added.
Note:
This username is not case-sensitive.
Specify the name of any user in the Vault.
Parameter KeyID
Type String
Valid values The key ID, as returned from the GET method.
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
None
Return Codes
Status code 200
Server
Verify
This method returns the display name of the Vault configured in the
ServerDisplayName configuration parameter.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Verify
Resource Information
HTTP method GET
Body parameters
None
Result
{
"ServerName":"<Vault_Name>",
"ServerID":"<Unique Vault_ID>",
"ApplicationName":"<PasswordVault>",
"AuthenticationMethods":"[{"Id":"authmethod","Enabled/Disabled":"true/false"}]"
}
Parameter ServerName
Type String
Parameter ServerID
Type Integer
Parameter ApplicationName
Type String
Parameter AuthenticationMethods
Type String
Description The authentication methods that can be used to authenticate to the Vault,
and whether or not they are enabled. For example, "windows".
Logo
This method returns the configuration of the logo that will be displayed in the CyberArk
SafeShare logon screen and account settings.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Logo?type={ImageType}
Type String
Default Square
Resource Information
HTTP method GET
Body parameters
None
Result
Status Stream
Server
This method returns the display name of the Vault configured in the
ServerDisplayName configuration parameter.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Server
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"ServerName":"<Vault_Name>" ,
"ExternalVersion":"<ExternalVersion>",
"InternalVersion":"<InternalVersion>"
}
Parameter ServerName
Type String
configuration parameter.
Parameter ExternalVersion
Type String
Parameter InternalVersion
Type String
Users
Add User
This method adds a new user to the Vault.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"UserName":"<string>",
"InitialPassword":"<string>",
"Email":"<string>",
"FirstName":"<string>",
"LastName":"<string>",
"ChangePasswordOnTheNextLogon":<bool>,
"ExpiryDate":"<string>",
"UserTypeName":"<string>",
"Disabled":<bool>,
"Location":"<string>"
}
Parameter UserName
Type String
Default None
Parameter InitialPassword
Type String
Description The password that the user will use to log on the first time. This password
must meet the password policy requirements.
Default None
Parameter Email
Type String
Default None
Parameter FirstName
Type String
Default None
Parameter LastName
Type String
Default None
Parameter ChangePasswordOnTheNextLogon
Type Boolean
Description Whether or not the user must change their password when they log on for
the first time.
Valid values true/false
Default true
Parameter ExpiryDate
Description The date when the user will expire and become disabled.
Default Never
Parameter UserTypeName
Type String
Default EPVUser
Parameter Disabled
Type Boolean
Valid values true/false
Default false
Parameter Location
Type String
Default Root
Result
{
"FirstName":"<string>",
"LastName":"<string>",
"UserName":"<string>",
"Email":"<string>",
"Source":"<string>",
"UserTypeName":"<string>",
"Expired":"<bool>",
"Disabled":"<bool>",
"AgentUser":"<bool>",
"Suspended":"<bool>",
"Location":"<Vault Location>",
"ExpiryDate":"<date>"
}
Update User
This method updates an existing Vault user.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
Parameter UserName
Type String
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Body parameters
{
"NewPassword":"<string>",
"Email":"<string>",
"FirstName":"<string>",
"LastName":"<string>",
"ChangePasswordOnTheNextLogon":<bool>,
"ExpiryDate":"<string>",
"UserTypeName":"<string>",
"Disabled":<bool>,
"Location":"<string>"
}
Parameter NewPassword
Type String
Description The user’s updated password. Make sure that this password meets the
password policy requirements.
Parameter Email
Type String
Parameter FirstName
Type String
Parameter LastName
Type String
Parameter ChangePasswordOnTheNextLogon
Type Boolean
Description Whether or not the user must change their password in their next logon.
Valid values true/false
Parameter ExpiryDate
Type DateTime
Description The date and time when the user’s account will expire and become
disabled.
Parameter UserTypeName
Type String
Parameter Disabled
Type Boolean
Valid values true/false
Parameter Location
Type String
Description The new Location of the updated user in the Vault hierarchy
Default -
Result
{
"FirstName":"<string>",
"LastName":"<string>",
"UserName":"<string>",
"Email":"<string>",
"Source":"<string>",
"UserTypeName":"<string>",
"ChangePasswordOnTheNextLogon":<bool>,
"Expired":"<string>",
"ExpiryDate":"<string>",
"Disabled":"<bool>",
"AgentUser":"<bool>",
"Suspended":"<bool>",
"Location":"<string>"
}
Parameter FirstName
Type String
Parameter LastName
Type String
Parameter UserName
Type String
Parameter Email
Type String
Parameter Source
Type String
Description Whether the user was created in the PrivateArk Client or the PVWA, or is
an external user who was created from an LDAP directory.
Valid values LDAP/Internal
Parameter UserTypeName
Type String
Description The new user type of this user, as specified in the CyberArk license.
Parameter ChangePasswordOnTheNextLogon
Type Boolean
Description Whether or not the user will be forced to change their password in their next
logon.
Parameter Expired
Type Boolean
Parameter ExpiryDate
Type DateTime
Description The date when the user’s account will expire and become disabled.
If the user account will never expire, ‘null’ will be returned.
Parameter Disabled
Type Boolean
Parameter Suspended
Type Boolean
Parameter AgentUser
Type Boolean
Valid values true/false
Parameter Location
Type String
Delete User
This method deletes a specific User in the Vault. It is demonstrated in the sample code.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
Parameter UserName
Type String
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
}
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/User
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"FirstName":"<string>",
"LastName":"<string>",
"UserName":"<string>",
"Email":"<string>",
"Source":"<string>",
"UserTypeName":"<string>",
"Expired":"<bool>",
"Disabled":"<bool>",
"AgentUser":"<bool>",
"Suspended":"<bool>"
}
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
Parameter UserName
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"FirstName":"<string>",
"LastName":"<string>",
"UserName":"<string>",
"Email":"<string>",
"Source":"<string>",
"UserTypeName":"<string>",
"Expired":"<bool>",
"Disabled":"<bool>",
"AgentUser":"<bool>",
"Suspended":"<bool>"
}
Activate User
This method activates an existing Vault user who was suspended after entering incorrect
credentials multiple times.
Note:
This method activates a suspended user. It does not activate an inactive user.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
Parameter UserName
Type String
Default None
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization (mandatory)
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"Suspended":"<bool>"
}
Parameter Suspended
Type Boolean
Valid values false
Result
{
"FirstName":"<string>",
"LastName":"<string>",
"UserName":"<string>",
"Email":"<string>",
"Source":"<string>",
"UserTypeName":"<string>",
"ChangePasswordOnTheNextLogon":<bool>,
"Expired":"<string>",
"ExpiryDate":"<string>",
"Disabled":"<bool>",
"AgentUser":"<bool>",
"Suspended":"<bool>",
"Location":"<string>"
}
Parameter FirstName
Type String
Parameter LastName
Type String
Parameter UserName
Type String
Parameter Email
Type String
Parameter Source
Type String
Description Whether the user was created in the PrivateArk Client or the PVWA, or is
an external user who was created from an LDAP directory.
Valid values LDAP/Internal
Parameter UserTypeName
Type String
Parameter ChangePasswordOnTheNextLogon
Type Boolean
Description Whether or not the user will be forced to change their password in their next
logon.
Parameter Expired
Type Boolean
Parameter ExpiryDate
Type DateTime
Description The date when the user’s account will expire and become disabled.
If the user account will never expire, ‘null’ will be returned.
Parameter Disabled
Type Boolean
Parameter Suspended
Type Boolean
Parameter AgentUser
Type Boolean
Valid values true/false
Parameter Location
Type String
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users
Parameter GroupName
Type String
Description The name of the group to which the user will be added.
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"UserName":"<string>"
}
Parameter UserName
Type String
Description The name of the user who will be added to the specified group.
Default -
Result
{
}
Return Codes
Status code 201
Safes
List Safes
This method returns information about all of the user’s Safes in the Vault. It is demonstrated in the
sample code.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
[
{
"Description":"<string>",
"LastUpdated":"<mm/dd/yyyy hh:mm:ss>",
"SafeDisplayName":"<string>",
"SafeMetaData":[
{
"Key":"ServiceName",
"Value":"<string>"
}
],
"SafeName":"<string>",
"SafePermissions":"<list>",
"SafeSizeInBytes":"<long>"
},
…
]
Note:
The time returned in LastUpdated is in UTC format.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
Parameter SafeName
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"GetSafeResult": {
"Description":"<string>",
"ManagingCPM":"<CPM user>",
"NumberOfDaysRetention":<1-3650>,
"NumberOfVersionsRetention":<1-999>,
"OLACEnabled":<true/false>,
"SafeName":"<string>"
}
}
Add Safe
This method adds a new Safe to the Vault.
The user who runs this web service requires the following permission in the Vault:
■ Add Safes
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"safe":{
"SafeName":"<Safe name>",
"Description":"<Description>",
"OLACEnabled":<true/false>,
"ManagingCPM":"<CPM user>",
"NumberOfVersionsRetention":<1-999>,
"NumberOfDaysRetention":<1-3650>
}
}
Parameter SafeName
Type String
■ Do not start a Safe name with a space.
Parameter Description
Type String
Parameter OLACEnabled
Type Boolean
Description Whether or not to enable Object Level Access Control for the new Safe.
Valid values true/false
Parameter ManagingCPM
Type String
Description The name of the CPM user who will manage the new Safe.
Valid values An existing CPM user or "" to prevent the CPM from managing the Safe.
Parameter NumberOfVersionsRetention
Type Numeric
Description The number of retained versions of every password that is stored in the
Safe.
Specify either this parameter or NumberOfDaysRetention.
If you specify this parameter the NumberOfDaysRetention parameter is
disabled.
Valid values 1-999
Parameter NumberOfDaysRetention
Type Numeric
Description The number of days for which password versions are saved in the Safe.
Specify either this parameter or NumberOfVersionsRetention. If you specify
this parameter the NumberOfVersionsRetention parameter is disabled.
Valid values 1-3650
Result
{
"safe":{
Return Codes
Status code 201
Update Safe
This method updates a single Safe in the Vault. The user who runs this web service requires the
following permissions:
In the Vault:
■ Manage Safes
In the Safe:
■ View Safe Members
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
Parameter SafeName
Type String
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"safe":{
"SafeName":"<The name of the Safe>",
"Description":"<Description of the Safe>",
"OLACEnabled":<true/false>,
"ManagingCPM":"<Name of CPM user managing the Safe>",
"NumberOfVersionsRetention":<1-999>,
"NumberOfDaysRetention":<1-3650>
}
}
Parameter SafeName
Type String
Description The new name of the Safe, if you want to change it.
■ Specify up to 28 characters.
■ The following characters aren’t allowed: \/:*<>".|
■ Do not start a Safe name with a space.
Parameter Description
Type String
Parameter OLACEnabled
Type Boolean
Valid values true/false
Parameter ManagingCPM
Type String
Description Name of the CPM user who will manage the Safe.
Valid values An existing CPM user or "" to prevent the CPM from managing the Safe.
Parameter NumberOfVersionsRetention
Type Numeric
Description The number of versions of every password that is stored in the Safe.
Specify either this parameter or NumberOfDaysRetention.
If you specify this parameter, the NumberOfDaysRetention parameter is
disabled.
Valid values 1-999
Parameter NumberOfDaysRetention
Type Numeric
Description The number of days that versions are stored in the Safe.
Specify either this parameter or NumberOfVersionsRetention. If you
specify this parameter, the NumberOfVersionsRetention parameter is
disabled.
Valid values 1-3650
Result
{
"Safe":{
"SafeName":"<The name of the Safe>",
"Description":"<Description for the Safe>",
"OLACEnabled":<true/false>,
"ManagingCPM":"<Name of CPM user managing the Safe>",
"NumberOfVersionsRetention":<1-999>,
"NumberOfDaysRetention":<1-3650>
}
}
Return Codes
Status code 200
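The Safe name and retention rules stated under Add Safe and Update Safe, checked on the client before a request is sent; this is an added Python example, not part of the CyberArk SDK. The function names are assumptions, applying the Update Safe name rules to Add Safe is an assumption, and requiring exactly one retention parameter is this example's reading of "Specify either this parameter or ...".

```python
PIM = "/PasswordVault/WebServices/PIMServices.svc"
SAFE_NAME_MAX = 28                        # "Specify up to 28 characters."
SAFE_NAME_FORBIDDEN = set('\\/:*<>".|')   # characters the guide disallows
URL_UNSUPPORTED = set(" +&%")             # no spaces; + & % unsupported in URL values


def check_safe_name(name):
    """Apply the Safe name rules from the SafeName parameter description."""
    if not isinstance(name, str) or not name:
        raise ValueError("Safe name must be a non-empty string")
    if len(name) > SAFE_NAME_MAX:
        raise ValueError(f"Safe name is longer than {SAFE_NAME_MAX} characters")
    if name[0] == " ":
        raise ValueError("Safe name must not start with a space")
    bad = sorted(set(name) & SAFE_NAME_FORBIDDEN)
    if bad:
        raise ValueError("Safe name contains disallowed characters: " + "".join(bad))
    return name


def _in_range(value, low, high, label):
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{label} must be an integer in {low}-{high}")
    return value


def safe_body(name, description="", olac_enabled=False, managing_cpm="",
              versions=None, days=None):
    """Build the {"safe": {...}} body used by Add Safe and Update Safe.

    managing_cpm="" prevents the CPM from managing the Safe, as the guide states.
    """
    if (versions is None) == (days is None):
        raise ValueError("specify exactly one of NumberOfVersionsRetention "
                         "and NumberOfDaysRetention")
    safe = {
        "SafeName": check_safe_name(name),
        "Description": description,
        "OLACEnabled": bool(olac_enabled),
        "ManagingCPM": managing_cpm,
    }
    if versions is not None:
        safe["NumberOfVersionsRetention"] = _in_range(
            versions, 1, 999, "NumberOfVersionsRetention")
    else:
        safe["NumberOfDaysRetention"] = _in_range(
            days, 1, 3650, "NumberOfDaysRetention")
    return {"safe": safe}


def safe_url(base_url, safe_name):
    """Build .../Safes/{SafeName} for the GET, PUT and DELETE calls.

    A name that is valid in a request body can still be unusable in the URL:
    the guide forbids spaces and + & % in URL values, so those are rejected
    here rather than encoded.
    """
    check_safe_name(safe_name)
    bad = sorted(set(safe_name) & URL_UNSUPPORTED)
    if bad:
        raise ValueError("Safe name cannot be used in a URL value; it contains: "
                         + repr("".join(bad)))
    return base_url.rstrip("/") + PIM + "/Safes/" + safe_name
```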
Delete Safe
This method deletes a Safe from the Vault.
The user who runs this web service requires the following permission in the Vault:
■ Manage Safe
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
Parameter SafeName
Type String
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 204
Description No content
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes?query={Query}
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"SearchSafesResult":[
{
"SafeName":"<Safe name>",
"Description":"<Description>",
"OLACEnabled":<true/false>,
"ManagingCPM":"<CPM user>",
"NumberOfVersionsRetention":<1-999>,
"NumberOfDaysRetention":<1-3650>
},
…
]
}
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeName}/AccountGroups
Type String
Description The name of the Safe where the account groups are.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"GroupID":<The group ID>,
"GroupName":<The group name>,
"GroupPlatformID":<The group platform ID>,
"Safe":<The group Safe name>
}
Parameter GroupID
Type String
Parameter GroupName
Type String
Parameter GroupPlatformID
Type String
Parameter Safe
Type String
Description The name of the Safe where the account groups are.
Return Codes
Status code
Description
Safe Members
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members
Type String
Description The name of the Safe whose Safe members will be listed.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"UserName":"<String>",
"Permissions":
{
…
}
"UserName":"<String>",
"Permissions":
{
…
}
}
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members
Type String
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"member":{
"MemberName":"<The name of the user to add as a Safe member>",
"SearchIn":"<Search for the member in the Vault or Domain>",
"MembershipExpirationDate":"<MM\DD\YY or empty if there is no expiration date>",
"Permissions":<User’s permissions in the Safe>
[
{"Key":"UseAccounts", "Value":<true/false>},
{"Key":"RetrieveAccounts", "Value":<true/false>},
{"Key":"ListAccounts", "Value":<true/false>},
{"Key":"AddAccounts", "Value":<true/false>},
{"Key":"UpdateAccountContent", "Value":<true/false>},
{"Key":"UpdateAccountProperties", "Value":<true/false>},
{"Key":"InitiateCPMAccountManagementOperations",
"Value":<true/false>},
{"Key":"SpecifyNextAccountContent", "Value":<true/false>},
{"Key":"RenameAccounts", "Value":<true/false>},
{"Key":"DeleteAccounts", "Value":<true/false>},
{"Key":"UnlockAccounts", "Value":<true/false>},
{"Key":"ManageSafe", "Value":<true/false>},
{"Key":"ManageSafeMembers", "Value":<true/false>},
{"Key":"BackupSafe", "Value":<true/false>},
{"Key":"ViewAuditLog", "Value":<true/false>},
{"Key":"ViewSafeMembers", "Value":<true/false>},
{"Key":"RequestsAuthorizationLevel", "Value":<0/1/2>},
{"Key":"AccessWithoutConfirmation", "Value":<true/false>},
{"Key":"CreateFolders", "Value":<true/false>},
{"Key":"DeleteFolders", "Value":<true/false>},
{"Key":"MoveAccountsAndFolders", "Value":<true/false>}
]
}
}
Type String
Note:
The MemberName must not contain '&' (ampersand).
Parameter SearchIn
Type String
Description The Vault or Domain to search for the user or group to add as a Safe
member.
Default Vault
Parameter MembershipExpirationDate
Type String
Default no expiration
Parameter Permissions
Permissions
Parameter UseAccounts
Type Boolean
Valid values true/false
Parameter RetrieveAccounts
Type Boolean
Valid values true/false
Parameter ListAccounts
Type Boolean
Valid values true/false
Parameter AddAccounts
Type Boolean
Description Add accounts in the Safe. Users who are given AddAccounts authorization
automatically receive UpdateAccountProperties as well.
Valid values true/false
Parameter UpdateAccountContent
Type Boolean
Valid values true/false
Parameter UpdateAccountProperties
Type Boolean
Valid values true/false
Parameter InitiateCPMAccountManagementOperations
Type Boolean
Valid values true/false
Parameter SpecifyNextAccountContent
Type Boolean
Description Specify the password that will be used when the CPM changes the
password value. This parameter can only be specified when
InitiateCPMAccountManagementOperations is set to true.
When InitiateCPMAccountManagementOperations
is set to false this parameter is automatically set to false.
Valid values true/false
Parameter RenameAccounts
Type Boolean
Valid values true/false
Parameter DeleteAccounts
Type Boolean
Valid values true/false
Parameter UnlockAccounts
Type Boolean
Valid values true/false
Parameter ManageSafe
Type Boolean
Valid values true/false
Parameter ManageSafeMembers
Type Boolean
Description Add and remove Safe members, and update their authorizations in the
Safe.
Valid values true/false
Parameter BackupSafe
Type Boolean
Description Create a backup of a Safe and its contents, and store in another location.
Valid values true/false
Parameter ViewAuditLog
Type Boolean
Valid values true/false
Parameter ViewSafeMembers
Type Boolean
Valid values true/false
Parameter RequestsAuthorizationLevel
Type Numeric
■ 2 – authorization level 2
Valid values 0/1/2
Parameter AccessWithoutConfirmation
Type Boolean
Description Access the Safe without confirmation from authorized users. This
overrides the Safe properties that specify that Safe members require
confirmation to access the Safe.
Valid values true/false
Parameter CreateFolders
Type Boolean
Valid values true/false
Parameter DeleteFolders
Type Boolean
Valid values true/false
Parameter MoveAccountsAndFolders
Type Boolean
Description Move accounts and folders in the Safe to different folders and subfolders.
Valid values true/false
Result
{
"member":{
"MemberName":"<The name of the Safe member who has just been added>",
"SearchIn":"<The Vault or Domain where the user or group was found>",
"MembershipExpirationDate":"<MM\DD\YY> or empty if there is no expiration date"
"Permissions":
{
"UseAccounts":<true/false>
"RetrieveAccounts":<true/false>
"ListAccounts":<true/false>
"AddAccounts":<true/false>
"UpdateAccountContent":<true/false>
"UpdateAccountProperties":<true/false>
"InitiateCPMAccountManagementOperations":<true/false>
"SpecifyNextAccountContent":<true/false>
"RenameAccounts":<true/false>
"DeleteAccounts":<true/false>
"UnlockAccounts":<true/false>
"ManageSafe":<true/false>
"ManageSafeMembers":<true/false>
"BackupSafe":<true/false>
"ViewAuditLog":<true/false>
"ViewSafeMembers":<true/false>
"RequestsAuthorizationLevel":<0/1/2>
"AccessWithoutConfirmation":<true/false>
"CreateFolders":<true/false>
"DeleteFolders":<true/false>
"MoveAccountsAndFolders":<true/false>
}
}
}
Return Codes
Status code 201
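The member-addition rules above (no '&' in MemberName, the unsupported URL characters, SpecifyNextAccountContent depending on InitiateCPMAccountManagementOperations, and AddAccounts carrying UpdateAccountProperties) can be applied while building the request, so the body that gets reviewed matches the rights that are actually granted. This is an added example, not CyberArk code; the function name, the host pvwa.example.test and the choice to reject a dependent permission instead of letting it be reset to false are assumptions.

```python
import json
import re

# Permission keys in the order the request body lists them.
PERMISSION_ORDER = [
    "UseAccounts", "RetrieveAccounts", "ListAccounts", "AddAccounts",
    "UpdateAccountContent", "UpdateAccountProperties",
    "InitiateCPMAccountManagementOperations", "SpecifyNextAccountContent",
    "RenameAccounts", "DeleteAccounts", "UnlockAccounts", "ManageSafe",
    "ManageSafeMembers", "BackupSafe", "ViewAuditLog", "ViewSafeMembers",
    "RequestsAuthorizationLevel", "AccessWithoutConfirmation",
    "CreateFolders", "DeleteFolders", "MoveAccountsAndFolders",
]
BOOLEAN_PERMISSIONS = [k for k in PERMISSION_ORDER if k != "RequestsAuthorizationLevel"]
URL_UNSUPPORTED = set(" +&%")  # no spaces, and + & % are not supported in URL values
EXPIRATION_RE = re.compile(r"(0[1-9]|1[0-2])\\(0[1-9]|[12]\d|3[01])\\\d{2}")  # MM\DD\YY


def _check_url_value(label, value):
    bad = sorted(URL_UNSUPPORTED & set(value))
    if not value or bad:
        raise ValueError(f"{label} is empty or contains unsupported characters: {bad}")


def build_add_member_request(server, safe_name, member_name, granted,
                             search_in="Vault", expiration="",
                             requests_authorization_level=0):
    """Return (url, body) for adding a Safe member; raise ValueError on a rule violation.

    `granted` is the set of Boolean permissions to switch on. Every other
    Boolean permission is sent explicitly as false (deny by default).
    """
    _check_url_value("server", server)
    _check_url_value("SafeName", safe_name)
    if not member_name or "&" in member_name:
        raise ValueError("MemberName is empty or contains '&'")

    granted = set(granted)
    unknown = sorted(granted - set(BOOLEAN_PERMISSIONS))
    if unknown:
        raise ValueError(f"unknown permissions: {unknown}")
    if type(requests_authorization_level) is not int or requests_authorization_level not in (0, 1, 2):
        raise ValueError("RequestsAuthorizationLevel must be 0, 1 or 2")
    if expiration and not EXPIRATION_RE.fullmatch(expiration):
        raise ValueError("MembershipExpirationDate must be MM\\DD\\YY or empty")

    # The dependent permission is set to false when its prerequisite is false.
    # Failing here keeps the request and the resulting rights identical.
    if ("SpecifyNextAccountContent" in granted
            and "InitiateCPMAccountManagementOperations" not in granted):
        raise ValueError("SpecifyNextAccountContent requires "
                         "InitiateCPMAccountManagementOperations")

    # AddAccounts brings UpdateAccountProperties with it; state it in the body.
    if "AddAccounts" in granted:
        granted.add("UpdateAccountProperties")

    permissions = []
    for key in PERMISSION_ORDER:
        value = requests_authorization_level if key == "RequestsAuthorizationLevel" else key in granted
        permissions.append({"Key": key, "Value": value})

    url = (f"https://{server}/PasswordVault/WebServices/PIMServices.svc"
           f"/Safes/{safe_name}/Members")
    body = {"member": {"MemberName": member_name,
                       "SearchIn": search_in,
                       "MembershipExpirationDate": expiration,
                       "Permissions": permissions}}
    return url, body


if __name__ == "__main__":
    # Constructed sample values: a read-only auditor with an expiring membership.
    url, body = build_add_member_request(
        "pvwa.example.test", "UnixSafe", "auditor1",
        {"ListAccounts", "ViewAuditLog", "ViewSafeMembers"},
        expiration="12\\31\\25")
    print("POST", url)
    print(json.dumps(body, indent=2))
```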
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}
Type String
Parameter MemberName
Type String
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"member":{
"MembershipExpirationDate":"<MM\DD\YY or empty for no expiration>",
"Permissions":<User’s permissions in the Safe>
[
{"Key":"UseAccounts", "Value":<true/false>},
{"Key":"RetrieveAccounts", "Value":<true/false>},
{"Key":"ListAccounts", "Value":<true/false>},
{"Key":"AddAccounts", "Value":<true/false>},
{"Key":"UpdateAccountContent", "Value":<true/false>},
{"Key":"UpdateAccountProperties", "Value":<true/false>},
{"Key":"InitiateCPMAccountManagementOperations", "Value":<true/false>},
{"Key":"SpecifyNextAccountContent", "Value":<true/false>},
{"Key":"RenameAccounts", "Value":<true/false>},
{"Key":"DeleteAccounts", "Value":<true/false>},
{"Key":"UnlockAccounts", "Value":<true/false>},
{"Key":"ManageSafe", "Value":<true/false>},
{"Key":"ManageSafeMembers", "Value":<true/false>},
{"Key":"BackupSafe", "Value":<true/false>},
{"Key":"ViewAuditLog", "Value":<true/false>},
{"Key":"ViewSafeMembers", "Value":<true/false>},
{"Key":"RequestsAuthorizationLevel", "Value":<0/1/2>},
{"Key":"AccessWithoutConfirmation", "Value":<true/false>},
{"Key":"CreateFolders", "Value":<true/false>},
{"Key":"DeleteFolders", "Value":<true/false>},
{"Key":"MoveAccountsAndFolders", "Value":<true/false>}
]
}
}
Parameter MembershipExpirationDate
Type String
Description Defines when the user’s Safe membership expires. Specify “” for no
expiration date.
Parameter Permissions
Type Boolean/Numeric
Permissions
Parameter UseAccounts
Type Boolean
Valid values true/false
Parameter RetrieveAccounts
Type Boolean
Valid values true/false
Parameter ListAccounts
Type Boolean
Valid values true/false
Parameter AddAccounts
Type Boolean
Description Add accounts in the Safe. Users who are given AddAccounts authorization
automatically receive UpdateAccountProperties as well.
Valid values true/false
Parameter UpdateAccountContent
Type Boolean
Valid values true/false
Parameter UpdateAccountProperties
Type Boolean
Valid values true/false
Parameter InitiateCPMAccountManagementOperations
Type Boolean
Valid values true/false
Parameter SpecifyNextAccountContent
Type Boolean
Description Specify the password that will be used when the CPM changes the
Valid values true/false
Parameter RenameAccounts
Type Boolean
Valid values true/false
Parameter DeleteAccounts
Type Boolean
Valid values true/false
Parameter UnlockAccounts
Type Boolean
Valid values true/false
Parameter ManageSafe
Type Boolean
Valid values true/false
Parameter ManageSafeMembers
Type Boolean
Description Add and remove Safe members, and update their authorizations in the
Safe.
Valid values true/false
Parameter BackupSafe
Type Boolean
Description Create a backup of a Safe and its contents, and store in another location.
Valid values true/false
Parameter ViewAuditLog
Type Boolean
Valid values true/false
Parameter ViewSafeMembers
Type Boolean
Valid values true/false
Parameter RequestsAuthorizationLevel
Type Numeric
Valid values 0/1/2
Parameter AccessWithoutConfirmation
Type Boolean
Description Access the Safe without confirmation from authorized users. This
overrides the Safe properties that specify that Safe members require
confirmation to access the Safe.
Valid values true/false
Parameter CreateFolders
Type Boolean
Valid values true/false
Parameter DeleteFolders
Type Boolean
Valid values true/false
Parameter MoveAccountsAndFolders
Type Boolean
Description Move accounts and folders in the Safe to different folders and subfolders.
Valid values true/false
Result
{
"member":{
"MemberName":"<The name of the Safe member >",
"MembershipExpirationDate":"<MM\DD\YY or empty for no expiration date>"
"Permissions":
{
"UseAccounts":<true/false>
"RetrieveAccounts":<true/false>
"ListAccounts":<true/false>
"AddAccounts":<true/false>
"UpdateAccountContent":<true/false>
"UpdateAccountProperties":<true/false>
"InitiateCPMAccountManagementOperations":<true/false>
"SpecifyNextAccountContent":<true/false>
"RenameAccounts":<true/false>
"DeleteAccounts":<true/false>
"UnlockAccounts":<true/false>
"ManageSafe":<true/false>
"ManageSafeMembers":<true/false>
"BackupSafe":<true/false>
"ViewAuditLog":<true/false>
"ViewSafeMembers":<true/false>
"RequestsAuthorizationLevel":<0/1/2>
"AccessWithoutConfirmation":<true/false>
"CreateFolders":<true/false>
"DeleteFolders":<true/false>
"MoveAccountsAndFolders":<true/false>
}
}
}
Return Codes
Status code 201
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}
Type String
Description The name of the Safe from which to delete the member.
Type String
Description The name of the Safe member to delete from the Safe’s list of members.
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 200
Platforms
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Platforms/{PlatformName}
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"PlatformID":<Platform ID>
"Properties":<list of key\value>
"Active":<is active>
}
Parameter PlatformID
Type String
Parameter Properties
Type List
Description List of all the parameters with their values from the Policy INI file of the
specific platform.
Parameter Active
Type true/false
Description According to the Master Policy and relevant exception (if it exists).
Return Codes
Status code 200
Import Platform
This method enables administrators to import a new platform.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/API/Platforms/Import
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"ImportFile": {zip file byte array}
}
Default -
Result
{
"PlatformID": "PlatformID"
}
Parameter PlatformID
Type String
Return Codes
Status code 201
Status code 400
Status code 403
Description Forbidden
The user creating the request must have the correct permissions, and must
be in the Vault Admins group
Status code 409
Description Conflict
Platform already exists
Status code 500
Accounts
Add Account
This method adds a new privileged account or SSH key to the Vault.
Note:
You require an additional license to add SSH keys to the Vault. For more
information, contact your CyberArk representative.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Account
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"account" : {
"safe":"<Safe name>",
"platformID":"<Existing Platform ID>",
Type String
Type String
Valid values Platform ID
Parameter address
Type String
Description The name or address of the machine where the account will be used.
Parameter accountName
Type String
Type String
Valid values Password
Parameter username
Type String
Description The name of the user who will use the account on the target machine.
Parameter groupName
Type String
Description The name of the group with which the account will be associated.
Parameter groupPlatformID
Type String
Parameter disableAutoMgmt
Type Boolean
Description Whether or not automatic management will be disabled for this account.
Valid values true/false
Default false
Parameter disableAutoMgmtReason
Type String
Description The reason why the account was disabled for auto-management.
This parameter is only relevant if disableAutoMgmt is set to "true".
Valid values -
Parameter dynamicProperties
Type List
Valid values -
Parameter ExtraPass1Name
Type String
Valid values -
Parameter ExtraPass1Folder
Type String
Valid values Folder
Default "Root"
Parameter ExtraPass1Safe
Type String
Parameter ExtraPass3Name
Type String
Parameter ExtraPass3Folder
Type String
Valid values Folder
Default "Root"
Parameter ExtraPass3Safe
Type String
Result
{
}
Return Codes
Status code 201
Note:
In order to add SSH keys to the Vault, you require an additional license. For
more information, contact your CyberArk representative.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/PendingAccounts
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"pendingAccount":{
"UserName":"<user name>",
"Address":"<address>",
"AccountDiscoveryDate":"<YYYY-MM-DDThh:mm:ssZ>",
"AccountEnabled":"<enabled/disabled>",
"AccountOSGroups":"<group name>",
"AccountType":"<domain/local>",
"Domain":"<domain name>",
"PasswordNeverExpires":"<true/false>",
"OSVersion":"<OS version>",
"OU":"<OU>",
"AccountCategory":"<Privileged/Non-privileged>",
"UserDisplayName":"<user display name>",
"AccountDescription":"<description>",
"GID":"<GID>",
"UID":"<UID>",
"OSType":"<Windows/Unix>",
"DiscoveryPlatformType":"<platform name>",
"MachineOSFamily":"<workstation/server>",
"LastLogonDate":"<YYYY-MM-DDThh:mm:ssZ>",
"LastPasswordSetDate":"<YYYY-MM-DDThh:mm:ssZ>",
"AccountExpirationDate":"<YYYY-MM-DDThh:mm:ssZ>",
"AccountCategoryCriteria":"<criteria>"
}
}
Type String
Type String
Description The name or address of the machine where the account is used.
Type String
Description The date when the account was discovered. This parameter uses the
following standard: YYYY-MM-DDThh:mm:ssZ
Parameter OSType
Type String
Valid values Windows/Unix
Parameter AccountEnabled
Type String
Note:
Domain accounts are discovered in the Active Directory, and
local accounts are discovered on machines.
Valid values enabled/disabled
Parameter AccountOSGroups
Type String
Description The name of the group that the account belongs to (e.g., Administrators,
Operators, etc.)
Parameter AccountType
Type String
Valid values domain/local
Parameter DiscoveryPlatformType
Type String
Parameter Domain
Type String
Parameter LastLogonDate
Type String
Description The date when this account was last used to log on, as defined in the
discovery source. This parameter uses the following standard:
YYYY-MM-DDThh:mm:ssZ
Parameter LastPasswordSet
Type String
Description The date when this password was last set, as defined in the discovery
source. This parameter uses the following standard:
YYYY-MM-DDThh:mm:ssZ
Parameter PasswordNeverExpires
Type String
Description Whether or not this password ever expires, as defined in the discovery
source.
If this parameter is not set, it will automatically be set to N/A.
Valid values true/false
Parameter OSVersion
Type String
Parameter OU
Type String
Valid values OU
Parameter AccountCategory
Type String
Valid values Privileged/Non-privileged
Parameter AccountCategoryCriteria
Type String
Parameter UserDisplayName
Type String
Parameter AccountDescription
Type String
Description A description of the user, as defined in the discovery source. This will be
saved as an account after it is added to the pending accounts.
Valid values -
Parameter AccountExpirationDate
Type String
Description The expiration date of the account, as defined in the discovery source. This
parameter uses the following standard: YYYY-MM-DDThh:mm:ssZ
Parameter UID
Type String
Valid values User ID
Parameter GID
Type String
Valid values Group ID
Parameter MachineOSFamily
Type String
Valid values Workstation/Server
Result
None
Return Codes
Status code 201
Delete Account
This method deletes a specific account in the Vault.
The user who runs this web service requires the following permission in the Vault:
■ Delete accounts
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}
Type Number
Description The unique ID of the account to delete. This is retrieved by the Get Account
Details web service.
Valid values Account ID
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 204
Description No content
Note:
The ability to retrieve credentials using this REST API is intended for human
use only and is not recommended for applications or automated processes,
where application-based authentication is required.
For application or automated processes use cases, please refer to Application
Identity Manager (AIM) documentation.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}/Credentials
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
[
{
"Credentials":"VALUE"
} ]
Note:
The ability to retrieve credentials using this REST API is intended for human
use only and is not recommended for applications or automated processes,
where application-based authentication is required.
For application or automated processes use cases, please refer to Application
Identity Manager (AIM) documentation.
This method can be used from v10 and replaces the Get Account Value method.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/Accounts/{accountId}/Password/Retrieve
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
reason:"<Reason>",
TicketingSystemName: "<Ticketing system>",
TicketId: "<Ticketid>",
Version: <version number>,
ActionType: "<action type - show\copy\connect>",
isUse: <true\false>,
Machine: "<my remote machine address>"
}
Parameter Reason
Type String
Valid values -
Default -
Parameter TicketId
Type String
Valid values -
Default -
Parameter TicketingSystem
Type String
Valid values -
Default -
Parameter IsUse
Type Boolean
Valid values true/false
Default false
Parameter ActionType
Type String
Valid values show/copy/connect
Default -
Parameter Machine
Type String
Valid values -
Default -
Parameter Version
Type integer
Description The version number of the required password. If there are no previous
versions, the current password/key version is returned.
Default -
Result
"<myPassword>"
Return Codes
Status code 400
Status code 400
Status code 400
Description PASWS090E Failed to get content. Reason: Input parameter for [TicketID]
value is invalid. <reason for ticket validation error>
Status code 401
Description PASWS041E Failed to get content. Reason: You are not authorized to
perform this action.
Status code 404
Description PASWS040E Failed to get content. Reason: Content of account was not
found.
Change Credentials
This method marks the account for an immediate password change by the CPM to a new random
password.
The user who runs this web service requires the following permission in the Safe where the
privileged account is stored:
■ Initiate CPM password management operations
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}/ChangeCredentials
Type Number
Description The unique account ID of the account to change. This is retrieved by the
Get Account Details web service.
Valid values Account ID
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"ImmediateChangeByCPM":<Yes/No>,
"ChangeCredsForGroup":<Yes/No>
}
Parameter ImmediateChangeByCPM
Type String
Description Whether or not the account will be immediately changed by the CPM.
Specify Yes to initiate a password change by the CPM.
Valid values Yes/No
Parameter ChangeCredsForGroup
Type String
Description Whether or not to change the password in all accounts that belong to the
same group.
This parameter is only relevant for accounts that belong to an account
group.
If the account does not belong to a group, this parameter is ignored.
Valid values Yes/No
Default Yes
Result
{
}
Return codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Accounts/<AccountID>/Change
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"ChangeEntireGroup" : true
}
Parameter ChangeCredsForGroup
Type Boolean
Description Whether or not the CPM will change the credentials in all the accounts that
belong to the same group.
This parameter is only relevant for accounts that belong to an account
group; if the account does not belong to a group, it will be ignored. If
this account is part of an account group and this value is not specified, the
default value will be applied.
Valid values true/false
Default true
Return codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/passwordvault/api/Accounts/<AccountID>/SetNextPassword
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"ChangeImmediately" : true,
"NewCredentials": "<credentials>"
}
Parameter ChangeImmediately
Type String
Description Whether or not the password will be changed immediately in the Vault.
Valid values -
Default -
Type String
Description The new account credentials that will be allocated to the account in the
Vault.
Note:
Digits are never placed as the first or last character of the password,
regardless of the password policy or specifications.
If the specified password contains leading and/or trailing white
spaces, they will automatically be removed.
Valid values -
Default -
Return Codes
Status code 200
Description OK
Status code 400
Status code 400
Status code 400
Description Automatic management for this account was disabled by the user
Status code 400
Status code 400
Description The {PolicyName} policy does not allow manual password changes.
Status code 400
Status code 400
Status code 400
Description Setting the password for the next CPM change cycle is not supported for
accounts that belong to a rotational group.
Status code 403
Status code 403
Description You do not have permission to initiate a CPM password change operation
with a manual password.
Status code 404
Status code 500
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/passwordvault/api/Accounts/<AccountID>/Password/Update
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
Parameter ChangeCredsForGroup
Type String
Description Whether or not to change the password in all accounts that belong to the
same group.
This parameter is only relevant for accounts that belong to an account
group. If the account does not belong to a group, it will be ignored.
Valid values -
Default -
Parameter AutoGenerate
Type String
Description Whether or not the password will be generated according to the password
policy rules. If the CPM is not configured to enforce a password policy rule,
this parameter is irrelevant.
If the NewCredentials parameter contains a value, this parameter will be
ignored.
Valid values -
Default -
Type String
Description The new account credentials that will be allocated to the account in the
Vault.
Note:
Digits are never placed as the first or last character of the password,
regardless of the password policy or specifications.
If the specified password contains leading and/or trailing white
spaces, they will automatically be removed.
Valid values -
Default -
Return Codes
Status code 200
Description OK
Status code 400
Status code 400
Status code 400
Description The {PolicyName} policy does not allow manual password changes.
Status code 403
Description You do not have permission to store the password. Make sure you have
store permissions on the {SafeName} Safe.
Status code 404
Status code 500
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}/VerifyCredentials
Type Number
Description The unique account ID of the account to change. This is retrieved by the
Get Account Details web service.
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 201
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Accounts/<AccountID>/Verify
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Return codes
Status code 200
Description OK
Status code 400
Status code 403
Status code 404
Status code 500
Reconcile credentials
This method marks an account for automatic reconciliation by the CPM.
The user who runs this web service requires the following permission in the Safe where the
privileged account is stored:
■ Initiate CPM password management operations
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Accounts/<AccountID>/Reconcile
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Return codes
Status code 200
Description OK
Status code 400
Note:
This method does not display the actual password.
If ten or more accounts are found, the Count Output parameter will show 10.
URL
Note:
Make sure there are no spaces in the URL.
http://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Query parameters
The following parameters can be specified in the URL to filter the result:
Parameter Keywords
Type String
Description Specify a keyword to search for. If you specify multiple keywords, the
search will include all the keywords. Separate keywords with a space.
Parameter Safe
Type String
Description Specify the name of a Safe to search. The search will be carried out only in
the Safes in the Vault that you are authorized to access.
Examples
The following example shows how to retrieve an account with the address 10.10.1.1 and the
user root, stored in the Safe called UNIXAccountsSafe.
Example:
/PasswordVault/WebServices/PIMServices.svc/Accounts?Keywords=10.10.1.1,root&Safe=UNIXAccountsSafe
Body parameters
None
Result
Note:
Only the account properties that are currently defined will be returned.
{
"Count":<the number of accounts that were found>,
"accounts":[
{
"AccountID":"<ID of Account1>",
"Properties":
[
{"Key":"Safe", "Value":"<Account1’s safe name>"},
{"Key":"Folder", "Value":"<Account1’s folder name>"},
{"Key":"Name", "Value":"<The name of Account1>"},
{"Key":"UserName", "Value":"<The username of Account1>"},
{"Key":"Address", "Value":"<The address of Account1>"}
],
"Internal Properties":
[
{"Key":"CPMInternal", "Value":"<Account1’s CPM’s internal reason>"},
{"Key":"ResetImmediately", "Value":"<ChangeTask, VerifyTask or ReconcileTask>"},
{"Key":"NoGenerate", "Value":"<…>"}
]
}
]
}
Parameter Count
Type Integer
Description The number of accounts that were found by the requested query.
Parameter AccountID
Type Integer
Parameter Safe
Type String
Parameter Folder
Type String
Parameter Name
Type String
Parameter Additional account properties that are defined, including internal properties.
Return Codes
Status code 200
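The account search described above, as an added example that is not CyberArk's own code: it builds the query URL while rejecting spaces and the characters the guide lists as unsupported, then flattens the Key/Value property lists of a result. The helper names, the HTTPS-only check and the sample response are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Characters the guide lists as unsupported in URL values.
UNSUPPORTED = set("+&%")
SEARCH_PATH = "/PasswordVault/WebServices/PIMServices.svc/Accounts"


def check_url_value(name, value):
    """Reject values that the guide says a request URL cannot carry."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"{name} must be non-empty and contain no spaces")
    bad = sorted(UNSUPPORTED.intersection(value))
    if bad:
        raise ValueError(f"{name} contains unsupported character(s): {' '.join(bad)}")
    return value


def build_search_url(base, keywords, safe=None):
    """Build the search URL, joining keywords with commas as the guide's example does."""
    # The Authorization header carries the session token, so this example
    # refuses plain HTTP (a hardening choice, not a rule stated in the guide).
    if urlsplit(base).scheme != "https":
        raise ValueError("base URL must use https")
    query = "Keywords=" + ",".join(check_url_value("Keywords", k) for k in keywords)
    if safe is not None:
        query += "&Safe=" + check_url_value("Safe", safe)
    return base.rstrip("/") + SEARCH_PATH + "?" + query


def flatten_account(entry):
    """Turn one result entry's Key/Value lists into dictionaries."""
    account = {"AccountID": entry["AccountID"], "Internal": {}}
    for pair in entry.get("Properties", []):
        account[pair["Key"]] = pair["Value"]
    for pair in entry.get("Internal Properties", []):
        account["Internal"][pair["Key"]] = pair["Value"]
    return account


def parse_search_result(body):
    """Return (accounts, possibly_truncated) for a search response body."""
    data = json.loads(body)
    accounts = [flatten_account(e) for e in data.get("accounts", [])]
    # The guide notes that Count shows 10 when ten or more accounts are found,
    # so a Count of 10 may hide further matches: narrow the query and repeat.
    return accounts, data.get("Count", 0) >= 10


# Constructed sample response; only defined properties are returned.
SAMPLE_RESPONSE = json.dumps({
    "Count": 1,
    "accounts": [{
        "AccountID": "42",
        "Properties": [
            {"Key": "Safe", "Value": "UNIXAccountsSafe"},
            {"Key": "Folder", "Value": "Root"},
            {"Key": "Name", "Value": "root-10.10.1.1"},
            {"Key": "UserName", "Value": "root"},
            {"Key": "Address", "Value": "10.10.1.1"},
        ],
        "Internal Properties": [
            {"Key": "ResetImmediately", "Value": "VerifyTask"},
        ],
    }],
})

if __name__ == "__main__":
    print(build_search_url("https://pvwa.example.test", ["10.10.1.1", "root"],
                           "UNIXAccountsSafe"))
    print(parse_search_result(SAMPLE_RESPONSE))
```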
To move accounts to a different folder, Safe members require the following permission:
■ Move accounts/folders
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_IP>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}
Type String
Description The unique ID of the account to update. This is retrieved by the Get
Account Service.
Valid values Account ID
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Query parameters
The following parameters can be specified in the URL to filter the result:
Parameter Folder
Type String
Parameter AccountName
Type String
Parameter DeviceType
Type
Description The device type to update. Make sure you specify all required parameters.
Different device types require different parameters. For more information,
refer to Appendix A: Account Properties in the Privileged Account Security
Implementation Guide.
Parameter PlatformID
Type String
Description The Platform ID of the new platform to assign to this account. Make sure
you specify all required parameters.
Different platforms require different parameters. For more information, refer
to Appendix A: Account Properties in the Privileged Account Security
Implementation Guide.
Valid values Platform ID
Parameter Address
Type String
Description The new name or address of the machine where the account will be used.
Parameter UserName
Type String
Description The updated name of the user who will use the account on the target
machine.
Parameter GroupName
Type String
Description The name of the group with which the account is associated.
To create a new group, specify the group platform ID in the
GroupPlatformID property, then specify the group name. The group will
then be created automatically.
Parameter GroupPlatformID
Type String
Parameter Properties
Type List
Examples
In the following example all properties were sent with the original value except for the
account address, which will be updated from 1.1.1.1 to 10.10.10.10:
Example:
{
"Accounts":
{
"Folder":"Root",
"AccountName":"Operating System-WinDesktopLocal-1.1.1.1-Administrator",
"PlatformID":"WinDesktopLocal",
"DeviceType":"Operating System",
"Address":"10.10.10.10",
"UserName":"Administrator"
}
}
In the following example, a new account group name was entered to replace an existing
account group name in the optional GroupName field:
Example:
{
"Accounts":
{
"Folder":"Root",
"AccountName":"Operating System-WinDesktopLocal-1.1.1.1-Administrator",
"PlatformID":"WinDesktopLocal",
"DeviceType":"Operating System",
"Address":"10.10.10.10",
"UserName":"Administrator",
"GroupName":"WindowsAccountGroup"
}
}
In the following example, department and geographical location properties are added to
an existing account with properties:
Example:
{
"Accounts":
{
"Folder":"Root",
"AccountName":"Operating System-WinDesktopLocal-1.1.1.1-Administrator",
"PlatformID":"WinDesktopLocal",
"DeviceType":"Operating System",
"Address":"10.10.10.10",
"UserName":"Administrator",
"GroupName":"WindowsAccountGroup",
"Properties":[{
"Key":"Department", "Value":"Finance"},
{"Key":"GeoLocation", "Value":"UK"}]
}
}
Body parameters
None
Result
{
}
Return Codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Accounts/<AccountID>/CheckIn
Type String
Valid values Account ID
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Return codes
Status code 200
Description OK
Status code 400
Status code 403
Description Account cannot be changed in this mode due to missing permissions of the
user.
Status code 404
Status code 500
List Activity by ID
This method returns the activities of a specific account that is identified by its account ID.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Accounts/{AccountID}/Activities
Type String
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"AccountName":"<string>",
"Path":"<string>",
"ActivityCode":"<integer>",
"Activity":"<string>",
"Time":"<string>",
"UserName":"<string>",
"ClientID":"<integer>",
"Reason":"<string>",
"MoreInfo":"<details>"
…
}
Parameter AccountName
Type String
Parameter Path
Type String
Parameter ActivityCode
Type Integer
Parameter Activity
Type String
Parameter Time
Type DateTime
Description The date and time when the activity took place.
Parameter UserName
Type String
Parameter Client ID
Type Integer
Description The ID of the CyberArk client from which the user connected and performed
the activity.
Parameter Reason
Type String
Parameter MoreInfo
Type String
Account Groups
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/AccountGroups/
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"GroupName": "<Group name>",
Type String
Type String
Type String
Description The name of the Safe where the group will be created.
Result
{
}
Parameter GroupID
Type String
Parameter GroupName
Type String
Parameter GroupPlatformID
Type String
Parameter Safe
Type String
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/AccountGroups/{GroupID}/Members
Type String
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"AccountID": "<account ID>"
}
Type String
Description The ID of the account that will be added as a member to the group.
Result
{
}
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/AccountGroups?Safe=<SafeName>
Type String
Description The name of the Safe where the account groups are.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"GroupID":<The group ID>,
"GroupName":<The group name>,
"GroupPlatformID":<The group platform ID>,
"Safe":<The group Safe name>
}
Parameter GroupID
Type String
Parameter GroupName
Type String
Parameter GroupPlatformID
Type String
Parameter Safe
Type String
Description The name of the Safe where the account groups are.
Return codes
Status code
Description
Note:
All members of account groups must be stored in the same Safe as the group itself.
The user performing this task must have the following permissions in the Safe:
■ Add accounts
■ Update account content
■ Update account properties
■ Create folders
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/AccountGroups/<GroupID>/Members
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
[
{
"AccountID": "<ID of Account1>",
"SafeName": "<Account’s safe name>",
"PlatformID": "<Account’s Platform ID>",
"Address": "<The address of the account>",
"UserName": "<The username of the account>",
},
...
]
Parameter AccountID
Type String
Parameter Safe
Type String
Description The name of the Safe where the privileged account is stored.
Parameter PlatformID
Type String
Parameter Address
Type String
Parameter Username
Type String
Return codes
Status code
Description
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/AccountGroups/<GroupID>/Members/<AccountID>
Type String
Parameter AccountID
Type String
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
None
Return codes
Status code 204
Description Deleted
Policy/ACL
List Policy/ACL
This method gets a list of the privileged commands (OPM rules) associated with this
policy.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Policy/{PolicyId}/PrivilegedCommands
Type String
Description The ID of the policy for which the privileged commands will be listed.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
Parameter PolicyId
Type text
Result
{
"ListPolicyPrivilegedCommandsResult":
[
{"Command":"<command>",
"CommandGroup":"<true/false>",
"Id":"<number>",
"Type":"<Policy/Account>",
"IsGroup":"<true/false>",
"PermissionType":"<Allow/Deny>",
"PolicyId":"<policyID>",
"Restrictions":"<restrictions string, delimited by ;>",
"UserName":"<userName>"},
{…},
{…}
]
}
Return Codes
Status code 200
Description OK
Add Policy/ACL
This method adds a new privileged command rule to the policy.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Policy/{PolicyId}/PrivilegedCommands
Type String
Description The ID of the policy to which the new privileged command rule will be
added.
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"Command":"<Command>",
"CommandGroup":<true/false>,
"PermissionType":"<Allow/Deny>",
"Restrictions":"<Restrictions>",
"UserName":"<UserName>"
}
Parameter Command
Type text
Parameter CommandGroup
Type bool
Valid values True/False
Parameter PermissionType
Type text
Valid values Allow/Deny
Parameter PolicyId
Type text
Parameter Restrictions
Type text
Parameter UserName
Type text
Result
{
"AddPolicyPrivilegedCommandResult":
{
"Command":"<command>",
"CommandGroup":"<true/false>",
"Id":"<number>",
"IsGroup":"<true/false>",
"Type":"<Policy/Account>",
"PermissionType":"<Allow/Deny>",
"PolicyId":"<policyID>",
"Restrictions":"<restrictions string, delimited by ;>",
"UserName":"<userName>"}
}
Return Codes
Status code 201
Delete Policy/ACL
This method deletes all privileged command rules associated with the policy.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Policy/{PolicyId}/PrivilegedCommands/{Id}
Type String
Description The ID of the policy from which the privileged commands will be deleted.
Parameter Id
Type String
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
Parameter PolicyId
Type text
Parameter Id
Type number
Result
None
Return Codes
Status code 204 (empty content)
Account/ACL
List Account/ACL
This method gets a list of the privileged commands (OPM rules) associated with this account.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Account/{AccountAddress}|{AccountUserName}|{AccountPolicyId}/PrivilegedCommands
Type String
Description The address of the account whose privileged commands will be listed.
Parameter AccountUserName
Type String
Parameter AccountPolicyId
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"ListAccountPrivilegedCommandsResult":
[
{"Command":"<command>",
"CommandGroup":"<true/false>",
"Id":"<number>",
"Type":"<Policy/Account>",
"IsGroup":"<true/false>",
"PermissionType":"<Allow/Deny>",
"PolicyId":"<policyID>",
"Restrictions":"<restrictions string, delimited by ;>",
"UserName":"<userName>"},
{…},
{…}
]
}
Return Codes
Status code 200
Description OK
Add Account/ACL
This method adds a new privileged command rule to the account.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Account/{AccountAddress}|{AccountUserName}|{AccountPolicyId}/PrivilegedCommands
Type String
Description The address of the account to which a new privileged command will be
added.
Parameter AccountUserName
Type String
Parameter AccountPolicyId
Type String
Resource Information
HTTP method PUT
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"Command":"<Command>",
"CommandGroup":<true/false>,
"PermissionType":"<Allow/Deny>",
"Restrictions":"<Restrictions>",
"UserName":"<UserName>"
}
Parameter AccountPolicyId
Type text
Valid values -
Parameter AccountAddress
Type text
Parameter AccountUserName
Type text
Parameter Command
Type text
Parameter CommandGroup
Type bool
Valid values True/False
Parameter PermissionType
Type text
Valid values Allow/Deny
Parameter Restrictions
Type text
Parameter UserName
Type text
Result
{
"AddAccountPrivilegedCommandResult":
{
"Command":"<command>",
"CommandGroup":"<true/false>",
"Id":"<number>",
"IsGroup":"<true/false>",
"Type":"<Policy/Account>",
"PermissionType":"<Allow/Deny>",
"PolicyId":"<policyID>",
"Restrictions":"<restrictions string, delimited by ;>",
"UserName":"<userName>"}
}
Return Codes
Status code 201
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Account/{AccountAddress}|{AccountUserName}|{AccountPolicyId}/PrivilegedCommands/{id}
Type String
Description The address of the account for which the privileged command will be
deleted.
Parameter AccountUserName
Type String
Parameter AccountPolicyID
Type String
Parameter Id
Type String
Resource Information
HTTP method GET/POST/PUT/DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 204 (empty content)
Onboarding Rules
Note:
Before you run this API, do the following:
Create the Safe and the reconcile account according to the rule’s definition.
Associate the reconcile account with the platform that is defined in the rule.
Make sure that the user whose credentials will be used for this session is a member of
the Safe specified in the TargetSafeName parameter with the Add accounts
permission.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/AutomaticOnboardingRules
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method, encoded in BASE 64.
Body parameters
{
"TargetPlatformId": "<platform ID>",
"TargetSafeName": "<Safe name>",
"IsAdminIDFilter": <False>,
"MachineTypeFilter": "<Server>",
"SystemTypeFilter": "<Windows>",
"UserNameFilter": "<filter>",
"UserNameMethod": "<Begins>",
"AddressFilter": "<filter>",
"AddressMethod": "<Equals>",
"AccountCategoryFilter": "<Any>",
"RuleName": "<rule name>",
"RuleDescription": "<description>"
}
Type String
Description The ID of the platform that the onboarded account will be associated with.
Default -
Type String
Description The name of the Safe where the onboarded account will be stored.
Default -
Parameter IsAdminIDFilter
Type Boolean
Description Whether or not only accounts with the following admin ID will be onboarded
automatically according to this rule.
Unix accounts whose UID is 0
Windows accounts whose SID ends with 500
If this value is set to false, the admin ID will not be considered and all
accounts matching the rule will be onboarded.
Valid values true/false
Default false
Parameter MachineTypeFilter
Type String
Valid values Any/Workstation/Server
Default Any
Type String
Default -
Parameter UserNameFilter
Type String
Default -
Parameter UserNameMethod
Type String
Description The method to use when applying the username filter (Equals / Begins with
/ Ends with). This parameter is ignored if UserNameFilter is not specified.
Valid values Equals/Begins/Ends
Default Equals
Parameter AddressFilter
Type String
Description The IP address or DNS domain name of the machine by which to filter.
Default -
Parameter AddressMethod
Type String
Description The method to use when applying the address filter (Equals / Begins with /
Ends with). This parameter is ignored if AddressFilter is not specified.
Valid values Equals/Begins/Ends
Default Equals
Parameter AccountCategoryFilter
Type String
Valid values Any/Privileged/Non-privileged
Default Any
Parameter RuleName
Type String
Parameter RuleDescription
Type String
Default -
Return Codes
Status code 201
Description Conflict (if a rule exists with identical filters or the same rule name)
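A pre-flight review of an onboarding rule body, as an added example that is not CyberArk's own code: it checks the body against the valid values listed above, reports method parameters that will be ignored, and approximates locally which discovered accounts the rule would catch. The discovered-account field names, the case-insensitive comparison, the treatment of the two target fields as required and the sample data are assumptions.

```python
# Valid values as listed in the guide for the rule body.
ENUMS = {
    "MachineTypeFilter": {"Any", "Workstation", "Server"},
    "UserNameMethod": {"Equals", "Begins", "Ends"},
    "AddressMethod": {"Equals", "Begins", "Ends"},
    "AccountCategoryFilter": {"Any", "Privileged", "Non-privileged"},
}
# (filter parameter, method parameter, hypothetical discovered-account field)
TEXT_FILTERS = (
    ("UserNameFilter", "UserNameMethod", "username"),
    ("AddressFilter", "AddressMethod", "address"),
)


def validate_rule(rule):
    """Return a list of findings for a rule body before it is sent."""
    findings = []
    for field in ("TargetPlatformId", "TargetSafeName"):
        if not rule.get(field):  # treated as required here (assumption)
            findings.append(f"error: {field} is missing")
    for field, allowed in ENUMS.items():
        if field in rule and rule[field] not in allowed:
            findings.append(f"error: {field}={rule[field]!r} is not a valid value")
    if not isinstance(rule.get("IsAdminIDFilter", False), bool):
        findings.append("error: IsAdminIDFilter must be true or false")
    for filt, method, _ in TEXT_FILTERS:
        if method in rule and not rule.get(filt):
            findings.append(f"warning: {method} is ignored because {filt} is not specified")
    narrowed = (
        rule.get("IsAdminIDFilter") is True
        or rule.get("UserNameFilter") or rule.get("AddressFilter")
        or rule.get("SystemTypeFilter")
        or rule.get("MachineTypeFilter", "Any") != "Any"
        or rule.get("AccountCategoryFilter", "Any") != "Any"
    )
    if not narrowed:
        findings.append("warning: no filter set, so every discovered account matches")
    return findings


def is_admin_id(account):
    """Admin ID as the guide defines it: Unix UID 0 or a Windows SID ending with 500."""
    if account.get("uid") is not None:
        return account["uid"] == 0
    # Match the final SID component so that a value such as 1500 is not counted.
    return str(account.get("sid", "")).endswith("-500")


def _text_match(method, pattern, value):
    pattern, value = pattern.lower(), value.lower()  # case-insensitive: assumption
    if method == "Begins":
        return value.startswith(pattern)
    if method == "Ends":
        return value.endswith(pattern)
    return value == pattern


def rule_matches(rule, account):
    """Local approximation of the rule's filters against one discovered account."""
    if rule.get("IsAdminIDFilter", False) and not is_admin_id(account):
        return False
    for param, key in (("MachineTypeFilter", "machine_type"),
                       ("AccountCategoryFilter", "category")):
        wanted = rule.get(param, "Any")
        if wanted != "Any" and account.get(key) != wanted:
            return False
    if rule.get("SystemTypeFilter") and account.get("system_type") != rule["SystemTypeFilter"]:
        return False
    for filt, method, key in TEXT_FILTERS:
        if rule.get(filt) and not _text_match(rule.get(method, "Equals"),
                                              rule[filt], account.get(key, "")):
            return False
    return True


def matching_accounts(rule, accounts):
    return [a["username"] for a in accounts if rule_matches(rule, a)]


# Constructed sample rule and discovered accounts.
SAMPLE_RULE = {
    "TargetPlatformId": "WinDesktopLocal", "TargetSafeName": "WindowsAccountsSafe",
    "IsAdminIDFilter": True, "MachineTypeFilter": "Server",
    "SystemTypeFilter": "Windows", "UserNameFilter": "adm",
    "UserNameMethod": "Begins", "RuleName": "Server local admins",
}
SAMPLE_ACCOUNTS = [
    {"username": "Administrator", "address": "10.10.1.5", "machine_type": "Server",
     "system_type": "Windows", "sid": "S-1-5-21-1111-2222-3333-500"},
    {"username": "adm_backup", "address": "10.10.1.5", "machine_type": "Server",
     "system_type": "Windows", "sid": "S-1-5-21-1111-2222-3333-1500"},
    {"username": "admin", "address": "10.10.2.9", "machine_type": "Workstation",
     "system_type": "Windows", "sid": "S-1-5-21-4444-5555-6666-500"},
]

if __name__ == "__main__":
    print(validate_rule(SAMPLE_RULE), matching_accounts(SAMPLE_RULE, SAMPLE_ACCOUNTS))
```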
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/AutomaticOnboardingRules/{id}
Type Number
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method, encoded in BASE 64.
Body parameters
None
Return Codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/AutomaticOnboardingRules/{?name=<rulename1,rulename2,...>}
Type String
Description A filter that specifies the rule name. Separate a list of names with commas.
If none of the specified rules exist, the API returns an empty list.
If a value for this parameter is not specified, the API returns all of the rules.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method, encoded in BASE 64.
Body parameters
None
Result
{
"AutomaticOnboardingRules": [
{
"RuleId": <ID>,
"RuleName": "<rule name>",
"TargetPlatformId": "<platform ID>",
"TargetDeviceType": "<device type>",
"TargetSafeName": "<Safe name>",
"IsAdminIDFilter": <filter>,
"MachineTypeFilter": "<filter>",
"SystemTypeFilter": "<filter>",
"UserNameFilter": "<filter>",
"CreationTime": <time>,
"RulePrecedence": <precedence>,
"UserNameMethod": "<Equals>",
"AddressFilter": "<filter>",
"AddressMethod": "<Equals>",
"AccountCategoryFilter": "<Any>",
"RuleDescription": "<description>",
"LastOnboardedTime": <time>
},
],
"Total": <number>
}
Parameter RuleId
Type Number
Parameter RuleName
Type String
Description Name of the rule. This is either auto-generated or specified by the user when
the rule is created.
Parameter TargetPlatformId
Type String
Description The ID of the platform that the onboarded account will be associated with.
Parameter TargetDeviceType
Type String
Parameter TargetSafeName
Type String
Description The name of the Safe where the onboarded account will be stored.
Security requirement: If the user is not an owner of the Safe, a null string will
be returned.
Parameter IsAdminIDFilter
Type Boolean
Description Whether or not only accounts with the following admin ID will be onboarded
automatically according to this rule.
Unix accounts whose UID is 0
Windows accounts whose SID ends with 500
If this value is set to false, the admin ID will not be considered and all
accounts matching the rule will be onboarded.
Parameter MachineTypeFilter
Type String
Parameter SystemTypeFilter
Type String
Parameter UserNameFilter
Type String
Parameter CreationTime
Type Time
Description The date and time when the rule was created.
Parameter RulePrecedence
Type Number
Parameter UserNameMethod
Type String
Parameter AddressFilter
Type String
Description The IP address or DNS domain name of the machine by which to filter.
Parameter AddressMethod
Type String
Parameter AccountCategoryFilter
Type String
Parameter RuleDescription
Type String
Parameter LastOnboardedTime
Type Time
Description The last time that an account was successfully onboarded using this rule.
Return Codes
Status code 200
My Requests
Create a Request
This method creates an access request for a specific account. This account may be either
a password account or an SSH Key account.
URL
Note:
Make sure there are no spaces in the URL.
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Body parameters
{
"accountId": "<Account id>",
"reason":"<Reason>",
"TicketingSystemName": "<Ticketing system>",
"TicketId": "<Ticketid>",
"ConnectionComponent":"<Connection component id>",
"MultipleAccessRequired":<true\false>,
"FromDate":<0-max integer>,
"ToDate":<0-max integer>,
"AdditionalInfo":
{
"<Additional Info name>":"<Additional Info value>",
"<Additional Info name>":"<Additional Info value>"
},
"UseConnect":<true\false>,
"ConnectionParams":
{
"<Connection parameter name>":
{
"value":"<Connection parameter value>",
"ShouldSave":<true\false>
},
"<Connection parameter name>":
{
"value":"<Connection parameter value>",
"ShouldSave":<true\false>
}
}
}
Type String
Parameter Reason
Type String
Parameter TicketingSystemName
Type String
Parameter TicketID
Type String
Parameter MultipleAccess
Type Boolean
Parameter FromDate
Type Integer
Description If the request is for a timeframe, the time from when the user wants to
Parameter ToDate
Type Integer
Description If the request is for a timeframe, the time until when the user wants to
access the account, in Unix time.
Parameter AdditionalInfo
Description Additional information included in the request. A list of values that are
predefined in configuration.
Parameter UseConnect
Type Boolean
Description Whether or not the request is for connection through the PSM.
Parameter ConnectionComponent
Type String
Description If the connection is through PSM, the name of the connection component to
connect with, as defined in the configuration.
Parameter ConnectionParams
Type List
Connection Parameters
Parameter value
Type String
Valid values Text
Default -
Parameter ShouldSave
Type Boolean
Description Whether or not this value will be saved with the account for future attempts
to connect to the remote machine.
Valid values true/false
Default false
Result
{
"RequestID":"<ID>",
"SafeName":"<Safe>",
"RequestorUserName":"<username>",
"RequestorReason":"(Ticket ID=<ticketid>)(Ticketing System=<ticketing system>) (Emergency=<true/false>)(RefNo=<number>) (PSMRemoteMachine=<machine>) <reason>",
"UserReason":"<reason>",
"CreationDate":<time/date>,
"Operation": "<operation>",
"ExpirationDate":<time/date>,
"OperationType":<operation>,
"AccessType":"<type>",
"ConfirmationsLeft":<number>,
"AccessFrom":<time/date>,
"AccessTo":<time/date>,
"Status":<status>,
"StatusTitle":"<title>",
"InvalidRequestReason":<number>,
"CurrentConfirmationLevel":<number>,
"RequiredConfirmersCountLevel2":<number>,
"TicketingSystemProperties":{
"Name":"name",
"Number":"<number>",
"Status":"<number>"
},
"AdditionalInfo":{},
"AccountDetails":{
"AccountID":"<id>",
"Properties":{
"Address":"<address>",
"Safe":"<safe>",
"Folder":"<folder>",
"Name":"<accountname>",
"PolicyID":"<policy>",
"PlatformName":"<platform>",
"DeviceType":"<device>",
"LastVerifiedDate":"<date/time>",
"LastModifiedDate":"<date/time>",
"LastModifiedBy":"<user>",
"LastUsedDate":"<date/time>",
"LastUsedBy":"<username>",
"Username":"<username>",
"LockedBy":"<username>",
"CPMDisabled":"<reason>",
"CPMStatus":"<status>",
"ManagedByCPM":"<True/False>",
"DeletedBy":"<username>",
"DeletionDate":"<date/time>",
"ImmediateCPMTask":"<string>",
"LastCPMTask":"<string>",
"CreationDate":"<date/time>",
"IsSSHKey":"<true/false>",
"CreationMethod":"<string>",
"CPMErrorDetails":"<error>",
"RetriesCount":"<number>",
"LastFailDate":"<date/time>",
"LastTask":"<task>"
}
},
"Confirmers":[
{
"Type":<type>,
"ID":<id>,
"Name":"<name>",
"Action":<number>,
"Reason":"<reason>",
"ActionDate":<date/time>,
"AdditionalDetails":{},
"Members":null
}
]
}
Parameter RequestID
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Parameter SafeName
Type Text
Description The name of the Safe where the account being requested is stored.
Parameter RequestorUserName
Type Text
Parameter RequestorReason
Type Text
Description The requestor's reason for accessing the account, and any additional
information.
Parameter Ticket ID
Type Text
Type Text
Parameter Emergency
Type Boolean
Parameter RefNo
Type Integer
Parameter PSMRemoteMachine
Type Text
Description The address of the remote machine to access using the account in this
request.
Parameter UserReason
Type Text
Description The reason given by the user for accessing the account in this request.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter Operation
Type Text
Description The operation that will be performed with the account in this request.
Parameter ExpirationDate
Type Integer
Description The time when the request will expire, in Unix time.
Parameter OperationType
Type Integer
Parameter AccessType
Type Text
Parameter ConfirmationsLeft
Type Integer
Description The number of confirmers who still need to respond to the request.
Parameter AccessFrom
Type Integer
Description The time from when the account is needed, in Unix time.
Parameter AccessTo
Type Integer
Description The time until when the account is needed, in Unix time.
Parameter Status
Type Integer
Parameter StatusTitle
Type Text
Parameter InvalidRequestReason
Type Integer
Description If the request is invalid, this indicates what caused it to become invalid:
0 - None
1 - Expired
2 - Already been used
4 - Missing supervisors
8 - Confirmation settings have changed
16 - Object has been deleted
32 - Incompatible client version
64 - Access time expired
128 - Rejected
Parameter CurrentConfirmationLevel
Type Integer
Parameter RequiredConfirmersCountLevel2
Type Integer
TicketingSystemProperties
Parameter Name
Type Text
Parameter Number
Type Integer
Parameter Status
Type Integer
AdditionalInfo
AccountDetails
Parameter AccountID
Type Text
Properties
Parameter Address
Type Text
Description The address of the machine where the account is used (IP or machine
name).
Parameter Safe
Type Text
Parameter Folder
Type Text
Parameter Name
Type Text
Parameter PolicyID
Type Text
Parameter PlatformName
Type Text
Parameter DeviceType
Type Text
Parameter LastVerifiedDate
Type Date/time
Parameter LastModifiedDate
Type Date/time
Parameter LastModifiedBy
Type Text
Description The name of the user who last modified the account specified in this
request.
Parameter LastUsedDate
Type Date/time
Description The last time when the account specified in this request was used.
Parameter LastUsedBy
Type Text
Description The name of the last user who accessed the account specified in this
request.
Parameter Username
Type Text
Description The name of the last user who accessed the account specified in this
request.
Parameter LockedBy
Type Text
Description If the account specified in this request is locked, the name of the user
locking it.
Parameter CPMDisabled
Type Text
Parameter CPMStatus
Type Text
Description The status of CPM management for the account specified in this request.
Parameter ManagedByCPM
Type Boolean
Description Whether or not the account specified in this request is managed by the
CPM.
Parameter DeletedBy
Type Text
Description The name of the user who deleted the account specified in this request.
Parameter DeletionDate
Type Date/time
Description The time when the account specified in this request was deleted.
Parameter ImmediateCPMTask
Type Text
Description If the account is flagged for an immediate CPM task, the task that will be
performed.
Parameter LastCPMTask
Type Text
Description The last CPM task that was performed on the account specified in the
request.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter IsSSHKey
Type Boolean
Parameter CreationMethod
Type Text
Parameter CPMErrorDetails
Type Text
Description Details of any CPM errors that were issued for this account.
Parameter RetriesCount
Type Integer
Description The number of times that this account tried to log on to a remote machine.
Parameter LastFailDate
Type Date/time
Description The last time this account failed to log on to a remote machine.
Parameter LastTask
Type Text
Description The last task that this account was used for.
Confirmers
Parameter Type
Type Integer
Parameter ID
Type Integer
Parameter Name
Type Text
Parameter Action
Type Integer
Parameter Reason
Type Text
Parameter ActionDate
Type Integer
Description The time when the confirmer performed their action, in Unix time.
AdditionalDetails
Members
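Reading a request result for review, as an added example that is not CyberArk's own code: it splits the parenthesised fields of RequestorReason from the free-text reason, decodes InvalidRequestReason, converts the Unix-time fields and derives a review state. Treating InvalidRequestReason as a bit mask, the state names and the sample request are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# InvalidRequestReason values as listed in the guide. They are powers of two,
# so this example treats the field as a bit mask (an assumption).
INVALID_REASONS = {
    1: "Expired",
    2: "Already been used",
    4: "Missing supervisors",
    8: "Confirmation settings have changed",
    16: "Object has been deleted",
    32: "Incompatible client version",
    64: "Access time expired",
    128: "Rejected",
}
# One leading "(Key=value)" group of RequestorReason.
_PAIR = re.compile(r"\s*\(([^=()]+)=([^()]*)\)")


def decode_invalid_reason(value):
    """Return the reason names for an InvalidRequestReason value."""
    if value == 0:
        return ["None"]
    names = [name for bit, name in INVALID_REASONS.items() if value & bit]
    unknown = value & ~sum(INVALID_REASONS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def parse_requestor_reason(text):
    """Split the leading (Key=value) groups from the free-text reason."""
    fields, pos = {}, 0
    while (m := _PAIR.match(text, pos)):
        fields[m.group(1).strip()] = m.group(2).strip()
        pos = m.end()
    return fields, text[pos:].strip()


def utc(ts):
    """Unix time to an ISO 8601 UTC string; None or 0 means not set."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None


def summarize_request(req, now):
    """Condense one request object for review; `now` is Unix time."""
    fields, reason = parse_requestor_reason(req.get("RequestorReason", ""))
    invalid = decode_invalid_reason(req.get("InvalidRequestReason", 0))
    if invalid != ["None"]:
        state = "invalid"
    elif req.get("ConfirmationsLeft", 0) > 0:
        state = "awaiting confirmation"
    elif req.get("AccessTo") and now > req["AccessTo"]:
        state = "window closed"
    else:
        state = "open"
    return {
        "RequestID": req.get("RequestID"),
        "Requestor": req.get("RequestorUserName"),
        "Address": req.get("AccountDetails", {}).get("Properties", {}).get("Address"),
        "Emergency": fields.get("Emergency", "false").lower() == "true",
        "Ticket": fields.get("Ticket ID"),
        "Reason": reason,
        "AccessFrom": utc(req.get("AccessFrom")),
        "AccessTo": utc(req.get("AccessTo")),
        "InvalidReasons": invalid,
        "State": state,
    }


# Constructed sample request.
SAMPLE_REQUEST = {
    "RequestID": "UNIXAccountsSafe_7",
    "SafeName": "UNIXAccountsSafe",
    "RequestorUserName": "jdoe",
    "RequestorReason": "(Ticket ID=INC0012)(Ticketing System=ServiceDesk) "
                       "(Emergency=true)(RefNo=7) (PSMRemoteMachine=10.10.1.1) "
                       "patch window (approved)",
    "ConfirmationsLeft": 1,
    "AccessFrom": 1700000000,
    "AccessTo": 1700003600,
    "InvalidRequestReason": 0,
    "AccountDetails": {"AccountID": "42", "Properties": {"Address": "10.10.1.1"}},
}

if __name__ == "__main__":
    print(summarize_request(SAMPLE_REQUEST, now=1700000100))
```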
Get My Requests
This method returns a list of the end user's requests.
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/api/MyRequests?onlywaiting={bool}&expired={bool}
Type Boolean
Valid values true/false
Default false
Parameter Expired
Type Boolean
Valid values true/false
Default false
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"Requests": [
{
"RequestID": "<Request ID, SafeName_RequestID>",
"SafeName": "<Safe name>",
"RequestorUserName": "<Requestor user name>",
"RequestorReason": "<Requestor reason>",
"UserReason": "<User reason>",
"CreationDate": <Request creation date (Unix time)>,
"Operation" : <request operation description>,
"ExpirationDate": <Request expiration date (Unix time)>,
"OperationType": <Which operation was requested>,
"AccessType": "< OneTime\Multiple Access>",
"ConfirmationsLeft": <How many confirmers are still needed>,
"AccessFrom": <When the access time frame starts(Unix time)>,
"AccessTo": <When the access time frame ends (Unix time)>,
"Status": <Request Status>,
"StatusTitle": <Request Status description>,
"InvalidRequestReason": <Why request become invalid>,
"CurrentConfirmationLevel": <The request confirmation level>,
"RequiredConfirmersCountLevel2": <Level 2 confirmers that are still needed>,
"TicketingSystemProperties": {
"Name": "<Ticketing system name>",
"Number": <Ticket number>,
"Status": <1/2/3>
},
"AdditionalInfo": {
"Reference No": "<???>",
"Emergency": "<Is it an emergency request>"
},
"AccountDetails": {
"AccountID": "<Internal account ID>",
"Properties": {
"Name": "<Account name in the vault>",
"Folder": "<Folder>",
"Safe": "<Safe>",
"Address": "<Address, can be IP or machine name>",
"UserName": "<User name>",
"LastUsedDate": "<Account last used date >"
}
}
…
]
}
Parameter RequestID
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Parameter SafeName
Type Text
Description The name of the Safe where the account being requested is stored.
Parameter RequestorUserName
Type Text
Parameter RequestorReason
Type Text
Description The requestor's reason for accessing the account, and any additional
information.
Parameter UserReason
Type Text
Description The reason why the user is requesting access to the account.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter Operation
Type Text
Parameter ExpirationDate
Type Integer
Description The time when the request will expire, in Unix time.
Parameter OperationType
Type Integer
Parameter AccessType
Type Text
Parameter ConfirmationsLeft
Type Integer
Description The number of confirmers who still need to respond to the request.
Parameter AccessFrom
Type Integer
Description The time from when the account is needed, in Unix time.
Parameter AccessTo
Type Integer
Description The time until when the account is needed, in Unix time.
Parameter Status
Type Integer
Parameter StatusTitle
Type Text
Parameter InvalidRequestReason
Type Integer
Description If the request is invalid, this indicates what caused it to become invalid:
0 - None
1 - Expired
2 - Already been used
4 - Missing supervisors
8 - Confirmation settings have changed
16 - Object has been deleted
32 - Incompatible client version
64 - Access time expired
128 - Rejected
Parameter CurrentConfirmationLevel
Type Integer
Parameter RequiredConfirmersCountLevel2
Type Integer
TicketingSystemProperties
Parameter Name
Type Text
Parameter Number
Type Integer
Parameter Status
Type Integer
AdditionalInfo
Parameter Reference No
Type Integer
Parameter Emergency
Type Boolean
AccountDetails
Parameter AccountID
Type Text
Properties
Parameter Name
Type Text
Parameter Folder
Type Text
Parameter Safe
Type Text
Parameter Address
Type Text
Description The address of the machine where the account is used (IP or machine
name).
Parameter UserName
Type Text
Description The name of the user who will use the account.
Parameter LastUsedDate
Type Integer
Description The last time the account was used, in Unix time.
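The following added example (not part of the CyberArk guide) reads a Get My Requests response body, decodes InvalidRequestReason and converts the Unix-time fields. It assumes the InvalidRequestReason values combine as bit flags, because each listed value is a power of two; the state labels and the sample response are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# InvalidRequestReason values from the parameter table above.
INVALID_REASONS = {
    1: "Expired",
    2: "Already been used",
    4: "Missing supervisors",
    8: "Confirmation settings have changed",
    16: "Object has been deleted",
    32: "Incompatible client version",
    64: "Access time expired",
    128: "Rejected",
}


def decode_invalid_reason(value):
    """Names of the documented reasons present in value.

    Assumption: values combine as bit flags, since each is a power of two.
    Bits outside the documented table are reported, not silently dropped.
    """
    if value == 0:
        return ["None"]
    names = [name for bit, name in INVALID_REASONS.items() if value & bit]
    unknown = value & ~sum(INVALID_REASONS)
    if unknown:
        names.append(f"Unknown(0x{unknown:x})")
    return names


def to_utc(unix_seconds):
    """ISO 8601 UTC string for a Unix-time field, or None when it is unset."""
    if not unix_seconds:
        return None
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat()


def triage(response_text, now):
    """One summary row per request in a Get My Requests response body.

    now is a Unix timestamp supplied by the caller so results are repeatable.
    The state labels are this example's own, not values returned by the API.
    """
    rows = []
    for req in json.loads(response_text).get("Requests", []):
        reasons = decode_invalid_reason(req.get("InvalidRequestReason", 0))
        access_to = req.get("AccessTo")
        if reasons != ["None"]:
            state = "invalid"
        elif access_to and access_to < now:
            state = "window-closed"
        elif req.get("ConfirmationsLeft", 0) > 0:
            state = "waiting"
        else:
            state = "open"
        rows.append({
            "RequestID": req["RequestID"],
            "state": state,
            "reasons": reasons,
            "access_to": to_utc(access_to),
        })
    return rows


# Constructed sample response (not captured from a real Vault).
NOW = 1700000000  # 2023-11-14T22:13:20Z
SAMPLE_RESPONSE = json.dumps({"Requests": [
    {"RequestID": "LinuxSafe_12", "ConfirmationsLeft": 1,
     "InvalidRequestReason": 0, "AccessFrom": 1699990000, "AccessTo": 1700010000},
    {"RequestID": "LinuxSafe_13", "ConfirmationsLeft": 0,
     "InvalidRequestReason": 65, "AccessFrom": 1699900000, "AccessTo": 1699903600},
    {"RequestID": "WinSafe_7", "ConfirmationsLeft": 0,
     "InvalidRequestReason": 0, "AccessFrom": 1699999000, "AccessTo": 1700003600},
]})

if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, NOW):
        print(row)
```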
Delete My Request
This method deletes a request made by a user.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/myrequests/{RequestID}
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
}
Return Codes
Status code 204
Description No content
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/myrequests/{RequestID}
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"RequestorFullName": "<Requestor full name>",
"RequestID": "<request ID, SafeName_RequestID>",
"SafeName": "<Safe name>",
"RequestorUserName": "<Requestor user name>",
"RequestorReason": "<Requestor reason>",
"UserReason": "<User reason>",
"CreationDate": <Request creation date (Unix time)>,
"Operation" : <request operation description>,
"ExpirationDate": <Request expiration date (Unix time)>,
"OperationType": <Which operation was requested>,
"AccessType": "< OneTime\Multiple Access>",
"ConfirmationsLeft": <How many confirmers are still needed>,
"AccessFrom": <When the access time frame starts(Unix time)>,
"AccessTo": <When the access time frame ends (Unix time)>,
"Status": <Request Status>,
"StatusTitle": <Request Status description>,
"InvalidRequestReason": <Why request become invalid>,
"CurrentConfirmationLevel": <The request confirmation level>,
"RequiredConfirmersCountLevel2": <Level 2 confirmers that are still needed>,
"TicketingSystemProperties": {
"Name": "<Ticketing system name>",
"Number": <Ticket number>,
"Status": <1/2/3>
},
"AdditionalInfo": {
"Reference No": "<external reference number>",
"EmergencyIndication": "<Is it an emergency request>"
},
"AccountDetails": {
"AccountID": "<Full account id, SafeID_ObjectID>",
"Properties": {
"Name": "<Object name in the vault>",
"Folder": "<The object folder name in the vault >",
"Safe": "<The object safe name in the vault>",
"Address": "<The account address, IP or machine name>",
"UserName": "<The account name in the target machine>",
"LastUsedDate": "<Last used date of this account>"
}
},
"Confirmers": [
{
"Type": <User\Group>,
"ID": <Internal confirmer ID>,
"Name": "<Confirmer name>",
"Action": <Which action this user perform>,
Parameter RequestID
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Parameter SafeName
Type Text
Description The name of the Safe where the account being requested is stored.
Parameter RequestorUserName
Type Text
Parameter RequestorReason
Type Text
Description The requestor's reason for accessing the account, and any additional
information.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter ExpirationDate
Type Integer
Description The time when the request will expire, in Unix time.
Parameter OperationType
Type Integer
Parameter AccessType
Type Text
Parameter ConfirmationsLeft
Type Integer
Description The number of confirmers who still need to respond to the request.
Parameter AccessFrom
Type Integer
Description The time from when the account is needed, in Unix time.
Parameter AccessTo
Type Integer
Description The time until when the account is needed, in Unix time.
Parameter Status
Type Integer
Parameter StatusTitle
Type Text
Parameter InvalidRequestReason
Type Integer
Description If the request is invalid, this indicates what caused it to become invalid:
0 - None
1 - Expired
2 - Already been used
4 - Missing supervisors
8 - Confirmation settings have changed
Parameter CurrentConfirmationLevel
Type Integer
Parameter RequiredConfirmersCountLevel2
Type Integer
TicketingSystemProperties
Parameter Name
Type Text
Parameter Number
Type Integer
Parameter Status
Type Integer
AdditionalInfo
Parameter Reference No
Type Integer
Parameter Emergency
Type Boolean
AccountDetails
Parameter AccountID
Type Text
Properties
Parameter Name
Type Text
Parameter Folder
Type Text
Parameter Safe
Type Text
Parameter Address
Type Text
Description The address of the machine where the account is used (IP or machine
name).
Parameter UserName
Type Text
Description The name of the user who will use the account.
Parameter LastUsedDate
Type Integer
Description The last time the account was used, in Unix time.
Confirmers
Parameter Type
Type Integer
Parameter ID
Type Integer
Parameter Name
Type Text
Parameter Action
Type Integer
1 – Confirm
2 – None
Parameter Reason
Type Text
Parameter ActionDate
Type Integer
Description The time when the confirmer performed their action, in Unix time.
AdditionalDetails
Parameter FullName
Type Text
Parameter Email
Type Text
Parameter Phone
Type Text
Members
Parameter UserID
Type Integer
Parameter UserName
Type Text
AdditionalDetails
Parameter FullName
Type Text
Parameter Email
Type Text
Parameter Phone
Type Text
Confirm Requests
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/IncomingRequests?onlywaiting={bool}&expired={bool}
Type Boolean
Valid values true/false
Default false
Parameter Expired
Type Boolean
Valid values true/false
Default false
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"IncomingRequests": [
{
"RequestorFullName": "<Requestor full name>",
"RequestID": "<Request ID, SafeName_RequestID>",
"SafeName": "<Safe name>",
"RequestorUserName": "<Requestor user name>",
"RequestorReason": "<Requestor reason>",
"UserReason": "<User reason>",
"CreationDate": <Request creation date (Unix time)>,
"Operation" : <request operation description>,
"ExpirationDate": <Request expiration date (Unix time)>,
"OperationType": <Which operation was requested>,
"AccessType": "< OneTime\Multiple Access>",
"ConfirmationsLeft": <How many confirmers are still needed>,
"AccessFrom": <When the access time frame starts(Unix time)>,
"AccessTo": <When the access time frame ends (Unix time)>,
"Status": <Request Status>,
"StatusTitle": <Request Status description>,
"InvalidRequestReason": <Why request become invalid>,
"CurrentConfirmationLevel": <The request confirmation level>,
"RequiredConfirmersCountLevel2": <Level 2 confirmers that are still needed>,
"TicketingSystemProperties": {
"Name": "<Ticketing system name>",
"Number": <Ticket number>,
"Status": <1/2/3>
},
"AdditionalInfo": {
"Reference No": "<???>",
"Emergency": "<Is it an emergency request>"
},
"AccountDetails": {
"AccountID": "<Internal account ID>",
"Properties": {
"Name": "<Account name in the vault>",
"Folder": "<Folder>",
"Safe": "<Safe>",
"Address": "<Address, can be IP or machine name>",
"UserName": "<User name>",
"LastUsedDate": "<Account last used date >"
}
}
…
]
Parameter RequestorFullName
Type Text
Parameter RequestID
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Parameter SafeName
Type Text
Description The name of the Safe where the account being requested is stored.
Parameter RequestorUserName
Type Text
Parameter RequestorReason
Type Text
Description The requestor's reason for accessing the account, and any additional
information.
Parameter UserReason
Type Text
Description The reason why the user is requesting access to the account.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter Operation
Type Text
Parameter ExpirationDate
Type Integer
Description The time when the request will expire, in Unix time.
Parameter OperationType
Type Integer
Parameter AccessType
Type Text
Parameter ConfirmationsLeft
Type Integer
Description The number of confirmers who still need to respond to the request.
Parameter AccessFrom
Type Integer
Description The time from when the account is needed, in Unix time.
Parameter AccessTo
Type Integer
Description The time until when the account is needed, in Unix time.
Parameter Status
Type Integer
Parameter StatusTitle
Type Text
Parameter InvalidRequestReason
Type Integer
Description If the request is invalid, this indicates what caused it to become invalid:
0 - None
1 - Expired
2 - Already been used
4 - Missing supervisors
8 - Confirmation settings have changed
16 - Object has been deleted
32 - Incompatible client version
64 - Access time expired
128 - Rejected
Parameter CurrentConfirmationLevel
Type Integer
Parameter RequiredConfirmersCountLevel2
Type Integer
TicketingSystemProperties
Parameter Name
Type Text
Parameter Number
Type Integer
Parameter Status
Type Integer
AdditionalInfo
Parameter Reference No
Type Integer
Parameter Emergency
Type Boolean
AccountDetails
Parameter AccountID
Type Text
Properties
Parameter Name
Type Text
Parameter Folder
Type Text
Parameter Safe
Type Text
Parameter Address
Type Text
Description The address of the machine where the account is used (IP or machine
name).
Parameter UserName
Type Text
Description The name of the user who will use the account.
Parameter LastUsedDate
Type Integer
Description The last time the account was used, in Unix time.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/incomingrequests/{requestID}
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Body parameters
None
Result
{
"RequestorFullName": "<Requestor full name>",
"RequestID": "<request ID, SafeName_RequestID>",
"SafeName": "<Safe name>",
"RequestorUserName": "<Requestor user name>",
"RequestorReason": "<Requestor reason>",
"UserReason": "<User reason>",
"CreationDate": <Request creation date (Unix time)>,
"Operation" : <request operation description>,
"ExpirationDate": <Request expiration date (Unix time)>,
"OperationType": <Which operation was requested>,
"AccessType": "< OneTime\Multiple Access>",
"ConfirmationsLeft": <How many confirmers are still needed>,
"AccessFrom": <When the access time frame starts(Unix time)>,
"AccessTo": <When the access time frame ends (Unix time)>,
"Status": <Request Status>,
"StatusTitle": <Request Status description>,
"InvalidRequestReason": <Why request become invalid>,
"CurrentConfirmationLevel": <The request confirmation level>,
"RequiredConfirmersCountLevel2": <Level 2 confirmers that are still needed>,
"TicketingSystemProperties": {
"Name": "<Ticketing system name>",
"Number": <Ticket number>,
"Status": <1/2/3>
},
"AdditionalInfo": {
"Reference No": "<external reference number>",
"EmergencyIndication": "<Is it an emergency request>"
},
"AccountDetails": {
"AccountID": "<Full account id, SafeID_ObjectID>",
"Properties": {
"Name": "<Object name in the vault>",
"Folder": "<The object folder name in the vault >",
"Safe": "<The object safe name in the vault>",
"Address": "<The account address, IP or machine name>",
"UserName": "<The account name in the target machine>",
"LastUsedDate": "<Last used date of this account>"
}
},
"Confirmers": [
{
"Type": <User\Group>,
"ID": <Internal confirmer ID>,
"Name": "<Confirmer name>",
"Action": <Which action this user perform>,
Parameter RequestorFullName
Type Text
Parameter RequestID
Type Text
Description The request's unique ID, composed of the SafeName and internal
RequestID.
Parameter SafeName
Type Text
Description The name of the Safe where the account being requested is stored.
Parameter RequestorUserName
Type Text
Parameter RequestorReason
Type Text
Description The requestor's reason for accessing the account, and any additional
information.
Parameter CreationDate
Type Integer
Description The time when the request was created, in Unix time.
Parameter ExpirationDate
Type Integer
Description The time when the request will expire, in Unix time.
Parameter OperationType
Type Integer
Parameter AccessType
Type Text
Parameter ConfirmationsLeft
Type Integer
Description The number of confirmers who still need to respond to the request.
Parameter AccessFrom
Type Integer
Description The time from when the account is needed, in Unix time.
Parameter AccessTo
Type Integer
Description The time until when the account is needed, in Unix time.
Parameter Status
Type Integer
Parameter StatusTitle
Type Text
Parameter InvalidRequestReason
Type Integer
Description If the request is invalid, this indicates what caused it to become invalid:
0 - None
1 - Expired
2 - Already been used
4 - Missing supervisors
8 - Confirmation settings have changed
16 - Object has been deleted
32 - Incompatible client version
64 - Access time expired
128 - Rejected
Parameter CurrentConfirmationLevel
Type Integer
Parameter RequiredConfirmersCountLevel2
Type Integer
TicketingSystemProperties
Parameter Name
Type Text
Parameter Number
Type Integer
Parameter Status
Type Integer
AdditionalInfo
Parameter Reference No
Type Integer
Parameter EmergencyIndication
Type Boolean
AccountDetails
Parameter AccountID
Type Text
Properties
Parameter Name
Type Text
Parameter Folder
Type Text
Parameter Safe
Type Text
Parameter Address
Type Text
Description The address of the machine where the account is used (IP or machine
name).
Parameter UserName
Type Text
Description The name of the user who will use the account.
Parameter LastUsedDate
Type Integer
Description The last time the account was used, in Unix time.
Confirmers
Parameter Type
Type Integer
Parameter ID
Type Integer
Parameter Name
Type Text
Parameter Action
Type Integer
Parameter Reason
Type Text
Parameter ActionDate
Type Integer
Description The time when the confirmer performed their action, in Unix time.
AdditionalDetails
Parameter FullName
Type Text
Parameter Email
Type Text
Parameter Phone
Type Text
Members
Parameter UserID
Type Integer
Parameter UserName
Type Text
AdditionalDetails
Parameter FullName
Type Text
Parameter Email
Type Text
Parameter Phone
Type Text
Confirm Request
This method enables a request confirmer to confirm a single request, identified by its
request ID.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
Type Text
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"Reason": "<Confirmer reason>"
}
Parameter Reason
Type Text
Result
{
}
Return Codes
Status code 200
Reject Request
This method enables a request confirmer to reject a single request, identified by its
request ID.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
Type Text
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"Reason": "<Confirmer reason>"
}
Parameter Reason
Type Text
Result
{
}
Return Codes
Status code 200
Connections
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/api/Accounts/{accountId}/PSMConnect
Type String
Description The unique ID of the account to retrieve and use to connect to the target
system through PSM.
Resource information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Parameter Accept
Type String
Description PVWA configuration | Optional values | Connection method
Note:
Returns the HTML5 connection data. PSMGW must be configured before using this
REST API in order to receive a PSMGW response.
Body parameters
{
"reason":"<Reason>",
"TicketingSystemName":"<Ticketing system>",
"TicketId":"<Ticketid>",
"ConnectionComponent":"<Connection component id>",
"ConnectionParams": {
"<Connection parameter name>": {
"value":"<Connection parameter value>",
"ShouldSave":<true\false>
},
"<Connection parameter name>": {
"value":"<Connection parameter value>",
"ShouldSave":<true\false>
}
}
}
Type String
Description The name of the connection component to connect with as defined in the
PVWA configuration
Parameter Reason
Type String
Parameter TicketingSystemName
Type String
Parameter TicketId
Type String
Parameter ConnectionParams
Type List
Example:
ConnectionParam:
{
LogonDomain:
{
value:"MyDomain",
ShouldSave:true
},
AllowMappingLocalDrives:
{
value: "Yes",
ShouldSave:false
}
}
Connection Parameters
Parameter value
Type String
Valid values Text
Default -
Parameter ShouldSave
Type Boolean
Description Whether or not this value will be saved with the account for future attempts
to connect to the remote machine.
Valid values true/false
Default false
Result
Response header
Parameter ConnectionMethod
Type Boolean
Description The method set in the ConnectionType parameter in the body parameters.
Values PSMGW
RDPFile
Response body
There are two possible responses, depending on the connection method.
RDP file
full address:s:<address>
server port:i:<port>
username:s:<username>
alternate shell:s:<username>
desktopwidth:i:<number>
desktopheight:i:<number>
screen mode id:i:<number>
redirectdrives:i:<number>
drivestoredirect:s:<string>
redirectsmartcards:i:<number>
EnableCredSspSupport:i:<number>
redirectcomports:i:<number>
remoteapplicationmode:i:<number>
use multimon:i:<number>
span monitors:i:<number>
PSMGW
{
"PSMGWURL": "<URL>",
"PSMGWRequest": "<Base64 Encoded Data>"
}
Parameter PSMGWURL
Type String
Description The full URL of the web server which serves the HTML5 service
Parameter PSMGWRequest
Type String
Description Base64 encoded data that is passed to the web server and is essential for
the actual web server HTML5 connection. This data is passed through the
web server HTTP Post request.
{
PSMGWRequest: <Base64Response>
}
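The two response forms described above can be told apart by the ConnectionMethod response header. The following added example (not code from the CyberArk guide) parses either form and lists which local-resource redirections an RDP file response enables, which is useful when reviewing what a connection component hands to the client. The sample bodies and host names are constructed.

```python
import base64
import binascii
import json

# Settings in the RDP template above that redirect local resources to the target.
REDIRECTION_KEYS = ("redirectdrives", "redirectsmartcards", "redirectcomports")


def parse_rdp(text):
    """Parse 'name:type:value' lines; values of type 'i' become int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            raise ValueError(f"not a name:type:value line: {line!r}")
        name, kind, value = parts
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings


def parse_psm_connect(connection_method, body):
    """Interpret a PSMConnect response using its ConnectionMethod header."""
    if connection_method == "PSMGW":
        data = json.loads(body)
        for key in ("PSMGWURL", "PSMGWRequest"):
            if key not in data:
                raise ValueError(f"PSMGW response lacks {key}")
        try:
            payload = base64.b64decode(data["PSMGWRequest"], validate=True)
        except binascii.Error:
            raise ValueError("PSMGWRequest is not valid Base64") from None
        return {"method": "PSMGW", "url": data["PSMGWURL"],
                "request_bytes": len(payload)}
    if connection_method == "RDPFile":
        settings = parse_rdp(body)
        enabled = [k for k in REDIRECTION_KEYS if settings.get(k, 0) != 0]
        return {"method": "RDPFile",
                "target": settings.get("full address"),
                "port": settings.get("server port"),
                "redirections": enabled,
                "drives": settings.get("drivestoredirect", "")}
    raise ValueError(f"unexpected ConnectionMethod: {connection_method!r}")


# Constructed sample responses (not captured from a real PVWA).
SAMPLE_RDP = """\
full address:s:psm.example.com
server port:i:3389
username:s:jdoe
alternate shell:s:constructed-value
desktopwidth:i:1024
desktopheight:i:768
redirectdrives:i:1
drivestoredirect:s:*
redirectsmartcards:i:0
redirectcomports:i:0
"""
SAMPLE_PSMGW = json.dumps({
    "PSMGWURL": "https://psmgw.example.com/",
    "PSMGWRequest": base64.b64encode(b"constructed-request").decode(),
})

if __name__ == "__main__":
    print(parse_psm_connect("RDPFile", SAMPLE_RDP))
    print(parse_psm_connect("PSMGW", SAMPLE_PSMGW))
```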
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/API/ConnectionComponents/Import
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"ImportFile": {zip file byte array}
}
Default -
Result
{
"ConnectionComponentID": "ConnectionComponentID"
}
Parameter ConnectionComponentID
Type String
Return Codes
Status code 201
Status code 400
Status code 403
Description Forbidden
The user creating the request must have the correct permissions, and must
be in the Vault Admins group
Status code 409
Description Conflict
Connection component already exists
Status code 500
Applications
List Applications
This method returns a list of all the applications in the Vault.
The user who runs this web service requires the following permission in the Vault:
■ Audit Users
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/
Type String
Parameter Location
Type String
Valid values Location
Default \
Parameter IncludeSublocations
Type Boolean
Description Whether or not the search will be performed in sublocations of the specified
location.
Valid values true/false
Default true
Example:
/PasswordVault/WebServices/PIMServices.svc/Applications?Location=%5CApplications&AppID=App-1
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"application": [
{
"AccessPermittedFrom":<string>,
"AccessPermittedTo":<string>,
"AllowExtendedAuthenticationRestrictions":<bool>,
"AppID":<string>,
"BusinessOwnerEmail":"<string>",
"BusinessOwnerFName":"<string>",
"BusinessOwnerLName":"<string>",
"BusinessOwnerPhone":"<string>",
"Description":"<string>",
"Disabled":<bool>,
"ExpirationDate":<string>,
"Location":"<string>"
}]
}
Return Codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
You cannot search for an application whose name includes @. To find these
applications, list all applications, then find the specific application in the returned
applications list.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/{AppID}
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"application": [
{
"AccessPermittedFrom":<string>,
"AccessPermittedTo":<string>,
"AllowExtendedAuthenticationRestrictions":<bool>,
"AppID":"<string>",
"BusinessOwnerEmail":"<string>",
"BusinessOwnerFName":"<string>",
"BusinessOwnerLName":"<string>",
"BusinessOwnerPhone":"<string>",
"Description":"<string>",
"Disabled":<bool>,
"ExpirationDate":<mm/dd/yyyy>,
"Location":"<string>"
}
]
}
Return Codes
Status code 200
Add Application
This method adds a new application to the Vault.
The user who adds this application requires the following permission in the Vault:
■ Manage Users
URL
Note:
Make sure there are no spaces in the URL.
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
"application":{
"AppID":"<application Name>",
"Description":"<description of the application>",
"Location":"<existing location from the Vault>",
"AccessPermittedFrom":<the hour that access is permitted to the application>,
"AccessPermittedTo":<the hour that access is permitted to the application>,
"ExpirationDate":<expiration date of the application>,
"Disabled":"<whether the application is disabled>",
"BusinessOwnerFName":"<business owner first name>",
"BusinessOwnerLName":"<business owner last name >",
"BusinessOwnerEmail":"<business owner email >",
Type String
Note:
Specify fewer than 128 characters.
Do not include ampersand (“&”).
Application names can include @, but a
search for applications cannot include
this character.
Parameter Description
Type String
Note:
Specify up to 29 characters.
Valid values -
Parameter Location
Type String
Note:
To insert a backslash in the location
path, use a double backslash.
Valid values -
Parameter AccessPermittedFrom
Type Integer
Valid values 0-23
Parameter AccessPermittedTo
Type Integer
Valid values 0-23
Parameter ExpirationDate
Type String
Valid values mm-dd-yyyy
Parameter Disabled
Type Boolean
Valid values true/false
Default false
Parameter BusinessOwnerFName
Type String
Note:
Specify up to 29 characters.
Valid values
Parameter BusinessOwnerLName
Type String
Valid values -
Parameter BusinessOwnerEmail
Type String
Valid values
Parameter BusinessOwnerPhone
Type String
Note:
Specify up to 24 characters.
Result
{
}
Return Codes
Status code 201
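The limits in the Add Application parameter notes above can be checked on the client before the request is sent. The following added example (not code from the CyberArk guide) does that and then serialises the body. It assumes the 128-character and ampersand note applies to AppID, whose parameter row is missing from this copy, and all sample values are constructed.

```python
import json
import re
from datetime import datetime

# Field length limits stated in the parameter notes above.
MAX_LENGTHS = {"Description": 29, "BusinessOwnerFName": 29, "BusinessOwnerPhone": 24}


def validate_application(app):
    """Check an 'application' dict; returns (errors, warnings) as lists of str."""
    errors, warnings = [], []
    app_id = app.get("AppID", "")
    # Assumption: the 128-character / no-ampersand note describes AppID.
    if len(app_id) >= 128:
        errors.append("AppID must be fewer than 128 characters")
    if "&" in app_id:
        errors.append("AppID must not include '&'")
    if "@" in app_id:
        warnings.append("AppID contains '@': searches cannot include it")
    if any(c in app_id for c in "+%"):
        warnings.append("AppID contains '+' or '%': unsupported in URL values")
    for field, limit in MAX_LENGTHS.items():
        if len(app.get(field, "")) > limit:
            errors.append(f"{field} exceeds {limit} characters")
    for field in ("AccessPermittedFrom", "AccessPermittedTo"):
        hour = app.get(field)
        if hour is not None and (type(hour) is not int or not 0 <= hour <= 23):
            errors.append(f"{field} must be an integer 0-23")
    date = app.get("ExpirationDate")
    if date is not None:
        try:
            if not re.fullmatch(r"\d{2}-\d{2}-\d{4}", date):
                raise ValueError(date)
            datetime.strptime(date, "%m-%d-%Y")  # rejects e.g. 02-30-2030
        except (TypeError, ValueError):
            errors.append("ExpirationDate must be a valid mm-dd-yyyy date")
    # The parameter table types Disabled as Boolean.
    if "Disabled" in app and type(app["Disabled"]) is not bool:
        errors.append("Disabled must be true/false")
    return errors, warnings


def build_body(app):
    """Serialise the request body, refusing input that fails validation."""
    errors, _ = validate_application(app)
    if errors:
        raise ValueError("; ".join(errors))
    # json.dumps escapes each backslash in Location as a double backslash,
    # which is the form the Location note above asks for.
    return json.dumps({"application": app})


# Constructed sample values.
GOOD = {"AppID": "App-1", "Description": "Billing batch job",
        "Location": "\\Applications", "AccessPermittedFrom": 8,
        "AccessPermittedTo": 18, "ExpirationDate": "12-31-2030", "Disabled": False}
BAD = {"AppID": "Pay&Bill@corp", "Description": "x" * 30,
       "AccessPermittedTo": 24, "ExpirationDate": "2030-12-31", "Disabled": "false"}

if __name__ == "__main__":
    print(build_body(GOOD))
    print(validate_application(BAD))
```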
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/{AppID}/Authentications
Type String
Description The name of the application for which information about the authentication
methods is returned.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
"authentication":[
{
"AllowInternalScripts":<bool>,
"AppID":"<string>",
"AuthID":"<authID>",
"AuthType":<machineAddress/osUser/path/hashValue>,
"AuthValue":"<string>",
"Comment":"<string in case of hash authentication, else null>",
"IsFolder":"<string in case of path authentication, else null>"
}
]
}
Return Codes
Status code 200
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/{AppID}/
Type String
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 200
Add Authentication
This method adds a new authentication method to a specific application in the Vault.
The user who adds this authentication method requires the following permissions in the Vault:
■ Manage Users
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/{AppID}/Authentications/
Type String
Description The name of the application for which the user is adding a new
authentication method.
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
The web service parameters depend on the type of authentication specified in the URL.
{
"authentication":{
"AuthType":path,
"AuthValue":"<Path string>",
"IsFolder":<true/false>,
"AllowInternalScripts":<true/false>
}
}
Type String
Valid values machineAddress/osUser/path/hashValue
Type String
Valid values -
Parameter IsFolder
Type Boolean
Valid values true/false
Default false
Parameter AllowInternalScripts
Type Boolean
Valid values true/false
Default false
{
"authentication":{
"AuthType":hash,
"AuthValue":"<Hash string>",
"Comment":"<Comment>"
}
}
Type String
Valid values machineAddress/osUser/path/hashValue
Type String
Valid values -
Parameter Comment
Type String
Valid values Text
For OS user authentication:
{
"authentication":{
"AuthType":osUser,
"AuthValue":"<OS User Name>"
}
}
Type String
Valid values machineAddress/osUser/path/hashValue
Type String
Valid values -
{
"authentication":{
"AuthType":machineAddress,
"AuthValue":"<machine address>"
}
}
Type String
Valid values machineAddress/osUser/path/hashValue
Type String
Valid values -
For Certificate Serial Number authentication:
{
"authentication":{
"AuthType":"certificateserialnumber",
"AuthValue":"<certificate serial number string>",
"Comment":"<comment>"
}
}
Type String
Valid values certificateserialnumber
Type String
Parameter Comment
Type String
Valid values Text
Result
{
}
Return Codes
Status code 201
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Applications/{AppID}/Authentications/{AuthID}
Type String
Description The ID of the application in which the authentication method will be deleted.
Parameter AuthID
Type Integer
Resource Information
HTTP method DELETE
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
{
}
Return Codes
Status code 200
Monitor Sessions
Get Recordings
This method returns the details of recordings of PSM, PSMP or OPM sessions.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/API/Recordings?Limit={#}&Sort={Recording property}&offset={#}&Search={Search text}&Safe={Search text}&FromTime={UTC}&ToTime={UTC}&Activities={text}
The following values can be added in the URL. None of them are mandatory.
Parameter Limit
Type Integer
Description Determines the number of recordings that are returned in the list.
The maximum value is defined in the MaxRecords property in Options →
Privileged Session Management → General Setting → Search Properties.
Default 25
Parameter Sort
Type String
Description Recordings can be sorted by any of the following recording properties:
■ RiskScore
■ FileName
■ SafeName
■ FolderName
■ PSMVaultUserName
■ FromIP
■ RemoteMachine
■ Client
■ Protocol
■ AccountUserName
■ AccountAddress
■ AccountPlatformID
■ PSMStartTime
■ TicketID
The sort can be in ascending or descending order. To sort in descending
order, specify "-" (dash) before the recording property by which to sort.
Parameter Offset
Type Integer
Default 0
Parameter Search
Type String
Description Returns recordings that are filtered by properties that contain the specified
search text.
Parameter Safe
Type String
Parameter FromTime
Type Integer
Parameter ToTime
Type Integer
Parameter Activities
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
"Recordings": [
  {
    "SessionID": "<the session id>",
    "SessionGuid": "<the session GUID>",
    "SafeName": "<the safe name>",
    "FolderName": "<the folder name>",
    "FileName": "<the file name>",
    "Start": <the start date in unix time>,
    "End": <the end date in unix time>,
    "Duration": <the duration>,
    "User": "<the user name>",
    "RemoteMachine": "<the remote machine>",
    "ProtectionDate": <the protection date in unix time>,
    "ProtectedBy": "<the protected by user name>",
    "ProtectionEnabled": <indication if the protection is enabled>,
    "AccountUsername": "<the account user name>",
    "AccountPlatformID": "<the account platform ID>",
    "AccountAddress": "<the account address>",
    "PIMSuCommand": "<the PIMSU command>",
    "PIMSuCWD": "<the PIMSU current working directory>",
    "ConnectionComponentID": "<the connection component ID>",
    "TicketID": "<the ticket ID>",
    "FromIP": "<The IP address where the account was used>",
    "Protocol": "<The protocol where the account was used>",
    "Client": "<the client where the account was used>",
    "RiskScore": <the risk score>,
    "Severity": "<the severity>",
    "RecordingFiles": [
      {
        "FileName": "<The recording file name>",
        "RecordingType": "<The recording type>",
Parameter SessionID
Type String
Description The ID's of the Safe and File where the specific recording session file
was saved. format: "<safeId>_<fileId>".
Parameter SessionGuid
Type String
Parameter SafeName
Type String
Description The name of the Safe where the specific recording was saved.
Parameter FolderName
Type String
Description The name of the folder where the specific recording was saved.
Parameter FileName
Type String
Parameter Start
Type Integer
Description The start date and time, in unix time, when the privileged session took
place.
Parameter End
Type Integer
Description The end date and time, in unix time, when the privileged session took
place.
Parameter Duration
Type -
Parameter User
Type String
Parameter RemoteMachine
Type String
Parameter ProtectionEnabled
Type Boolean
Description Whether or not a recording can be deleted automatically after the Safe
retention period on the Recordings Safe has expired.
Valid values true/false
Parameter ProtectedDate
Type Integer
Description The date, in unix time, when the recording was set to be protected.
Parameter ProtectedBy
Type String
Description The user who is currently protecting the recording (so it will not auto-
purge after retention period).
Account details
Parameter AccountPlatformID
Type String
Description The ID of the platform that the used account is associated with.
Parameter AccountUsername
Type String
Description The name of the user who accessed the account.
Parameter AccountAddress
Type String
PSM details
Parameter ConnectionComponentID
Type String
Parameter TicketID
Type String
Description The ID of the ticket entered when using Ticketing System for
connection.
Parameter FromIP
Type String
Parameter Protocol
Type String
Parameter Client
Type String
Description The connection client (RDP\SSH etc.) that was used in the PSM server.
Parameter RiskScore
Type String
Description The risk score that was given to the incident. When there is no risk or
PTA doesn't scan the activity, the value is '-1'.
Parameter Severity
Type String
Parameter Id
Type String
Parameter Name
Type Integer
Parameter Url
Type String
Parameter Score
Type
Parameter StartDate
Type Integer
Description The start date and time, in unix time, of the security incident.
Parameter Id
Type String
Description The unique ID of the security session in which the incident occurred.
Parameter Score
Type Integer
Parameter Severity
Type String
Parameter Value
Type String
Parameter Offset
Type String
Description
Parameter Score
Type Integer
Parameter Severity
Type String
TextRecording
Parameter FileName
Type String
Parameter RecordingType
Type Integer
Parameter LastReviewedBy
Type String
Parameter LastReviewedDate
Type Integer
Parameter FileSize
Type Integer
Description The size of the text recording of the privileged session (in bytes). For
live sessions (size isn't final yet), there is no value.
Parameter CompressedFileSize
Type Integer
Description The size of the compressed text recording of the privileged session (in
bytes). For live sessions (size isn't final yet), there is no value.
Parameter Format
Type String
VideoRecording
Parameter FileName
Type String
Parameter RecordingType
Type Integer
Parameter LastReviewedBy
Type String
Parameter LastReviewedDate
Type Integer
Parameter FileSize
Type Integer
Description The size of the video recording of the privileged session (in bytes). For
live sessions (size isn't final yet), there is no value.
Parameter CompressedFileSize
Type Integer
Description The size of the compressed text recording of the privileged session (in
bytes). For live sessions (size isn't final yet), there is no value.
Parameter Format
Type String
Description Text recording format. For now we use only "VID" for video files.
OPM details
Parameter PIMSuCommand
Type String
Description Commands that run using PIMSu. Relevant for OPM sessions only.
Parameter PIMSuCWD
Type String
Description Current working directory. Relevant for OPM sessions only when
running PIMSu command.
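The following added example (not part of the CyberArk guide) builds a Get Recordings URL from the parameters described above and triages a response by RiskScore. The host name, function names and sample response are constructed for illustration; rejecting + & % in values and percent-encoding everything else is an assumption drawn from the URL note.

```python
import json
from urllib.parse import quote

# Recording properties that the Sort parameter accepts, as listed above.
SORT_PROPERTIES = {
    "RiskScore", "FileName", "SafeName", "FolderName", "PSMVaultUserName",
    "FromIP", "RemoteMachine", "Client", "Protocol", "AccountUserName",
    "AccountAddress", "AccountPlatformID", "PSMStartTime", "TicketID",
}
UNSUPPORTED_CHARS = set("+&%")  # "not supported in URL values" per the note


def _text(name, value):
    """Refuse unsupported characters, then percent-encode (assumed handling)."""
    bad = UNSUPPORTED_CHARS.intersection(value)
    if bad:
        raise ValueError(f"{name} contains unsupported characters: {sorted(bad)}")
    return quote(value, safe="")  # a space becomes %20, so no raw spaces remain


def _integer(name, value, minimum=0):
    """Accept only real integers (not bool, not str) at or above the minimum."""
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise ValueError(f"{name} must be an integer >= {minimum}")
    return str(value)


def build_recordings_url(server, limit=25, offset=0, sort=None, search=None,
                         safe=None, from_time=None, to_time=None):
    """Return the Get Recordings URL; all query parameters are optional."""
    parts = ["Limit=" + _integer("Limit", limit, minimum=1)]
    if sort is not None:
        prop = sort[1:] if sort.startswith("-") else sort  # "-" = descending
        if prop not in SORT_PROPERTIES:
            raise ValueError(f"Sort property {prop!r} is not a recording property")
        parts.append("Sort=" + sort)
    parts.append("offset=" + _integer("offset", offset))
    if search is not None:
        parts.append("Search=" + _text("Search", search))
    if safe is not None:
        parts.append("Safe=" + _text("Safe", safe))
    if from_time is not None:
        parts.append("FromTime=" + _integer("FromTime", from_time))
    if to_time is not None:
        parts.append("ToTime=" + _integer("ToTime", to_time))
        if from_time is not None and from_time > to_time:
            raise ValueError("FromTime is later than ToTime")
    return f"https://{server}/PasswordVault/API/Recordings?" + "&".join(parts)


def triage(response, threshold):
    """Return (session IDs scored >= threshold, highest first; IDs scored -1)."""
    flagged, unscored = [], []
    for rec in response.get("Recordings", []):
        # RiskScore is documented as a String but shown unquoted in the sample
        # result, so accept both forms.
        score = float(rec["RiskScore"])
        if score == -1:
            # -1 means "no risk" OR "PTA did not scan": not evidence of safety.
            unscored.append(rec["SessionID"])
        elif score >= threshold:
            flagged.append((score, rec["SessionID"]))
    flagged.sort(reverse=True)
    return [sid for _, sid in flagged], unscored


# Constructed sample response using field names from the Result above.
SAMPLE_RESPONSE = json.loads("""
{"Recordings": [
  {"SessionID": "12_34", "User": "alice", "RiskScore": 87},
  {"SessionID": "12_35", "User": "bob",   "RiskScore": "-1"},
  {"SessionID": "12_36", "User": "carol", "RiskScore": 40},
  {"SessionID": "12_37", "User": "dave",  "RiskScore": "95"}
]}
""")

if __name__ == "__main__":
    print(build_recordings_url("pvwa.example.test", limit=50, sort="-RiskScore",
                               search="prod db"))
    print(triage(SAMPLE_RESPONSE, threshold=80))
```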
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
http://<IIS_Server_Ip>/PasswordVault/API/LiveSessions?Limit={#}&Sort={Recording property}&offset={#}&Search={Search text}&Safe={Search text}&FromTime={UTC}&ToTime={UTC}&Activities={text}
The following values can be added in the URL. None of them are mandatory.
Parameter Limit
Type Integer
Description Determines the number of live sessions that are returned in the list.
The maximum value is defined in the MaxRecords property in Options →
Privileged Session Management → General Setting → Search Properties.
Default 25
Parameter Sort
Type String
Description The sort can be done by each property on the recording file:
■ RiskScore
■ FileName
■ SafeName
■ FolderName
■ PSMVaultUserName
■ FromIP
■ RemoteMachine
■ Client
■ Protocol
■ AccountUserName
■ AccountAddress
■ AccountPlatformID
■ PSMStartTime
■ TicketID
The sort can be in ascending or descending order. To sort in descending
order, specify "-" (dash) before the recording property by which to sort.
Parameter Offset
Type Integer
Default 0
Parameter Search
Type String
Description Returns live sessions that are filtered by properties that contain the
specified search text.
Parameter Safe
Type String
Description Returns live sessions that use accounts from a specific Safe.
Parameter FromTime
Type Integer
Parameter ToTime
Type Integer
Parameter Activities
Type String
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
None
Result
"Recordings": [
  {
    "SessionID": "<the session id>",
    "SessionGuid": "<the session GUID>",
    "SafeName": "<the safe name>",
    "FolderName": "<the folder name>",
    "FileName": "<the file name>",
    "Start": <the start date in unix time>,
    "End": <the end date in unix time>,
    "Duration": <the duration>,
    "User": "<the user name>",
    "RemoteMachine": "<the remote machine>",
    "ProtectionDate": <the protection date in unix time>,
    "ProtectedBy": "<the protected by user name>",
    "ProtectionEnabled": <indication if the protection is enabled>,
    "AccountUsername": "<the account user name>",
    "AccountPlatformID": "<the account platform ID>",
    "AccountAddress": "<the account address>",
    "PIMSuCommand": "<the PIMSU command>",
    "PIMSuCWD": "<the PIMSU current working directory>",
    "ConnectionComponentID": "<the connection component ID>",
    "TicketID": "<the ticket ID>",
    "FromIP": "<The IP address where the account was used>",
    "Protocol": "<The protocol where the account was used>",
    "Client": "<the client where the account was used>",
    "RiskScore": <the risk score>,
    "Severity": "<the severity>",
    "RecordingFiles": [
      {
        "FileName": "<The recording file name>",
        "RecordingType": "<The recording type>",
        "LastReviewBy": "<The recording reviewer username>",
        "LastReviewDate": "<The review date in unix time>",
        "FileSize": "<The recording file size>",
        "CompressedFileSize": "<The recording compressed file size>",
        "Format": "<The recording format>"
      },
      ...
    ],
    "IncidentDetails": {
      "Incident": {
        "Id": "<The incident id>",
        "Url": "<The incident URL in PTA>",
        "Score": <The incident score>,
        "Name": "<The incident description>",
        "StartDate": <The incident start date in unix time>
      },
      "Sessions": [
        {
          "Id": "<The session id>",
          "Score": <The session score>,
          "Severity": "<The session severity>",
          "Commands": [
            {
              "Value": "<The command>",
              "Offset": "<The command offset>",
              "Score": <The command score>,
              "Severity": "<The command severity>"
            },
            ...
          ]
        },
        ...
      ]
    }
  },
  ...
]
Parameter SessionID
Type String
Description The ID's of the Safe and File where the specific recording session file
was saved. format: "<safeId>_<fileId>".
Parameter SessionGuid
Type String
Parameter SafeName
Type String
Description The name of the Safe where the specific recording was saved.
Parameter FolderName
Type String
Description The name of the folder where the specific recording was saved.
Parameter FileName
Type String
Parameter Start
Type Integer
Description The start date and time, in unix time, when the privileged session took
place.
Parameter End
Type Integer
Description The end date and time, in unix time, when the privileged session took
place.
Parameter Duration
Type -
Parameter User
Type String
Parameter RemoteMachine
Type String
Parameter ProtectionEnabled
Type Boolean
Description Whether or not a recording can be deleted automatically after the Safe
retention period on the Recordings Safe has expired.
Valid values true/false
Parameter ProtectedDate
Type Integer
Description The date, in unix time, when the recording was set to be protected.
Parameter ProtectedBy
Type String
Description The user who is currently protecting the recording (so it will not auto-
purge after retention period).
Account details
Parameter AccountPlatformID
Type String
Description The ID of the platform that the used account is associated with.
Parameter AccountUsername
Type String
Description The name of the user who accessed the account.
Parameter AccountAddress
Type String
PSM details
Parameter ConnectionComponentID
Type String
Parameter TicketID
Type String
Description The ID of the ticket entered when using Ticketing System for
connection.
Parameter FromIP
Type String
Parameter Protocol
Type String
Parameter Client
Type String
Description The connection client (RDP\SSH etc.) that was used in the PSM server.
Parameter RiskScore
Type String
Description The risk score that was given to the incident. When there is no risk or
PTA doesn't scan the activity, the value is '-1'.
Parameter Severity
Type String
Parameter Id
Type String
Parameter Name
Type Integer
Parameter Url
Type String
Parameter Score
Type
Parameter StartDate
Type Integer
Description The start date and time, in unix time, of the security incident.
Parameter Id
Type String
Description The unique ID of the security session in which the incident occurred.
Parameter Score
Type Integer
Parameter Severity
Type String
Parameter Value
Type String
Parameter Offset
Type String
Description
Parameter Score
Type Integer
Parameter Severity
Type String
TextRecording
Parameter FileName
Type String
Parameter RecordingType
Type Integer
Parameter LastReviewedBy
Type String
Parameter LastReviewedDate
Type Integer
Parameter FileSize
Type Integer
Description The size of the text recording of the privileged session (in bytes). For
live sessions (size isn't final yet), there is no value.
Parameter CompressedFileSize
Type Integer
Description The size of the compressed text recording of the privileged session (in
bytes). For live sessions (size isn't final yet), there is no value.
Parameter Format
Type String
VideoRecording
Parameter FileName
Type String
Parameter RecordingType
Type Integer
Parameter LastReviewedBy
Type String
Parameter LastReviewedDate
Type Integer
Parameter FileSize
Type Integer
Description The size of the video recording of the privileged session (in bytes). For
live sessions (size isn't final yet), there is no value.
Parameter CompressedFileSize
Type Integer
Description The size of the compressed text recording of the privileged session (in
bytes). For live sessions (size isn't final yet), there is no value.
Parameter Format
Type String
Description Text recording format. For now we use only "VID" for video files.
OPM details
Parameter PIMSuCommand
Type String
Description Commands that run using PIMSu. Relevant for OPM sessions only.
Parameter PIMSuCWD
Type String
Description Current working directory. Relevant for OPM sessions only when
running PIMSu command.
Return Codes
Status code
Description
Terminate a Session
This method enables the system to terminate an active PSM session immediately to
prevent high-risk activities.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<Server>:<port>/PasswordVault/API/LiveSessions/<LiveSessionId>/Terminate
Type String
Valid values -
Parameter Action
Type String
Valid values Terminate
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
}
Return Codes
Status code 200
Description OK
This indicates that this method was triggered with the Session ID in UUID
format.
Status code 200
Description OK
This indicates that this method was triggered with a Session ID that was
already used to run this method.
Status code 400
Status code 401
Description Unauthorized
The REST API was called with a token that is invalid due to its length.
Status code 401
Description Unauthorized
The REST API was called with a token that is invalid as it contains a space.
Status code 401
Description Unauthorized
The REST API was called with an expired token.
Status code 403
Description Forbidden
This method was called without a token.
Status code 403
Description Forbidden
This method was called without an Authorization header.
Status code 403
Description Forbidden
The REST API was called with a token that is not a valid base-64 string, for
one of the following reasons:
■ It contains a non-base-64 character
■ It contains more than two padding characters
■ It contains an illegal character among the padding characters
Status code 403
Description Forbidden
The Vault user must be allowed to terminate the session according to
'Terminating Live Sessions Users and Groups' definitions. If the PTA sends
a request to terminate a session, only the PTAAppUser or PTAUser can run
this REST API.
Status code 403
Status code 403
Description Forbidden
The REST API was called, although the AllowPSMNotifications
parameter is set to 'No'.
Status code 404
Status code 500
Status code 500
Status code 500
Suspend/Resume a Session
This method enables the system to suspend or resume PSM sessions with either of the
following actions:
Suspend Prevent a user from interacting with an active session until a security manager
resumes it. This allows security teams to review the potentially risky
session's audit trail to determine whether or not to allow the privileged user to
continue their work.
Resume Resume the suspended active session and allow the privileged user to
continue working.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<Server>:<port>/PasswordVault/API/LiveSessions/<LiveSessionId>/<Action>
Type String
Valid values -
Parameter Action
Type String
Resource Information
HTTP method POST
Header parameter
Parameter Authorization
Type String
Description The token that identifies the session, encoded in BASE 64.
Valid values A session token that was returned from the “Logon” method.
Body parameters
{
}
Return Codes
Status code 200
Description OK
This indicates that this method was triggered with the Session ID in UUID
format.
Status code 200
Description OK
This indicates that this method was triggered with a Session ID that was
already used to run this method.
Status code 400
Status code 401
Description Unauthorized
The REST API was called with a token that is invalid due to its length.
Status code 401
Description Unauthorized
The REST API was called with a token that is invalid as it contains a space.
Status code 401
Description Unauthorized
The REST API was called with an expired token.
Status code 403
Description Forbidden
This method was called without a token.
Status code 403
Description Forbidden
This method was called without an Authorization header.
Status code 403
Description Forbidden
The REST API was called with a token that is not a valid base-64 string, for
one of the following reasons:
■ It contains a non-base-64 character
■ It contains more than two padding characters
■ It contains an illegal character among the padding characters
Status code 403
Description Forbidden
The Vault user must be allowed to terminate the session according to
'Terminating Live Sessions Users and Groups' definitions. If the PTA sends
a request to terminate a session, only the PTAAppUser or PTAUser can run
this REST API.
Status code 403
Status code 403
Description Forbidden
Status code 404
Status code 500
Status code 500
Status code 500
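An added example, not taken from the CyberArk guide: a pre-flight check that refuses a Terminate, Suspend or Resume call whose session ID is not a UUID or whose token matches one of the malformed-token rejections listed in the Return Codes above. The function names, host, session ID and token are constructed; the order in which the server applies its own checks is not documented, so the status mapping is an assumption.

```python
import re
import uuid

ACTIONS = {"Terminate", "Suspend", "Resume"}  # actions named in these sections
_BASE64_BODY = re.compile(r"[A-Za-z0-9+/]*")

# Constructed sample values for illustration only.
SAMPLE_SESSION_ID = "3f2b6c1e-8a4d-4c7b-9e21-5d6f7a8b9c0d"
SAMPLE_TOKEN = "Y29uc3RydWN0ZWQ="


def token_problem(token):
    """Return (status, reason) for a malformed token, or None if well formed.

    Only the shape checks listed in the Return Codes are mirrored here. The
    "invalid due to its length" and "expired" cases need server-side knowledge
    and are not checked.
    """
    if not token or not token.strip("="):
        return 403, "called without a token"
    if " " in token:
        return 401, "token contains a space"
    body = token.rstrip("=")
    if len(token) - len(body) > 2:
        return 403, "more than two padding characters"
    if "=" in body:
        return 403, "illegal character among the padding characters"
    if not _BASE64_BODY.fullmatch(body):
        return 403, "non-base-64 character"
    return None


def build_session_request(server, port, live_session_id, action, token):
    """Return the POST request for a live-session action, or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    # uuid.UUID also accepts braces, "urn:uuid:" and unhyphenated hex, so require
    # the canonical form; this keeps "/", "?" and ".." out of the URL path.
    if str(uuid.UUID(live_session_id)) != live_session_id.lower():
        raise ValueError("LiveSessionId is not a canonical UUID")
    problem = token_problem(token)
    if problem:
        raise ValueError("token would be rejected with %d: %s" % problem)
    return {
        "method": "POST",
        "url": f"https://{server}:{int(port)}/PasswordVault/API/LiveSessions/"
               f"{live_session_id}/{action}",
        "headers": {"Authorization": token},
        "body": "{}",  # the guide shows an empty body for these methods
    }


if __name__ == "__main__":
    print(build_session_request("pvwa.example.test", 443, SAMPLE_SESSION_ID,
                                "Suspend", SAMPLE_TOKEN))
```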
Event Security
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<PTA_Server_host:Port>/API/Events/
The following values can be added in the URL. None of them are mandatory.
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Parameter lastUpdatedEventDate
Type Number
Description The starting date to get the security events from (calculated by the number
of seconds since 1970).
Valid values
Body parameters
None
Result
Note:
This is an example of the result for an array of events.
[
{
"id": "5accdf736e227a21e4d58bc6",
"type": "PSMRiskyCommand",
"score": 81,
"createTime": 1523375983000,
"lastUpdateTime": 1523375983000,
"audits": [
{
"id": "5accdf736e2282449296961c",
"type": "PSM_SSH_COMMAND",
"sensorType": "VAULT",
"action": "PSM Command",
Parameter id
Type String
Description Event ID
Parameter type
Type String
Parameter score
Type Integer
Parameter createTime
Type Double
Parameter lastUpdateTime
Type Double
Description The last time the event was updated (represented in seconds)
Parameter audits
Type Array
audits
Parameter id
Type String
Description Audit ID
Parameter type
Type String
Parameter sensorType
Type String
Parameter action
Type String
Description The action of the audit. For example, Vault retrieve password, Vault logon,
PSM risky command, and so on.
Parameter psmCommand
Type String
Parameter createTime
Type Double
Parameter vaultUser
Type String
Parameter account
Type
account
Parameter accountAsStr
Type String
Parameter type
Type String
Parameter account
Type
Parameter mtarget
Type String
mtarget
Parameter mOriginalAddress
Type String
Parameter mResolvedAddress
Type
mResolvedAddress
Parameter mAddress
Type String
Parameter mHostName
Type String
Parameter mFqdn
Type String
account
Parameter source
Type String
source
Parameter mOriginalAddress
Type String
Parameter mResolvedAddress
Type
mResolvedAddress
Parameter mAddress
Type String
Parameter mHostName
Type String
Parameter mFqdn
Type String
account
Parameter target
Type String
target
Parameter mOriginalAddress
Type String
Parameter mResolvedAddress
Type
mResolvedAddress
Parameter mAddress
Type String
Parameter mHostName
Type String
Parameter mFqdn
Type String
Parameter additionalData
Type String
additionalData
Parameter mitigationAction
Type String
Parameter sessionIsLive
Type String
Parameter matchPatterns
Type String
Description
Parameter sessionIDs
System Health
Privileged Account Security's System Health provides the Vault administrator with a high
level report of the health status of the different CyberArk components in PAS and AIM
environments.
Note:
The System Health overview is relevant for active-passive, on-prem deployments and
Distributed Vaults deployments.
The information returned by the REST APIs does not include built-in users or custom
user types.
System Details
This method returns details about specific components and all their installed instances,
and system health information for each one.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/ComponentsMonitoringDetails/{ComponentID}
Type String
Valid values PVWA/SessionManagement/CPM/AIM
Example:
https://<IIS_Server_Ip>/api/ComponentsMonitoringDetails/PVWA
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method, encoded in
BASE 64.
Result
{
  "ComponentsDetails": [
    {
      "ComponentIP": "<ComponentIP>",
      "ComponentUserName": "<ComponentUserName>",
      "ComponentVersion": "<ComponentVersion>",
      "ComponentSpecificStat": <details>,
      "IsLoggedOn": <true/false>,
      "LastLogonDate": "<timestamp>"
    }
  ]
}
Parameter ComponentIP
Type String
Parameter ComponentUserName
Type String
Parameter ComponentVersion
Type String
Parameter ComponentSpecificStat
Type Integer
Description Component specific information. Currently this is not supported and will
always return '-1'.
Parameter IsLoggedOn
Type Boolean
Parameter LastLogonDate
Type Date
Description The last date/time when the component logged onto the Vault server.
Return Codes
Status code 200
Status code 400
Status code 500
System Summary
This method returns consolidated information about the Vault, PVWA, CPM,
PSM/PSMP, and AIM, including all clients that are relevant to each specific component.
URL
Note:
Make sure there are no spaces in the URL.
The following characters are not supported in URL values: + & %
https://<IIS_Server_Ip>/PasswordVault/api/ComponentsMonitoringSummary
Resource Information
HTTP method GET
Header parameter
Parameter Authorization
Type String
Valid values A session token that was returned from the “Logon” method.
Result
For PVWA, CPM, PSM/PSMP, and AIM:
{
  "Components": [
    {
      "ComponentID": "<ComponentID>",
      "ComponentName": "<ComponentName>",
      "Description": "<Description>",
      "ConnectedComponentCount": <number>,
      "ComponentTotalCount": <number>,
      "ComponentSpecificStat": <number>
    }
  ]
Parameter ComponentID
Type String
Parameter ComponentName
Type String
Parameter Description
Type String
Description The type of information that will be displayed based on the relative
component.
PVWA - active users
CPM - managed accounts
PSM/PSMP - concurrent sessions
AIM Credential Provider - application IDs
Parameter ConnectedComponentsCount
Type Integer
Description The number of logged on component users for the relative component.
Parameter ComponentTotalCount
Type Integer
Description The total number of component users for the component type in the Vault.
Parameter ComponentSpecificStat
Type Integer
For Vaults:
"Vaults": [
{
"IP": "<IP>",
"Role": "<Role>",
"IsLoggedOn": <true/false>
}
]
Parameter IP
Type String
Parameter Role
Type String
Parameter IsLoggedOn
Type Boolean
Description Whether or not the component user is currently logged on to the Vault and
replicating to the DR Vault.
Return Codes
Status code 200
Status code 500
Usage Examples
"CyberArkLogonResult";
const string JSON_GET_ACCOUNT_RES_HEADER = "ListAccountPrivilegedCommandsResult";
const string HTTP_SESSION_TOKEN_HEADER = "Authorization";
// PIM Fields
const string POLICY_ID = "UnixSSH";
const string ACCOUNT_ADDRESS = "10.10.10.10";
const string ACCOUNT_USERNAME = "root";
const string ACCOUNT_ID = ACCOUNT_ADDRESS + "|" + ACCOUNT_USERNAME + "|" + POLICY_ID;
// Uri
const string PVWA_WS_URI = @"https://myServ.org.com/PasswordVault/WebServices";
const string LONGON_AUTHENTICATION_URI = PVWA_WS_URI + @"/auth/cyberark/CyberArkAuthenticationService.svc/logon";
const string LOGOFF_AUTHENTICATION_URI = PVWA_WS_URI + @"/auth/cyberark/CyberArkAuthenticationService.svc/logoff";
const string ACCOUNT_ACL_URI = PVWA_WS_URI + @"/PIMServices.svc/Account/" + ACCOUNT_ID + "/PrivilegedCommands";
// Variables
//===========
// HTTP objects
WebRequest restRequest;
WebResponse restResponse;
// For JSON serialization
JavaScriptSerializer jsonSerializer = new JavaScriptSerializer();
// Workflow objects
string sessionToken = null;
object[] AccountAcls;
// Workflow
//===========
the uri.
    // We want to get all the acls so we use this verb (to add, we use "PUT").
    restRequest.Method = VERB_METHOD_GET;
    // Set to json - necessary for serialization & deserialization of the content.
    restRequest.ContentType = JSON_CONTENT_TYPE;
    // We add the session token to each request.
    restRequest.Headers[HTTP_SESSION_TOKEN_HEADER] = sessionToken;
    using (restResponse = restRequest.GetResponse())
    {
        using (Stream responseStream = restResponse.GetResponseStream())
        {
            // Read the response stream from the http header.
            StreamReader rdr = new StreamReader(responseStream, Encoding.UTF8);
            string rawJsonResult = rdr.ReadToEnd();
            // Verify that it returned a result.
            if (string.IsNullOrEmpty(rawJsonResult))
                throw new Exception("json result was not created");
            // Deserialize the json and take the value from it.
            deserializedJsonDictionary = (Dictionary<string, object>)jsonSerializer.DeserializeObject(rawJsonResult);
            AccountAcls = (object[])deserializedJsonDictionary[JSON_GET_ACCOUNT_RES_HEADER];
            foreach (Dictionary<string, object> command in AccountAcls)
            {
                Console.WriteLine("PrivilegedCommand: {0}, {1}, {2}",
                    command["Command"],
                    command["PermissionType"],
                    command["UserName"]);
            }
        }
    }
}
catch (Exception ex)
{
    Console.WriteLine("An error occurred while getting Acls");
    HandleError(ex);
}
// 3. logoff
try
{
restRequest = WebRequest.Create(LOGOFF_
}
}
else
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
}
}
//Variables
WebRequest restRequest;
WebResponse restResponse;
JavaScriptSerializer jsonSerializer = new JavaScriptSerializer();
Dictionary<string, object> deserializedJsonDictionary;
string SessionToken = null;
object[] ApplicationIds;
//Authentication Connection String Assembly
Console.WriteLine("Enter Vault Username:"); //Get
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error occurred creating AppID");
HandleError(ex);
}
            if (string.IsNullOrEmpty(rawJsonResult))
                throw new Exception("Json result was not created");
            deserializedJsonDictionary = (Dictionary<string, object>)jsonSerializer.DeserializeObject(rawJsonResult);
            ApplicationIds = (object[])deserializedJsonDictionary[JSON_GET_ACCOUNT_RES_HEADER];
            foreach (Dictionary<string, object> AppID in ApplicationIds)
            {
                Console.WriteLine("ApplicationID: {0}", AppID["AppID"]);
            }
        }
    }
}
catch (Exception ex)
{
    Console.WriteLine("An error occurred while retrieving Application List");
    HandleError(ex);
}
//Logoff
try
{
    restRequest = WebRequest.Create(LOGOFF_AUTHENTICATION_URI);
    restRequest.Method = VERB_METHOD_POST;
    restRequest.ContentType = JSON_CONTENT_TYPE;
    restRequest.Headers[HTTP_SESSION_TOKEN_HEADER] = SessionToken;
    // The logoff request carries an empty body.
    using (Stream requestStream = restRequest.GetRequestStream())
    {
        byte[] inputStringBytes = Encoding.UTF8.GetBytes("");
        requestStream.Write(inputStringBytes, 0, inputStringBytes.Length);
    }
    using (restResponse = restRequest.GetResponse())
    {
        using (Stream responseStream = restResponse.GetResponseStream())
        {
            StreamReader rdr = new StreamReader(responseStream, Encoding.UTF8);
            string rawJsonResult = rdr.ReadToEnd();
        }
    }
}
catch (Exception ex)
{
    Console.WriteLine("An error occurred while logging off");
    HandleError(ex);
}
}
private static void HandleError(Exception ex)
{
    if (ex is WebException)
    {
        WebException wex = ex as WebException;
        // Response is null when no HTTP response was received (for example,
        // a connection failure), so check it before reading the status code.
        HttpWebResponse res = wex.Response as HttpWebResponse;
        if (res == null)
        {
            Console.WriteLine("An error occurred: " + wex.Message);
            return;
        }
        switch (res.StatusCode)
        {
            case HttpStatusCode.Forbidden:
                Console.WriteLine("An Authentication error occurred: " + res.StatusDescription);
                break;
            case HttpStatusCode.InternalServerError:
            default:
                Console.WriteLine("An error occurred: " + res.StatusDescription);
                break;
        }
    }
    else
    {
        Console.WriteLine("An Error Occurred: " + ex.Message);
    }
}
}
}
Troubleshooting
Problem: A delete request was sent to the Vault, and the following response was received:
405 Method not allowed.
Solution: Uninstall WebDAV on the IIS.