Rest API call "Add safe member" giving response as "ErrorCode":"CAWS00001E"

Hi Team,

When I try to add the “vault admin” safe member to any safe through Postman, the member is added successfully, but the call returns “403 Forbidden” with the response below.
I am actually expecting a 201 response.

{"ErrorCode":"CAWS00001E","ErrorMessage":""}

Rest API call: POST method: {{BaseURL}}/PasswordVault/WebServices/PIMServices.svc/Safes/{{Safe}}/Members

BODY:
{
"member": {
    "MemberName":"vault admin",
    "SearchIn":"vault",
    "MembershipExpirationDate":"",
    "Permissions":
    [
        {"Key":"UseAccounts", "Value":true},
        {"Key":"RetrieveAccounts", "Value":true},
        {"Key":"ListAccounts", "Value":true},
        {"Key":"AddAccounts", "Value":true},
        {"Key":"UpdateAccountContent", "Value":true},
        {"Key":"UpdateAccountProperties", "Value":true},
        {"Key":"InitiateCPMAccountManagementOperations", "Value":true},
        {"Key":"SpecifyNextAccountContent", "Value":true},
        {"Key":"RenameAccounts", "Value":true},
        {"Key":"DeleteAccounts", "Value":true},
        {"Key":"UnlockAccounts", "Value":true},
        {"Key":"ManageSafe", "Value":true},
        {"Key":"ManageSafeMembers", "Value":true},
        {"Key":"BackupSafe", "Value":true},
        {"Key":"ViewAuditLog", "Value":true},
        {"Key":"ViewSafeMembers", "Value":true},
        {"Key":"RequestsAuthorizationLevel", "Value":2},
        {"Key":"AccessWithoutConfirmation", "Value":true},
        {"Key":"CreateFolders", "Value":true},
        {"Key":"DeleteFolders", "Value":true},
        {"Key":"MoveAccountsAndFolders", "Value":true}
    ]
}
}

Please review and suggest what the issue could be.

Regards,
Phani.G

Hi All,

Just FYI, we faced this issue after we upgraded to V12.

Regards,
Phani.G

I found this error in PVWA App log:

2022-05-30 14:06:00,738 DEBUG [41] E5A76 4e000b7f-3397-4e7e-beb8-38fbac6be67c Casos Session Request[SetSessionInstanceCharacters] ended. [Casos]
2022-05-30 14:06:00,740 DEBUG [41] E5A76 4e000b7f-3397-4e7e-beb8-38fbac6be67c CyberArk.Services.Exceptions.VaultConnectionEndedException: Connection to the Vault was terminated.
at am9.i()
at am9.e()
at am9.d()
at am9.h()
at CyberArk.Authentications.WebServices.Filters.AuthenticationFilterBase.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.Http.Controllers.AuthenticationFilterResult.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext() []
2022-05-30 14:06:00,742 DEBUG [41] E5A76 4e000b7f-3397-4e7e-beb8-38fbac6be67c Prerequisites failed CyberArk.Services.Exceptions.VaultConnectionEndedException: Connection to the Vault was terminated.
at am9.i()
at am9.e()
at am9.d()
at am9.h()
at CyberArk.Authentications.WebServices.Filters.AuthenticationFilterBase.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.Http.Controllers.AuthenticationFilterResult.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext() [AccountsController]
2022-05-30 14:06:00,742 WARN [41] E5A76 4e000b7f-3397-4e7e-beb8-38fbac6be67c Prerequisites Response:: Code: 401. Content: {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."} [AccountsController]

Here are the details on the call you need: Add Safe member

The call you’re using is using the Gen 1 structure. It would be good to check your API calls and move to the Gen 2 structure to get the most efficiency.


Hey @phanimngr,

What @julie said is definitely the answer. Since you’re now on v12, I would begin using the v2 API endpoints that begin as /PasswordVault/api/ instead of the v1 API endpoints that start as /PasswordVault/WebServices/PIMServices.svc/.

Also, I’m not sure what you’re using Postman for, but if it’s just to ease your management of safes, why don’t you give the cybr-cli (GitHub: infamousjoeg/cybr-cli) a try? It comes with pre-loaded safe member roles based on CyberArk-defined best practices and common safe members to ease the creation of safes and authorization of safe members. It’s built to work on Windows, MacOS (M1 & Intel), as well as Linux.


I third that response. We recently upgraded to v12 and found that same exact issue. The call would successfully add the Vault Admin user, but would return a failure code. Changing to the v2 APIs fixed the problem for us.


Thanks @julie @joe.garcia @chris_barber !!!

It’s working with V2 APIs
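
The move from the Gen 1 request at the top of this thread to the Gen 2 structure the replies recommend, as an added example (not code from any poster or from CyberArk). The `Safes/<safe>/Members` resource path, the camelCase field names, the flat `permissions` object and the two `requestsAuthorizationLevel` booleans are assumptions about the Gen 2 "Add safe member" call; check them against the documentation for your PVWA version.

```python
import json
from urllib.parse import quote

# Constructed sample: the Gen 1 body from the first post, permissions shortened.
GEN1_SAMPLE = {"member": {
    "MemberName": "vault admin", "SearchIn": "vault", "MembershipExpirationDate": "",
    "Permissions": [
        {"Key": "UseAccounts", "Value": True},
        {"Key": "ManageSafeMembers", "Value": True},
        {"Key": "InitiateCPMAccountManagementOperations", "Value": True},
        {"Key": "RequestsAuthorizationLevel", "Value": 2},
    ]}}

def gen2_path(safe):
    # Gen 2 endpoints start with /PasswordVault/api/ (per the replies above);
    # the Safes/<safe>/Members suffix is an assumption.
    return "/PasswordVault/api/Safes/{}/Members".format(quote(safe, safe=""))

def gen1_to_gen2(body):
    """Turn the Gen 1 Key/Value permission list into a flat Gen 2 style object."""
    member = body["member"]
    perms = {}
    for item in member["Permissions"]:
        key, value = item["Key"], item["Value"]
        if key == "RequestsAuthorizationLevel":
            # Gen 1 sends 0, 1 or 2; the assumed Gen 2 form is one boolean per level.
            if isinstance(value, bool) or value not in (0, 1, 2):
                raise ValueError("unexpected authorization level: %r" % (value,))
            perms["requestsAuthorizationLevel1"] = value == 1
            perms["requestsAuthorizationLevel2"] = value == 2
        elif isinstance(value, bool):
            perms[key[0].lower() + key[1:]] = value  # UseAccounts -> useAccounts
        else:
            raise ValueError("permission %s must be true/false" % key)
    if member.get("MembershipExpirationDate"):
        # The date format differs between generations; convert it by hand.
        raise ValueError("convert MembershipExpirationDate before sending")
    return {"memberName": member["MemberName"],
            "searchIn": member.get("SearchIn", "Vault"),
            "permissions": perms}

if __name__ == "__main__":
    print("POST", gen2_path("My Safe"))
    print(json.dumps(gen1_to_gen2(GEN1_SAMPLE), indent=2))
```
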

Hi @joe.garcia ,

We are running PAS & Conjur on both Windows & Linux.

To run these cybr-cli commands on a Windows 2019 64-bit machine, which zip file do we need to download (cybr-v0.1.10-beta-windows-amd64.zip.md5)? Please suggest.

The .zip is all you need. Inside is a windows_cybr.exe that can be moved to your PATH or executed from the same directory. I usually rename it to cybr.exe and move it to a directory in my PATH. That way I can call cybr.exe in Command Prompt from anywhere.

The .zip.md5 is a hash file for verifying the contents. It’s not necessary.