# cyberark_user

This module allows admins to Add, Delete, and Modify CyberArk Vault Users. The ability to modify consists of the following:

* Enable User
* Disable User
* Add/Remove Group
* Set New Password
* Force "change password at next login"
* Modify User Information Fields
  * Email
  * First Name
  * Last Name
  * Expiry Date
  * User Type
  * Location
#### Limitations

**Idempotency** - All actions taken in the playbook adhere to the Ansible idempotency guidelines _except_ for password change. If the playbook is set to modify a password, it will "modify" the password (and report a change) every time the playbook is run, even if it is the same password.
**Group Creation** - If the value for `group_name` does not exist in the Vault, the module will not create that group, and the requested user action will fail.

#### Available Fields

```
options:
    username:
        description:
            - The name of the user who will be queried (for details), added, updated or deleted.
        type: str
        required: True
    state:
        description:
            - Specifies the state needed for the user present for create user, absent for delete user.
        type: str
        choices: [ absent, present ]
        default: present
    cyberark_session:
        description:
            - Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.
        type: dict
        required: True
    initial_password:
        description:
            - The password that the new user will use to log on the first time.
            - This password must meet the password policy requirements.
            - This parameter is required when state is present -- Add User.
        type: str
    new_password:
        description:
            - The user updated password. Make sure that this password meets the password policy requirements.
        type: str
    email:
        description:
            - The user email address.
        type: str
    first_name:
        description:
            - The user first name.
        type: str
    last_name:
        description:
            - The user last name.
        type: str
    change_password_on_the_next_logon:
        description:
            - Whether or not the user must change their password in their next logon.
        type: bool
        default: no
    expiry_date:
        description:
            - The date and time when the user account will expire and become disabled.
        type: str
    user_type_name:
        description:
            - The type of user.
            - The parameter defaults to C(EPVUser).
        type: str
    disabled:
        description:
            - Whether or not the user will be disabled.
        type: bool
        default: no
    location:
        description:
            - The Vault Location for the user.
        type: str
    group_name:
        description:
            - The name of the group the user will be added to.
        type: str
```

## Example Playbooks

This playbook will check if username `admin` exists; if it does not, it will provision the user in the Vault, add it to the `Auditors` group, and set the account to be changed at first logon.

```yaml
- name: Logon to CyberArk Vault using PAS Web Services SDK
  cyberark_authentication:
    api_base_url: https://components.cyberark.local
    use_shared_logon_authentication: yes

- name: Create user, add to Group
  cyberark_user:
    username: admin
    first_name: "Cyber"
    last_name: "Admin"
    email: "cyber.admin@ansibledev.com"
    initial_password: PA$$Word123
    user_type_name: EPVUser
    change_password_on_the_next_logon: yes
    group_name: Auditors
    state: present
    cyberark_session: '{{ cyberark_session }}'
  register: cyberarkaction

- name: Logoff from CyberArk Vault
  cyberark_authentication:
    state: absent
    cyberark_session: '{{ cyberark_session }}'
```

This playbook will identify the user and delete it from the CyberArk Vault based on the `state: absent` parameter.

```yaml
- name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: "{{ web_services_base_url }}"
    use_shared_logon_authentication: yes

- name: Removing a CyberArk User
  cyberark_user:
    username: "ansibleuser"
    state: absent
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction

- name: Logoff from CyberArk Vault
  cyberark_authentication:
    state: absent
    cyberark_session: "{{ cyberark_session }}"
```

This playbook disables a user by setting `disabled: true`. Here the Vault logon does not use shared logon authentication; the username and password are taken from a credential previously retrieved into `password_object` (for example, the credential set in Tower).
```yaml
- name: Logon to CyberArk Vault using PAS Web Services SDK - Not use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: "{{ web_services_base_url }}"
    # The retrieved credential object carries the account name under passprops.username
    # and the secret under password; map them to the matching logon fields.
    username: "{{ password_object.passprops.username }}"
    password: "{{ password_object.password }}"
    use_shared_logon_authentication: no

- name: Disabling a CyberArk User
  cyberark_user:
    username: "ansibleuser"
    disabled: true
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction

- name: Logoff from CyberArk Vault
  cyberark_authentication:
    state: absent
    cyberark_session: "{{ cyberark_session }}"
```
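The following playbook is an added example, not one of the module's own, showing how the two limitations above are handled in practice: the information-field update is idempotent, while the password rotation is gated behind a variable and kept out of the job log with `no_log`, and the Vault logoff runs in an `always` section so the session is closed even when a task fails (for instance because `group_name` refers to a group that does not exist). The variable names `target_user`, `target_group` and `user_new_password` and the e-mail address are constructed for this example; `user_new_password` is expected to come from Ansible Vault or a credential lookup rather than a plain-text file.

```yaml
- name: Maintain a Vault user and always close the session (added example)
  hosts: localhost
  gather_facts: no
  vars:
    target_user: ansibleuser      # constructed example value
    target_group: Auditors        # must already exist in the Vault (see Limitations)
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: https://components.cyberark.local
        use_shared_logon_authentication: yes

    - block:
        - name: Update user information fields and group membership (idempotent)
          cyberark_user:
            username: "{{ target_user }}"
            email: "ansible.user@ansibledev.com"   # constructed example value
            group_name: "{{ target_group }}"
            state: present
            cyberark_session: "{{ cyberark_session }}"
          register: user_update

        - name: Rotate the user password (reports changed on every run, see Limitations)
          cyberark_user:
            username: "{{ target_user }}"
            new_password: "{{ user_new_password }}"
            change_password_on_the_next_logon: yes
            state: present
            cyberark_session: "{{ cyberark_session }}"
          # Only rotate when explicitly requested so routine runs stay idempotent
          when: user_new_password is defined
          # Keep the new password out of the job output and logs
          no_log: true

        - name: Report whether the information-field update changed anything
          debug:
            msg: "User {{ target_user }} changed: {{ user_update.changed }}"

      always:
        - name: Logoff from CyberArk Vault
          cyberark_authentication:
            state: absent
            cyberark_session: "{{ cyberark_session }}"
```

Run it without `user_new_password` for a routine, idempotent pass, and pass the variable (e.g. `-e @vaulted_vars.yml`) only on the runs where a rotation is intended.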