
PM-947: Commander IdP CLI commands - Track D#1869

Open
tbjones-ks wants to merge 1 commit into PM-947-privileged-cloud-management from kpc-track-d-idp-commands

Conversation


tbjones-ks (Contributor) commented Mar 13, 2026

Summary

Implement end-to-end Commander CLI support for Identity Provider operations (provision, deprovision, group management) with full encryption, error handling, and record management.

Issue

Changes

  • Added field encryption for user and meta fields using PAM config record key (AES-GCM)
  • Added gateway response decryption for group list and provision responses
  • Added --domain flag to provision command with username format validation
  • Added --save-record / -s flag to save provisioned credentials as pamUser record with Azure User ID custom field
  • Added --delete-record / -d flag to deprovision command to remove associated vault record (auto-find by Azure User ID or explicit record UID)
  • Added _friendly_error() helper to parse Azure API errors into user-friendly messages
  • Updated _dispatch_idp_action() to check data.success in gateway responses

Commands Updated

  • pam idp user provision — encryption, --domain, --save-record, --folder
  • pam idp user deprovision — encryption, --delete-record
  • pam idp group list — response decryption, member count display
  • pam idp group add-user — encryption
  • pam idp group remove-user — encryption

Breaking Changes

None

Testing Performed

  • Manual testing completed
  • End-to-end testing against live Azure Entra ID
  • Tested provision with --save-record (record created with Azure User ID)
  • Tested deprovision with --delete-record (record auto-deleted)
  • Tested group add-user and remove-user
  • Tested friendly error messages (user not found, already member, etc.)

Change List:
   - Added field encryption for user/meta fields sent to gateway using record key
   - Added gateway response decryption for group list and provision commands
   - Added --domain flag to provision with validation for username format
   - Added --save-record flag to save provisioned user as pamUser record with Azure User ID
   - Added --delete-record flag to deprovision to remove associated pamUser record
   - Added friendly error message parsing for Azure API errors
   - Updated all IdP commands to check data.success in gateway responses
tbjones-ks force-pushed the kpc-track-d-idp-commands branch from ee9867e to 5775832 on March 13, 2026 21:42
