Adding a new Secret with Requires Approval enabled - PowerShell script

Sample script to add a new Secret with the "Requires Approval for Access" security setting enabled. In this example, we use an Active Directory Account Secret template and add a user and group as approvers. Note that the script as written disables TLS certificate validation on its first line and hard-codes sample field values (domain, username, password) inside CreateNewSecret; change both before running it against anything other than a test Secret Server:
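# WARNING: setting the validation callback to {$true} disables TLS certificate
# validation for the whole PowerShell process, so the username/password sent to
# $url below can be read by anyone able to intercept the connection (MITM).
# The original sample did this unconditionally. Only opt in for a lab instance
# that uses a self-signed certificate; leave it $false everywhere else and install
# the server's certificate chain instead.
$skipCertificateValidation = $false
if ($skipCertificateValidation) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
}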

# Connection and login details for Secret Server.
# The password is captured as a SecureString and is only decrypted at the
# moment Authenticate() is called inside CreateNewSecret.
    $url = 'https://yoursecretserverurl/webservices/sswebservice.asmx'
    $username = Read-Host -Prompt "Enter your Secret Server username"
    $domain = ""
    $password = Read-Host -Prompt "Password" -AsSecureString

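function errorCheck {
    <#
    .SYNOPSIS
    Aborts the script when a Secret Server web-service result is missing or carries errors.
    .PARAMETER result
    The response object returned by a $proxy.* call; expected to expose an Errors collection.
    .NOTES
    Throws instead of calling 'exit' so a caller (or an interactive session that
    dot-sourced this file) can catch the failure; an unhandled throw still stops the script.
    In the original the 'exit' after 'Throw' was unreachable, and only Errors[0] was shown.
    #>
    param($result)
    if ($null -eq $result) {
        throw "Error occurred. Result is null"
    }
    if ($result.Errors -and $result.Errors.Length -gt 0) {
        # Show every error the service returned, not just the first one.
        Write-Host "The following errors were received:"
        foreach ($err in $result.Errors) {
            Write-Host $err
        }
        throw "Secret Server returned $($result.Errors.Length) error(s): $($result.Errors[0])"
    }
}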
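function findFieldId {
    <#
    .SYNOPSIS
    Returns the Id of the template field whose DisplayName equals $name, or aborts.
    .PARAMETER template
    A SecretTemplate object (from GetSecretTemplates) exposing a Fields collection.
    .PARAMETER name
    The field's display name, e.g. "Password".
    .NOTES
    Uses a foreach statement rather than ForEach-Object: inside ForEach-Object a
    'return' only ends the current pipeline iteration, so the original kept scanning
    and would emit more than one Id if two fields shared a display name.
    #>
    param($template, [string]$name)
    foreach ($field in $template.Fields) {
        if ($field.DisplayName -eq $name) {
            return $field.Id
        }
    }
    Write-Host "No matching field ID was found."
    throw "No field named '$name' exists on the selected template"
}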
function setFieldValue {
    <#
    .SYNOPSIS
    Sets the Value of every Secret item whose FieldDisplayName equals $fieldName.
    .PARAMETER secret
    A Secret object (from GetNewSecret) exposing an Items collection; items are
    updated in place.
    .PARAMETER fieldName
    Display name of the field to set, e.g. "Password".
    .PARAMETER value
    The value to store in that field.
    .NOTES
    If no item matches, the known field names are printed and the script exits.
    #>
    param($secret, [string]$fieldName, [string]$value)
    $matched = $false
    foreach ($item in $secret.Items) {
        if ($item.FieldDisplayName -eq $fieldName) {
            $item.Value = $value
            $matched = $true
        }
    }
    if (-not $matched) {
        Write-Host "No matching field " $fieldName " was found on Secret. ("([string]::Join(",", ($secret.Items | ForEach-Object { $_.FieldDisplayName })))")"
        exit
    }
    return
}
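function findTemplate {
    <#
    .SYNOPSIS
    Returns the Secret template whose Name equals $templateType, or aborts.
    .PARAMETER templateType
    Template name, e.g. 'Active Directory Account'.
    .NOTES
    Reads $proxy and $token from the calling scope (CreateNewSecret) through
    PowerShell's dynamic scoping; it must be called from there.
    The original only failed when the template list was empty: a name that matched
    nothing fell through and returned $null, which the caller then dereferenced.
    #>
    param($templateType)
    $result_temp = $proxy.GetSecretTemplates($token)
    errorCheck $result_temp
    $templates = $result_temp.SecretTemplates
    # foreach (not ForEach-Object) so 'return' really leaves the function on the
    # first match instead of only ending one pipeline iteration.
    foreach ($candidate in $templates) {
        if ($candidate.Name -eq $templateType) {
            return $candidate
        }
    }
    Write-Host "No matching Secret template was found."
    throw "No Secret template named '$templateType' was returned by the server"
}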
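function findFolderId {
    <#
    .SYNOPSIS
    Returns the Id of the folder named $folderName, or aborts.
    .PARAMETER folderName
    Folder name passed to SearchFolders.
    .NOTES
    Reads $proxy and $token from the calling scope (CreateNewSecret).
    SearchFolders returns a Folders collection; the original always took Folders[0],
    so with several hits the new Secret could land in an unrelated folder, and with
    no hits the function silently returned $null. Prefer an exact name match, warn
    when falling back to the first hit, and fail when there is nothing to pick.
    NOTE(review): assumes the folder records expose a Name property — verify against
    the proxy's Folder type; if they do not, the exact-match branch is simply skipped.
    #>
    param($folderName)
    $result_folder = $proxy.SearchFolders($token, $folderName)
    errorCheck $result_folder
    $folders = @($result_folder.Folders)
    if ($folders.Count -eq 0) {
        throw "No folder matching '$folderName' was found"
    }
    $exact = @($folders | Where-Object { $_.Name -eq $folderName })
    if ($exact.Count -ge 1) {
        return $exact[0].Id
    }
    if ($folders.Count -gt 1) {
        Write-Warning "SearchFolders returned $($folders.Count) folders for '$folderName' and none matched exactly; using the first result."
    }
    return $folders[0].Id
}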
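function CreateNewSecret {
    <#
    .SYNOPSIS
    Creates a Secret from the given template, then enables "Requires Approval for Access" on it.
    .DESCRIPTION
    Authenticates with the script-level $url/$username/$password/$domain, builds a new
    Secret in folder $newFolder from template $newTemplate, fills the Domain, Username,
    Password and Notes fields, saves it with AddNewSecret, and finally calls UpdateSecret
    with RequiresApprovalForAccess and a list of approvers.
    $proxy and $token are assigned here and are read by the helper functions
    (findTemplate, findFolderId) through PowerShell's dynamic scoping.
    .PARAMETER newFolder
    Folder name looked up with SearchFolders.
    .PARAMETER newTemplate
    Secret template name, e.g. 'Active Directory Account'.
    .PARAMETER newDomain
    Value for the Domain field; also used in the Secret name.
    .PARAMETER newUser
    Value for the Username field; also used in the Secret name.
    .PARAMETER newPassword
    Value for the Password field; when empty the server generates one.
    #>
    param($newFolder, $newTemplate, $newDomain, $newUser, $newPassword)

    $proxy = New-WebServiceProxy -uri $url -UseDefaultCredential

    # authenticate to Secret Server. Authenticate() needs the plaintext password, so the
    # SecureString is decrypted into an unmanaged BSTR; zero and free that copy as soon
    # as the call returns so the plaintext does not linger in process memory (the
    # original never freed it).
    Write-Host "`nAuthenticating..."
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
    try {
        $plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        $result_auth = $proxy.Authenticate($username, $plainPassword, $domain, '')
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plainPassword = $null
    }
    errorCheck $result_auth
    Write-Host "Authentication Successful."
    # session token used by every subsequent web-service call
    $token = $result_auth.Token

    Write-Host "`nLoading Template " $newTemplate
    $template = findTemplate $newTemplate
    Write-Host "`nSecret Template Id" $template.Id

    # if no password is provided, have the server generate one for the template's
    # Password field
    if ($newPassword.length -lt 1) {
        Write-Host "`nNo password provided: generating a new password..."
        $pwdId = (findFieldId $template "Password")
        $result_pwd = $proxy.GeneratePassword($token, $pwdId)
        errorCheck $result_pwd
        $newPassword = $result_pwd.GeneratedPassword
    }

    $folderId = findFolderId $newFolder
    # GetNewSecret returns a Secret whose Items already hold every template field;
    # all of them must be present (even if empty) when AddNewSecret is called.
    $result_new = $proxy.GetNewSecret($token, $template.Id, $folderId)
    errorCheck $result_new
    $newSecret = $result_new.Secret

    $secretName = $newDomain + "\" + $newUser
    $newSecret.Name = $secretName
    # Fill the fields from the parameters. The original sample hard-coded
    # "thycotic.com" / "administrator" / "Password123" here, silently discarding the
    # caller's values (and any generated password) and storing a well-known password.
    setFieldValue $newSecret "Domain" $newDomain
    setFieldValue $newSecret "Username" $newUser
    setFieldValue $newSecret "Password" $newPassword
    setFieldValue $newSecret "Notes" "This was created through the API."
    $result_add = $proxy.AddNewSecret($token, $newSecret)
    errorCheck $result_add

    Write-Host "`nSecret $secretName has been created."
    $updateSecret = $result_add.secret

    Write-Host "`nEnabling Requires Approval for Access..."

    # IsChangeToSettings must be set for UpdateSecret to apply the SecretSettings changes
    $updateSecret.SecretSettings.IsChangeToSettings = 1

    # enable request approval and specify approver(s)
    $updateSecret.SecretSettings.RequiresApprovalForAccess = 1
    # The approver record type (GroupOrUserRecord) is declared inside the proxy
    # assembly generated by New-WebServiceProxy, so it is resolved by reflection from
    # UpdateSecretPermission's third parameter instead of being named directly.
    $type = $proxy.GetType().GetMethod("UpdateSecretPermission").GetParameters()[2].ParameterType.FullName

    # SECURITY NOTE: the approvers configured below are the account running this
    # script and the "Everyone" group. With "Everyone" as an approver any Secret Server
    # user — including the requester — can approve access, which defeats the purpose
    # of the setting. Keep this for a demo only; for a real secret replace them with
    # the specific approver user(s)/group(s).
    $userRecord1 = New-Object -TypeName $type
    $userRecord2 = New-Object -TypeName $type
    $userRecord1.UserId = $null
    $userRecord1.GroupId = $null
    $userRecord1.IsUser = $true
    $userRecord1.Name = $username
    $userRecord1.DomainName = $domain
    $userRecord2.UserId = $null
    $userRecord2.GroupId = $null
    $userRecord2.IsUser = $false
    $userRecord2.Name = "Everyone"

    $updateSecret.SecretSettings.Approvers = @($userRecord1, $userRecord2)

    $result_update = $proxy.UpdateSecret($token, $updateSecret)
    errorCheck $result_update

    Write-Host "Require Approval enabled.`n"
    return
}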
# New account details: destination folder, template type and the field values
# passed to CreateNewSecret (see that function for what each one is used for).
$newFolder   = 'admin'
$newTemplate = 'Active Directory Account'
$newDomain   = 'mydomain.local'
$newUser     = 'Jane Doe'
# Leave the password empty to have Secret Server generate one.
$newPassword = ''

CreateNewSecret -newFolder $newFolder -newTemplate $newTemplate -newDomain $newDomain -newUser $newUser -newPassword $newPassword
