Originated from discussion #252.
Today, generating a policy-compliant password on a brand-new secret requires a create-then-overwrite dance: provide a placeholder password to New-TssSecret, then call Invoke-TssSecretGeneratePassword against the resulting secret ID, then Set-TssSecretField to set the real value. Users have to write the placeholder first which is awkward and produces an audit-log entry that immediately gets overwritten.
Proposed designs (need to pick one before implementing)
- -GeneratePassword switch on New-TssSecret. When set, the cmdlet calls the template's generate-password endpoint per password field on the template before posting the create.
  - Pros: single call, discoverable, no placeholder ever exists.
  - Cons: multi-password templates need a way to opt in/out per field (e.g. -GeneratePassword accepting a list of field slugs, or default to "all password fields not already set in the stub").
- New Get-TssTemplateGeneratedPassword cmdlet that returns a generated password for a given template + field; callers populate the SecretStub before New-TssSecret.
  - Pros: composable, single-purpose, lets the caller inspect/transform the value before assignment.
  - Cons: still a two-step flow.
Recommend evaluating both. The switch is the better default UX; the standalone cmdlet may still be worth having for the inspect-before-assign case. They are not mutually exclusive.
API references
- /secret-templates/generate-password/{secretFieldId} (POST), documented at https://updates.thycotic.net/secretserver/restapiguide/10.9/WinAuth/#operation--secret-templates-generate-password--secretfieldId--post
- /winauthwebservices/sswinauthwebservice.asmx?op=GeneratePassword
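One way the generate-before-create flow could look, as an added example that is not part of the issue or the module's code: it fills each unset password field on a stub by calling the REST endpoint listed above, optionally limited to named slugs, so no placeholder value is ever written. The function name, `$BaseUri`, `$Token`, the `/api/v1` prefix and the stub item property names (`isPassword`, `fieldId`, `slug`, `itemValue`) are assumptions.

```powershell
# Added example, not module code. Assumed (not taken from the issue):
#   - the function name Set-GeneratedPasswordOnStub
#   - the /api/v1 prefix in front of the endpoint path
#   - stub items exposing isPassword, fieldId, slug and itemValue
function Set-GeneratedPasswordOnStub {
    [CmdletBinding()]
    param(
        # Base URL of the Secret Server instance (placeholder value supplied by caller)
        [Parameter(Mandatory)] [string] $BaseUri,
        # Bearer token from an already authenticated session
        [Parameter(Mandatory)] [string] $Token,
        # Secret stub for the target template, not yet posted
        [Parameter(Mandatory)] [psobject] $Stub,
        # Optional opt-in list of field slugs; empty means every password field
        [string[]] $Slug
    )

    $headers = @{ Authorization = "Bearer $Token" }
    $root    = $BaseUri.TrimEnd('/')

    foreach ($item in $Stub.items) {
        # Only password fields are candidates.
        if (-not $item.isPassword) { continue }

        # Per-field opt-in for multi-password templates.
        if ($Slug -and $item.slug -notin $Slug) { continue }

        # Default rule from the issue: leave fields the caller already set.
        if (-not [string]::IsNullOrEmpty($item.itemValue)) { continue }

        # The endpoint is keyed by the template field ID, so the value
        # follows that field's password requirements.
        $uri = '{0}/api/v1/secret-templates/generate-password/{1}' -f $root, $item.fieldId
        $item.itemValue = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers
    }

    # Return the populated stub; the caller posts it as the single create.
    $Stub
}
```

Because the stub is populated before the create is posted, the audit log records one create with the final value instead of a placeholder followed by an overwrite.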