def test_delete_assignment(core_session, setup_generic_pe_command_with_no_rules):
logger.info("test_delete_assignment")
commandName, commandID = setup_generic_pe_command_with_no_rules
# Add 2 assignments
principalType = "Role"
principal = "System Administrator"
scopeType = "Global"
ruleID1, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
ruleID2, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Delete rule2
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID2)
assert isSuccess, f" Deleting rule assignment 2 failed: {result}"
result, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {result}"
# Make sure result doesn't have rule2 but has rule1
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID1, result, True), \
f"ruleID1 not present in list of pe assignments response"
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID2, result, False), \
f"ruleID2 present in list of pe assignments response"
def test_pe_del_command_scenario2(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources, create_manual_set):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario2 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server", object_ids=[added_system_id])['ID']
logger.debug(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to admin user on this set
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount,' \
'ManagePrivilegeElevationAssignment'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id,
"User")
assert result['success'], "setting collection permissions failed: " + result
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, assignments too
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignmnent explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_pe_can_execute_priv_command_sys_asmnt_no_user_in_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules_all_OS,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_cmd123" + guid()
sys_fqdn = "fqdn123" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
role = users_and_roles.populate_role({
'Name': "can_exec_role123" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj1 = users_and_roles.populate_user(
{'Name': 'can_exec_user123' + guid()})
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principalId=role['ID'],
scopeType="System",
scope=added_system_id,
principal=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj1.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_sys_asmnt_no_aduser_in_adgroup(
core_session, setup_generic_pe_command_with_no_rules,
setup_user_in_ad_group, setup_aduser, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="System",
scope=added_system_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
aduser1, _ = setup_aduser
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser1['SystemName'],
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert not results['Granted'], f"Granted should be false: {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_del_assignment_scenario1(core_session, setup_generic_pe_command_with_no_rules, users_and_roles,
create_resources):
commandName, commandID = setup_generic_pe_command_with_no_rules
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_assignment_scenario1 user_info: {user_info}")
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, "Unix")[0]['ID']
logger.debug(f"Successfully added a System: {added_system_id}")
# Give all permissions but the manage assignments permission to admin user on this system
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Did not set system permissions: {result}"
# Add assignment
principalType = "User"
principal = user_info['Name']
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting assignment explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
assert re.findall('unauthorized', result), \
f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: {ruleID}" \
f": {result}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system_set(core_session, create_manual_set,
setup_generic_pe_command_with_no_rules):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Create Set and the system to this set
set_id = create_manual_set(
core_session, "Server")['ID']
logger.info(f"Successfully created a set and added system to that set: {set_id}")
# Give all permissions to the admin on the set
permission_string = 'Grant,View,Edit,Delete'
result = SetsManager.set_collection_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
logger.info(result)
assert result['success'], "assigning collection permissions on the set for the user, failed: " + result
# Give all permissions but MA to the admin on the ResourceSet
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result = SetsManager.set_collection_resource_permissions(core_session, permission_string,
admin_user_name, admin_user_id, set_id)
assert result['success'], "assigning collection permissions on the resource set for the user failed: " + result
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "Collection"
scope = set_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_pe_del_assignment_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_assignment_scenario3: {user_info}")
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting assignment explicitly should fail
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting rule assignment with no manage permission on system passed: {ruleID}"
assert re.findall('unauthorized', result), \
f"Deleting rule assignment with no manage permission on system did not fail with unauthorized exception: {ruleID}"
def test_pe_del_command_scenario3(core_session, setup_pe_one_command_one_rule, users_and_roles):
commandName, commandID, ruleID = setup_pe_one_command_one_rule
requester_session = users_and_roles.get_session_for_user('Privilege Elevation Management')
response = requester_session.get_current_session_user_info()
user_info = response.json()['Result']
logger.debug(f"del_command_scenario3 - user_info: {user_info}")
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess, f"List assignments API call failed: {results}"
logger.debug(f"List pe assignments response: {results}")
assert PrivilegeElevation.check_rule_in_list_pe_assignments_response(ruleID, results, True), \
f"ruleID not present in list of pe assignments response"
# Deleting command should be successful, along with assignments
result, isSuccess = PrivilegeElevation.del_pe_command(requester_session, name=commandName)
assert isSuccess, f"Deleting command as a non-admin user with pe permission failed: {result}"
# Deleting assignment explicitly should fail, as assignment is already deleted
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(requester_session, ruleID)
assert not isSuccess, f"Deleting an already deleted assignment passed: {ruleID}"
assert re.findall('Privilege Elevation Assignment not found', result), \
f"Deleting an already deleted assignment failed with unknown exception: {result}"
def test_delete_assignment_sysadmin_without_ma_permission_on_system(core_session, create_resources,
setup_generic_pe_command_with_no_rules,
operating_system):
commandName, commandID = setup_generic_pe_command_with_no_rules
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add System
added_system_id = create_resources(core_session, 1, operating_system)[0]['ID']
logger.info(f"Successfully added a System: {added_system_id}")
# Give all permissions but MA to the admin
permission_string = 'Grant,View,Edit,Delete,ManageSession,AgentAuth,RequestZoneRole,AddAccount,UnlockAccount'
result, success = ResourceManager.assign_system_permissions(core_session, permission_string,
admin_user_name, admin_user_id, "User",
added_system_id)
assert success, f"Unable to set system permissions for admin: {result}"
# Add assignment
principalType = "User"
principal = admin_user_name
scopeType = "System"
scope = added_system_id
ruleID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(core_session, commandID=commandID,
scopeType=scopeType, scope=scope,
principalType=principalType, principal=principal)
assert isSuccess, f" Adding rule assignment failed"
# Make sure rule assignment is available
results, isSuccess = PrivilegeElevation.list_pe_assignments(core_session, command=commandName)
assert isSuccess and len(results['Result']) == 1, f"List assignments API call failed: {results}"
# Deleting assignment explicitly should pass
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID)
assert isSuccess, f"Deleting rule assignment with no manage permission on system as sysadmin failed: {ruleID}"
def test_pe_del_assignment_notexists(core_session):
ruleID = guid()
result, isSuccess = PrivilegeElevation.del_pe_rule_assignment(core_session, ruleID=ruleID)
assert not isSuccess, f" Deleting a non existing pe rule assignment passed: {ruleID}"
def test_pe_can_execute_priv_command_sys_asmnt_on_user(
core_session, setup_generic_pe_command_with_no_rules, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
commandName, commandID = setup_generic_pe_command_with_no_rules
# Get Admin info
admin_user = core_session.get_user()
admin_user_name = admin_user.get_login_name()
admin_user_id = admin_user.get_id()
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="User",
principal=admin_user_name,
scopeType="System",
scope=added_system_id,
principalId=admin_user_id,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principalID=asmnt_info['PrincipalId'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=admin_user_name,
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_set_asmnt_on_adgroup(
core_session, setup_user_in_ad_group,
setup_generic_pe_command_with_no_rules_all_OS, create_manual_set,
users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Windows",
sessiontype="Rdp")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules_all_OS
aduser, _, adgroup = setup_user_in_ad_group
if adgroup is None:
pytest.skip("Cannot create adgroup")
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Group",
principal=adgroup['DisplayName'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=aduser['SystemName'],
system=sys_name,
command="sc stop cagent")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
def test_pe_can_execute_priv_command_set_asmnt_on_non_sysadmin_role(
core_session, setup_generic_pe_command_with_no_rules,
create_manual_set, users_and_roles, cleanup_servers):
# Add System
sys_name = "test_pe_can_execute_priv_command" + guid()
sys_fqdn = "fqdn" + guid()
added_system_id, system_success_status = ResourceManager.add_system(
core_session,
name=sys_name,
fqdn=sys_fqdn,
computerclass="Unix",
sessiontype="Ssh")
assert system_success_status, f'Adding system failed returned status {system_success_status}'
logger.debug(f"Successfully added a System: {added_system_id}")
cleanup_servers.append(added_system_id)
# Create Set and the system to this set
set_id = create_manual_set(core_session,
"Server",
object_ids=[added_system_id])['ID']
logger.debug(
f"Successfully created a set and added system to that set: {set_id}")
commandName, commandID = setup_generic_pe_command_with_no_rules
role = users_and_roles.populate_role({
'Name': "can_exec_role" + guid(),
"Rights": ["Admin Portal Login"]
})
# Get User
userobj = users_and_roles.populate_user({'Name': 'user' + guid()})
#Add user to role
users_and_roles.add_user_to_role(userobj, role)
# Add assignment
asmnt_info = get_PE_ASSIGNMENTS_Data(commandID=commandID,
commandName=commandName,
principalType="Role",
principal=role['Name'],
scopeType="Collection",
scope=set_id,
principalId=None,
bypassChallenge=True)
asmntID, isSuccess = PrivilegeElevation.add_pe_rule_assignment(
core_session,
commandID=commandID,
scopeType=asmnt_info['ScopeType'],
scope=asmnt_info['Scope'],
principalType=asmnt_info['PrincipalType'],
principal=asmnt_info['Principal'],
byPassChallenge=True,
starts=asmnt_info['Starts'],
expires=asmnt_info['Expires'])
assert isSuccess, f"Adding assignment failed"
asmnt_info['ID'] = asmntID
results, isSuccess = PrivilegeElevation.can_execute_priv_command(
core_session,
user=userobj.get_login_name(),
system=sys_name,
command="sudo date")
assert isSuccess, f"CanExecutePrivilegeCommand failed, reason: {results}"
assert len(results['PrivilegeElevationCommands']
) == 1, f"Only single command should exist {results}"
results_assignments = results['PrivilegeElevationCommands'][0][
'Assignments']
assert len(results_assignments
) == 1 and results['Granted'], f"Granted should be true"
PrivilegeElevation.check_can_execute_priv_command_results(
asmnt_info, results['PrivilegeElevationCommands']
[0]), f"All params not matching {results}"
#clean up
errMsg, isSuccess = PrivilegeElevation.del_pe_rule_assignment(
core_session, asmntID)
assert isSuccess is True, f'PrivilegeElevation add assignment failed to clean up {errMsg}'
