Add an External AD group to the CyberArk safe permission

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Can we add an external AD group to the safe permission to grant access to the safe using the PAM connector? Also, can we add an external AD user to the safe permission? I tried adding the searchIn attribute to my object request to add the user/group, but it's not helping. Am I missing something? See my plan below:
<ProvisioningPlan nativeIdentity="CN=CA_PCloud_Admins,OU=Groups,OU=CyberArk,DC=abc,DC=com" targetIntegration="CyberArk-TargetCollector">
    <ObjectRequest application="CyberArk Privilege Cloud" nativeIdentity="CN=CA_PCloud_Admins,OU=Groups,OU=CyberArk,DC=abc,DC=com" op="Modify" type="Container">
        <Attributes>
            <Map>
                <entry key="memberType" value="Group"/>
                <entry key="searchIn" value="abc.com"/>
            </Map>
        </Attributes>
        <PermissionRequest op="Add" rights="useAccounts, retrieveAccounts, listAccounts, updateAccountProperties, initiateCPMAccountManagementOperations, specifyNextAccountContent, unlockAccounts, manageSafe, manageSafeMembers, backupSafe, viewAuditLog, viewSafeMembers, accessWithoutConfirmation, createFolders, deleteFolders, moveAccountsAndFolders, requestsAuthorizationLevel1" target="PPA-Test11A" targetCollector="CyberArk-TargetCollector">
            <Attributes>
                <Map>
                    <entry key="assignment" value="true"/>
                </Map>
            </Attributes>
        </PermissionRequest>
    </ObjectRequest>
</ProvisioningPlan>

I’ve been struggling with the same issue. What worked for me when building the provisioning plan was to set the ProvisioningPlan nativeIdentity to the safe name, and set the ObjectRequest nativeIdentity to the objectGUID of the AD group.

Example plan:

<ProvisioningPlan nativeIdentity="SAFE_NAME" targetIntegration="CyberArk Target">
    <ObjectRequest application="CyberArk SCIM" nativeIdentity="EBB38BA3-ACE3-4744-BDAF-59190BEA4410" op="Modify" type="Container">
        <PermissionRequest op="Add" rights="addAccounts" target="SAFE_NAME" targetCollector="CyberArk Target">
            <Attributes>
                <Map>
                    <entry key="assignment" value="true" />
                </Map>
            </Attributes>
        </PermissionRequest>
    </ObjectRequest>
</ProvisioningPlan>

This results in the following JSON payload being generated (I used Fiddler to view the SCIM request):

{
    "container":
    {
        "value": "SAFE_NAME"
    },
    "meta":
    {
        "resourceType": "ContainerPermission"
    },
    "rights": ["addAccounts"],
    "schemas": ["urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"],
    "group":
    {
        "value": "EBB38BA3-ACE3-4744-BDAF-59190BEA4410"
    }
}

Hope the blog below can assist you:

https://community.sailpoint.com/t5/Technical-White-Papers/Privileged-Account-Management-in-IdentityIQ/ta-p/74443

Hello @jophis_alias,

I am not sure how the SCIM server will interpret those requests. I would just like to share our implementation approach: instead of using the PAM Connector to control safe member provisioning, we call the REST API Add Safe Member directly. We can simply send an HTTP POST request with the body below:

{
	"memberName":"Access_Group_01",
	"searchIn": "abc.com",
	"membershipExpirationDate":1667472534,
	"permissions":
		{
		"useAccounts":false,
		"retrieveAccounts": false,
		"listAccounts": false,
		"addAccounts": false,
		"updateAccountContent": false,
		"updateAccountProperties": false,
		"initiateCPMAccountManagementOperations": false,
		"specifyNextAccountContent": false,
		"renameAccounts": false,
		"deleteAccounts": false,
		"unlockAccounts": false,
		"manageSafe": false,
		"manageSafeMembers": false,
		"backupSafe": false,
		"viewAuditLog": false,
		"viewSafeMembers": false,
		"accessWithoutConfirmation": false,
		"createFolders": false,
		"deleteFolders": false,
		"moveAccountsAndFolders": false,
		"requestsAuthorizationLevel1": false,
		"requestsAuthorizationLevel2": false
		},
	"MemberType": "Group"
}

After a successful response, we may need to wait for the SCIM server to sync the data from CyberArk and aggregate it back to IIQ.

Best regards,
Mike
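The two replies above show the same grant in two shapes: the SCIM ContainerPermission payload the PAM connector emits, and the Add Safe Member REST body where every permission is listed explicitly. The following Python is an added example, not code from this thread or from SailPoint or CyberArk: it takes the comma-separated `rights` string from a PermissionRequest, rejects any right name that is not in CyberArk's safe-permission set (so a typo cannot silently drop a permission), and produces both bodies with a deny-by-default permissions map. The function names and the sample values are constructed for illustration.

```python
import json

# Full CyberArk safe-member permission set, as listed in the REST body above.
SAFE_PERMISSIONS = (
    "useAccounts", "retrieveAccounts", "listAccounts", "addAccounts",
    "updateAccountContent", "updateAccountProperties",
    "initiateCPMAccountManagementOperations", "specifyNextAccountContent",
    "renameAccounts", "deleteAccounts", "unlockAccounts", "manageSafe",
    "manageSafeMembers", "backupSafe", "viewAuditLog", "viewSafeMembers",
    "accessWithoutConfirmation", "createFolders", "deleteFolders",
    "moveAccountsAndFolders", "requestsAuthorizationLevel1",
    "requestsAuthorizationLevel2",
)

def parse_rights(rights_attr):
    """Split a PermissionRequest rights="..." value into right names.
    Unknown names raise, so a misspelled right is caught before the request is sent."""
    rights = [r.strip() for r in rights_attr.split(",") if r.strip()]
    unknown = sorted(set(rights) - set(SAFE_PERMISSIONS))
    if unknown:
        raise ValueError("unknown safe permission(s): " + ", ".join(unknown))
    return rights

def scim_container_permission(safe_name, group_guid, rights_attr):
    """SCIM ContainerPermission payload in the shape shown in the thread."""
    return {
        "container": {"value": safe_name},
        "meta": {"resourceType": "ContainerPermission"},
        "rights": parse_rights(rights_attr),
        "schemas": ["urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"],
        "group": {"value": group_guid},
    }

def add_safe_member_body(member_name, search_in, rights_attr, member_type="Group", expiration=None):
    """Add Safe Member body: every permission explicit, false unless requested."""
    granted = set(parse_rights(rights_attr))
    body = {
        "memberName": member_name,
        "searchIn": search_in,
        "permissions": {p: (p in granted) for p in SAFE_PERMISSIONS},
        "MemberType": member_type,
    }
    if expiration is not None:  # epoch seconds, optional
        body["membershipExpirationDate"] = expiration
    return body

if __name__ == "__main__":
    # Constructed sample input; the GUID is the one from the example plan above.
    print(json.dumps(scim_container_permission("PPA-Test11A", "EBB38BA3-ACE3-4744-BDAF-59190BEA4410", "addAccounts, listAccounts"), indent=2))
    print(json.dumps(add_safe_member_body("Access_Group_01", "abc.com", "listAccounts, retrieveAccounts"), indent=2))
```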
