After migrating Cyberark from Self-hosted to Privileged Cloud, Aggregation for TargetSource is not correlating in IIQ and no containers are visible in PAM UI

Which IIQ version are you inquiring about?

8.3p3

Please share any images or screenshots, if relevant.

image1916×495 11.3 KB

image999×389 11.4 KB

Share all details about your problem, including any error messages you may have received.

We were able to see containers in the Privileged Account Management (UI) when IIQ was pointing to Cyberark self-hosted env and after changing the connection details to Cyberark Privileged we are not able to see the details in PAM UI. Also, in IIQ after running the targetSource aggregation task, the details are not correlated as shown in the screenshot. We are using OOTB Sailpoint PAM Access Mapping Correlation Rule in the TargetSource.
Does anyone have any idea what could be the reason for this issue or faced this before?

@srikanth_akella8 When you open the PAM page are you seeing any error in logs?

Did the connection attributes change at all?

@srikanth_akella8 Could you please specify what all details you have changed and also check logs if any error is reported.

Hi All, I have updated connection details - Base URL, Authentication Type - OAuth2.0, in the application and same details in Unstructured Targets. I dont see any error in the logs when I open the PAM module.

Update -
What I could infer is when I run the Account Aggregation task with Include empty targets option checked for the target Collector I see empty safe details in the PAM module but don’t see safe and priv details being correlated and I suspect there is some issue here.

What does your logs says? and you might want to check with Sailpoint Support as well. In case they can help.

I dont see any error in the logs. I am able to see only empty safes in the PAM UI. No data is being correlated after running the Aggregation Task for the TargetSource.

@srikanth_akella8 I was reading some articles, could you please also check few things:

1. In Privileged Cloud, the attributes returned via the REST API often differ in case or name from the On-Premise Vault. If the PAM Access Mapping Correlation Rule expects userName but the Collector is now providing samAccountName or UPN, the rule returns null, leaving the Link uncorrelated.
2. Also if Safes are visible but empty, it means the Container Aggregation worked, but the Account Aggregation (which links accounts to those containers) failed to find a match.
3. Check the TargetSource is correctly associated with the main CyberArk PAM Application.
4. Less chances:: but it could be due to permissions issues as well. May be Service Account doesn’t have access to view Safes data.

In case this doesn’t help, you might want to coordinate with Sailpoint Support.