CyberArk integration with SailPoint IdentityNow issue

Hi,

We have integrated CyberArk with SailPoint using SCIM 2.0 API.

I am posting here as I didn’t see much documentation on troubleshooting in Compass.

During our Provisioning testing we observed the following issues:

Connector Type: SCIM 2.0
SSL: Enabled
Configurations: Access profiles are configured as Roles in system, RBAC request.
• New User Access:

  1. Access is requested through Role. Role access and Entitlement access display as Passed in Account activity.
  2. CyberArk account gets provisioned and added into group in Target system
  3. On User profiles Role is provisioned, but on Account profile only account details are visible; entitlement details are not visible
  4. We have performed aggregation for synchronizing the data, but entitlement details are not getting populated
  5. All the activities are logged in the CyberArk SCIM logs
  6. In IDN events log the request status shows as PASSED

• Update Access:

  7. New Access is requested through new Role. Role access and Entitlement access are logged as passed in account activity
  8. Entitlement details are not getting updated with new Entitlement
  9. We have performed aggregation for synchronizing the data, but entitlement details are not getting populated
  10. All the activities are logged in the CyberArk SCIM logs
  11. In IDN events log the request status shows as PASSED

• Access Certification – Revoke process:

  12. Triggered access certification on User Role
  13. User’s role was revoked and completed the sign-off
  14. Account activity Role removal, Entitlement removal events are logged as passed in account activity
  15. Revoke event is logged as passed
  16. All the activities are logged in the CyberArk SCIM logs
  17. Role is de-linked from user but entitlement still exists on user

If anyone has faced a similar issue or is aware of this issue, please provide the details.

Thank you!
Sailaja

Hey @sailaja.prathi,

I hope you are well! I have pinged the connector team to see if they might be able to provide some additional reference materials for you when they return after the weekend. In the meantime, have you reviewed the following article, which you may find helpful?

https://community.sailpoint.com/t5/IdentityNow-Wiki/IdentityNow-CyberArk-Integration/ta-p/141239

@michael.ellis,

Thank you for your response. Hope you are well.
Yes, we followed the same.
https://community.sailpoint.com/t5/IdentityNow-Wiki/IdentityNow-CyberArk-Integration/ta-p/141239
Another reference guide was:
https://community.sailpoint.com/t5/IdentityNow-Connectors/SCIM-2-0-Source-Configuration-Reference-Guide/ta-p/72362

Regards,
Sailaja Prathi

Hey @sailaja.prathi, hope you are well,

Would need deeper investigation; however, I would initially double-check the account schema.

Can we please clarify what is defined in your account schema? Was the account ID attribute or name attribute changed for any reason (whilst the source had accounts aggregated)? If so, you would need to perform a source reset via the IdentityNow REST API.

Can you also double-check and list the account ID, name and entitlements/multi-valued defined attributes?

For example, you could have the Account Schema attributes defined as follows:

Account ID: userName

Name: userName

Entitlements: groups, entitlements, roles

Multi-Valued: groups, entitlements, roles

Kind Regards, Omar Khote, CISSP

Kind Regards, Omar Khote , CISSP

2 Likes
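One way to run the schema check suggested above against a single SCIM User resource, as an added example that is not part of the thread and not SailPoint or CyberArk code. The user JSON is constructed sample data laid out per the RFC 7643 core User schema, and `check_account` and `entitlement_values` are hypothetical helper names.

```python
import json

# Account schema from the reply above (attribute names as posted).
ACCOUNT_SCHEMA = {
    "account_id": "userName",
    "name": "userName",
    "entitlements": ["groups", "entitlements", "roles"],
    "multi_valued": ["groups", "entitlements", "roles"],
}

# Constructed sample SCIM 2.0 User resource (RFC 7643 layout); not real CyberArk output.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe",
  "groups": [{"value": "7", "display": "Vault-Auditors"}],
  "entitlements": [],
  "roles": "admin"
}""")

def check_account(user, schema):
    """Compare one SCIM User resource with the account schema; return findings."""
    findings = []
    for key in ("account_id", "name"):
        attr = schema[key]
        if not isinstance(user.get(attr), str) or not user[attr]:
            findings.append(f"{key} attribute '{attr}' missing or empty")
    for attr in schema["entitlements"]:
        if attr not in schema["multi_valued"]:
            findings.append(f"'{attr}' is an entitlement but not multi-valued")
        if attr not in user:
            findings.append(f"'{attr}' not returned by the SCIM server")
        elif not isinstance(user[attr], list):
            findings.append(f"'{attr}' is {type(user[attr]).__name__}, expected list")
        elif not user[attr]:
            findings.append(f"'{attr}' returned empty")
        elif any(not (isinstance(v, dict) and v.get("value")) for v in user[attr]):
            findings.append(f"'{attr}' has items without a 'value' sub-attribute")
    return findings

def entitlement_values(user, schema):
    """Collect the 'value' of every well-formed entitlement item, per attribute."""
    out = {}
    for attr in schema["entitlements"]:
        items = user.get(attr)
        if isinstance(items, list):
            out[attr] = [v["value"] for v in items if isinstance(v, dict) and v.get("value")]
    return out

if __name__ == "__main__":
    print(check_account(SAMPLE_USER, ACCOUNT_SCHEMA), entitlement_values(SAMPLE_USER, ACCOUNT_SCHEMA))
```

Feeding it the user resource captured from the SCIM server's response for an affected account shows whether the entitlement attributes named in the schema are coming back at all, and in list form.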

This looks way deeper than a simple answer. Working on this through ES case with partner.

1 Like

Agree, it would be wise for this to be worked via an ES case, thanks @chirag.patel.

1 Like