Description | CyberArk Privilege Cloud RBAC Connector |
Legal Agreement | By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab. |
Repository Link | GitHub - sailpoint-oss/colab-saas-conn-cyber-ark-rbac |
New to SaaS connectors in the CoLab? | Read the getting started guide for SaaS Connectors in the CoLab. |
Supported by | Community Developed |
Overview
This CyberArk Privilege Cloud connector lives on a Shared Services tenant. It supports features that aren’t available on the SailPoint provided connector. This guide will explain these additional features, as well as how to configure the connector.
Requirements
To configure the CyberArk Privilege Cloud RBAC connector, you need the following:
- SailPoint Identity Security Cloud Subscription
- CyberArk Privilege Cloud on Shared Services Instance
- OAuth Client with proper permissions (see following requirements)
- SailPoint CLI
- Node.js >= 16.2.0
- TypeScript >= 4.4.3
Guide
Supported operations
The CyberArk Privilege Cloud RBAC connector supports these connector commands:
- Test Connection
- Account Create
- Account Enable
- Account Disable
- Account List
- Account Read
- Account Update
- Entitlement List
Differences from SailPoint provided connector
The CyberArk Privilege Cloud RBAC connector provides you with these unique features:
- The ability to “create” (by invite) Active Directory (AD) users in your tenant. The SailPoint connector can only create local CyberArk Cloud Directory users.
- The ability to manage individual safe rights as entitlements, instead of only as groups.
- The ability to create “safe roles”, bundles of safe rights, which simplifies end user requests.
- Descriptions of all entitlements, including groups. The `description` field isn’t available in the SCIM APIs for groups, so the SailPoint provided connector doesn’t collect descriptions.
Connector-specific requirements
There are some additional requirements specific to the CyberArk Privilege Cloud RBAC connector:
- An active SCIM service (guide)
- These additional scopes to access UserMgmt and RoleMgmt API endpoints:
- An identity connector for your preferred AD domain
Configuration
To correctly configure the connector, you will also need the following:
oauthAppId
- This is the name of the OAuth application you created in your CyberArk identity tenant as part of the SCIM server setup.
oauthScope
- This is the list of available scopes you created in your SCIM OAuth Client. If you use the earlier screenshot, this value would be “scim usermgmt rolemgmt”.
accountSource
- Active Directory is currently the only supported option. In the future, I may include the ability to create local accounts as well.
directoryServiceId
- This is the ID of the directory service for your AD domain. It currently only supports a single AD Domain, but I may add support for multiple in the future. Read the following section to learn how to find your directory service ID.
safeRights
- These are all the available rights that can be assigned to a safe. The connector will create an entitlement for each right for every safe. For example, if you have 50 safes and 20 rights listed, then that will create 1000 entitlements with the type “safeRight”. I recommend using the following values:
```json
[
  {
    "name": "useAccounts",
    "description": "Allows members to use the accounts in the Safe to connect using PSM/PSMP"
  },
  {
    "name": "retrieveAccounts",
    "description": "Allows members to show or copy an account's secret"
  },
  {
    "name": "listAccounts",
    "description": "Allows members to view the accounts in the Safe"
  },
  {
    "name": "addAccounts",
    "description": "Allows members to add accounts to the Safe"
  },
  {
    "name": "updateAccountContent",
    "description": "Allows members to set the password in the Vault only"
  },
  {
    "name": "updateAccountProperties",
    "description": "Allows members to edit account properties"
  },
  {
    "name": "initiateCPMAccountManagementOperations",
    "description": "Allows members to trigger the CPM to change, verify or reconcile an account's secret"
  },
  {
    "name": "specifyNextAccountContent",
    "description": "Allows members to set a specific secret for the next time the CPM changes the secret"
  },
  {
    "name": "renameAccounts",
    "description": "Allows members to rename accounts in the Safe"
  },
  {
    "name": "deleteAccounts",
    "description": "Allows members to delete accounts in the Safe"
  },
  {
    "name": "unlockAccounts",
    "description": "Allows members to unlock accounts in the Safe that are locked by other users"
  },
  {
    "name": "manageSafe",
    "description": "Allows members to edit the Safe properties"
  },
  {
    "name": "manageSafeMembers",
    "description": "Allows members to set permissions for Safe members"
  },
  {
    "name": "backupSafe",
    "description": "Allows members to back up the Safe"
  },
  {
    "name": "viewAuditLog",
    "description": "Allows members to view account activity in the Safe"
  },
  {
    "name": "viewSafeMembers",
    "description": "Allows members to view the permissions of Safe members"
  },
  {
    "name": "accessWithoutConfirmation",
    "description": "Allows members to access an account in the Safe without requesting confirmation"
  },
  {
    "name": "createFolders",
    "description": "Allows members to create folders in the Safe"
  },
  {
    "name": "deleteFolders",
    "description": "Allows members to delete folders in the Safe"
  },
  {
    "name": "moveAccountsAndFolders",
    "description": "Allows members to move accounts and folders in the Safe"
  },
  {
    "name": "requestsAuthorizationLevel1",
    "description": "Allows members to confirm a request to access an account in the Safe - receive requests immediately"
  },
  {
    "name": "requestsAuthorizationLevel2",
    "description": "Allows members to confirm a request to access an account in the Safe - receive requests after the required number of level 1 confirmations"
  }
]
```
safeRoles
- These are user-defined “roles” that bundle together one or more safeRights. These roles often make it easier for users to understand what access they want to request for a given safe, and they give the admins more control over what access can actually be requested. Use the following format. These are the roles I created for my org:
```json
[
  {
    "name": "Full",
    "description": "Allows full access to a safe",
    "rights": [
      "useAccounts",
      "retrieveAccounts",
      "listAccounts",
      "addAccounts",
      "updateAccountContent",
      "updateAccountProperties",
      "initiateCPMAccountManagementOperations",
      "specifyNextAccountContent",
      "renameAccounts",
      "deleteAccounts",
      "unlockAccounts",
      "manageSafe",
      "manageSafeMembers",
      "backupSafe",
      "viewAuditLog",
      "viewSafeMembers",
      "accessWithoutConfirmation",
      "createFolders",
      "deleteFolders",
      "moveAccountsAndFolders",
      "requestsAuthorizationLevel1"
    ]
  },
  {
    "name": "Owner",
    "description": "Allows most access granted under full access apart from account deletion and managing safe members",
    "rights": [
      "useAccounts",
      "retrieveAccounts",
      "listAccounts",
      "updateAccountContent",
      "updateAccountProperties",
      "initiateCPMAccountManagementOperations",
      "specifyNextAccountContent",
      "renameAccounts",
      "deleteAccounts",
      "unlockAccounts",
      "backupSafe",
      "viewAuditLog",
      "viewSafeMembers",
      "accessWithoutConfirmation",
      "createFolders",
      "deleteFolders",
      "moveAccountsAndFolders",
      "requestsAuthorizationLevel1"
    ]
  },
  {
    "name": "Auditor",
    "description": "Allows auditor level access that includes listing accounts, viewing safe members, and viewing the audit log",
    "rights": [
      "listAccounts",
      "viewSafeMembers",
      "viewAuditLog"
    ]
  },
  {
    "name": "Basic",
    "description": "Allows for basic account usage and retrieval. No account changes or new account creation allowed",
    "rights": [
      "useAccounts",
      "retrieveAccounts",
      "listAccounts",
      "initiateCPMAccountManagementOperations",
      "viewAuditLog"
    ]
  }
]
```
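As an added example (not code from the connector or from SailPoint), this shows how the safeRights and safeRoles values above expand into per-safe entitlements, with a check that every role only references rights that are actually listed; the config and entitlement shapes, field names and safe names are assumptions for illustration:

```typescript
// Added example (not the connector's own code). Expands the safeRights and
// safeRoles configuration described above into the entitlements the connector
// exposes, and checks that every role references only rights that are listed.
// The config and entitlement shapes and field names below are assumptions.
interface SafeRight { name: string; description: string }
interface SafeRole { name: string; description: string; rights: string[] }
interface Entitlement { id: string; type: "safeRight" | "safeRole"; safe: string;
                        name: string; description: string; rights: string[] }

// Constructed sample config: three of the recommended safeRights and one role.
const SAFE_RIGHTS: SafeRight[] = [
  { name: "listAccounts", description: "Allows members to view the accounts in the Safe" },
  { name: "viewSafeMembers", description: "Allows members to view the permissions of Safe members" },
  { name: "viewAuditLog", description: "Allows members to view account activity in the Safe" },
];
const SAFE_ROLES: SafeRole[] = [{
  name: "Auditor", description: "Listing accounts, viewing safe members and the audit log",
  rights: ["listAccounts", "viewSafeMembers", "viewAuditLog"],
}];

// A role naming a right that is not in safeRights is a config error: reject it
// up front instead of letting a typo silently grant less (or different) access.
function validateRoles(rights: SafeRight[], roles: SafeRole[]): string[] {
  const known = rights.map((r) => r.name);
  const errors: string[] = [];
  for (const role of roles) {
    for (const right of role.rights) {
      if (known.indexOf(right) === -1) errors.push(`role ${role.name}: unknown right ${right}`);
    }
  }
  return errors;
}

// One entitlement per (safe, right) and one per (safe, role): 50 safes and 20
// rights give the 1000 "safeRight" entitlements the guide mentions, plus roles.
function buildEntitlements(safes: string[], rights: SafeRight[], roles: SafeRole[]): Entitlement[] {
  const errors = validateRoles(rights, roles);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const out: Entitlement[] = [];
  for (const safe of safes) {
    for (const r of rights) {
      out.push({ id: `${safe}:${r.name}`, type: "safeRight", safe, name: r.name,
                 description: r.description, rights: [r.name] });
    }
    for (const role of roles) {
      out.push({ id: `${safe}:role:${role.name}`, type: "safeRole", safe, name: role.name,
                 description: role.description, rights: role.rights.slice() });
    }
  }
  return out;
}
```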
Find your Directory Service ID
To find your directory service ID for your AD domain, follow these steps:
- In the Identity tenant, select ‘Users’ and select ‘Invite Users’ at the top right.
- Open your developer console (F12) and start typing in a name to capture the traffic. Doing so returns IDs from all directories checked on the left side.
- To collect only the directory service you want, deselect the others.
For example, you could run a search like this:
The search would result in a payload like this:
The ID you’re looking for is the `directoryServices` property. If you deselect the other directory sources, only the one you want will appear in the response. You can use this directory service ID to configure your connector.