CyberArk revoke safe permissions from SCIM-User service account

Hello experts,
Is there a way to revoke certain safe permissions for the SCIM-user service account from the full permissions list (programmatically)?
The safe was created by SCIM-user and has 2 members: SCIM-user and another user account. Both users have full permission privilege.
When the user account is “disabled” because the user is no longer active, we want to retain the safe and also revoke all permissions for SCIM-user except for “Use password, List, Retrieve”.
Thanks in advance

Hey @lumuser,

Thanks for posting this question. Let us look into this and we will circle back shortly with some input!

Hi @lumuser

Programmatically, this would require making a PATCH or PUT request to the CyberArk SCIM server on the /ContainerPermission endpoint. I am not sure if the CyberArk implementation supports either of these operations on the endpoint in question, but I’ve sent a request to our partner contact at CyberArk to get a definitive answer.

You can also confirm yourself whether these operations are available by interfacing with the CyberArk SCIM server directly using Postman.

Do a GET on the /ContainerPermission endpoint, which will return a JSON array of ContainerPermission objects, each one with a specific ID field. Take that ID field from a single ContainerPermission object and append it to a request:

PUT /ContainerPermission/<id from the GET call>

For the body of this request, copy and paste the ContainerPermission object in its entirety, and modify the ‘rights’ JSON array to include only the permissions you want (it will look something like below).

{
    "container": {
        "value": "demoSafe",
        "$ref": "https://<url>/scim/v2/Containers/ContainerPermission",
        "name": "demoSafe",
        "display": "Demo Safe"
    },
    "user": {
        "value": "adamC",
        "$ref": "https://<url>/scim/v2/Users/adamC",
        "display": "Adam C"
    },
    "rights": [
        "useAccounts",
        "retrieveAccounts",
        "listAccounts"
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"
    ],
    "id": "demoSafe:adamC",
    "meta": {
        "resourceType": "ContainerPermission",
        "created": "<some timestamp>",
        "lastModified": "<some timestamp>",
        "location": "https://<url>/scim/v2/ContainerPermissions/demoSafe:adamC"
    }
}

Send the request. If the server responds with a ‘501 Not Implemented’ response, then try the PATCH operation. If both responses are ‘501 Not Implemented’ then we are a bit stuck. The other option to look at would be to remove the user from all their containers, and then re-add them.

I’ll update here when I’ve heard back directly from CyberArk.

1 Like
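The GET-then-PUT procedure from the answer above, written out as a Python script. This is an added example, not code from the thread, from Okta or from CyberArk. It assumes the SCIM server takes a bearer token (the thread does not say how Postman was authenticated), that the listing comes back either as a bare JSON array (as the answer describes) or as a standard SCIM ListResponse under "Resources", and that the `rights` names are the ones shown in the posted JSON; the extra rights in the constructed sample, the hostname and the in-memory "server" are placeholders so the script runs offline. The reduction intersects the kept rights with those the member already holds, so the PUT never grants anything the safe member did not have.

```python
import io
import json
import urllib.request

# Rights the SCIM-user account should keep (names taken from the posted JSON).
KEEP_RIGHTS = ("useAccounts", "retrieveAccounts", "listAccounts")

# Constructed sample: the ContainerPermission object from the thread, padded with
# extra rights to stand in for "full permissions". The extra right names and the
# hostname are illustrative placeholders, not CyberArk's real values.
SAMPLE_PERMISSION = {
    "container": {"value": "demoSafe", "name": "demoSafe", "display": "Demo Safe"},
    "user": {"value": "adamC", "display": "Adam C"},
    "rights": ["useAccounts", "retrieveAccounts", "listAccounts",
               "addAccounts", "deleteAccounts", "manageSafe"],
    "schemas": ["urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"],
    "id": "demoSafe:adamC",
    "meta": {"resourceType": "ContainerPermission", "created": "<ts>",
             "lastModified": "<ts>",
             "location": "https://pam.example.test/scim/v2/ContainerPermissions/demoSafe:adamC"},
}


def restrict_rights(perm, keep=KEEP_RIGHTS):
    """Build the PUT body: a copy of `perm` with 'rights' reduced to `keep`.

    Only rights the member already holds are kept (least privilege: nothing is
    added), and the server-owned 'meta' block is dropped from the body."""
    if not isinstance(perm.get("rights"), list):
        raise ValueError("ContainerPermission has no 'rights' list")
    body = {k: v for k, v in perm.items() if k != "meta"}
    body["rights"] = [r for r in keep if r in perm["rights"]]
    return body


def find_permission(listing, safe, user):
    """Select the (safe, user) entry from the GET listing. Accepts a bare array
    (as the answer describes) or a SCIM ListResponse with 'Resources' (assumption)."""
    items = listing.get("Resources", []) if isinstance(listing, dict) else listing
    for p in items:
        if p.get("container", {}).get("value") == safe and p.get("user", {}).get("value") == user:
            return p
    raise LookupError(f"no ContainerPermission for {safe}:{user}")


def _call(http, method, url, token, body=None):
    """Send one JSON request through `http` (a urllib.request.urlopen-compatible callable)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",  # assumption: bearer-token auth
        "Accept": "application/scim+json",
        "Content-Type": "application/scim+json",
    })
    with http(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def revoke_to_minimum(base_url, token, safe, user, http=urllib.request.urlopen):
    """GET /ContainerPermission, pick the (safe, user) entry, PUT it back with reduced
    rights. Returns (status, body_sent); a 501 means PUT is unsupported, so try PATCH."""
    _, listing = _call(http, "GET", f"{base_url}/ContainerPermission", token)
    perm = find_permission(listing, safe, user)
    body = restrict_rights(perm)
    status, _ = _call(http, "PUT", f"{base_url}/ContainerPermission/{perm['id']}", token, body)
    if status == 501:
        raise NotImplementedError("PUT not implemented on this server; try PATCH instead")
    return status, body


class _FakeResponse(io.BytesIO):
    """Minimal stand-in for urllib's response: .status, .read(), context manager."""
    def __init__(self, status, payload):
        super().__init__(json.dumps(payload).encode() if payload is not None else b"")
        self.status = status


def fake_server(store, put_status=200):
    """Constructed in-memory SCIM server for offline runs; `store` maps id -> permission."""
    def http(req):
        if req.get_method() == "GET":
            return _FakeResponse(200, list(store.values()))
        perm_id = req.full_url.rsplit("/", 1)[-1]
        store[perm_id] = json.loads(req.data)
        return _FakeResponse(put_status, store[perm_id] if put_status == 200 else None)
    return http


def demo():
    """Run the whole flow against the fake server; returns (status, rights now stored)."""
    store = {SAMPLE_PERMISSION["id"]: json.loads(json.dumps(SAMPLE_PERMISSION))}
    status, _ = revoke_to_minimum("https://pam.example.test/scim/v2", "<token>",
                                  "demoSafe", "adamC", http=fake_server(store))
    return status, store["demoSafe:adamC"]["rights"]


if __name__ == "__main__":
    print(demo())
```

Against a real server, call `revoke_to_minimum` with the SCIM base URL and token and leave `http` at its default; the script only changes the one member's rights and leaves the safe and the other member untouched, which matches the asker's goal of keeping the safe while trimming the SCIM-user account to Use, Retrieve and List.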

That was quick - my CyberArk contact confirmed that the PUT operation on ContainerPermission is supported, and the above instructions should work. Please let me know if you can confirm?

1 Like