Help with ISC Workflows – Disable CyberArk account on last access removed, enable on first access added

Hi everyone,

I’m working in SailPoint Identity Security Cloud (ISC) and trying to design two workflows related to our CyberArk Privilege Cloud connector. I’d really appreciate some guidance or examples from anyone who’s implemented similar logic.

Use Case 1 – Disable CyberArk account when last entitlement is removed

  • When the last CyberArk entitlement (or role linked to the CyberArk source) is removed from an active identity,

  • The identity no longer has any CyberArk access items,

  • Then the workflow should disable the CyberArk account.

Essentially, if the account still exists in CyberArk but the user no longer has any entitlements → set the account status to disabled.

Use Case 2 – Enable CyberArk account when first entitlement is added

  • When an active identity is granted their first CyberArk entitlement/role,

  • And the linked CyberArk account is currently disabled,

  • The workflow should enable the CyberArk account automatically.

So, if an identity regains access to CyberArk after being re-enabled in SailPoint, the account in CyberArk should be flipped from disabled → enabled.

If anyone has JSON snippets or examples of similar logic, I’d love to see them.

Thanks in advance for your help!
Karan

Are you facing any issues while working with workflows?

The flow would be Trigger → Access Request Decision → Revoked → Check if the identity has any access related to CyberArk → Take the decision to enable/disable the source
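The decision step at the end of that flow, as an added example that is not part of the thread and is not SailPoint workflow JSON or a SailPoint API. The source name, the `AccessItem` and `Account` shapes, the `decide` function and the sample data are all hypothetical; inactive identities are assumed to be handled by a separate leaver process.

```python
from dataclasses import dataclass
from typing import Optional

CYBERARK_SOURCE = "CyberArk Privilege Cloud"  # assumed source name

@dataclass(frozen=True)
class AccessItem:              # hypothetical shape, not an ISC object
    name: str
    kind: str                  # "ENTITLEMENT" or "ROLE"
    sources: frozenset         # sources this item grants access on

@dataclass(frozen=True)
class Account:                 # hypothetical shape, not an ISC object
    source: str
    disabled: bool

def decide(identity_active: bool, items: list, account: Optional[Account]) -> str:
    """Return "ENABLE", "DISABLE" or "NOOP" from the identity's current state.

    Deciding from the state left after the triggering event, instead of
    trusting the event to mean "last removed" or "first added", keeps the
    step idempotent when requests complete together or an event is replayed.
    """
    if account is None or account.source != CYBERARK_SOURCE:
        return "NOOP"          # no CyberArk account to flip
    if not identity_active:
        return "NOOP"          # both use cases are scoped to active identities
    # A role counts as CyberArk access if it grants anything on the source,
    # so removing one entitlement while such a role remains does not disable.
    has_access = any(CYBERARK_SOURCE in item.sources for item in items)
    if has_access:
        return "ENABLE" if account.disabled else "NOOP"
    return "NOOP" if account.disabled else "DISABLE"

# Constructed sample access items
SAFE_ADMIN = AccessItem("Safe-Admins", "ENTITLEMENT", frozenset({CYBERARK_SOURCE}))
PAM_ROLE = AccessItem("PAM Operator", "ROLE",
                      frozenset({CYBERARK_SOURCE, "Active Directory"}))
AD_GROUP = AccessItem("VPN-Users", "ENTITLEMENT", frozenset({"Active Directory"}))

if __name__ == "__main__":
    enabled = Account(CYBERARK_SOURCE, disabled=False)
    disabled = Account(CYBERARK_SOURCE, disabled=True)
    print(decide(True, [AD_GROUP], enabled))             # last CyberArk item gone
    print(decide(True, [SAFE_ADMIN], disabled))          # first CyberArk item added
    print(decide(True, [PAM_ROLE, AD_GROUP], enabled))   # role still grants access
```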