Integrating CyberArk On-Prem (Privileged Access Manager) with SailPoint IdentityNow (IDN) using REST APIs

Hi Experts,

We are working on integrating CyberArk On-Prem with SailPoint IdentityNow and have some questions regarding the CyberArk REST APIs and how to map entitlements and access profiles:

  1. Getting Users per Safe (Entitlement):
  • CyberArk provides an API to get all members of a specific safe (entitlement).
  • To determine user entitlements in IdentityNow, can we call this API for each safe and aggregate the users accordingly?
  • Is this approach feasible and scalable?
  2. Access Profiles and Safe-Level Permissions:
  • Access profiles represent safe-level access permissions.
  • When assigning an access profile to a user, can we programmatically add different permission levels (e.g., connect-only or full access) to the safe using the Add Safe Member API?
  • Is it possible to manipulate safe permissions this way via API calls?
  3. Example Scenario:
  • Suppose there is a safe named Win-Admins.
  • We can get the safe name via the Get All Safes API.
  • To find users assigned to that safe, we use the Get Safe Members API.
  • By combining with the Get Users API, we can map which users have which safe entitlements.
  • When a user requests access via an access profile, can we assign them either connect-only or full access by setting the appropriate permissions through the API?

Reference APIs:

Hey @Hasitha, I hope the below inputs help!

  1. Short answer is yes, this approach should be ok. This is a very common way that IIQ aggregates accounts / entitlements using the WebServices connector. You will notice in that documentation that an aggregation can be “multi-stepped”, and it is exactly for this use case. As for scalable, it should be fine within industry-standard levels of scale. Of course, if you have 10s of thousands of vaults with millions of users you will see performance degradation.
  2. I don’t think it is possible to assign one entitlement or another using a single Access Profile. The standard approach would just be to create multiple APs to represent access to the safe, i.e. AP1 is Win-Admins:connect-only and AP2 is Win-Admins:full-access. However, if you are determined to go down that route, it may be possible if you look into dynamic Roles. Though I would say the suggestion above is how most do this.
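
An added example, not code from the thread, from SailPoint or from CyberArk: it reduces the multi-step aggregation from the question (list safes, then members per safe) to per-user entitlements named the way the answer suggests (Win-Admins:connect-only, Win-Admins:full-access), and shows the reverse mapping from an access profile's level to the permission flags an Add Safe Member call would carry. The response field names (value, safeName, memberName, memberType, permissions and the individual flag names) and the definition of the two levels are assumptions modelled on the CyberArk PVWA Safes API; check them against your PVWA version, and the sample responses are constructed.

```python
from collections import defaultdict

# Assumption: flags a "connect-only" member holds vs. the wider set for "full-access".
CONNECT_ONLY_FLAGS = {"useAccounts", "listAccounts"}
FULL_ACCESS_FLAGS = CONNECT_ONLY_FLAGS | {
    "retrieveAccounts", "addAccounts", "updateAccountContent",
    "updateAccountProperties", "deleteAccounts", "manageSafe",
}

def permissions_for_level(level):
    """Permission fragment for an Add Safe Member body: every known flag, set per level."""
    enabled = CONNECT_ONLY_FLAGS if level == "connect-only" else FULL_ACCESS_FLAGS
    return {flag: flag in enabled for flag in FULL_ACCESS_FLAGS}

def classify(permissions):
    """Map a member's granted flags back to an entitlement level (or 'other')."""
    granted = {flag for flag, on in permissions.items() if on}
    if granted and granted <= CONNECT_ONLY_FLAGS:
        return "connect-only"
    if granted & (FULL_ACCESS_FLAGS - CONNECT_ONLY_FLAGS):
        return "full-access"
    return "other"

def aggregate_entitlements(get_safes, get_safe_members):
    """Step 1: list safes. Step 2: members per safe. Result: user -> {'Safe:level'}."""
    entitlements = defaultdict(set)
    for safe in get_safes()["value"]:
        for member in get_safe_members(safe["safeName"])["value"]:
            if member.get("memberType") != "User":  # groups/roles are resolved elsewhere
                continue
            level = classify(member["permissions"])
            entitlements[member["memberName"]].add(f"{safe['safeName']}:{level}")
    return dict(entitlements)

# Constructed sample responses standing in for the Get All Safes / Get Safe Members calls.
SAFES = {"value": [{"safeName": "Win-Admins"}, {"safeName": "DB-Admins"}]}
MEMBERS = {
    "Win-Admins": {"value": [
        {"memberName": "alice", "memberType": "User", "permissions": permissions_for_level("full-access")},
        {"memberName": "bob", "memberType": "User", "permissions": permissions_for_level("connect-only")},
        {"memberName": "Vault Admins", "memberType": "Group", "permissions": permissions_for_level("full-access")},
    ]},
    "DB-Admins": {"value": [
        {"memberName": "bob", "memberType": "User", "permissions": permissions_for_level("full-access")},
    ]},
}

if __name__ == "__main__":
    for user, ents in aggregate_entitlements(lambda: SAFES, lambda s: MEMBERS[s]).items():
        print(user, sorted(ents))
```

Against a live PVWA the two lambdas become authenticated GET calls with paging, and the same classify() step decides which of the two access profiles an existing member already maps to.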
