Hi Experts,
We are working on integrating CyberArk On-Prem with SailPoint IdentityNow and have some questions regarding the CyberArk REST APIs and how to map entitlements and access profiles:
- Getting Users per Safe (Entitlement):
  - CyberArk provides an API to get all members of a specific safe (entitlement).
  - To determine user entitlements in IdentityNow, can we call this API for each safe and aggregate the users accordingly?
  - Is this approach feasible and scalable?
- Access Profiles and Safe-Level Permissions:
  - Access profiles represent safe-level access permissions.
  - When assigning an access profile to a user, can we programmatically add different permission levels (e.g., connect-only or full access) to the safe using the Add Safe Member API?
  - Is it possible to manipulate safe permissions this way via API calls?
- Example Scenario:
  - Suppose there is a safe named Win-Admins.
  - We can get the safe name via the Get All Safes API.
  - To find users assigned to that safe, we use the Get Safe Members API.
  - By combining with the Get Users API, we can map which users have which safe entitlements.
  - When a user requests access via an access profile, can we assign them either connect-only or full access by setting the appropriate permissions through the API?
Reference APIs:
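
The aggregation from the example scenario above, as an added example that is not part of the original post and is not CyberArk or SailPoint code: it inverts per-safe member lists into per-user entitlements and builds an Add Safe Member request body for a requested level. The member field names (`memberName`, `memberType`, `isPredefinedUser`, `permissions`), the two level definitions and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed mapping of access-profile level -> safe permission flags to grant.
LEVELS = {
    "connect-only": {"useAccounts": True, "listAccounts": True, "retrieveAccounts": False},
    "full": {"useAccounts": True, "listAccounts": True, "retrieveAccounts": True},
}

def classify(permissions):
    """Return the level whose flags all match the member's permissions, else 'other'."""
    for level, flags in LEVELS.items():
        if all(bool(permissions.get(k)) == v for k, v in flags.items()):
            return level
    return "other"

def entitlements_by_user(members_by_safe):
    """Invert safe -> members into user -> [(safe, level)], direct user members only."""
    result = defaultdict(list)
    for safe, members in members_by_safe.items():
        for m in members:
            # Groups and built-in members are not direct user entitlements.
            if m.get("memberType") != "User" or m.get("isPredefinedUser"):
                continue
            result[m["memberName"]].append((safe, classify(m.get("permissions", {}))))
    return {user: sorted(ents) for user, ents in result.items()}

def add_member_body(member_name, level):
    """Request body for an Add Safe Member call granting the given level."""
    return {"memberName": member_name, "permissions": dict(LEVELS[level])}

def _m(name, kind, level, predefined=False):
    """Build one constructed member record."""
    return {"memberName": name, "memberType": kind, "isPredefinedUser": predefined,
            "permissions": dict(LEVELS[level])}

# Constructed sample: one member list per safe, as gathered from per-safe calls.
SAMPLE = {
    "Win-Admins": [_m("Master", "User", "full", predefined=True),
                   _m("alice", "User", "connect-only"),
                   _m("bob", "User", "full"),
                   _m("HelpDesk", "Group", "connect-only")],
    "Linux-Root": [_m("alice", "User", "full")],
}

if __name__ == "__main__":
    for user, ents in entitlements_by_user(SAMPLE).items():
        print(user, ents)
    print(add_member_body("carol", "connect-only"))
```

Members that arrive through a group (here `HelpDesk`) are skipped on purpose, so a real aggregation has to decide whether to model the group itself as the entitlement holder.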