SailPoint IIQ integrated with CyberArk PAM

Hello,

Currently, I have SailPoint IIQ integrated with CyberArk PAM (SCIM Connector), and I have successfully performed aggregation. User data has already been retrieved.

Now, I would like to create user accounts and enable/disable CyberArk users through SailPoint. How can I do this?

Thank you.

Are you managing your CyberArk users locally? You can use the POST method available at the endpoint <Base_URL>/scim/v2/Users to create users, and there is also a PUT method that allows updating users. More details are available from CyberArk below.

https://docs.cyberark.com/identity/latest/en/content/developer/scim-management/scim-endpoints-manage-users.htm

@benutop55 Please refer to the post below:

Hello, thank you for your response.

Do I need to create a rule in the Provisioning Policies, or how should I proceed?

@benutop55 Do you have any OOTB provisioning policy, or have you created a new provisioning policy?

If the existing CyberArk connector is blocking for some reason, go for a Web Services type connector. You will get Create operations. Or else you can create a custom business process and attach it to the Joiner process if it is a part of the birthright…

@benutop55 as you have configured it as a SCIM connector (or for the Web Services connector), please test out the APIs via Postman. This’ll tell you how the API works and what the request and response format is.

Now, as you already have SCIM, it should internally make a POST call to the /scim/Users API to create the account in CyberArk. You will need a Provisioning Plan, which you can generate programmatically, or you can take the available existing routes via Manage Accounts, Manage User Access (while submitting entitlements or roles), etc. This’ll trigger a create provisioning to CyberArk. Give it a try and see if it works.

I tried to create a user via SCIM using Postman, but I got the following error:

Postman:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "status": 400,
    "detail": "user data is required"
}

SCIM Logs:

2026-05-05 13:55:42.375 [DBG] [33] [SCIMServer.Controllers.UsersController] Method: AddUser
2026-05-05 13:55:42.375 [DBG] [33] [SCIMServiceLibrary.UserService] Method: AddUserAsync
2026-05-05 13:55:42.375 [WRN] [33] [SCIMServer.Controllers.UsersController] user data is required
ModelLibrary.exception.InvalidInputException: user data is required
   at SCIMServiceLibrary.UserService.AddUserAsync(String scimServerHost, CyberArkCredential cyberArkCred, SCIMUserResource user) in C:\aaaGitHub\CyberArkSCIMServer\dotnetSolution\SCIMServiceLibrary\UserService.cs:line 725
   at SCIMServer.Controllers.UsersController.AddUser(SCIMUserResource body) in C:\aaaGitHub\CyberArkSCIMServer\dotnetSolution\SCIMServer\Controllers\UsersController.cs:line 243
2026-05-05 13:55:42.375 [DBG] [33] [CyberArkRESTPartialLibrary.CyberArkRESTPartialAPI] Method: Logoff2ndGenAsync
2026-05-05 13:55:42.376 [DBG] [33] [CyberArkRESTPartialLibrary.CyberArkRESTPartialAPI] URL: "https://ca14pvwa.sailpointnew.local/PasswordVault/API/auth/Logoff", Method: "Post"
2026-05-05 13:55:42.471 [INF] [33] [Serilog.AspNetCore.RequestLoggingMiddleware] HTTP POST /scim/v2/Users/ responded 400 in 95.8070 ms

Is there something wrong with my SCIM setup?

The most likely cause of the error is that it is missing userType: Vault and the enterprise extension organization field. Please share your exact Postman request body so that I can make a suggestion. Can you share the full request body and headers?

This is my body and headers:

Headers:

Body:

Your request body is wrapped inside a "userData": {} object:
The CyberArk SCIM server does NOT accept a userData wrapper. It expects the fields at the root level following the SCIM 2.0 standard schema. That’s exactly why line 725 throws user data is required — the deserializer finds no valid SCIMUserResource object at the root, so it treats the body as empty.

Can you try putting it like below and try it in Postman?

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "scim.test01",
  "name": {
    "givenName": "SCIM",
    "familyName": "Test"
  },
  "displayName": "SCIM Test",
  "active": true,
  "emails": [
    {
      "value": "scim@test.com",
      "type": "work",
      "primary": true
    }
  ],
  "userType": "EPVUser",
  "password": "P@ssw0rd123!"
}

Change your For changePassOnNextLogon and location. These are CyberArk-specific fields, not standard SCIM.

Try and see if it works for you
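Added example, not part of the reply above and not CyberArk or SailPoint code: a pre-flight check for the create-user body that catches the "userData" wrapper and missing root-level SCIM attributes before the POST, plus a helper that masks the password before the body is written to any log. The sample bodies are constructed, and the required-attribute list assumes only what SCIM 2.0 itself mandates (schemas and userName).

```python
import copy
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # as in the working body
WRAPPER_KEY = "userData"  # wrapper name reported in the thread

def check_scim_user(body):
    """Return the problems found in a SCIM create-user body (empty list = OK)."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    if isinstance(body.get(WRAPPER_KEY), dict):
        problems.append(f"attributes nested under '{WRAPPER_KEY}'; move them to the root")
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        problems.append(f"root 'schemas' must be a list containing {USER_SCHEMA}")
    user_name = body.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("root 'userName' is required")
    if "active" in body and not isinstance(body["active"], bool):
        problems.append("'active' must be a JSON boolean")
    return problems

def redact_for_log(body):
    """Copy the body with any 'password' value masked, at the root or in the wrapper."""
    safe = copy.deepcopy(body)
    for holder in (safe, safe.get(WRAPPER_KEY)):
        if isinstance(holder, dict) and "password" in holder:
            holder["password"] = "***"
    return safe

# Constructed sample bodies; the password is a placeholder, not a real credential.
WRAPPED = {"userData": {"userName": "scim.test01", "password": "placeholder-only"}}
FLAT = {
    "schemas": [USER_SCHEMA],
    "userName": "scim.test01",
    "active": True,
    "userType": "EPVUser",
    "password": "placeholder-only",
}

if __name__ == "__main__":
    for label, body in (("wrapped", WRAPPED), ("flat", FLAT)):
        print(label, json.dumps(redact_for_log(body)))
        for problem in check_scim_user(body) or ["ok"]:
            print("  -", problem)
```

Log only the redacted copy, so the initial password does not end up in request logs or shared troubleshooting output.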

I’ve tried using the body you sent, and it works. Thank you!

Now I’m disabling/enabling users.
Disabling internal users via SailPoint works,
but disabling external (AD) users doesn’t work.

That’s great. Mark the post as the solution.

Disabling external AD users not working seems to be a different issue. Can you open a different thread for the same? And please explain the use case as well.

@benutop55 Please confirm if disabling external users is part of the same disable flow associated with CyberArk? Could you please share the flow?