Hello hello. I’m working on a custom integration between SailPoint ISC and CyberArk Privilege Cloud and I’m running into two major gotchas:
CyberArk has two separate components, SSO users and Accounts. SSO users are your typical directory users for signing in, and Accounts are credentials (passwords) stored within CyberArk. In my SailPoint setup those are separate sources, both assigned to a requestable SailPoint role. The problem is that Account access (source B - Web Services) requires SSO access (source A - SCIM) first, because you must have an account in CyberArk (from source A) before I can create your account and assign permissions to it (through source B).
SailPoint does not seem to have any concept of a role priority. I need to ensure provisioning for source A is always done before provisioning source B. How can I do that? I cannot make them requestable separately, nor can I assign them through birthright rules. They must be requestable together.
I’m using the Web Services connector and I am checking “Create Account With 'Ent' Request” to create an account and assign an entitlement at the same time, but SailPoint is still complaining that I don’t have an Add Entitlement endpoint. What am I missing here?
You're using a web connector, so you have to define all the HTTP operations required for aggregation, provisioning…
If I understand correctly, I suggest that you use a workflow for the role attribution.
Basically, you will request only the entitlement of source A and use an Access Request Decision trigger with a delay within a workflow, or a Provisioning Completed trigger, to assign the entitlement in source B.
Hi Jim,
Did you add an operation of Add Entitlement as well? You will need to add the operation, as SailPoint is looking for that as well when it tries to provision the user, even if you have Create User with Entitlement. Add the operation and see if it fixes your issue.
Regarding Role Parity, it will be difficult to achieve this requirement, as we also had the same case and we tried to use an Access Request Decision workflow and tried to provision the first access, but the issue here is that in Access Request Decision the request is already approved and sent to the Provisioning engine.
I was able to solve the simultaneous role assignment issue by refactoring my setup so that the second role could be assigned by the first, and then I just made it dependent on the first role assignment. It’s a shame that SailPoint does not seem to have a way to prioritize roles in the event there is a dependency between two roles.
I also added a dummy placeholder for Add Entitlement, which solved the second problem.