Why do containers not appear in the Privileged Access Management UI?

I have connected to CyberArk with the Privileged Account Management connector in 8.3p3 IdentityIQ. I have set up account aggregation, group aggregation, and unstructured target aggregation and have run each in that order followed by the Effective Index Refresh. Containers can be found in the entitlement catalog, however, no containers appear in the Privileged Account Management UI. Containers created through IdentityIQ will appear in the UI until the next unstructured target aggregation though they are successfully created in CyberArk. Does anyone have an idea on why they would not appear in the PAM UI?

I will add, we are unable to aggregate users from on-prem CyberArk. CyberArk Self-Hosted PAM now uses CyberArk Identity (SaaS) as the middleware component for the IGA integration, regardless of the CyberArk PAM deployment type (Self-hosted or Privilege Cloud). Before, with the self-hosted version, there was an on-prem service stood up that handled SCIM calls to all endpoints, including the /users and /groups endpoints, without issue.

The SaaS service functioning as middleware for the integration seems to have created a disconnect with the /users and /groups endpoints with the Self-Hosted version, as it’s only able to fetch the users and groups in Identity. This is a problem because the users and groups are not in Identity for the Self-Hosted PAM, and therefore, we’re no longer able to manage them.

It’s possible that the /Containerpermissions response format could have changed as well, due to the shift in users and groups being in Identity for Privilege Cloud, but we can successfully call the /Containerpermissions endpoint.

Hi @tjones
Are Index unstructured targets and Index Entitlement Targets checked in the Effective Indexing task?
Are you including empty targets for unstructured target aggregation?

@Jarin_James Yes, we have both of those options checked on the Effective Access Indexing task. The unstructured target we are using should not be empty since there are a few containers, unless you’re referring to another checkbox with that option?

Hi @tjones

I have tested the Delinea Secret Server integration using the PAM module, not CyberArk, and I have seen the issue where the containers are visible in the Catalog but not in the PAM UI. Running the task in a sequential manner a couple of times fixed my issue. As you mentioned, if there is a disconnect, then the steps to resolve might be different.

We got the containers appearing after finding the “include empty targets” option on the Target Aggregation task.
