CyberArk
CyberArk connectivity is based on the System for Cross-domain Identity Management (SCIM) connector v2, which is built on top of the generic REST connector. This means that the CyberArk connector has the same functionality as the generic REST connector: create, read, update, and delete (CRUD) operations on users and groups using the core schema. See the REST section for a full description of tabs, fields, and configuration options.
Supported objects and operations
The CyberArk collector enables the import of identity data. Only full import is supported.
Resource | Possible operations |
---|---|
Users | Create, read, update, delete |
Groups | Read, update, add or remove user assignments |
- Accounts: CyberArk users
- Resources: CyberArk Groups, CyberArk Safes (Containers in target system API), CyberArk Privileged Accounts (PrivilegedData in target system API), relationships between PrivilegedData and Containers
- Resource Assignments: CyberArk Groups assigned to Safes, CyberArk Users assigned to Safes, CyberArk Users assigned to Groups
- Resource Parent/Child: Relationships between Groups
Minimum required permissions
You need access to the SCIM v2 API, including relevant permissions.
Implementation notes
None.
Network requirements
The following ports need to be open in firewalls:
Port number | Protocol |
---|---|
443 | HTTPS |
In addition, the SCIM Server for CyberArk has the following requirements:
- Vault v9.x
- AIM Credential Provider v9.x
- PACLI v7.2
Prerequisites
Before onboarding a CyberArk system, familiarize yourself with SCIM 2.0 and the SCIM core schema, including the protocol specification. Review the following sources:
- General information on SCIM 2.0
- Overview, definitions, concepts and requirements
- Information on the SCIM core schema
- Information on the SCIM protocol specification
To collect data from SCIM 2.0, you must construct a URL that contains the address of the SCIM server and the entity name that you want to collect. For example: https://mywebsite.com/scim/users
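The URL construction described above, as an added example that is not part of the original documentation or the product's own code: it builds the collection URL, refuses non-HTTPS bases and embedded credentials, and, going beyond the page, walks SCIM ListResponse pages (RFC 7644 `startIndex`/`count`) the way a full import would. The function names, the injected `fetch` transport, and the sample users are assumptions constructed for illustration; authentication is left to the transport.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def scim_url(base, entity, start_index=1, count=100):
    """Build <base>/<entity> with SCIM paging parameters; HTTPS only."""
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("SCIM base URL must be https://host/...")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the URL")
    path = parts.path.rstrip("/") + "/" + entity.strip("/")
    query = urlencode({"startIndex": start_index, "count": count})
    return urlunsplit(("https", parts.netloc, path, query, ""))

def full_import(base, entity, fetch, count=100):
    """Collect every resource of one entity by walking ListResponse pages."""
    resources, start = [], 1
    while True:
        page = fetch(scim_url(base, entity, start, count))
        if LIST_RESPONSE not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        items = page.get("Resources", [])
        resources.extend(items)
        start += len(items)
        # Stop on an empty page or once totalResults has been reached.
        if not items or start > page.get("totalResults", 0):
            return resources

# Constructed sample data standing in for a SCIM server (not real output).
_USERS = [{"id": str(i), "userName": f"user{i}"} for i in range(1, 6)]

def fake_fetch(url):
    """Hypothetical transport: answers from _USERS instead of the network."""
    q = parse_qs(urlsplit(url).query)
    start, count = int(q["startIndex"][0]), int(q["count"][0])
    items = _USERS[start - 1:start - 1 + count]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(_USERS),
            "startIndex": start, "itemsPerPage": len(items),
            "Resources": items}

if __name__ == "__main__":
    base = "https://mywebsite.com/scim"
    print(scim_url(base, "users"))
    print(len(full_import(base, "users", fake_fetch, count=2)))
```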