08/25/2023 12:34 AM - last edited on 08/25/2023 01:00 AM by Sunil
Hi,
Integration of CyberArk using REST connector
We have been able to import the accounts (users in CyberArk) and Entitlements related to Groups & Privileged Accounts to Saviynt.
Facing issue with getting the below data imported to Saviynt:
1) Entitlement Type: Groups - Issue with importing the Membership (Accounts having access to these groups)
2) Entitlement Type: Privileged accounts - Issue with importing the membership (Accounts having access to privileged accounts)
3) Entitlement Type: Safes - Importing the Safes (entitlements) and the membership for these safes.
4) Accounts (Users in CyberArk): Issue with importing the Entitlement Hierarchy/Associated Entitlements
Please find attached the logs. I did not find any specific details stating an error. Please provide guidance here.
{
  "accountParams": {
    "connection": "acctAuth",
    "processingType": "SequentialAndIterative",
    "statusAndThresholdConfig": {
      "statusColumn": "customproperty7",
      "activeStatus": [
        "true"
      ],
      "deleteLinks": true,
      "accountThresholdValue": 20,
      "correlateInactiveAccounts": false,
      "inactivateAccountsNotInFile": true,
      "deleteAccEntForActiveAccounts": true
    },
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "https://domain.com/PasswordVault/api/Users",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpMethod": "GET",
          "httpContentType": "application/json"
        },
        "listField": "Users",
        "keyField": "accountID",
        "colsToPropsMap": {
          "accountID": "id~#~char",
          "name": "username~#~char"
        },
        "makeProcessingStatus": true
      },
      "call2": {
        "callOrder": 1,
        "stageNumber": 3,
        "http": {
          "url": "https://domain.com/PasswordVault/api/Users/${accountName}",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpMethod": "GET",
          "httpContentType": "application/json"
        },
        "inputParams": {
          "dependentCall": true
        },
        "listField": "",
        "keyField": "accountID",
        "nextApiKeyField": "accountID",
        "colsToPropsMap": {
          "name": "username~#~char",
          "status": "enableUser~#~char",
          "displayName": "username~#~char",
          "accounttype": "userType~#~char",
          "customproperty1": "source~#~char",
          "customproperty2": "componentUser~#~char",
          "customproperty3": "vaultAuthorization~#~char",
          "customproperty5": "location~#~char",
          "customproperty6": "suspended~#~char",
          "customproperty7": "enableUser~#~char",
          "customproperty8": "lastSuccessfulLoginDate~#~char",
          "customproperty9": "unAuthorizedInterfaces~#~char",
          "customproperty10": "authenticationMethod~#~char",
          "customproperty11": "passwordNeverExpires~#~char",
          "customproperty12": "distinguishedName~#~char",
          "customproperty13": "description~#~char",
          "customproperty14": "businessAddress~#~char",
          "customproperty15": "internet~#~char",
          "customproperty16": "phones~#~char",
          "customproperty17": "personalDetails~#~char",
          "accountID": "id~#~char"
        }
      }
    }
  },
  "entitlementParams": {
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "Groups": {
        "entTypeOrder": 0,
        "entTypeLabels": {
          "customproperty1": "Group Type",
          "customproperty2": "Location"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/UserGroups",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "id~#~char",
              "entitlement_value": "groupName~#~char",
              "displayname": "groupName~#~char",
              "description": "description~#~char",
              "entitlement_glossary": "description~#~char",
              "customproperty1": "groupType~#~char",
              "customproperty2": "location~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      },
      "Safes": {
        "entTypeOrder": 1,
        "entTypeLabels": {
          "customproperty1": "Safe URL ID",
          "customproperty2": "Location"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/Safes",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "Safes",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "SafeUrlId~#~char",
              "entitlement_value": "SafeName~#~char",
              "displayname": "SafeName~#~char",
              "description": "Description~#~char",
              "entitlement_glossary": "SafeName~#~char",
              "customproperty1": "SafeUrlId~#~char",
              "customproperty2": "Location~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      },
      "PrivilegedAccounts": {
        "entTypeOrder": 2,
        "entTypeLabels": {
          "customproperty1": "UserName",
          "customproperty2": "Platform ID",
          "customproperty3": "Safe Name",
          "customproperty4": "Secret Type",
          "customproperty5": "Application ID",
          "customproperty6": "Active Directory ID",
          "customproperty7": "automaticManagementEnabled",
          "customproperty8": "Status",
          "customproperty9": "lastModifiedTime",
          "customproperty10": "createdTime"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/Accounts",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "id~#~char",
              "entitlement_value": "name~#~char",
              "displayname": "name~#~char",
              "description": "name~#~char",
              "entitlement_glossary": "name~#~char",
              "customproperty1": "userName~#~char",
              "customproperty2": "platformId~#~char",
              "customproperty3": "safeName~#~char",
              "customproperty4": "secretType~#~char",
              "customproperty5": "platformAccountProperties.ApplicationID~#~char",
              "customproperty6": "platformAccountProperties.ActiveDirectoryID~#~char",
              "customproperty7": "secretManagement.automaticManagementEnabled~#~char",
              "customproperty8": "secretManagement.status~#~char",
              "customproperty9": "secretManagement.lastModifiedTime~#~char",
              "customproperty10": "createdTime~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      }
    }
  },
  "acctEntParams": {
    "connection": "acctAuth",
    "entTypes": {
      "Safes": {
        "call": {
          "call1": {
            "callOrder": 0,
            "stageNumber": 0,
            "showJobHistory": true,
            "processingType": "httpEntToAcct",
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}"
              },
              "url": "https://domain.com/PasswordVault/api/Safes/${id}/Members",
              "httpContentType": "application/x-www-form-urlencoded",
              "httpMethod": "GET"
            },
            "listField": "SafeMembers",
            "entKeyField": "entitlementID",
            "acctIdPath": "MemberName",
            "acctKeyField": "name"
          }
        }
      }
    }
  },
  "entMappingParams": {
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "Safes": {
        "ent1KeyField": "entitlement_value",
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}"
              },
              "url": "https://domain.com/PasswordVault/api/Accounts",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "ent1IdPath": "safeName",
            "ent2IdPath": "id",
            "ent2KeyField": "entitlementID",
            "targetEntType": "PrivilegedAccounts",
            "mappingTypes": [
              "ENT2"
            ]
          }
        }
      }
    }
  }
}
[Post has been edited by moderator to mask URL]
08/30/2023 10:30 AM
Since there are multiple issues, we can try to cover and fix them 1 by 1. We can start with the Groups (account to Entitlement mapping). I see the acctEntParams does not have the mapping defined for Groups. Can you update the JSON to add the mapping info of groups and then run the import?
You can refer to the below REST guide on different processing types and then use the relevant one:
https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Developers-Handbook.htm
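The gap pointed out in the reply above (an entitlement type that is imported but has no entry under acctEntParams) can be checked mechanically before a job is run. The following is an added example, not Saviynt code or part of the original posts: it reads an import JSON in the shape posted in this thread and reports entitlement types without an account membership call, plus URL values carrying stray whitespace. The host name and the sample config are constructed.

```python
import json
import re

# Constructed, cut-down import JSON in the shape of the one posted above
# (hypothetical host; the Groups URL is deliberately padded with a space).
SAMPLE = """
{
 "entitlementParams": {"entTypes": {
  "Groups": {"call": {"call1": {"http": {"url": "https://pam.example/PasswordVault/api/UserGroups "}}}},
  "Safes": {"call": {"call1": {"http": {"url": "https://pam.example/PasswordVault/api/Safes"}}}},
  "PrivilegedAccounts": {"call": {"call1": {"http": {"url": "https://pam.example/PasswordVault/api/Accounts"}}}}}},
 "acctEntParams": {"entTypes": {
  "Safes": {"call": {"call1": {"http": {"url": "https://pam.example/PasswordVault/api/Safes/${id}/Members"}}}}}}
}
"""


def find_urls(node, path=""):
    """Yield (json_path, url) for every "url" string nested in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "url" and isinstance(value, str):
                yield here, value
            else:
                yield from find_urls(value, here)


def ent_types(cfg, section):
    """Entitlement type names configured under one top-level section."""
    return set(cfg.get(section, {}).get("entTypes", {}))


def lint_import_json(text):
    """List entitlement types whose account membership is never imported."""
    cfg = json.loads(text)
    declared = ent_types(cfg, "entitlementParams")
    mapped = ent_types(cfg, "acctEntParams")
    findings = [f"{name}: no acctEntParams mapping (no account membership call configured)"
                for name in sorted(declared - mapped)]
    for path, url in find_urls(cfg):
        # Whitespace around the URL or inside a ${...} placeholder.
        if url != url.strip() or re.search(r"\$\{[^}]*\s[^}]*\}", url):
            findings.append(f"{path}: stray whitespace in URL {url!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_import_json(SAMPLE):
        print(finding)
```

The check only reports that a mapping is absent; whether the connector supports membership import for that type is a separate question answered by its documentation.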
08/31/2023 08:07 AM
Hi @SB,
Thank you for your response. I found these details in the connector documentation recently. I see the Group membership import is not supported as per this document. Could you please help check the below issues.
3) Entitlement Type: Safes - Importing the Safes (entitlements) and the membership for these safes.
4) Accounts (Users in CyberArk): Issue with importing the Entitlement Hierarchy/Associated Entitlements
https://docs.saviyntcloud.com/bundle/CyberArk-REST-v23x/page/Content/Introduction.htm
Thank you,
Vidya D Mudagal
08/31/2023 11:41 AM
09/01/2023 12:38 AM
Hi Sahil,
I will try the JSON and provide you with an update. Could you please provide some confirmation on the "Group membership" not being supported? Or the Documentation should be viable for the acceptance on this feature not being supported?
Thanks,
Vidya D Mudagal
09/01/2023 11:41 AM - last edited on 09/03/2023 11:55 PM by Sunil
Hi @SB,
I did try with the JSON you provided for the Safes and Safes Members but still don't see any imports being done when checking the endpoint -> Entitlement Type Safes.
I don't seem to find anything in the logs as well stating the import done count. The jobs being run are successful though, with the below status.
I don't see any specific logs mentioning the count of the import currently. Could you please help check.
Thank you,
Vidya D Mudagal
[This message has been edited by moderator to mask company name]
09/01/2023 01:56 PM
Can you update the ConfigJSON param in the REST connection with the value {"showLogs":true} and then run the job? This will print additional logs. Can you also share the log after the run?
09/01/2023 02:15 PM
09/01/2023 02:56 PM
I see a 401 error in the logs; because of this, the job is not even getting the data. Can you run the call from Postman and see if you are getting the response data?
Exception in pullObjectsByRest :401
09/01/2023 03:11 PM
Hi @SB,
I have not had issues in getting a response in Postman. Before implementing I did check the Postman call first. No issues in Postman. Please find the screenshot below for safes and safes members.
I get a 200 OK response for both APIs, Safes and Safes members.
Thank you,
Vidya D Mudagal
09/03/2023 11:37 PM
Hi @SB,
Any suggestions you could provide on the above issue, please? I did validate the "ListField" and the URL to match as is in Postman, but I am still seeing the 401 error.
Thank you,
Vidya D Mudagal
09/05/2023 08:09 AM
If this is working from Postman, the issue could be with your Connection JSON. Can you validate your Connection JSON?
You can refer to the below documentation to see a reference configuration for the Connection JSON.
REST - https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Examples-for-JSON-Construction.htm
09/15/2023 08:37 AM - edited 09/15/2023 08:47 AM
Hi @SB,
I am able to import most of the data into Saviynt. But facing issues with importing the below:
Safes membership: API used: This contains both users and groups (users in these groups)
https://localhost/passwordvault/api/safes/SAFEURLIID/members
Member Type: User - These CyberArk direct users that are part of a safe are imported successfully to Saviynt
Member Type: Group - These indirect users that are part of this group in CyberArk are not imported.
Example: Safe 1:
Member Type(User) : 3
Member Type(group): 3 [group1 has 2 users | group2 has 1 user | group3 has 3 users]
Ideally when checking the "Safe 1" Entitlement in Saviynt - I should be able to see 6 (3 users & 3 groups) accounts in the Accounts tab of the Entitlement. But I am currently only able to see the 3 users.
Could you please provide more understanding on this statement in the documentation where it states "group member Import not supported"?
Does it mean the above scenario which I mentioned about the safes? Please provide your valuable feedback.
Saviynt Documentation Link: https://docs.saviyntcloud.com/bundle/CyberArk-REST-v23x/page/Content/Introduction.htm
Thank you,
Vidya D Mudagal
09/17/2023 07:35 PM
It will only import accounts under Entitlements (Safes), not Groups under Safe.
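What the reply above means for an access review, as an added example (not Saviynt or CyberArk code): when only direct User members of a safe are imported, anyone who reaches the safe through a Group member is missing from the entitlement's account list. The sketch below expands constructed "Safe 1" data from the preceding post; "MemberName" is the field used in the thread's acctIdPath, while the "MemberType" field name, the user names and the group rosters are assumptions for illustration.

```python
# Constructed data modelled on the "Safe 1" example in the post above. The
# "MemberType" field name and the group rosters are assumptions for illustration.
SAFE_MEMBERS = {
    "Safe 1": [
        {"MemberName": "user1", "MemberType": "User"},
        {"MemberName": "user2", "MemberType": "User"},
        {"MemberName": "user3", "MemberType": "User"},
        {"MemberName": "group1", "MemberType": "Group"},
        {"MemberName": "group2", "MemberType": "Group"},
        {"MemberName": "group3", "MemberType": "Group"},
    ]
}
GROUP_USERS = {
    "group1": ["user4", "user5"],
    "group2": ["user6"],
    "group3": ["user1", "user7", "user8"],
}


def effective_safe_access(safe_members, group_users):
    """Per safe: direct users, users reachable only via groups, unresolved groups."""
    report = {}
    for safe, members in safe_members.items():
        direct, via_group, unresolved = set(), {}, []
        for member in members:
            name = member["MemberName"]
            if member["MemberType"] == "User":
                direct.add(name)
            elif name not in group_users:
                unresolved.append(name)  # roster unknown: access cannot be ruled out
            else:
                for user in group_users[name]:
                    via_group.setdefault(user, []).append(name)
        report[safe] = {
            "direct": sorted(direct),
            "group_only": {u: g for u, g in sorted(via_group.items()) if u not in direct},
            "unresolved_groups": unresolved,
        }
    return report


if __name__ == "__main__":
    for safe, row in effective_safe_access(SAFE_MEMBERS, GROUP_USERS).items():
        print(safe, "direct:", row["direct"])
        print(safe, "reachable only through a group:", row["group_only"])
```

The "group_only" users are the ones a reviewer would not see on the Safe entitlement after the import described in this thread.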
11/24/2023 04:40 AM
This issue is further addressed in the below forum link.
Access Token Refresh Failure Issue - CyberArk(Targ... - Saviynt Forums - 61818