CyberArk REST Integration: Issue with Importing Membership detail for Accounts & Entitlements

vmudagal1
Regular Contributor

Hi,

Integration of CyberArk using REST connector

We have been able to import the accounts (users in CyberArk) and the entitlements related to Groups & Privileged Accounts into Saviynt.
We are facing issues with getting the below data imported into Saviynt:
1) Entitlement Type: Groups - Issue with importing the membership (accounts having access to these groups)
2) Entitlement Type: Privileged accounts - Issue with importing the membership (accounts having access to privileged accounts)
3) Entitlement Type: Safes - Importing the Safes (entitlements) and the membership for these safes.
4) Accounts (Users in CyberArk): Issue with importing the Entitlement Hierarchy/Associated Entitlements

Please find attached the logs. I did not find any specific details stating an error. Please provide guidance here.

{
  "accountParams": {
    "connection": "acctAuth",
    "processingType": "SequentialAndIterative",
    "statusAndThresholdConfig": {
      "statusColumn": "customproperty7",
      "activeStatus": [
        "true"
      ],
      "deleteLinks": true,
      "accountThresholdValue": 20,
      "correlateInactiveAccounts": false,
      "inactivateAccountsNotInFile": true,
      "deleteAccEntForActiveAccounts": true
    },
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "https://domain.com/PasswordVault/api/Users ",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpMethod": "GET",
          "httpContentType": "application/json"
        },
        "listField": "Users",
        "keyField": "accountID",
        "colsToPropsMap": {
          "accountID": "id~#~char",
          "name": "username~#~char"
        },
        "makeProcessingStatus": true
      },
      "call2": {
        "callOrder": 1,
        "stageNumber": 3,
        "http": {
          "url": "https://domain.com/PasswordVault/api/Users/${accountName }",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpMethod": "GET",
          "httpContentType": "application/json"
        },
        "inputParams": {
          "dependentCall": true
        },
        "listField": "",
        "keyField": "accountID",
        "nextApiKeyField": "accountID",
        "colsToPropsMap": {
          "name": "username~#~char",
          "status": "enableUser~#~char",
          "displayName": "username~#~char",
          "accounttype": "userType~#~char",
          "customproperty1": "source~#~char",
          "customproperty2": "componentUser~#~char",
          "customproperty3": "vaultAuthorization~#~char",
          "customproperty5": "location~#~char",
          "customproperty6": "suspended~#~char",
          "customproperty7": "enableUser~#~char",
          "customproperty8": "lastSuccessfulLoginDate~#~char",
          "customproperty9": "unAuthorizedInterfaces~#~char",
          "customproperty10": "authenticationMethod~#~char",
          "customproperty11": "passwordNeverExpires~#~char",
          "customproperty12": "distinguishedName~#~char",
          "customproperty13": "description~#~char",
          "customproperty14": "businessAddress~#~char",
          "customproperty15": "internet~#~char",
          "customproperty16": "phones~#~char",
          "customproperty17": "personalDetails~#~char",
          "accountID": "id~#~char"
        }
      }
    }
  },
  "entitlementParams": {
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "Groups": {
        "entTypeOrder": 0,
        "entTypeLabels": {
          "customproperty1": "Group Type",
          "customproperty2": "Location"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/UserGroups ",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "id~#~char",
              "entitlement_value": "groupName~#~char",
              "displayname": "groupName~#~char",
              "description": "description~#~char",
              "entitlement_glossary": "description~#~char",
              "customproperty1": "groupType~#~char",
              "customproperty2": "location~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      },
      "Safes": {
        "entTypeOrder": 1,
        "entTypeLabels": {
          "customproperty1": "Safe URL ID",
          "customproperty2": "Location"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/Safes ",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "Safes",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "SafeUrlId~#~char",
              "entitlement_value": "SafeName~#~char",
              "displayname": "SafeName~#~char",
              "description": "Description~#~char",
              "entitlement_glossary": "SafeName~#~char",
              "customproperty1": "SafeUrlId~#~char",
              "customproperty2": "Location~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      },
      "PrivilegedAccounts": {
        "entTypeOrder": 2,
        "entTypeLabels": {
          "customproperty1": "UserName",
          "customproperty2": "Platform ID",
          "customproperty3": "Safe Name",
          "customproperty4": "Secret Type",
          "customproperty5": "Application ID",
          "customproperty6": "Active Directory ID",
          "customproperty7": "automaticManagementEnabled",
          "customproperty8": "Status",
          "customproperty9": "lastModifiedTime",
          "customproperty10": "createdTime"
        },
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              },
              "url": "https://domain.com/PasswordVault/api/Accounts ",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "id~#~char",
              "entitlement_value": "name~#~char",
              "displayname": "name~#~char",
              "description": "name~#~char",
              "entitlement_glossary": "name~#~char",
              "customproperty1": "userName~#~char",
              "customproperty2": "platformId~#~char",
              "customproperty3": "safeName~#~char",
              "customproperty4": "secretType~#~char",
              "customproperty5": "platformAccountProperties.ApplicationID~#~char",
              "customproperty6": "platformAccountProperties.ActiveDirectoryID~#~char",
              "customproperty7": "secretManagement.automaticManagementEnabled~#~char",
              "customproperty8": "secretManagement.status~#~char",
              "customproperty9": "secretManagement.lastModifiedTime~#~char",
              "customproperty10": "createdTime~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      }
    }
  },
  "acctEntParams": {
    "connection": "acctAuth",
    "entTypes": {
      "Safes": {
        "call": {
          "call1": {
            "callOrder": 0,
            "stageNumber": 0,
            "showJobHistory": true,
            "processingType": "httpEntToAcct",
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}"
              },
              "url": "https://domain.com/PasswordVault/api/Safes/${id}/Members ",
              "httpContentType": "application/x-www-form-urlencoded",
              "httpMethod": "GET"
            },
            "listField": "SafeMembers",
            "entKeyField": "entitlementID",
            "acctIdPath": "MemberName",
            "acctKeyField": "name"
          }
        }
      }
    }
  },
  "entMappingParams": {
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "Safes": {
        "ent1KeyField": "entitlement_value",
        "call": {
          "call1": {
            "connection": "acctAuth",
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "httpHeaders": {
                "Authorization": "${access_token}"
              },
              "url": "https://domain.com/PasswordVault/api/Accounts ",
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "value",
            "ent1IdPath": "safeName",
            "ent2IdPath": "id",
            "ent2KeyField": "entitlementID",
            "targetEntType": "PrivilegedAccounts",
            "mappingTypes": [
              "ENT2"
            ]
          }
        }
      }
    }
  }
}

[Post has been edited by moderator to mask URL]


SB
Saviynt Employee

Since there are multiple issues, we can try to cover and fix them one by one. We can start with the Groups (account-to-entitlement mapping). I see the acctEntParams does not have the mapping defined for Groups. Can you update the JSON to add the mapping info for groups and then run the import?

You can refer to the REST guide below on the different processing types and then use the one that is relevant.

https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Developers-Handbook.htm


Regards,
Sahil
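
As an added example (not part of the original posts and not Saviynt code): a small Python lint for an import JSON shaped like the one posted above. It lists entitlement types defined under `entitlementParams` that have no entry under `acctEntParams`, the gap pointed out in the reply above, and flags any `url` value that contains whitespace. The sample config is constructed and trimmed down, and the helper names are hypothetical.

```python
import json
import re

# Constructed, trimmed-down import JSON; key names follow the posted config.
SAMPLE_CONFIG = json.loads(r"""
{
  "entitlementParams": {"entTypes": {
    "Groups": {"call": {"call1": {"http": {
      "url": "https://domain.com/PasswordVault/api/UserGroups "}}}},
    "Safes": {"call": {"call1": {"http": {
      "url": "https://domain.com/PasswordVault/api/Safes"}}}},
    "PrivilegedAccounts": {"call": {"call1": {"http": {
      "url": "https://domain.com/PasswordVault/api/Accounts"}}}}
  }},
  "acctEntParams": {"entTypes": {
    "Safes": {"call": {"call1": {"http": {
      "url": "https://domain.com/PasswordVault/api/Safes/${id}/Members"}}}}
  }}
}
""")

def unmapped_ent_types(config):
    """Entitlement types imported but with no account-to-entitlement mapping."""
    defined = config.get("entitlementParams", {}).get("entTypes", {})
    mapped = config.get("acctEntParams", {}).get("entTypes", {})
    return sorted(set(defined) - set(mapped))

def iter_urls(node, path=""):
    """Yield (json_path, url) for every "url" string in the config tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "url" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_urls(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_urls(item, f"{path}[{index}]")

def urls_with_whitespace(config):
    """URLs holding whitespace (a trailing space, or a '${name }' placeholder)."""
    return [(p, u) for p, u in iter_urls(config) if re.search(r"\s", u)]

if __name__ == "__main__":
    print("No acctEntParams mapping:", unmapped_ent_types(SAMPLE_CONFIG))
    for path, url in urls_with_whitespace(SAMPLE_CONFIG):
        print(f"Whitespace in URL at {path}: {url!r}")
```
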

vmudagal1
Regular Contributor

Hi @SB

Thank you for your response. I found these details in the connector documentation recently. I see the Group membership import is not supported as per this document. Could you please help check the below issues?

3) Entitlement Type: Safes - Importing the Safes (entitlements) and the membership for these safes.
4) Accounts (Users in CyberArk): Issue with importing the Entitlement Hierarchy/Associated Entitlements

https://docs.saviyntcloud.com/bundle/CyberArk-REST-v23x/page/Content/Introduction.htm

Thank you, 

Vidya D Mudagal

SB
Saviynt Employee

For Entitlement Type Safe, can you try with the attached JSON and see if it works?


Regards,
Sahil

vmudagal1
Regular Contributor

Hi Sahil, 

I will try the JSON and provide you with an update. Could you please provide some confirmation on the "Group membership" not being supported? Or the Documentation should be viable for the acceptance on this feature not being supported? 

Thanks, 

Vidya D Mudagal

vmudagal1
Regular Contributor

Hi @SB

I did try with the JSON you provided for the Safes and Safes Members but still don't see any imports being done when checking the endpoint -> Entitlement Type Safes.

I don't seem to find anything in the logs as well stating the import done count. The jobs being run are successful though, with the below status.

I don't see any specific logs mentioning the count of the import currently. Could you please help check?

[Screenshots: vmudagal1_2-1693593273710.png, vmudagal1_1-1693593210616.png, vmudagal1_0-1693593145017.png]

Thank you, 

Vidya D Mudagal

[This message has been edited by moderator to mask company name]

SB
Saviynt Employee

Can you update the ConfigJSON param in the REST connection with the value {"showLogs":true} and then run the job? This will print additional logs. Can you also share the log after the run?


Regards,
Sahil

vmudagal1
Regular Contributor

Hi, 

The showLogs has been added to the connection for the ConfigJSON. Please find the logs attached. I did try to download as many logs as possible. Hope this is helpful.

Thank you, 

Vidya D Mudagal

SB
Saviynt Employee

I see a 401 error in the logs; because of this, the job is not even getting the data. Can you run the call from Postman and see if you are getting the response data?

Exception in pullObjectsByRest :401


Regards,
Sahil

vmudagal1
Regular Contributor

Hi @SB

I have not had issues in getting a response in Postman. Before implementing I did check the Postman call first. No issues in Postman. Please find the screenshots below for Safes and Safes members.

I get a 200 OK response for both APIs, Safes and Safes members.

[Screenshots: vmudagal1_1-1693606136382.png, vmudagal1_2-1693606286280.png]

Thank you,

Vidya D Mudagal

vmudagal1
Regular Contributor

Hi @SB

Any suggestions you could provide on the above issue, please? I did validate the "listField" and the URL to match what is in Postman, but I am still seeing the 401 error.

Thank you, 

Vidya D Mudagal

SB
Saviynt Employee

If this is working from Postman, the issue could be with your Connection JSON. Can you validate your Connection JSON?

You can refer to the documentation below to see the reference configuration for the Connection JSON.

CyberArk - https://docs.saviyntcloud.com/bundle/CyberArk-REST-v23x/page/Content/Understanding-the-Integration-B...

REST - https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Examples-for-JSON-Construction.htm


Regards,
Sahil

vmudagal1
Regular Contributor

Hi @SB

I am able to import most of the data into Saviynt, but I am facing issues with importing the below:

Safes membership: API used (this contains both users and groups, i.e. the users in these groups):

https://localhost/passwordvault/api/safes/SAFEURLIID/members

Member Type: User - These CyberArk direct users that are part of a safe are imported successfully into Saviynt.

Member Type: Group - These indirect users that are part of this group in CyberArk are not imported.

[Screenshot: vmudagal1_0-1694791298481.png]

Example: Safe 1:

Member Type (User): 3

Member Type (Group): 3 [group1 has 2 users | group2 has 1 user | group3 has 3 users]

Ideally, when checking the "Safe 1" entitlement in Saviynt, I should be able to see 6 (3 users & 3 groups) accounts in the Accounts tab of the entitlement. But I am currently only able to see the 3 users.

[Screenshot: vmudagal1_2-1694792019105.png]

Could you please provide more understanding on this statement in the documentation where it states "group member import not supported"?

Does it mean the above scenario which I mentioned about the safes? Please provide your valuable feedback.

Saviynt Documentation Link: https://docs.saviyntcloud.com/bundle/CyberArk-REST-v23x/page/Content/Introduction.htm

[Screenshot: vmudagal1_1-1694791607836.png]

Thank you, 

Vidya D Mudagal

It will only import accounts under Entitlements (Safes), not Groups under a Safe.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
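
As an added example (not part of the original posts, and not Saviynt or CyberArk code): since only the direct user members of a safe are imported, an access review has to expand the group members separately to see who reaches a safe indirectly. The Python below does that over constructed data shaped like the "Safe 1" case above; the `MemberType` key, the group-to-users map and the helper names are assumptions.

```python
# Constructed sample data. "MemberName" appears in the posted config; the
# "MemberType" key and the group-to-users map are assumptions for this example.
SAFE_MEMBERS = {
    "Safe1": [
        {"MemberName": "alice", "MemberType": "User"},
        {"MemberName": "bob", "MemberType": "User"},
        {"MemberName": "carol", "MemberType": "User"},
        {"MemberName": "group1", "MemberType": "Group"},
        {"MemberName": "group2", "MemberType": "Group"},
        {"MemberName": "group3", "MemberType": "Group"},
    ]
}
GROUP_USERS = {
    "group1": ["dave", "erin"],
    "group2": ["frank"],
    "group3": ["alice", "grace", "heidi"],  # alice also has direct access
}

def effective_access(safe_members, group_users):
    """Return ({safe: {user: [paths]}}, {safe: [groups with unknown members]})."""
    access, unresolved = {}, {}
    for safe, members in safe_members.items():
        users = {}
        for member in members:
            name, kind = member["MemberName"], member["MemberType"]
            if kind == "User":
                users.setdefault(name, set()).add("direct")
            elif kind == "Group" and name in group_users:
                for user in group_users[name]:
                    users.setdefault(user, set()).add(name)
            elif kind == "Group":  # membership not supplied: report, don't guess
                unresolved.setdefault(safe, []).append(name)
        access[safe] = {u: sorted(paths) for u, paths in users.items()}
    return access, unresolved

def group_only_users(access):
    """Users who reach a safe only through a group, so a direct-member import omits them."""
    return {safe: sorted(u for u, paths in users.items() if "direct" not in paths)
            for safe, users in access.items()}

if __name__ == "__main__":
    access, unresolved = effective_access(SAFE_MEMBERS, GROUP_USERS)
    for safe, users in access.items():
        for user, paths in sorted(users.items()):
            print(f"{safe}: {user} via {', '.join(paths)}")
    print("Group-only users:", group_only_users(access))
    print("Unresolved groups:", unresolved)
```
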

Sampritha_r
Saviynt Employee