
CyberArk Safe creation

jezzanuena
Regular Contributor II

Hi! We have a use case where we need to create a safe and add the user as a member of it. By default, the service account we use to create the safe is a member; now our requirement is to remove the service account from the Safe after creation and provisioning. Is there a way to do this using AddAccessJSON? I tried adding another API call on top of the provisioning API call to DELETE the service account as a member of the safe, but it looks like it is not being fetched. Any suggestions?

{
  "accountIdPath": "call1.message.id",
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "call": [
    {
      "name": "call1",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
      "httpMethod": "POST",
      "httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    },
    {
      "name": "call2",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
      "httpMethod": "POST",
      "httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    },
    {
      "name": "call3",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
      "httpMethod": "DELETE",
      "httpParams": "{}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200, 204]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    }
  ]
}

NM
Esteemed Contributor

Hi @jezzanuena, above is a create-account JSON, not an add-access JSON.

Also, instead of deleting the service account, try to remove it from that safe.

Share logs when you try to process it.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

jezzanuena
Regular Contributor II

Hi @NM, thank you for checking in on this. As per the CyberArk documentation, removal of the service account from the Safe uses the DELETE method. Sorry about that. I added the same call in the AddAccessJSON so that, after provisioning the user into the Safe, we remove the service account from it. However, it didn't work.

Can you share logs?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jezzanuena
Regular Contributor II

Hi @rushikeshvartak, unfortunately I can't find any logs about it. For other REST-based applications we can see the logs from rest.RestProvisioningService or rest.RestUtilService, but for this app there are none, hence I can't identify on my end what's happening.

It would be great if you could run the provisioning job for the specific task and share logs for 3 minutes.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi @rushikeshvartak, thank you for your suggestion. Here are the logs:

I think the DELETE method cannot be passed in AddAccessJSON. Or can it?

[This message has been edited by moderator to mask sensitive information]

No, there is no limitation. Please share the logs in a text file.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Sure @rushikeshvartak. Let me get it. In the meantime, here is the JSON:

{
  "accountIdPath": "call1.message.id",
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "call": [
    {
      "name": "UserGroups",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
      "httpMethod": "POST",
      "httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    },
    {
      "name": "UserGroups",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
      "httpMethod": "POST",
      "httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    },
    {
      "name": "Users",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
      "httpMethod": "POST",
      "httpParams": "{\"memberName\": \"${user.username}\",\"searchIn\": \"${requestAccessAttributes.get('domainname')=='NAMCK'?'QANA':'McKCanadaLDAP'}\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\"},\"MemberType\":\"User\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    },
    {
      "name": "Users",
      "connection": "acctAuth",
      "url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${account.customproperty12}/Members/c13xfzk....",
      "httpMethod": "DELETE",
      "httpParams": "{}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [201, 200, 204]
      },
      "unsuccessResponses": {
        "statusCode": [401, 400, 403, 404]
      }
    }
  ]
}

jezzanuena
Regular Contributor II

Hi @rushikeshvartak, here is the log file. I can't see the DELETE being called here. Hope you can help.

It seems you have an issue with the JSON (if not, share the JSON).

You need to keep Entitlement Type = call name in every call.



Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Thank you @rushikeshvartak, will check on that. So I have the entitlement types UserGroups and Users; in this JSON I need to add 2 users from Users and one group from UserGroups. Should I name the calls for Users differently?

  • Irrespective of the number of calls, the name of each call in add/remove access should match the Entitlement type.
  • If Users appears 2 times, then the call name will appear 2 times.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
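A small lint script that applies the rule given in this thread (every call "name" must equal the entitlement type it provisions, repeated as often as needed) to an AddAccessJSON before it is deployed, and also catches two defects the connector's own parser would not report: a key repeated inside the httpParams body string (the posted JSON lists manageSafeMembers twice) and a DELETE call whose successResponses omit 204, the status CyberArk returns for a Safe member removal and which the thread's DELETE call already lists. This is an added example written for this thread; it is not Saviynt or CyberArk code. The entitlement types UserGroups and Users are taken from the thread; the hostname, safe reference and member names in the fixtures are constructed placeholders, and the assumption that the connector skips any call whose name is not an entitlement type is taken from the reply above.

```python
"""Lint a Saviynt REST-connector AddAccessJSON before deploying it (added example)."""
import json

ENTITLEMENT_TYPES = {"UserGroups", "Users"}   # entitlement types named in the thread


def _no_duplicate_keys(pairs):
    """object_pairs_hook: json.loads keeps the last duplicate silently; refuse instead."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def lint_add_access_json(text: str, entitlement_types=ENTITLEMENT_TYPES) -> list[str]:
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    try:
        cfg = json.loads(text, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:
        return [f"outer JSON invalid: {exc}"]

    for idx, call in enumerate(cfg.get("call", [])):
        name = call.get("name", "<missing>")
        where = f"call[{idx}] name={name!r}"

        # Rule from the thread (assumed connector behaviour): a call runs only when
        # its name equals the entitlement type being provisioned; others are skipped.
        if name not in entitlement_types:
            findings.append(f"{where}: name is not an entitlement type "
                            f"{sorted(entitlement_types)}; the call will never be fetched")

        # httpParams is JSON stored as a string. Saviynt ${...} placeholders sit inside
        # string values, so the body still parses and repeated keys become visible.
        params = call.get("httpParams") or "{}"
        try:
            json.loads(params, object_pairs_hook=_no_duplicate_keys)
        except ValueError as exc:
            findings.append(f"{where}: httpParams invalid: {exc}")

        # A member removal answers 204 No Content; if 204 is not a success code the
        # connector would record a successful DELETE as a failure.
        if call.get("httpMethod", "").upper() == "DELETE":
            ok = call.get("successResponses", {}).get("statusCode", [])
            if 204 not in ok:
                findings.append(f"{where}: DELETE success codes {ok} lack 204")
    return findings


# Constructed fixtures (placeholder host and members), shaped like the thread's JSON.
_GROUP_BODY = ('{"memberName": "${entitlementValue.entitlement_value}", "searchIn": "Vault",'
               ' "permissions": {"useAccounts": true, "manageSafeMembers": true},'
               ' "MemberType": "Group"}')
_GROUP_BODY_DUP_KEY = _GROUP_BODY.replace(
    '"manageSafeMembers": true', '"manageSafeMembers": true, "manageSafeMembers": true')
_USER_BODY = ('{"memberName": "${user.username}", "searchIn": "Vault",'
              ' "permissions": {"useAccounts": true, "listAccounts": true}, "MemberType": "User"}')


def _call(name, method, body, ok_codes):
    return {
        "name": name,
        "connection": "acctAuth",
        "url": "https://vault.example.test/PasswordVault/api/Safes/${account.customproperty12}/Members",
        "httpMethod": method,
        "httpParams": body,
        "httpHeaders": {"Authorization": "${access_token}", "Accept": "application/json"},
        "httpContentType": "application/json",
        "successResponses": {"statusCode": ok_codes},
        "unsuccessResponses": {"statusCode": [400, 401, 403, 404]},
    }


# Generic call names, a repeated key, and a DELETE without 204: five findings expected.
BAD_CONFIG = json.dumps({"call": [
    _call("call1", "POST", _GROUP_BODY_DUP_KEY, [200, 201]),
    _call("call2", "POST", _USER_BODY, [200, 201]),
    _call("call3", "DELETE", "{}", [200, 201]),          # removes the service account
]})

# Names equal to the entitlement types (Users used twice), clean bodies, 204 accepted.
GOOD_CONFIG = json.dumps({"call": [
    _call("UserGroups", "POST", _GROUP_BODY, [200, 201]),
    _call("Users", "POST", _USER_BODY, [200, 201]),
    _call("Users", "DELETE", "{}", [200, 201, 204]),
]})


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint_add_access_json(cfg) or "OK")
```

Run it against the real AddAccessJSON by reading the file into `lint_add_access_json`; a clean result does not prove the calls will succeed against the vault, but it rules out the naming mismatch discussed here before a provisioning job is started.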