Saviynt Forums

jezzanuena · ‎09/01/2024

Hi! We have use case were we need to create a safe and add the user as a member of it. By default, the service account we used to create the safe is a member, now, our requirement is to remove the service account from the Safe after creation and provisioning. Is there a way to do this using AddAccessJSON? I tried adding another API call on top of provisioning API call to DELETE the service account as the member of the safe. But it looks like it is not being fetched. Any suggestions?

Spoiler

{
"accountIdPath": "call1.message.id",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"call": [
{
"name": "call1",
"connection": "acctAuth",
"url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
"httpMethod": "POST",
"httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
},
{
"name": "call2",
"connection": "acctAuth",
"url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
"httpMethod": "POST",
"httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
},
{
"name": "call3",
"connection": "acctAuth",
"url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='N...",
"httpMethod": "DELETE",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200,
204
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
}
]
}

{"accountIdPath": "call1.message.id","dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX","call": [{"name": "call1","connection": "acctAuth","url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/","httpMethod": "POST","httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200]},"unsuccessResponses": {"statusCode": [401,400,403,404]}},{"name": "call2","connection": "acctAuth","url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/","httpMethod": "POST","httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200]},"unsuccessResponses": {"statusCode": [401,400,403,404]}},{"name": "call3","connection": "acctAuth","url": "https://uat-cyberark.123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/serviceaccountname/","httpMethod": "DELETE","httpParams": "{}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200,204]},"unsuccessResponses": {"statusCode": [401,400,403,404]}}]}

NM · ‎09/02/2024

Hi @jezzanuena , Above is create account json not add access json

and instead of deleting the service account try to remove it from that safe.

share logs when you try to process it.

jezzanuena · ‎09/02/2024

Hi @NM , thank you for checking in on this. As per CyberArk documentation, removal of the service account from the Safe use DELETE method. Sorry about that. I added the same call in the AddAccessJSON so that, after provisioning the user in to the Safe, we will remove the Service account from it. However, it didn't work.

rushikeshvartak · ‎09/02/2024

Can you share logs

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jezzanuena · ‎09/02/2024

Hi @rushikeshvartak , unfortunately, I can't find any logs about it. For other REST based application, we can see the logs from rest.RestProvisioningService or rest.RestUtilService, but for this app, none hence I can't identify on my end on what's happening.

rushikeshvartak · ‎09/02/2024

It will be great you can run provisioning job for specific task and share logs for 3 minutes

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jezzanuena · ‎09/02/2024

Hi @rushikeshvartak , thank you for your suggestion. Here is the logs:

I think DELETE method cannot be passed in AddAccessJSON. Or?

[This message has been edited by moderator to mask sensitive information]

rushikeshvartak · ‎09/02/2024

No there is no limitation. Please share logs in text file

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jezzanuena · ‎09/02/2024

Sure @rushikeshvartak . Let me get it. For the mean time here is the JSON:

Spoiler

{
"accountIdPath": "call1.message.id",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"call": [
{
"name": "UserGroups",
"connection": "acctAuth",
"url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
"httpMethod": "POST",
"httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
},
{
"name": "UserGroups",
"connection": "acctAuth",
"url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
"httpMethod": "POST",
"httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
},
{
"name": "Users",
"connection": "acctAuth",
"url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=...",
"httpMethod": "POST",
"httpParams": "{\"memberName\": \"${user.username}\",\"searchIn\": \"${requestAccessAttributes.get('domainname')=='NAMCK'?'QANA':'McKCanadaLDAP'}\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\"},\"MemberType\":\"User\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
},
{
"name": "Users",
"connection": "acctAuth",
"url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${account.customproperty12}/Members/c13xfzk....",
"httpMethod": "DELETE",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
201,
200,
204
]
},
"unsuccessResponses": {
"statusCode": [
401,
400,
403,
404
]
}
}
]
}

{"accountIdPath": "call1.message.id","dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX","call": [{"name": "UserGroups","connection": "acctAuth","url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/","httpMethod": "POST","httpParams": "{\"memberName\": \"${entitlementValue.entitlement_value}\",\"searchIn\": \"Vault\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"Group\"}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200]},"unsuccessResponses": {"statusCode": [401,400,403,404]}},{"name": "UserGroups","connection": "acctAuth","url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/","httpMethod": "POST","httpParams": "{\"memberName\": \"Administrator\",\"searchIn\": \"Vault\",\"permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"addAccounts\": \"true\",\"updateAccountContent\": \"true\",\"updateAccountProperties\": \"true\",\"initiateCPMAccountManagementOperations\": \"true\",\"specifyNextAccountContent\": \"true\",\"renameAccounts\": \"true\",\"deleteAccounts\": \"true\",\"unlockAccounts\": \"true\",\"manageSafe\": \"true\",\"manageSafeMembers\": \"true\",\"manageSafeMembers\": \"true\",\"backupSafe\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\",\"accessWithoutConfirmation\": \"true\",\"createFolders\": \"true\",\"deleteFolders\": \"true\",\"moveAccountsAndFolders\": \"true\",\"requestsAuthorizationLevel1\": \"true\",\"requestsAuthorizationLevel2\": \"false\"},\"MemberType\":\"User\"}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200]},"unsuccessResponses": {"statusCode": [401,400,403,404]}},{"name": "Users","connection": "acctAuth","url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${requestAccessAttributes.get('domainname')=='NAMCK'?('P-US-'+user.username):('P-CAN-'+user.username)}/Members/","httpMethod": "POST","httpParams": "{\"memberName\": \"${user.username}\",\"searchIn\": \"${requestAccessAttributes.get('domainname')=='NAMCK'?'QANA':'McKCanadaLDAP'}\",\"Permissions\":{\"useAccounts\": \"true\",\"retrieveAccounts\": \"true\",\"listAccounts\": \"true\",\"viewAuditLog\": \"true\",\"viewSafeMembers\": \"true\"},\"MemberType\":\"User\"}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200]},"unsuccessResponses": {"statusCode": [401,400,403,404]}},{"name": "Users","connection": "acctAuth","url": "https://uat-cyberark.abc123.com/PasswordVault/api/Safes/${account.customproperty12}/Members/c13xfzk.cybr.uat/","httpMethod": "DELETE","httpParams": "{}","httpHeaders": {"Authorization": "${access_token}","Accept": "application/json"},"httpContentType": "application/json","successResponses": {"statusCode": [201,200,204]},"unsuccessResponses": {"statusCode": [401,400,403,404]}}]}

jezzanuena · ‎09/02/2024

Hi @rushikeshvartak, here is the log file. I can't see the DELETE being called here. Hope you can help.

rushikeshvartak · ‎09/02/2024

It seems you have issue with json (if not share json)

You need to keep Entitlement Type = call name in every call

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jezzanuena · ‎09/02/2024

Thank you @rushikeshvartak Will check on that. So I have entitlement types: UserGroups and Users, in this JSON, I need to add 2 users from Users and one group from UsersGroups, should I name the call for Users differently?

rushikeshvartak · ‎09/02/2024

irrespective of number calls name of the call in add/remove access should match with Entitlement type.
If Users is 2 times then call name will be 2 times

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Saviynt Forums

CyberArk Safe creation