CyberArk Privilege Cloud

CyberArk Privilege Cloud is a privileged access management (PAM) solution for securing, managing, and monitoring privileged accounts.

Asset Types Fetched

  • Users, Roles, Groups, Secrets, Application Resources

Before You Begin

Ports

  • TCP port 443

Authentication Method

  • CyberArk, Windows, LDAP, RADIUS, SAML, or ISPSS

APIs

Axonius uses the CyberArk REST APIs.

To use the SAML authentication method you need to enable the SAML IdP initiated SSO flow. Follow instructions in Configure the IdP to implement this. This returns the SAML Response.

To use the ISPSS authentication method you need to create an ISPSS service account. For more information, see API Authentication for CyberArk Identity Security Platform Shared Services.

Permissions

The user account used for the adapter connection must:

  • Have Audit permissions.
  • Be a member of a Safe in a CyberArk Vault.
  • Have List Accounts permissions in the Safe.

Assigning the permission to the Axonius user:

  1. Go to CyberArk -> Identity Administration -> Core Services -> Roles
  2. Create a new Role.
  3. Click on the newly created Role.
  4. Select "Administrative Rights".
  5. Click Add.
  6. Add the following permission: "Read Only System Administration"
  7. Click Save.
  8. Assign the new Role to the Axonius user.

Supported From Version

Supported from Axonius version 6.1

Connecting the Adapter in Axonius

To connect the adapter in Axonius, provide the following parameters:

Required Parameters

  1. Host Name or IP Address - The hostname or IP address of the CyberArk Privilege Cloud server.
  2. Authentication Method (default: CyberArk) - The authentication method used for the connection. The following authentication methods are supported: CyberArk, Windows, LDAP, RADIUS, SAML, and ISPSS. Refer to APIs for details about configuring SAML and ISPSS authentication.
Note

  1. When using the ISPSS authentication method, the CyberArk user account must have the following settings:
     • Is service user
     • Is OAuth confidential client
  2. The host name configured in Axonius should be in the format https://subdomain.privilegecloud.cyberark.cloud

  3. User Name and Password - The credentials for a user account that has the required permissions to fetch assets. For more information on creating accounts within CyberArk Privilege Cloud, see Add and Manage Users. For more information about logging in, see CyberArk, LDAP, RADIUS.

Optional Parameters

  1. Use ISPSS APIs - Select this option to use ISPSS APIs.
  2. Use Subdomain for tenant URL - Select this option to use the subdomain in the tenant URL.
  3. Tenant ID - Specify the Tenant ID if you choose ISPSS authentication. The ISPSS method only works with the cloud version. If Use Subdomain for tenant URL is enabled, enter the subdomain in the Tenant ID field.
Finding the Tenant ID

  1. From CyberArk Privilege Cloud, click the user icon in the top-right corner, then click Tenant details.
  2. The value next to ID is the Tenant ID that you need to use. Copy this into the Tenant ID field in Axonius.

  4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

  5. HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.

  6. HTTPS Proxy User Name - The user name to use when connecting to the server specified in Host Name or IP Address through the HTTPS Proxy.

  7. HTTPS Proxy Password - The password to use when connecting to the server through the HTTPS Proxy.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
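The following pre-flight check is an added example, not Axonius or CyberArk code. It enforces the host format required above, performs the ISPSS OAuth client-credentials exchange against the Identity tenant (Tenant ID or subdomain), and makes one read-only call that only succeeds when the service user can list accounts in a safe, which is what the Audit and List Accounts permissions govern. The endpoint paths are the CyberArk Identity platform-token and Privilege Cloud Accounts endpoints as the author knows them, and the fake transport is a constructed stand-in so the check runs offline.

```python
# Pre-flight check for a CyberArk Privilege Cloud connection using the ISPSS (OAuth
# client-credentials) method. Added example, not Axonius or CyberArk code. Endpoint
# paths are the CyberArk Identity platform-token and Privilege Cloud Accounts endpoints
# as the author knows them; the HTTP transport is injected so this runs offline.
import re

HOST_RE = re.compile(r"^https://([a-z0-9-]+)\.privilegecloud\.cyberark\.cloud/?$")

def parse_subdomain(host):
    """Enforce the documented host format and return its subdomain."""
    m = HOST_RE.match(host.strip())
    if not m:
        raise ValueError("host must be https://subdomain.privilegecloud.cyberark.cloud")
    return m.group(1)

def get_platform_token(tenant, client_id, client_secret, http_post):
    """OAuth2 client-credentials exchange against the Identity tenant. tenant is the
    Tenant ID, or the subdomain when 'Use Subdomain for tenant URL' is enabled."""
    url = f"https://{tenant}.id.cyberark.cloud/oauth2/platformtoken"
    status, body = http_post(url, {"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    if status != 200 or "access_token" not in body:
        # Usual cause: user lacks 'Is service user' or 'Is OAuth confidential client'.
        raise PermissionError(f"platform token request failed with HTTP {status}")
    return body["access_token"]

def check_list_accounts(host, token, http_get):
    """Read-only call that succeeds only if the user can list accounts in some safe."""
    url = f"https://{parse_subdomain(host)}.privilegecloud.cyberark.cloud/PasswordVault/API/Accounts"
    status, body = http_get(url, {"Authorization": f"Bearer {token}"})
    if status in (401, 403):
        raise PermissionError("token rejected: check the Audit and List Accounts permissions")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from the Accounts endpoint")
    return int(body.get("count", 0))

def preflight(host, tenant, client_id, client_secret, http_post, http_get):
    """Run both checks and report what the adapter would be able to see."""
    token = get_platform_token(tenant, client_id, client_secret, http_post)
    return {"subdomain": parse_subdomain(host),
            "visible_accounts": check_list_accounts(host, token, http_get)}

# Constructed fake transport standing in for a real tenant (no network access).
def fake_post(url, data):
    ok = url.endswith("/oauth2/platformtoken") and data["grant_type"] == "client_credentials"
    return (200, {"access_token": "constructed-token"}) if ok else (400, {})

def fake_get(url, headers):
    return (200, {"count": 3, "value": []}) if headers.get("Authorization") == "Bearer constructed-token" else (401, {})
```

Swap the fake transport for thin wrappers around a real HTTP client (form-encoded POST, JSON GET) to run it against a tenant; a 401/403 from the Accounts call with a valid token points at the safe permissions rather than the OAuth client settings.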

Advanced Settings

Note

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

  • Endpoints Config - Click on > to open the following settings for configurable endpoints:
    • Enrich Users with User Roles - Enable this option to enrich the Users endpoint with User Roles. This setting is relevant only when using the ISPSS authentication method.
    • Enrich Users with Safe Members - Enable this option to enrich the Users endpoint with Safe Members.
    • Fetch Users of sub type account from Accounts - Enable this option to fetch users of the subtype 'account' from the Accounts endpoint. When enabled, the following settings can be configured:
      • Enrich Accounts with Account Activities - Enable this option to enrich the Accounts endpoint with Account Activities.
      • Enrich Accounts with Account Extended Data - Enable this option to enrich the Accounts endpoint with Account Extended Data.
    • Fetch Users of sub type users_from_safe_members from Users From Safe Members - Enable this option to fetch users of the subtype 'users from safe members' from the Users From Safe Members endpoint. This setting is relevant only when using the ISPSS authentication method. When enabled, the following settings can be configured:
      • Enrich Users From Safe Members with Safe Members - Enable this option to enrich the Users From Safe Members endpoint with Safe Members.
      • Enrich Users From Safe Members with Role Members - Enable this option to enrich the Users From Safe Members endpoint with Role Members.
    • Fetch Users of sub type users_from_role_members from Users From Role Members - Enable this option to fetch users of the subtype 'users from role members' from the Users From Role Members endpoint. This setting is relevant only when using the ISPSS authentication method. When enabled, the following settings can be configured:
      • Enrich Users From Role Members with Safe Members - Enable this option to enrich the Users From Role Members endpoint with Safe Members.
      • Enrich Users From Role Members with Role Members - Enable this option to enrich the Users From Role Members endpoint with Role Members.
    • Fetch Groups from Groups - Enable this option to fetch groups from the Groups endpoint. When enabled, the following settings can be configured:
      • Enrich Groups with Safe Members - Enable this option to enrich the Groups endpoint with Safe Members.
    • Fetch Secrets from Safes - Enable this option to fetch secrets from the Safes endpoint. When enabled, the following settings can be configured:
      • Enrich Safes with Safe Members - Enable this option to add safe members data to Safes.
    • Fetch ApplicationResources of sub type safe from Safes - Enable this option to fetch application resources of the subtype 'safe' from the Safes endpoint. When enabled, the following settings can be configured:
      • Enrich Safes with Safe Members - Enable this option to add safe members data to Safes.
    • Fetch ApplicationResources of sub type account from Accounts - Enable this option to fetch application resources of the subtype 'account' from the Accounts endpoint.
    • Fetch SecurityRoles from Built-in Roles - Enable this option to fetch security roles from the Built-in Roles endpoint. This setting is relevant only when using the ISPSS authentication method. When enabled, the following settings can be configured:
      • Enrich Built-in Roles with Role Members - Enable this option to enrich the Built-in Roles endpoint with Role Members.
      • Enrich Built-in Roles with Safe Members - Enable this option to enrich the Built-in Roles endpoint with Safe Members.
  • Parser Config - Click on > to open the following parser settings:
    • Parse the Domain value as an associated device - Select this option to treat the fetched Domain value as a device associated with the user.
Note

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.