CyberArk SCIM Connector Features
The CyberArk SCIM Connector within EmpowerID provides extensive capabilities for securely managing privileged accounts and security data. This document describes the supported operations, inventory details, and security attributes.
Supported Operations
The CyberArk Connector supports standard CRUD operations for managing users and groups within CyberArk. Additionally, it provides capabilities for group membership management:
Users
- Create: Add new user accounts with assigned privileges.
- Update: Modify existing user information, such as roles and permissions.
- Delete: Remove user accounts from CyberArk.
Groups
- Create: Create new groups.
- Update: Edit group configurations.
- Delete: Remove groups from CyberArk.
- Manage Membership: Add or remove users from groups.
Inventory
Full Inventory: The CyberArk SCIM Connector supports only the standard Full Inventory for users and groups. Each time the inventory job is executed, this process synchronizes all CyberArk users and groups.
API Endpoints
The following are the CyberArk endpoints the connector calls to manage users and groups.
CyberArk groups are renamed according to specific naming conventions based on their classification while they are being inventoried in EmpowerID:
- Managed Safe Groups: Groups prefixed with "M_". These are designated for structured, managed access.
- Unmanaged Safe Groups: Groups prefixed with "UM_". These groups support unstructured or ad hoc access.
- Generic Groups: Groups without the "M_" or "UM_" prefixes. These do not conform to Managed or Unmanaged classifications.
Attribute Mappings
The CyberArk Connector synchronizes CyberArk and EmpowerID by mapping the relevant attributes in CyberArk to the object attributes in EmpowerID. Below are the detailed user and group attribute mappings between CyberArk and EmpowerID.
User Mapping
The table defines the key attributes for the CyberArk SCIM Connector and their corresponding mappings to EmpowerID Person Attributes.
Display Name | Object Attribute (CyberArk) | Security Boundary Type (EmpowerID Person Attribute) | Description |
---|---|---|---|
active | active | Status | Indicates if the user account is active or inactive. |
Country | addresses[?(@.type=='work')].country | Country | Represents the work address country of the user. |
City | addresses[?(@.type=='work')].Locality | City | Represents the city in the user's work address. |
ZipCode | addresses[?(@.type=='work')].postalCode | ZipCode | Represents the postal code in the user's work address. |
State | addresses[?(@.type=='work')].region | State | Represents the state or region in the user's work address. |
StreetAddress | addresses[?(@.type=='work')].streetAddress | StreetAddress | Represents the street address of the user's work location. |
DisplayName | displayName | DisplayName | Full name of the user, used for display purposes. |
| emails[?(@.type=='work')].value | | The user's work email address. |
Alias | externalId | Alias | External identifier for the user, typically used as a unique reference. |
LastName | name.familyName | LastName | The user's family or last name. |
Name | name.formatted | Name | The full formatted name of the user. |
FirstName | name.givenName | FirstName | The user's given or first name. |
Password | password | Password | The password associated with the user's account. |
Fax | phoneNumbers[?(@.type=='fax')].value | Fax | The user's fax number. |
HomePhone | phoneNumbers[?(@.type=='home')].value | HomePhone | The user's home phone number. |
MobileNumber | phoneNumbers[?(@.type=='mobile')].value | MobileNumber | The user's mobile phone number. |
Telephone | phoneNumbers[?(@.type=='other')].value | Telephone | The user's other telephone number. |
PhonesOther | phoneNumbers[?(@.type=='work')].value | PhonesOther | Other phone numbers associated with the user's work contact information. |
PhotoUrl | photos[?(@.type=='work')].value | PhotoUrl | URL pointing to the user's profile photo. |
PreferredLanguage | preferredLanguage | PreferredLanguage | The user's preferred language for communication. |
AboutMe | profileUrl | AboutMe | The profile URL containing information about the user. |
JobTitle | title | JobTitle | The user's job title. |
Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | Department | The department in which the user is employed. |
EmployeeID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber | EmployeeID | The user's employee ID, used for organizational purposes. |
LogonName | userName | LogonName | The user's username for logging into systems. |
EmployeeType | userType | EmployeeType | The user's type of employment (e.g., contractor, full-time). |
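As an added example (not EmpowerID's or CyberArk's own connector code), a small Python resolver that evaluates the mapping paths from the table above, including the `[?(@.type=='work')]` filters and the enterprise-extension URN, against a constructed SCIM User. The names USER_MAPPING, resolve_path and map_user are this example's own.

```python
import re
from typing import Any
# Subset of this page's user mapping (Password deliberately omitted): EmpowerID attribute -> SCIM path.
USER_MAPPING = {
    "LogonName": "userName",
    "Status": "active",
    "FirstName": "name.givenName",
    "Country": "addresses[?(@.type=='work')].country",
    "MobileNumber": "phoneNumbers[?(@.type=='mobile')].value",
    "HomePhone": "phoneNumbers[?(@.type=='home')].value",
    "EmployeeID": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber",
}
ENTERPRISE_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SEGMENT_RE = re.compile(r"[^.\[]+(?:\[[^\]]*\])?")           # 'addresses[?(...)]' or 'country'
FILTER_RE = re.compile(r"^(\w+)\[\?\(@\.type=='(\w+)'\)\]$")  # multi-valued attribute filtered by type
def _get_ci(obj: Any, key: str) -> Any:
    """Case-insensitive key lookup: SCIM attribute names are case-insensitive (RFC 7643)."""
    if not isinstance(obj, dict):
        return None
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)

def resolve_path(resource: dict, path: str) -> Any:
    """Evaluate one mapping path against a SCIM resource; None when the value is absent."""
    if path.startswith(ENTERPRISE_URN + "."):
        # The enterprise extension is a nested object keyed by the full URN (which itself contains '.')
        return resolve_path(_get_ci(resource, ENTERPRISE_URN) or {}, path[len(ENTERPRISE_URN) + 1:])
    current: Any = resource
    for segment in SEGMENT_RE.findall(path):
        match = FILTER_RE.match(segment)
        if match:  # pick the sub-attribute whose 'type' matches, e.g. the work address
            attr, wanted = match.groups()
            items = _get_ci(current, attr) or []
            current = next((i for i in items if isinstance(i, dict)
                            and str(i.get("type", "")).lower() == wanted.lower()), None)
        else:
            current = _get_ci(current, segment)
        if current is None:
            return None
    return current
def map_user(scim_user: dict) -> dict:
    """Project a CyberArk SCIM User onto EmpowerID Person attributes using USER_MAPPING."""
    return {eid: resolve_path(scim_user, path) for eid, path in USER_MAPPING.items()}
# Constructed sample SCIM User (not real data) with a home and a work address but no home phone.
SAMPLE_USER = {
    "userName": "jdoe", "active": True, "name": {"givenName": "Jane", "familyName": "Doe"},
    "addresses": [{"type": "home", "country": "DE"}, {"type": "work", "country": "US"}],
    "phoneNumbers": [{"type": "mobile", "value": "+1-555-0100"}],
    ENTERPRISE_URN: {"department": "Security", "employeeNumber": "E1234"},
}
```

Absent values resolve to None rather than raising, so a missing work address or phone type leaves the EmpowerID attribute empty instead of aborting the inventory of that user.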
Group Mapping
The table below highlights the key attributes used for managing groups in the CyberArk SCIM Connector and their mappings to EmpowerID Group Attributes.
Display Name | Object Attribute (CyberArk) | Security Boundary Type (EmpowerID Group Attribute) | Description |
---|---|---|---|
Description | Description | Description | Represents the description of the group. |
DisplayName | displayName | DisplayName | Full name of the group, used for display purposes. |
Alias | externalId | Alias | External identifier for the group, typically used as a unique reference. |
GroupMembership | groupMember | GroupMembership | Represents the group membership attribute used to manage group relationships. |
Members | members | Members | List of the members of the group, including users and other groups. |
Role Mapping
The table below defines the Security Boundary Attributes for managing roles within the CyberArk SCIM Connector.
Display Name | Object Attribute (CyberArk) | Security Boundary Type (EmpowerID Attribute) | Description |
---|---|---|---|
Description | Description | Description | Provides additional context or details about the role's purpose. |
Alias | externalId | Alias | A unique external identifier for the role, used as a reference in integrated systems. |
FriendlyName | FriendlyName | FriendlyName | The user-friendly name of the role, simplifying its identification and usage. |
ParentPath | ParentID | ParentPath | Represents the parent role or hierarchical relationship, defining the role's position in the structure. |
Location Mapping
The table below outlines the Security Boundary Attributes for managing locations within the CyberArk SCIM Connector.
Display Name | Object Attribute (CyberArk) | Security Boundary Type (EmpowerID Attribute) | Description |
---|---|---|---|
Description | Description | Description | Provides additional details or context about the location's purpose and functionality. |
Alias | externalId | Alias | A unique identifier for the location, used for reference across integrated systems. |
FriendlyName | FriendlyName | FriendlyName | A user-friendly or display name for the location, simplifying its identification. |
ParentPath | ParentID | ParentPath | Specifies the parent location or hierarchical relationship, defining the location's position in the structure. |