CyberArk
Description
The CyberArk connector uses the CyberArk Privileged Account Security REST API to discover privileged accounts managed in a CyberArk Password Vault. It enumerates accounts across one or more Safes and records Safe membership as entitlements in OrbisID.
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
CyberArk scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| CyberArk REST API (HTTPS) | 443 TCP | Default; configurable via pamPlatformUrl |
What OrbisID Discovers
| Data | Source |
|---|---|
| Privileged accounts | GET /PasswordVault/API/Accounts (paginated) |
| Account usernames | userName property |
| Target system addresses | address property |
| Safe memberships | safeName property — recorded as CYBERARK_SAFE entitlements |
| Platform IDs | platformId property — recorded as additional attributes |
Accounts are enumerated across all configured Safes. If no Safes are specified, all Safes accessible to the scanning user are scanned.
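The following is an added example, not OrbisID's or CyberArk's own code. It walks the discovery flow described above against the PVWA REST API: a native CyberArk logon, a paginated GET /PasswordVault/API/Accounts using the API's offset and limit query parameters (one query per Safe when cyberarkSafeNames is set, via filter=safeName eq <Safe>), and the mapping of userName, address and platformId plus safeName to CYBERARK_SAFE entitlements. HTTP goes through an injectable transport so it runs offline against a constructed fake vault; the account data, user name and token below are made up, and the record layout is an assumption, not OrbisID's internal schema.

```python
"""Added example (not OrbisID's own code): CyberArk PVWA account discovery
with offset/limit pagination, per-Safe filtering and Safe-membership
entitlements. Sample data and the fake transport are constructed."""
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNTS_PATH = "/PasswordVault/API/Accounts"
LOGON_PATH = "/PasswordVault/API/auth/CyberArk/Logon"   # native CyberArk authentication
LOGOFF_PATH = "/PasswordVault/API/auth/Logoff"
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], object]


def parse_safe_names(raw: Optional[str]) -> List[str]:
    """Parse the cyberarkSafeNames attribute; empty/missing means all accessible Safes."""
    if not raw or not raw.strip():
        return []
    names = json.loads(raw)
    if not isinstance(names, list) or not all(isinstance(n, str) and n for n in names):
        raise ValueError("cyberarkSafeNames must be a JSON array of non-empty strings")
    return names


class CyberArkScanner:
    def __init__(self, pam_platform_url: str, transport: Transport, page_size: int = 25):
        self.base = pam_platform_url.rstrip("/")      # system.pamPlatformUrl
        self.transport = transport
        self.page_size = page_size
        self.token: Optional[str] = None

    def _headers(self) -> Dict[str, str]:
        h = {"Content-Type": "application/json"}
        if self.token:
            h["Authorization"] = self.token           # PVWA returns a bare token string
        return h

    def logon(self, username: str, password: str) -> None:
        self.token = self.transport("POST", self.base + LOGON_PATH, self._headers(),
                                    {"username": username, "password": password,
                                     "concurrentSession": True})

    def logoff(self) -> None:
        if self.token:
            self.transport("POST", self.base + LOGOFF_PATH, self._headers(), None)
            self.token = None

    def _accounts_in(self, safe: Optional[str]) -> List[dict]:
        """Fetch every page of GET /Accounts; a short page marks the last one."""
        found, offset = [], 0
        while True:
            params = {"offset": offset, "limit": self.page_size}
            if safe:
                params["filter"] = f"safeName eq {safe}"
            page = self.transport("GET", f"{self.base}{ACCOUNTS_PATH}?{urlencode(params)}",
                                  self._headers(), None)
            batch = page.get("value", [])
            found.extend(batch)
            if len(batch) < self.page_size:
                return found
            offset += self.page_size

    def discover(self, safe_names: List[str]) -> dict:
        raw: List[dict] = []
        for safe in safe_names or [None]:             # [None] == unfiltered, all Safes
            raw.extend(self._accounts_in(safe))
        accounts = [{"id": a["id"], "username": a["userName"], "address": a["address"],
                     "platformId": a.get("platformId"), "safeName": a["safeName"]} for a in raw]
        memberships = sorted({(a["safeName"], a["id"]) for a in raw})
        return {"accounts": accounts,
                "entitlements": [{"type": "CYBERARK_SAFE", "value": s, "accountId": i}
                                 for s, i in memberships]}


def scan(pam_platform_url, username, password, cyberark_safe_names, transport, page_size=2):
    client = CyberArkScanner(pam_platform_url, transport, page_size)
    client.logon(username, password)
    try:
        return client.discover(parse_safe_names(cyberark_safe_names))
    finally:
        client.logoff()                               # always release the PVWA session


# --- Constructed fake PVWA: sample accounts, scanner user and token are made up ---
FAKE_ACCOUNTS = [
    {"id": "11_3", "userName": "root", "address": "db01.example.com", "platformId": "UnixSSH", "safeName": "Linux-Prod"},
    {"id": "11_4", "userName": "svc_backup", "address": "db01.example.com", "platformId": "UnixSSH", "safeName": "Linux-Prod"},
    {"id": "11_5", "userName": "oracle", "address": "db01.example.com", "platformId": "UnixSSH", "safeName": "Linux-Prod"},
    {"id": "12_1", "userName": "Administrator", "address": "win01.example.com", "platformId": "WinServerLocal", "safeName": "Windows-Prod"},
    {"id": "13_1", "userName": "sa", "address": "sql01.example.com", "platformId": "MSSql", "safeName": "Databases"},
]
FAKE_USER, FAKE_PASS, FAKE_TOKEN = "OrbisID-Scanner", "constructed-password", "fake-session-token"


def fake_transport(method, url, headers, body):
    u = urlparse(url)
    if method == "POST" and u.path == LOGON_PATH:
        if body.get("username") == FAKE_USER and body.get("password") == FAKE_PASS:
            return FAKE_TOKEN
        raise PermissionError("401 Unauthorized")
    if headers.get("Authorization") != FAKE_TOKEN:
        raise PermissionError("401 Unauthorized")
    if method == "POST" and u.path == LOGOFF_PATH:
        return {}
    if method == "GET" and u.path == ACCOUNTS_PATH:
        q = parse_qs(u.query)
        rows = FAKE_ACCOUNTS
        if "filter" in q:                             # only "safeName eq X" is emulated
            rows = [a for a in rows if a["safeName"] == q["filter"][0].partition(" eq ")[2]]
        offset, limit = int(q.get("offset", ["0"])[0]), int(q.get("limit", ["25"])[0])
        return {"count": len(rows), "value": rows[offset:offset + limit]}
    raise FileNotFoundError(f"404 {method} {u.path}")


if __name__ == "__main__":
    result = scan("https://pvwa.example.com", FAKE_USER, FAKE_PASS, '["Linux-Prod","Databases"]', fake_transport)
    print(json.dumps(result, indent=2))
```

Against a real PVWA the transport would be a small wrapper around an HTTP client that sends the body as JSON, verifies the server certificate, and returns the parsed response; keep page_size at the default 25 or larger there, the value of 2 only exists so the fake vault exercises several pages. Note the logoff in the finally block: PVWA sessions are a limited resource and an abandoned scanner session is both a capacity problem and a leftover bearer token.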
Connection Requirements
CyberArk User Account
OrbisID authenticates with a user that uses CyberArk's native authentication (authentication type CyberArk) and has read access to the target Safes.
Minimum permissions for the scanning user:
| Permission | Where to Set |
|---|---|
| List Accounts | Granted on each Safe to be scanned |
| View Safe Members | Granted on each Safe (optional, for membership details) |
Recommended: Create a dedicated CyberArk user named OrbisID-Scanner and assign Safe-level List Accounts permission only.
Credential Mapping
| OrbisID Field | CyberArk Value |
|---|---|
| credential.username | CyberArk username |
| credential.password | CyberArk password |
| system.pamPlatformUrl | Base URL of the PVWA (e.g., https://pvwa.example.com) |
System Attributes
| Attribute | Required | Description |
|---|---|---|
| cyberarkSafeNames | No | JSON array of Safe names to scan (e.g., ["Safe1","Safe2"]). If omitted, all accessible Safes are scanned. |
Network Requirements
| Requirement | Detail |
|---|---|
| HTTPS to PVWA | OrbisID server (or On-Premise Agent) must reach the PVWA on port 443 |
| PVWA REST API enabled | Ensure the PVWA REST API component is installed and enabled |
Configuration Steps
- Create a dedicated CyberArk user and grant List Accounts on the target Safes
- Create a Credential in OrbisID:
- Username: CyberArk username
- Password: CyberArk password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., CyberArk PVWA – Production) |
| PAM Platform URL | Base URL of the PVWA (e.g., https://pvwa.example.com) |
| OS Type | CyberArk |
| System Type | PAM Tool |
| Credential | The CyberArk scanning user credential |
- Optionally, add the cyberarkSafeNames attribute to limit which Safes are scanned
- Click Test Connection to verify authentication
- Click Save
Use the cyberarkSafeNames attribute to restrict scanning to specific Safes. Scanning all Safes can be time-consuming in large vaults and may expose more data than necessary for PAM reconciliation.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| 401 Unauthorized on test connection | Invalid CyberArk credentials | Verify the username and password; ensure the account is not locked or suspended in the Vault |
| 403 Forbidden when listing accounts | Missing Safe permissions | Grant List Accounts to the scanning user on each target Safe |
| No accounts returned | Safes inaccessible or empty | Verify the Safe names in cyberarkSafeNames (they are case-sensitive in the filter); check that the user is a member of each Safe |
| Connection refused | PVWA URL incorrect or port blocked | Verify pamPlatformUrl; check firewall rules on port 443 |
| TLS certificate error | PVWA uses a self-signed or private-CA certificate | Install the PVWA certificate (or its issuing CA) in the OrbisID host's trust store, or use an On-Premise Agent with the certificate installed |