CYBERARK – SAILPOINT INTEGRATION OVERVIEW & CONFIGURATION GUIDE VERSION 1.0
TABLE OF CONTENTS
OVERVIEW & CONFIGURATION GUIDE
TABLE OF CONTENTS
CYBERARK-SAILPOINT INTEGRATION OVERVIEW
KEY BENEFITS
DESCRIPTION OF PRODUCT INTEGRATION
SYSTEM REQUIREMENTS
  CYBERARK COMPONENTS
  SAILPOINT COMPONENTS
  CYBERARK THIRD-PARTY DEPENDENCIES
  SERVER FOR CYBERARK-SAILPOINT INTEGRATION
CYBERARK-SAILPOINT INTEGRATION INSTALLATION & CONFIGURATION
  INTEGRATION PACKAGE CONTENTS
  INSTALLATION STEPS
AIM CONFIGURATION
  DEFINING THE APPLICATION ID (APPID) AND AUTHENTICATION DETAILS
  SETTING PERMISSIONS FOR CYBERARK-SAILPOINT APPLICATION ACCESS
APPENDIX A - CASP.INI : CyberArk-SailPoint Configuration Options
APPENDIX B - DATA MODEL – CYBERARK OBJECTS
  USERS
  USER AUTHORIZATIONS (AUTH)
  GROUPS
  SAFES
  SAFE PERMISSIONS
APPENDIX C - SAILPOINT STI TABLES
  CYBERARK
  CYBERARKTYPE
  CYBERARKGROUP
  CYBERARKGROUPMEMBER
  CYBERARKAUTHORIZATION
  CYBERARKAUTHORIZATION
  CYBERARKSAFE
  CYBERARKSAFEPERMISSION
  CYBERARKSAFEROLE
  CYBERARKSAFEENTITLEMENT
  CYBERARKTARGET
APPENDIX D: CYBERARK-SAILPOINT PROVISIONING DETAILS
APPENDIX D - SAILPOINT: CYBERARK APPLICATION OBJECTS
  USER
    MERGING BY USERNAME
  SAFE
    MERGING BY SAFENAME
  AUTHORIZATION
  SAFEROLEENTITLEMENT
    COLUMN PROPERTIES
  GROUP
    MERGING BY GROUPNAME
CYBERARK-SAILPOINT INTEGRATION OVERVIEW
When it comes to managing users and their access entitlements, a majority of organizations run two separate solutions to manage the identity lifecycle and access policies for privileged and non-privileged users. Standalone solutions for the two types of user cannot enforce a unified access policy or a consistent governance, provisioning and authorization process. This can result in access violations and regulatory action. To avoid this, organizations need a single automated, policy-based process for privileged and non-privileged users that covers access requests, approvals, certifications, provisioning and remediation. The CyberArk Privileged Account Security Solution integrated with SailPoint IdentityIQ provides a unified view with centralized, policy-based identity management for all identities, including privileged identities (individuals and applications) and their access entitlements, to ensure access policy and regulatory compliance.
KEY BENEFITS
The integration of the CyberArk Privileged Account Security Solution and SailPoint IdentityIQ gives organizations a unified, policy-driven approach to identity and access governance across all users. Once deployed, the solution arms organizations with the information they need to quickly identify and respond to security risks involving the organization's most powerful identities: privileged users. Joint CyberArk and SailPoint Solution Benefits:
Provides enhanced visibility and control of privileged users and access data directly from IdentityIQ.
Unifies provisioning processes for privileged and non-privileged users.
Ensures privileged users are granted appropriate access permissions based on similar privileged users' attributes (e.g. roles, job functions), and in accordance with the organization's access policy.
Reduces the attack surface and enhances regulatory compliance by limiting access privileges and deactivating stale/orphan privileged accounts.
Streamlines governance and compliance processes by generating reports and auditing all identities and access permissions directly from IdentityIQ.
DESCRIPTION OF PRODUCT INTEGRATION
The joint CyberArk and SailPoint solution is bi-directional: provisioning to CyberArk is performed directly from SailPoint based on Active Directory groups, policies and an approval process defined within SailPoint, and in the other direction CyberArk collects privileged user data, account information and access data and sends it to SailPoint. By centralizing and unifying identity and access governance of privileged and non-privileged users, organizations can:
Fully manage privileged user (individual/application) lifecycles: Create, review and approve privileged access permissions based on group affiliations, roles and other commonalities directly from IdentityIQ. All privileged access requests are verified using an automated approval workflow. Once approved, the data is automatically synchronized with the CyberArk Privileged Account Security Solution and the privileged user is added to the relevant privileged account(s).
Update user/group access privileges directly from IdentityIQ to avoid orphan privileged accounts, privileged entitlement creep, and excess privileged permissions. Updated access permissions are automatically provisioned within the CyberArk Solution.
Execute periodic reviews and re-certification of privileged access directly from IdentityIQ.
Enforce application access permissions defined within IdentityIQ using CyberArk Application Identity Manager™ to ensure the application can only access authorized assets.
Generate alerts and reports on privileged identities and access activities directly from IdentityIQ to detect unauthorized access changes or suspicious log-in activity to privileged accounts. Access reviews can be executed at the privileged user, group or system level.
SYSTEM REQUIREMENTS
CYBERARK COMPONENTS
The CyberArk-SailPoint integration works with:
Digital Vault Server, version 7.2 or higher
PACLI (Command Line Interface) v7.2
AIM 7.2 or Credential Provider 9.5
Export Vault Data Utility v7.2
SAILPOINT COMPONENTS
SailPoint STI Service Module
Data Staging Tables
CYBERARK THIRD-PARTY DEPENDENCIES
MySQL Database to act as the STI Staging Database
SERVER FOR CYBERARK-SAILPOINT INTEGRATION
Operating System (one of):
Windows 2003 R2 (32-bit)
Windows 2008 R2 (64-bit)
Windows 7 (64-bit)
Windows 2012 R2 (64-bit)
Minimum Requirements:
Disk space: 100 MB free disk space
Minimum memory: 2 GB
Communication: TCP/IP connection to the CyberArk Vault Server
.NET Framework 3.5
CYBERARK-SAILPOINT INTEGRATION INSTALLATION & CONFIGURATION
The CyberArk-SailPoint Integration package is distributed by CyberArk (by contacting CyberArk's Business Development team at [email protected]). The integration package delivers the executables, configuration files, SQL scripts (needed for the STI schema database), and SailPoint XML objects needed for the integration. The SailPoint XML objects can be found on Compass under the Product Center -> Structured Table Integration category, in a zip file containing all the configuration files for the integration.
INTEGRATION PACKAGE CONTENTS
The package ZIP has to be unzipped; it has the following contents in these folders:
\CYBERARKSAILPOINT
CASP.ini : Configuration file for the integration. Refer to "APPENDIX A - CASP.ini : CyberArk-SailPoint Configuration Options" for details.
Vault.ini : Configuration file pointing to the Vault to be used for the integration.
CASP-logging.json : Configuration file for logging/trace/debug output of the integration.
caspaction.exe, caspinit.exe, caspterminate.exe : Executables used by the integration.
CyberArk-SailPoint.bat : Batch file to be used by the scheduled tasks.
\CYBERARKSAILPOINT\CASP
CASP-App.sql : MySQL schema for the integration.
CASP-App-Custom.sql : Pre-defined data for the integration, to be customized as needed.
\CYBERARKSAILPOINT\SCHEDULEDTASKS-DEFINITIONS
CyberArkSailPoint - Incremental Load (Users and Entitlements).xml : Scheduled task definition for the process that periodically performs the incremental load of users and entitlements. By default it is set to execute every 15 minutes.
CyberArkSailPoint - Process Provisioning Actions.xml : Scheduled task definition for the process that periodically processes the provisioning actions sent by SailPoint.
\CYBERARKSAILPOINT\LOGS
This folder holds all the logs for the different tasks performed by the integration processes:
CASOS*.log : Internal logs for the export of Vault data.
CASP-*.log : Info/error/debug output for the integration tasks, particularly those run by the scheduled tasks.
INSTALLATION STEPS
On the server for the CyberArk-SailPoint integration:
1. Install PACLI (refer to CyberArk's "Command Line Interface Guide and Reference") and add PACLI to your PATH environment variable.
2. Install the ExportVaultData Utility (refer to CyberArk's "ExportVaultData Utility Implementation Guide").
3. Install AIM (refer to CyberArk's "Credential Provider and ASCP Implementation Guide"). AIM (Application Identity Management) is required for the CyberArk integration package to retrieve the credential for the STI MySQL Database.
4. Define the application "CyberArk-SailPoint" within CyberArk (see AIM CONFIGURATION below).
5. Configure the application to have access to the STI Staging Database.
6. Load the CyberArk-STI configuration XML file into SailPoint IdentityIQ (contained in the integration package downloaded from Compass).
7. Configure the CyberArk-SailPoint Integration:
   a. Extract CyberArk-SailPoint.zip.
   b. Update Vault.ini to point to the Vault to be used for the integration.
   c. Create a CyberArk user for extracting data from the CyberArk Vault and for processing provisioning actions against the CyberArk Vault using PACLI. This user needs the following:
      i. All Vault authorizations (to be able to grant permissions, the user must hold them itself): Add Safes, Audit Users, Add/Update Users, Reset Users' Passwords, Activate Users, Add Network Areas, Manage Directory Mapping, Manage Server File Categories, Backup All Safes, Restore All Safes.
      ii. Membership of the Auditors group (to have audit permissions on all the Safes in the Vault).
      iii. All permissions on the Safes that are part of the entitlement set of permissions that the provisioning actions will grant or revoke. The user may be a member of a group that grants all the needed permissions on those Safes.
   d. Create a credential file for the user created in the previous step. Refer to "Appendix A: Creating Credential Files" of the "Privileged Account Security Installation Guide" in CyberArk's documentation set.
   e. Update CASP.ini to point to the right Vault.ini and to the credential file just created, along with any other adjustments needed. See "APPENDIX A - CASP.ini : CyberArk-SailPoint Configuration Options".
   f. Create the CyberArk-SailPoint STI database schema by running CASP-App.SQL (under the \CyberArkSailPoint\CASP folder) against the STI Staging Database.
   g. Update CASP-APP-Custom.SQL (under the \CyberArkSailPoint\CASP folder) to provide the following:
      i. Descriptions for the CyberArk Vault authorizations (the default values can be used and will probably be enough).
      ii. Definitions of the CyberArk user types (based on your license; the defaults can be used, but validate them against your CyberArk license and make sure the types match it).
      iii. Definitions of the CyberArk Safe Roles. Based on your Vault environment, group the different sets of permissions into your organization's roles; take the example information delivered and adjust it to your company's needs.
   h. Execute CASP-APP-Custom.SQL against the STI Staging Database.
   i. Define the Scheduled Tasks based on the definitions provided under \CyberArkSailPoint\ScheduledTasks-Definitions:
      i. Adjust the repeat time of each task as needed.
   j. Update the CyberArk Safe Roles defined in CASP-APP-Custom.SQL:
      i. Analyze the different CyberArk Safe Roles defined in CASP-APP-Custom.SQL and update them according to the needs of the customer's environment.
      ii. Remove the last_run and last_run_mode parameters from CASP.ini (see "APPENDIX A - CASP.ini : CyberArk-SailPoint Configuration Options") to force a full load of users and entitlements into SailPoint IdentityIQ.
      iii. Execute the 'CyberArkSailPoint - Incremental Load (Users and Entitlements)' scheduled task.
      iv. Execute the following query against the STI Staging Database; every row returned is a permission combination that no Safe Role covers yet:
          SELECT allPermissions, COUNT(*),
                 group_concat(DISTINCT ownerName ORDER BY ownerName) AS Owners,
                 group_concat(DISTINCT safeName ORDER BY safeName) AS Safes
          FROM sti.cyberarksafeentitlement
          WHERE safeRole = 'UNDEFINEDROLE'
          GROUP BY allPermissions;
      v. Update the CASP-APP-Custom.SQL file based on the results of the previous query so that no entitlement is left with 'UNDEFINEDROLE', and execute it again against the STI Staging Database.
      vi. Repeat steps i through iv until no 'UNDEFINEDROLE' results are present.
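The following is an added example, not part of the integration package, that models step 7.j offline so the refinement loop can be understood and rehearsed without the STI Staging Database. It assumes (the page does not say this) that a Safe Role is an exact set of Safe permissions and that allPermissions is a comma-separated list of permission names; the column names allPermissions, ownerName, safeName and safeRole, and the literal 'UNDEFINEDROLE', are the ones the page's query uses. The role definitions and membership rows are constructed sample data standing in for CASP-App-Custom.SQL and for what the Incremental Load stages.

```python
"""Offline model of installation step 7.j (the Safe Role refinement loop).

Added example; not part of the CyberArk-SailPoint integration package.
Assumptions not stated on the page: a Safe Role is an exact permission set
and allPermissions is a comma-separated list of permission names.
"""
from collections import defaultdict

UNDEFINED_ROLE = "UNDEFINEDROLE"

# Constructed Safe Role definitions standing in for the ones in CASP-App-Custom.SQL.
SAFE_ROLES = {
    "Auditor": frozenset({"List accounts", "View audit", "View permissions"}),
    "Account User": frozenset({"List accounts", "Retrieve accounts", "Use accounts"}),
}

# Constructed Safe membership rows, as the Incremental Load would stage them.
STAGED_ENTITLEMENTS = [
    {"ownerName": "alice", "safeName": "Windows-Admins",
     "allPermissions": "List accounts,Retrieve accounts,Use accounts"},
    {"ownerName": "bob", "safeName": "Unix-Admins",
     "allPermissions": "List accounts,View audit,View permissions"},
    {"ownerName": "carol", "safeName": "Windows-Admins",
     "allPermissions": "List accounts,Retrieve accounts,Use accounts,Initiate CPM change"},
    {"ownerName": "dave", "safeName": "Unix-Admins",
     "allPermissions": "List accounts,Retrieve accounts,Use accounts,Initiate CPM change"},
    {"ownerName": "erin", "safeName": "Backup-Safe", "allPermissions": "Backup Safe"},
]


def permission_set(all_permissions):
    """Split the comma-separated allPermissions string into a frozenset of names."""
    return frozenset(p.strip() for p in all_permissions.split(",") if p.strip())


def assign_safe_roles(rows, roles):
    """Return the rows with safeRole set to the role whose permission set matches
    exactly, or UNDEFINEDROLE when no role matches (what the load leaves behind)."""
    role_by_perms = {perms: name for name, perms in roles.items()}
    return [{**row, "safeRole": role_by_perms.get(permission_set(row["allPermissions"]),
                                                  UNDEFINED_ROLE)}
            for row in rows]


def undefined_role_report(rows):
    """Same aggregation as the page's query (WHERE safeRole = 'UNDEFINEDROLE'
    GROUP BY allPermissions): permission string -> (count, owners, safes)."""
    groups = defaultdict(lambda: {"count": 0, "owners": set(), "safes": set()})
    for row in rows:
        if row["safeRole"] != UNDEFINED_ROLE:
            continue
        entry = groups[row["allPermissions"]]
        entry["count"] += 1
        entry["owners"].add(row["ownerName"])
        entry["safes"].add(row["safeName"])
    return {perms: (e["count"], sorted(e["owners"]), sorted(e["safes"]))
            for perms, e in groups.items()}


def refine_until_defined(rows, roles, name_for):
    """Repeat assign -> report -> add roles until no UNDEFINEDROLE remains.
    name_for(permission_string) stands in for the administrator choosing a
    role name for each reported combination when editing CASP-App-Custom.SQL."""
    roles = dict(roles)
    rounds = 0
    while True:
        assigned = assign_safe_roles(rows, roles)
        report = undefined_role_report(assigned)
        if not report:
            return assigned, roles, rounds
        rounds += 1
        for perms in report:
            perm_set = permission_set(perms)
            if perm_set not in roles.values():  # same set under another spelling
                roles[name_for(perms)] = perm_set


if __name__ == "__main__":
    first_pass = assign_safe_roles(STAGED_ENTITLEMENTS, SAFE_ROLES)
    for perms, (count, owners, safes) in undefined_role_report(first_pass).items():
        print(f"{count:3d}  {perms!r}  owners={owners}  safes={safes}")
    _, roles, rounds = refine_until_defined(STAGED_ENTITLEMENTS, SAFE_ROLES,
                                            lambda p: "Role: " + p)
    print(f"{len(roles)} roles defined after {rounds} round(s)")
```

The report groups by the raw allPermissions string, exactly as the query does, so two memberships with the same permissions listed in a different order would appear as two rows; refine_until_defined compares permission sets before adding a role so that such a pair still yields one role.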
AIM CONFIGURATION
DEFINING THE APPLICATION ID (APPID) AND AUTHENTICATION DETAILS
To define the application manually via CyberArk's PVWA (Password Vault Web Access) interface:
1. Logged in as a user allowed to manage applications (this requires the Manage Users authorization), in the Applications tab, click Add Application; the Add Application page appears.
2. Specify the following information:
   In the Name edit box, specify the unique name (ID) of the application: APP ID = CyberArk-SailPoint
   In the Description, specify a short description of the application that will help you identify it.
   In the Business owner section, specify information about the application's Business owner.
   In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application is added in the same Location as the user who is creating it.
3. Click Add; the application is added and is displayed in the Application Details page.
   Check the "Allow extended authentication restrictions" box. This enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
4. Specify the application's authentication details. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
   In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
   Select the authentication characteristic to specify.
5. Specify the OS user:
   a. Select OS user; the Add Operating System User Authentication window appears.
   b. Specify the name of the OS user who will run the application (the OS user that will run the scheduled tasks), then click Add; the OS user is listed in the Authentication tab.
6. Specify the application path:
   a. Select Path; the Add Path Authentication window appears.
   b. Specify the path where the application will run. The screenshot above assumes you installed the integration under C:\CyberArkSailPoint; update it accordingly.
   c. To indicate that the specified path is a folder, select Path is folder.
   d. To allow internal scripts to retrieve the application password for this application, select Allow internal scripts to request credentials on behalf of this application ID.
   e. Click Add; the Path is added as an authentication characteristic with the information you specified.
   Note: If using Path, add "c:\windows\system32\cmd.exe" to the "TrustedCLIShells" parameter in the [Main] section of the main configuration file used by the Application Provider.
7. Specify a hash:
   a. Run the AIMGetAppInfo utility to calculate the unique hash of the CyberArkSailPoint.bat file provided in the integration package.
   b. Copy the hash value returned by the utility.
   c. In the PVWA, select Hash; the Add Hash window appears.
   d. In the Hash edit box, paste the application's unique hash value, or specify multiple hash values separated by semicolons. You can add a comment after each hash value by specifying '#' after the hash value, followed by the comment. For example: 256241485053F1B4CF308FACA60B148F7F4EE002#app2
      Note: The comment must not include a colon or a semicolon.
   e. Click Add; the Hash is added as an authentication characteristic with the information you specified.
8. Specify the application's Allowed Machines. This information enables the Credential Provider to make sure that only applications that run from the specified machines can access their passwords.
   In the Allowed Machines tab, click Add; the Add allowed machine window is displayed.
   Specify the IP/hostname/DNS name of the server where the CyberArk-SailPoint Integration will be running, then click Add; the address is listed in the Allowed machines tab.
SETTING PERMISSIONS FOR CYBERARK-SAILPOINT APPLICATION ACCESS
The CyberArk-SailPoint Integration application needs access to the Safe where the credential for the STI Staging Database is stored.
1. Add the Credential Provider user (used by the CyberArk-SailPoint Integration) and the CyberArk-SailPoint application user as members of the Safe where the credential for the STI Staging Database is stored:
   i. Add the Provider user (used by the CyberArk-SailPoint Integration) as a Safe Member with the following authorizations: List accounts, Retrieve accounts, View Safe Members.
   ii. Add CyberArk-SailPoint (the APPID for the integration) as a Safe Member with the following authorization: Retrieve accounts.
   iii. If your environment is configured for dual control: In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application the following permission: Access Safe without Confirmation. In Privileged Account Security solutions (v8.0 and higher), when working with dual control, the Provider user can always access without confirmation, so it is not necessary to set this permission.
   iv. If the Safe is configured for object level access control, make sure that both the Provider user and the application have access to the password(s) to retrieve.
For more information about configuring Safe Members, refer to the Privileged Account Security Implementation Guide.
APPENDIX A - CASP.INI : CyberArk-SailPoint Configuration Options
Example of options for configuration:
    [GENERAL]
    vault = Vault.ini
    credfile = sailpoint.ini
    databaseaimquery = Query=Safe=SailPoint-Integration;Folder=Root;Object=CyberArk-Sailpoint
    [TOOLS]
    clicmd = C:\Program Files (x86)\CyberArk\ApplicationSdk\CLISDK64.exe
    exportvaultcmd = C:\ExportVaultData\ExportVaultData.exe
    [PROVISIONING]
    internalgroupstoignore = PVWAGWAccounts,Notification Engines,DR Users,PSMMaster,Backup Users
    removesafeownerifnopermissionsafterupdate = Yes
    [ENTITLEMENT]
    codesforidentitiestriggeringentitlementrefresh = 2,28,29,30,32,33,174,182,273
    codesforidentitiestorefresh = 2,28,29,30,32,33,80,174,176,180,182,184,211,256,273
    codesforgroupstorefresh = 265,266,257,259,260,261,262,263,264,266,286
    codesforsafestorefresh = 17,110,185,197
    last_run = 2016/04/08 07:15:01
    last_run_mode = INCREMENTAL
Options, by section:
[GENERAL]
vault : Name (optionally with path) of the configuration file that provides the information for the Vault to connect to.
credfile : Credential file name (optionally with path) used by the integration to connect to the Vault, whether through PACLI or through the Export Vault Data Utility.
databaseaimquery : AIM query executed against CyberArk to retrieve the credential for the STI Staging Database.
[TOOLS]
clicmd : AIM command line utility (optionally with path) executed to retrieve the credential for the STI Staging Database.
exportvaultcmd : Export Vault Data Utility command (optionally with path) to execute.
[PROVISIONING]
internalgroupstoignore : List of group names (internal or local to CyberArk) to be ignored when processing provisioning actions.
removesafeownerifnopermissionsafterupdate : Yes or No. Indicates whether a user who is left with no permissions on a Safe after a provisioning action should be removed as a member of that Safe.
[ENTITLEMENT]
codesforidentitiestriggeringentitlementrefresh : Comma-separated list of Vault Audit Action Codes that trigger an entitlement refresh for identities. Refer to the section "Vault Audit Action Codes" of the "Privileged Account Security Reference Guide" in the CyberArk documentation set.
codesforidentitiestorefresh : Comma-separated list of Vault Audit Action Codes that trigger an identities/users refresh. Refer to the section "Vault Audit Action Codes" of the "Privileged Account Security Reference Guide" in the CyberArk documentation set.
codesforgroupstorefresh : Comma-separated list of Vault Audit Action Codes that trigger a groups refresh. Refer to the section "Vault Audit Action Codes" of the "Privileged Account Security Reference Guide" in the CyberArk documentation set.
codesforsafestorefresh : Comma-separated list of Vault Audit Action Codes that trigger an entitlement refresh based on Safe actions. Refer to the section "Vault Audit Action Codes" of the "Privileged Account Security Reference Guide" in the CyberArk documentation set.
last_run : Last time the entitlement process was run. Note: deleting this line and the line for 'last_run_mode' makes the next entitlement load process a FULL load.
last_run_mode : Either INCREMENTAL or FULL, the mode of the last execution of the load entitlements process.
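As an added example (not part of the integration package), the following reads the CASP.ini shown above with Python's standard configparser and applies the [ENTITLEMENT] semantics described in this appendix: the next load is FULL when last_run and last_run_mode are absent, otherwise INCREMENTAL from last_run; and each audit action code selects which refresh set (identities, entitlements of identities, groups, safes) an event feeds. The CASP.ini text is the one from this page; the audit event layout (timestamp, action code, subject name), the sample events and the internal-group filter helper are constructed for the example, and no meaning is attached to any code beyond the list it appears in.

```python
"""Reading CASP.ini and routing Vault audit events by the configured action codes.

Added example; not part of the CyberArk-SailPoint integration package.
The audit event tuple layout and sample events are constructed.
"""
import configparser
from datetime import datetime

# CASP.ini content as given in Appendix A of the page.
CASP_INI = r"""
[GENERAL]
vault = Vault.ini
credfile = sailpoint.ini
databaseaimquery = Query=Safe=SailPoint-Integration;Folder=Root;Object=CyberArk-Sailpoint
[TOOLS]
clicmd = C:\Program Files (x86)\CyberArk\ApplicationSdk\CLISDK64.exe
exportvaultcmd = C:\ExportVaultData\ExportVaultData.exe
[PROVISIONING]
internalgroupstoignore = PVWAGWAccounts,Notification Engines,DR Users,PSMMaster,Backup Users
removesafeownerifnopermissionsafterupdate = Yes
[ENTITLEMENT]
codesforidentitiestriggeringentitlementrefresh = 2,28,29,30,32,33,174,182,273
codesforidentitiestorefresh = 2,28,29,30,32,33,80,174,176,180,182,184,211,256,273
codesforgroupstorefresh = 265,266,257,259,260,261,262,263,264,266,286
codesforsafestorefresh = 17,110,185,197
last_run = 2016/04/08 07:15:01
last_run_mode = INCREMENTAL
"""


def load_casp(text=CASP_INI):
    """Parse CASP.ini. Interpolation is off so Windows paths and the AIM query
    (which contains '=' and ';') are read verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def code_set(cp, option):
    """Turn one comma-separated code list from [ENTITLEMENT] into a set of ints."""
    raw = cp.get("ENTITLEMENT", option, fallback="")
    return {int(c) for c in raw.split(",") if c.strip()}


def next_load_mode(cp):
    """FULL when last_run or last_run_mode is missing (deleting them forces a full
    load); otherwise INCREMENTAL, with the timestamp the next run continues from."""
    section = cp["ENTITLEMENT"]
    if "last_run" not in section or "last_run_mode" not in section:
        return "FULL", None
    return "INCREMENTAL", datetime.strptime(section["last_run"], "%Y/%m/%d %H:%M:%S")


def plan_refresh(cp, audit_events):
    """Route audit events to the refresh sets their action code selects.
    audit_events: iterable of (timestamp, action_code, subject_name) tuples.
    In INCREMENTAL mode events at or before last_run are skipped."""
    mode, since = next_load_mode(cp)
    buckets = {
        "identities": code_set(cp, "codesforidentitiestorefresh"),
        "entitlements_of_identities": code_set(cp, "codesforidentitiestriggeringentitlementrefresh"),
        "groups": code_set(cp, "codesforgroupstorefresh"),
        "safes": code_set(cp, "codesforsafestorefresh"),
    }
    plan = {name: set() for name in buckets}
    plan["mode"] = mode
    for when, code, subject in audit_events:
        if since is not None and when <= since:
            continue  # already covered by the previous incremental run
        for name, codes in buckets.items():
            if code in codes:
                plan[name].add(subject)
    return plan


def provisionable_groups(cp, group_names):
    """Drop the CyberArk-internal groups listed in internalgroupstoignore, as the
    provisioning step is configured to do (helper constructed for the example)."""
    ignore = {g.strip() for g in cp.get("PROVISIONING", "internalgroupstoignore").split(",")}
    return [g for g in group_names if g not in ignore]


# Constructed sample audit records: (timestamp, action code, subject).
AUDIT_EVENTS = [
    (datetime(2016, 4, 8, 7, 0, 0), 2, "old-user"),          # before last_run: skipped
    (datetime(2016, 4, 8, 7, 20, 0), 2, "alice"),            # identity and entitlement refresh
    (datetime(2016, 4, 8, 7, 21, 0), 80, "bob"),             # identity refresh only
    (datetime(2016, 4, 8, 7, 22, 0), 265, "Vault Admins"),   # group refresh
    (datetime(2016, 4, 8, 7, 23, 0), 17, "Windows-Admins"),  # safe-based entitlement refresh
    (datetime(2016, 4, 8, 7, 24, 0), 999, "nobody"),         # code in no list: ignored
]

if __name__ == "__main__":
    cfg = load_casp()
    for name, value in plan_refresh(cfg, AUDIT_EVENTS).items():
        print(f"{name}: {value}")
    print(provisionable_groups(cfg, ["Vault Admins", "PSMMaster", "DR Users"]))
```

Removing the two last_run lines from the text (as step 7.j.ii instructs) flips next_load_mode to FULL and makes plan_refresh stop filtering by time, which is the behaviour the appendix describes for the next load.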
APPENDIX B - DATA MODEL – CYBERARK OBJECTS
USERS
These are internal or external (residing in Active Directory) users that can log on to CyberArk. They can be human users or applications (which, once defined, become users).
The Privileged Account Security solution transparently supports users and groups of users whose details are stored externally in LDAP-compliant directories. In order to maintain the typically high level of security in the Vault, the security attributes of LDAP users and groups are managed internally. LDAP groups are created when groups that are defined in one or more external directories are added as Safe Owners or as members of a regular group in the CyberArk Vault.
A Directory Map determines whether a user or group may be created in the Vault, and according to which criteria. Each Map contains a rules list that specifies the users and groups who can access the Vault, and a template that contains the security attributes and authorizations applied when an LDAP user is created. During installation, the Privileged Account Security solution creates built-in directory maps for the most common Privileged Account Security solution users. You can use these directory maps immediately, modify them with mapping rules according to your enterprise standards, or create new directory maps.
Security attributes and authorizations of an LDAP user or group cannot be modified in the same way as those of a user or group created directly in the Vault. LDAP users and groups are based on the template that is created as part of the Directory Map, and any changes must be made there. The LDAP user's properties are updated by the Directory Map each time the user logs on to the Vault. Personal details are retrieved from the external directory each time the user authenticates to the Vault, and therefore cannot be modified in the Vault, only in the LDAP directory.
USER AUTHORIZATIONS (AUTH)
User authorizations determine which tasks users can perform in the Vault. Each user is given only the authorizations they require and no others. This helps to achieve segregation of duties and provides a flexible methodology for controlling management tasks in the Vault. The possible authorizations are:
Activate Users : Authorization to activate or deactivate trusted network areas for users at the same level or lower on the Vault hierarchy.
Safes : Authorization to add Safes in the Vault.
Users : Authorization to add and update users, manage network areas, and manage Locations at the same level or lower on the Vault hierarchy.
Rules : Authorization to add, update, and remove directory maps that manage users transparently in the Vault.
Audit : Authorization to track user activities in the Vault.
Backup : Authorization to run backup procedures.
Categories : Authorization to add, update, and remove file categories in the Vault.
Networks : Authorization to add, update, and remove network areas in the Vault that specify from where the Vault can be accessed.
Reset : Authorization to reset users' passwords and set the "Password Must Change at Next Logon" flag for users at the same level or lower on the Vault hierarchy.
Restore : Authorization to run restore procedures.
GROUPS
A Group is a collection of users who have the same authorizations. By defining a Group you can give all the users in the Group the same authorizations collectively. Likewise, when you update the authorizations of a Group, the authorizations of each member of the Group are affected. Users who are members of several Groups that own the same Safe will have either the authorizations of the first group that was added as an Owner of the Safe, or a combination of the authorizations of all the groups they belong to, depending on how the Vault is configured. However, if the user is an independent Owner of the same Safe, his own authorizations override those of the Group.
SAFES
The Vault gives you the flexibility to organize password objects according to individual organizational requirements and store them in different Safes. For example, an organization might decide to organize its password objects according to departments, and would then create a Safe for each department where all the password objects for that department are stored. By organizing accounts in different Safes, you can limit access to them. So, in the scenario above, only those who manage the Windows accounts would have access to the Windows Accounts Safe, while only those who manage the Unix accounts would have access to the Unix Accounts Safe. In addition, only authorized users have access to a given password object. As authorizations are given to each Safe member separately, some users will only be able to view a password object, while others will be able to modify its properties.
SAFE PERMISSIONS
Users or groups who have access to Safes are called Safe Members. Each Safe member is given permissions in the Safe that enable them to perform tasks on the accounts and files in the Safe. These permissions are given to each Safe member individually, which gives you the flexibility to grant different permissions to different users or Groups. Each Safe member can be given a unique set of permissions that fits exactly their tasks and is not relevant to any other Safe member.
Below is a list of permissions that can be given to Safe members. Each entry gives the permission name, followed by what it enables the Safe member to do:

List: View account lists.

Retrieve: Retrieve and view accounts in the Safe. Basically, this gives the Safe member the ability to Show or Copy the password/credential.

Use: Use accounts in the Safe. Users who have this authorization can do the following:
- Log onto a remote machine transparently through a PSM connection from the Accounts List by clicking the Connect with icon.
- Log onto a remote machine transparently through a PSM connection from the Account Details page or the Versions tab by clicking the Connect button.
Note: To log onto remote machines transparently through a non-PSM connection, users require the 'Retrieve' permission as well.

Create object: Add accounts in the Safe.

Store: Change password values as well as the contents of files. Users who have this authorization can do the following:
- Change password values manually in the Account Details page by clicking the Change button.
- Undelete accounts in the Account Details page of the deleted account by clicking the Undelete button. This is only relevant during the file retention period.
- Manage password copies that are linked to accounts and are stored in the same Safe by clicking Add or Edit in the Password usage tab.
- Upload files to the Vault by clicking the Upload button in the Files Details page.

Update object properties: Update existing account properties. This does not include adding new accounts or updating password values.

Delete: Delete existing accounts in the Safe.

Administer: Update Safe properties, recover the Safe and delete the Safe.

Backup: Create a backup of a Safe and its contents, and store it in another location.

Manage owners: Add and remove Safe members, and update their authorizations in the Safe. Users who have this authorization can also modify permissions for accounts stored in Safes configured for Object Level Access Control, in the Permissions tab of the Account Details page.

Access no confirmation: Access the Safe without confirmation from authorized users. This overrides the Safe properties that specify that Safe members require confirmation to access the Safe.

Validate safe content: Override content validation and change the status of a file.

Initiate CPM change: Initiate password management operations through the CPM, such as changing, verifying and reconciling passwords. Users who have this authorization can initiate CPM password management operations in the Accounts List and the Search results page, as well as in the Account Details page, by clicking Change, Verify or Reconcile on the toolbar. In the Change Password window, the 'Manually selected password' option will be enabled if the user also has the 'Determine next password value' authorization.

Initiate CPM change with manual password: Specify the password that will be used when the CPM changes the password value. Users who have this authorization can specify the next password that will be used as a password value in the Change Password and Immediate Change Password pages. If the user does not have this authorization, the 'Manually selected password' option will be disabled and the CPM will set a new randomly generated password. Note: This authorization can only be given to users who have the Initiate CPM password management operations ('Initiate CPM change') authorization.

Create folder: Create folders in the Safe.

Delete folder: Delete folders from the Safe.

Move from / Move into: Move accounts and folders in the Safe to different folders and subfolders.

View audit: View password and user activity in the Safe. Users who have this authorization can do the following:
- View the Activities tab for a selected account or file in the Account Details or File Details page.
- Generate the Safe Activities and Active/Non-active Safes reports in the PrivateArk Administrative Client.

View permissions: View Safe members' permissions. Users who have this authorization can also do the following:
- View the Permissions tab for accounts stored in Safes configured for Object Level Access Control in the Account Details page.
- Generate the Owners List and Entitlement reports in the PrivateArk Administrative Client.

Events list: List internal events generated by activities done in the Safe.

Add events: Generate events in the Safe.

Unlock object: Unlock accounts that are locked by other users. Users who have this authorization can do the following:
- Unlock accounts that are locked by other users in the Account Details page by clicking Release on the toolbar. This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
- Unlock accounts that are locked by other users in the Advanced section of the Edit Account page by clicking Release. This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
- Unlock files that are locked by other users in the File Details page by clicking Unlock on the toolbar.

Rename object: Rename existing accounts in the Safe in the Advanced section of the Edit Account page.

Supervise: Give "confirmation" to a Safe member requesting permission to enter a Safe. Users also require the 'List' authorization to see the Request details of the requests waiting for their confirmation.
APPENDIX C - SAILPOINT STI TABLES
Each table below lists its columns as column name (type): description.

CYBERARKUSER
Name (String): User name / ID
firstname (String): First name
lastname (String): Last name
updatedBySource (String): Timestamp when created or updated
ldap (String): 0 or 1, indicating whether or not the user is an external user in Active Directory/LDAP
disabled (String): 0 or 1, indicating whether or not the user is disabled
type (String): User Type, either "USER" or "EXTERNAL USER"
homestreet (String): Home address information: Street
homecity (String): Home address information: City
homestate (String): Home address information: State
homecountry (String): Home address information: Country
homezip (String): Home address information: ZIP or Postal Code
homephone (String): Home phone number
workstreet (String): Office address information: Street
workcity (String): Office address information: City
workstate (String): Office address information: State
workcountry (String): Office address information: Country
workzip (String): Office address information: ZIP or Postal Code
workphone (String): Office phone number
cellular (String): Cellular phone number
fax (String): Fax number
pager (String): Pager number
hemail (String): Home or personal email address
email (String): Main email address
oemail (String): Other email address
jobtitle (String): Job title
organization (String): Organization
department (String): Department
profession (String): Profession
notes (String): Comments/Notes
expirationdate (String): User expiration date
auth (String): 0 or 1, indicates whether or not the user logs onto the Vault with a password
change (String): 0 or 1, indicates that the user must change his password the next time he logs onto the Vault
neverexpires (String): 0 or 1, indicates that the user's password will never be expired automatically
ldapfulldn (String): The full LDAP DN of the user in the external directory to which the external user belongs
ldapdirectory (String): The name of the LDAP external directory to which the external user belongs
typeid (String): User type ID
nonallowedclients (String): List of clients (CyberArk interfaces) that the user is not authorized to access

CYBERARKUSERTYPE
id (Int): Internal User Type ID
TypeName (String): User Type Name (Code)
TypeDescription (String): User Type Description

CYBERARKGROUP
groupName (String): Group name
description (String): Description
updatedBySource (String): Timestamp when created or updated
type (String): Group Type, either "GROUP" or "EXTERNAL GROUP"
ldapfulldn (String): The full LDAP DN of the group in the external directory to which the external group belongs
mapname (String): The name of the Directory Map applied to the external group
ldapdirectory (String): The name of the LDAP external directory to which the external group belongs
externalgroup (String): 0 or 1,

CYBERARKGROUPMEMBER
groupName (String): Group name
updatedBySource (String): Timestamp when created or updated
memberName (String): User or Group name of the group member

CYBERARKAUTHORIZATION
Auth (String): Authorization
description (String): Description

CYBERARKUSERAUTHORIZATION
Name (String): User name
Auth (String): Authorization

CYBERARKSAFE
safeName (String): Safe Name
description (String): Description
requireReason (String): YES or NO, whether or not a user is required to supply a reason before files and content can be retrieved from this Safe (for v7.x Vaults)
enforceExclusives (String): YES or NO, whether or not the Safe enforces exclusive passwords mode (for v7.x Vaults)
OLAC (String): YES or NO, indicates whether or not Object Level Access Control (OLAC) is enabled for the Safe
updatedBySource (String): Timestamp when created or updated

CYBERARKSAFEPERMISSION
Id (Integer): Internal Unique ID
ownerName (String): User or Group having the permission on the particular Safe
safeName (String): Safe Name
Permission (String): Permission on the Safe
updatedBySource (String): Timestamp when created or updated

CYBERARKSAFEROLE
Name (Integer): Role Name
instanceNameFormat (String): Format used to assign an entitlement name to each Safe entitlement instance. Use %SAFE% to substitute the particular Safe name.
Description (String): Description
includesPermissionSet (String): Comma-separated list of Safe permissions that are required for the role
excludesPermissionSet (String): Comma-separated list of Safe permissions that must not be part of the role

CYBERARKSAFEENTITLEMENT
ownerName (String): User or Group having the Safe entitlement
safeName (String): Safe Name
safeRole (String): Safe Role
Description (String): Description
allPermissions (String): All permissions found in the entitlement
entitlementName (String): Entitlement Name (unique in combination with ownerName); follows instanceNameFormat from CYBERARKSAFEROLE
cnt_allpermissions (Integer): Quantity of permissions
cnt_includedPermission (Integer): Quantity of permissions matching the includesPermissionSet list
cnt_excludedPermission (Integer): Quantity of permissions matching the excludesPermissionSet list
includesPermissionSet (String): Comma-separated list of Safe permissions that are required for the role
excludesPermissionSet (String): Comma-separated list of Safe permissions that must not be part of the role

CYBERARKTARGET
safeName (String): Safe Name
internalID (String): Internal ID for target
folder (String): Folder
idProperties (String): Values for properties that could make up the unique ID
otherProperties (String): Other properties
updatedBySource (String): Timestamp when created or updated
APPENDIX D: CYBERARK-SAILPOINT PROVISIONING DETAILS
The CyberArk-SailPoint integration allows for provisioning of the following objects:
- Vault Authorizations
- Safe Role Entitlements
- Groups
Each of these objects is represented as a requestable entitlement within the SailPoint system. These objects can be treated like any other requestable entitlement within SailPoint, allowing them to be part of workflows, policies, certifications, etc. The following entries describe how these objects are mapped into SailPoint entitlements, giving for each the CyberArk attribute, the SailPoint entitlement, a description and the provisioning details.

Vault Authorization (SailPoint entitlement: Auth)
Description: User authorizations determine which tasks users can perform in the Vault. They can be: Activate Users, Safes, Users, Rules, Audit, Backup, Categories, Networks, Reset, Restore.
Provisioning details: Provisioning actions will only take place for external users; actions for this attribute for internal users will be ignored.

Safe Role Entitlement (SailPoint entitlement: entitlementName)
Description: A Safe Role Entitlement is a set of permissions on a CyberArk Safe. The set (or Safe Role) is defined in the STI database (by using the CASP-APP-Custom.SQL file described previously in the installation section).
Provisioning details: Provisioning actions are accepted for all users, and optional external provisioning is available for Active Directory groups.

Groups (SailPoint entitlement: groupName)
Description: A Group is a collection of users within CyberArk. Groups can be either internal (local to CyberArk) or external (residing in Active Directory).
Provisioning details: Provisioning actions are available for both internal and external groups.
APPENDIX D - SAILPOINT: CYBERARK APPLICATION OBJECTS
USER: CYBERARKUSER
LEFT OUTER JOIN cyberarkuserauthorization ON cyberarkuser.Name = cyberarkuserauthorization.Name
LEFT OUTER JOIN cyberarkgroupmember ON cyberarkuser.Name = cyberarkgroupmember.memberName
LEFT OUTER JOIN cyberarkusertype ON cyberarkuser.typeid = cyberarkusertype.id
LEFT OUTER JOIN cyberarksafeentitlement ON (cyberarkuser.Name = cyberarksafeentitlement.ownerName OR ownerName IN (SELECT groupName FROM cyberarkgroupmember WHERE memberName = cyberarkuser.Name))
MERGING BY NAME
entitlementName
  o Type: AUTHORIZATION
  o Properties: Entitlement, Multi-Valued
groupName
  o Type: GROUP
  o Properties: Entitlement, Multi-Valued
Auth
  o Type: AUTHORIZATION
  o Properties: Entitlement, Multi-Valued

SAFE: CYBERARKSAFE
MERGING BY SAFENAME
accounts
  o Type: TARGET
  o Properties: Multi-Valued

AUTHORIZATION: CYBERARKAUTHORIZATION

SAFEROLEENTITLEMENT: CYBERARKSAFEENTITLEMENT
LEFT JOIN sti.cyberarkgroup ON cyberarksafeentitlement.ownerName = cyberarkgroup.groupName
LEFT JOIN sti.cyberarkuser ON cyberarksafeentitlement.ownerName = cyberarkuser.Name
COLUMN PROPERTIES
internalGroupSet
  o Type: String
  o Properties: Multi-Valued
externalGroupSet
  o Type: String
  o Properties: Multi-Valued
internalUserSet
  o Type: String
  o Properties: Multi-Valued
externalUserSet
  o Type: String
  o Properties: Multi-Valued

GROUP: CYBERARKGROUP
LEFT OUTER JOIN cyberarkgroupmember ON cyberarkgroup.groupName = cyberarkgroupmember.memberName
MERGING BY GROUPNAME
memberOf
  o Type: GROUP
  o Properties: Multi-Valued
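To make the CYBERARKSAFEROLE and CYBERARKSAFEENTITLEMENT tables and the USER object's join above concrete, here is an added Python example (not part of the integration package) that derives Safe role entitlement rows from constructed CYBERARKSAFEPERMISSION rows and then resolves a user's entitlements, held directly or through group membership, with an in-memory SQLite copy of the join. It assumes a role applies when every includesPermissionSet permission is held and none of the excludesPermissionSet ones is; the Safe, user, group and role names are made up.

```python
import sqlite3

# Constructed sample rows shaped like the STI tables above (not real Vault data).
SAFE_PERMISSIONS = [  # cyberarksafepermission: (ownerName, safeName, Permission)
    ("alice", "Windows-Prod", "List"), ("alice", "Windows-Prod", "Retrieve"),
    ("ops-admins", "Windows-Prod", "List"), ("ops-admins", "Windows-Prod", "Retrieve"),
    ("ops-admins", "Windows-Prod", "Administer"), ("ops-admins", "Windows-Prod", "Manage owners"),
    ("bob", "Unix-Prod", "List"), ("bob", "Unix-Prod", "Retrieve"),
]
SAFE_ROLES = [  # cyberarksaferole: (Name, instanceNameFormat, includesPermissionSet, excludesPermissionSet)
    ("SafeViewer", "%SAFE%-Viewer", "List,Retrieve", "Administer,Manage owners"),
    ("SafeAdmin", "%SAFE%-Admin", "Administer,Manage owners", ""),
]
GROUP_MEMBERS = [("ops-admins", "bob")]  # cyberarkgroupmember: (groupName, memberName)

def derive_safe_entitlements(perms=SAFE_PERMISSIONS, roles=SAFE_ROLES):
    """Build cyberarksafeentitlement rows. Assumed matching rule: a role applies to an
    (owner, safe) when every includesPermissionSet entry is held and none of the
    excludesPermissionSet entries is; the cnt_* columns are filled in as described."""
    held = {}
    for owner, safe, perm in perms:
        held.setdefault((owner, safe), set()).add(perm)
    rows = []
    for (owner, safe), have in sorted(held.items()):
        for name, fmt, inc, exc in roles:
            inc_set = set(filter(None, inc.split(",")))
            exc_set = set(filter(None, exc.split(",")))
            cnt_inc, cnt_exc = len(have & inc_set), len(have & exc_set)
            if cnt_inc == len(inc_set) and cnt_exc == 0:
                rows.append((owner, safe, name, fmt.replace("%SAFE%", safe),
                             ",".join(sorted(have)), len(have), cnt_inc, cnt_exc))
    return rows

def user_entitlement_names(user, entitlements=None, members=GROUP_MEMBERS):
    """Resolve a user's Safe role entitlements the way the USER object's join does:
    owned directly by the user, or by a group the user is a member of."""
    rows = derive_safe_entitlements() if entitlements is None else entitlements
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cyberarksafeentitlement (ownerName, safeName, safeRole, "
               "entitlementName, allPermissions, cnt_allpermissions, "
               "cnt_includedPermission, cnt_excludedPermission)")
    db.execute("CREATE TABLE cyberarkgroupmember (groupName, memberName)")
    db.executemany("INSERT INTO cyberarksafeentitlement VALUES (?,?,?,?,?,?,?,?)", rows)
    db.executemany("INSERT INTO cyberarkgroupmember VALUES (?,?)", members)
    cur = db.execute(
        "SELECT entitlementName FROM cyberarksafeentitlement WHERE ownerName = ? "
        "OR ownerName IN (SELECT groupName FROM cyberarkgroupmember WHERE memberName = ?) "
        "ORDER BY entitlementName", (user, user))
    return [r[0] for r in cur.fetchall()]
```

With the sample data, bob holds Unix-Prod-Viewer directly and Windows-Prod-Admin through the ops-admins group, which is exactly the indirect path a certification reviewer needs to see when judging a user's Safe access.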