# CyberArk

## Overview

The CyberArk integration enables Veza to discover and analyze identities, applications, and permissions across the CyberArk Security Platform. This integration provides visibility into user access patterns, application assignments, and role-based permissions managed through CyberArk components.

### Supported components

**CyberArk Identity** - Cloud-based identity management platform

* **Identity visibility** across all managed users, groups, and applications
* **Role and permission mapping** to understand access grants and inheritance
* **Automatic identity correlation** with Azure AD and Active Directory when used as directory services
* **Cross-service identity correlation** to connect identities with other systems in your Access Graph
* **Access reviews** for compliance and governance workflows

**CyberArk Privilege Cloud** - Privileged access management platform

* **Discovery and analysis** for privileged account containers
* **Privileged account visibility** with granular permission mapping
* **Cross-service effective permissions** connecting external IdP users and groups to Privilege Cloud resources
* **Privilege analysis** across 20+ distinct safe permission types

See [supported entities](#supported-entities) for detailed information about each component's capabilities.

## Integration configuration

The CyberArk integration uses a unified OAuth2 configuration to connect to both CyberArk Identity and CyberArk Privilege Cloud components. Both components share the same authentication credentials but access different API endpoints within the CyberArk environment.

## CyberArk Identity configuration

Before configuring the integration in Veza, you need to enable API access in your CyberArk Identity tenant with OAuth2 client credentials authentication.

### Prerequisites

{% hint style="warning" %}
Ensure you have the required administrative access before beginning the setup process.
{% endhint %}

* Permission to add CyberArk integrations in Veza
* Administrator access to the CyberArk Identity tenant
* Ability to create OAuth applications in CyberArk Identity
* Permissions to create service accounts or assign API access rights

### Required API access

{% hint style="info" %}
All four scopes listed below are required for full integration functionality. Use specific scopes rather than wildcards for security best practice.
{% endhint %}

* `Redrock/query` - For querying entities using Redrock interface
* `Roles` - For role definitions and assignments
* `Core` - For core administrative functions
* `UPRest` - For user and policy services

The following sections walk through the required setup steps in order: create a service user, give it a read-only role, create the OAuth application, locate your tenant URLs, and then add the integration in Veza.

### Creating a service user

Create a dedicated service user for the Veza integration. The service user's login name will be used as the **Client ID** and the password as the **Client Secret** when configuring the integration in Veza.

1. In CyberArk Identity, navigate to **Core Services** > **Users**
2. Click **Add User**
3. Enter the following details:
   * **Login name**: A unique identifier (e.g., `veza-integration`)
   * **Email**: Service account email address
   * **Display name**: A descriptive name (e.g., "Veza Integration Service")
4. Generate a strong password and store it securely
5. Enable the following options:
   * **Is service account**: Yes
   * **Password never expires**: Yes
   * **Is OAuth confidential client**: Yes
6. Click **Create User**

The new service user will appear under **All Service Users**. Because the password is set to never expire, CyberArk will not force rotation: rotate it on your own schedule and update the Client Secret in the Veza integration whenever you do.

### Creating a read-only role

Create a dedicated role with the minimum required permissions for the Veza integration:

1. Navigate to **Core Services** > **Roles**
2. Click **Add Role**
3. Enter a role name (e.g., "Veza Read Role")
4. Assign the following **Administration Rights**:
   * Read Only Role Management
   * Read Only System Administration
   * Read Only User Management
   * Read permissions for Risk Management machine identities dashboards
   * Read permissions for Risk Management pCloud dashboard
   * Read-only for settings
   * Read-only for Threat Detection and Response monitoring
   * Read-only permission for Domain customization in Administration space
5. Click **Save**

For more information on CyberArk Identity roles and administrative rights, see the [CyberArk Identity documentation](https://docs.cyberark.com/identity/).

### Assigning roles to the service user

Assign the required roles to the service user:

1. Navigate to the service user's profile in **Core Services** > **Users** > **All Service Users**
2. Open the **Administrative Rights** section
3. Assign the following roles:
   * The custom read-only role created above (e.g., "Veza Read Role")
   * **Privilege Cloud Auditors** (required for extracting Privilege Cloud data)
4. Save the changes

{% hint style="info" %}
The **Privilege Cloud Auditors** role is a built-in CyberArk role that provides read access to safes and privileged accounts. This role is required for the integration to discover Privilege Cloud entities.
{% endhint %}

The following screenshot shows the expected capabilities granted by the custom read-only role (named "Veza Read Role" in this example) together with the built-in Privilege Cloud Auditors role:

![Required administrative rights for the Veza service account.](/files/6Y1vUFtxeZOoF7uU8vYO)

Use the service user login name as the Client ID when configuring the integration in Veza. Provide the service user password as the Client Secret.

### Creating an OAuth application

1. **Access Admin Portal**
   * Log into CyberArk Identity
   * Switch from "Identity User Portal" to "Identity Administration"
2. **Create OAuth2 Client Application**
   * Navigate to **Apps & Widgets** > **Web Apps**
   * Click **Add Web Apps**
   * Go to the **Custom** tab
   * Next to **OAuth2 Client** application, click **Add**
   * Click **Yes** to add the application, then **Close** to exit the Application Catalog
3. **Configure Settings Page**
   * **Application ID**: Enter a unique identifier (e.g., `veza_oauth_client`)
   * **Application Name**: Enter a descriptive name (e.g., "Veza Integration Client")
   * **Application Description**: Enter a description for internal reference
4. **Configure General Usage Page**
   * **Client ID Type**: Select **Confidential**
     * A confidential client must present both its client ID and its client secret when requesting a token
   * **Issuer**: Leave as default
5. **Configure Tokens Page**
   * **Token Type**: Select **JwtRS256** (recommended)
   * **Auth Methods**: Select **Client Creds**
   * **Token Lifespan**: Set to more than 10 minutes (5 hours recommended)
     * Note: Token lifespan must exceed 10 minutes for APIs to work properly
6. **Configure Scope Page**
   * Add the four required API scopes: `Redrock/query`, `Roles`, `Core`, and `UPRest`
7. **Configure Permissions Page**
   * Add the role(s) whose members are allowed to obtain tokens from this OAuth client. Include the custom read-only role created above (e.g., "Veza Read Role") so that the Veza service user is covered
   * Ensure the selected roles carry the API access rights described earlier
   * Verify that the **Run** permission is enabled for each selected role; without it the service user cannot use the client
8. **Save Configuration**
   * Click **Save** to complete the OAuth2 client setup
   * Note the **Application ID** - this will be your **OAuth App Name** for Veza configuration

### Finding your CyberArk URLs

To configure the integration in Veza, you need your CyberArk Identity URL and Privilege Cloud URL.

**Identity URL:**

1. In CyberArk Identity, navigate to **Apps & Widgets** > **Web Apps**
2. Select your OAuth application
3. Go to the **General Usage** tab
4. The **Issuer** field contains your Identity URL (e.g., `https://abc1234.id.cyberark.cloud`)

**Privilege Cloud URL:**

The Privilege Cloud URL is derived from your CyberArk tenant subdomain. If you access the CyberArk UI at `https://yourcompany.cyberark.cloud/`, your Privilege Cloud URL is:

```txt
https://yourcompany.privilegecloud.cyberark.cloud
```
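Before entering anything into Veza, it is worth confirming from the CyberArk side that the service user, role, OAuth application and token settings above actually fit together. The script below is an added example (not Veza's or CyberArk's code): it builds a client-credentials token request against the OAuth application, checks the reply against the rules on this page (Bearer token, lifespan above 10 minutes, all four scopes granted), and then issues a minimal Redrock query with the token. It assumes, as CyberArk Identity conventions not stated on this page, that the token endpoint is `<Identity URL>/oauth2/token/<Application ID>`, that the client ID and secret are sent as HTTP Basic credentials, that Redrock is served at `<Identity URL>/Redrock/query` with the `X-IDAP-NATIVE-CLIENT` header set, and that Redrock replies carry `success` and `Result.Results`. The sample token reply is constructed.

```python
"""Preflight check for the CyberArk side of the Veza setup (added example).

Assumptions not stated on the page: token endpoint <Identity URL>/oauth2/token/<app id>,
HTTP Basic client authentication, Redrock at <Identity URL>/Redrock/query with the
X-IDAP-NATIVE-CLIENT header, and a Redrock reply shaped {"success": ..., "Result": {"Results": [...]}}.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

REQUIRED_SCOPES = ("Redrock/query", "Roles", "Core", "UPRest")
MIN_TOKEN_LIFETIME_S = 10 * 60  # the page requires a token lifespan above 10 minutes


def build_token_request(identity_url, app_id, client_id, client_secret, scopes=REQUIRED_SCOPES):
    """Return (url, headers, body) for a client_credentials grant against the OAuth app."""
    url = f"{identity_url.rstrip('/')}/oauth2/token/{app_id}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": " ".join(scopes)}).encode()
    return url, headers, body


def check_token_response(resp):
    """Return a list of problems with a token reply; an empty list means it passed."""
    problems = []
    if "access_token" not in resp:
        problems.append("no access_token in response")
    if str(resp.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not Bearer")
    lifetime = int(resp.get("expires_in", 0))
    if lifetime <= MIN_TOKEN_LIFETIME_S:
        problems.append(f"token lifespan {lifetime}s does not exceed 10 minutes; raise it on the Tokens page")
    if "scope" in resp:  # only checkable when the server echoes the granted scopes
        granted = set(str(resp["scope"]).split())
        missing = [s for s in REQUIRED_SCOPES if s not in granted]
        if missing:
            problems.append("scopes not granted: " + ", ".join(missing))
    return problems


def build_redrock_request(identity_url, access_token,
                          script="Select ID, Username, ServiceUser, LastLogin from User"):
    """Return (url, headers, body) for a Redrock query over fields this page documents."""
    url = f"{identity_url.rstrip('/')}/Redrock/query"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json",
               "X-IDAP-NATIVE-CLIENT": "true"}
    return url, headers, json.dumps({"Script": script}).encode()


def post_json(url, headers, body):
    """Send one POST and decode the JSON reply (network access; only called from main)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of a successful token reply, used for the offline self-check.
SAMPLE_TOKEN_RESPONSE = {"access_token": "eyJ...", "token_type": "Bearer",
                         "expires_in": 18000, "scope": "Redrock/query Roles Core UPRest"}

if __name__ == "__main__":
    print("sample reply problems:", check_token_response(SAMPLE_TOKEN_RESPONSE) or "none")
    keys = ("CYBERARK_IDENTITY_URL", "CYBERARK_APP_ID",
            "CYBERARK_CLIENT_ID", "CYBERARK_CLIENT_SECRET")
    env = [os.environ.get(k) for k in keys]
    if all(env):  # live check runs only when all four variables are set
        token = post_json(*build_token_request(*env))
        problems = check_token_response(token)
        print("token problems:", problems or "none")
        if not problems:
            reply = post_json(*build_redrock_request(env[0], token["access_token"]))
            rows = reply.get("Result", {}).get("Results", [])
            print("redrock success:", reply.get("success"), "rows returned:", len(rows))
```

Run it with the four environment variables set to the Identity URL, the OAuth Application ID, and the service user's login name and password. A token reply that fails the lifespan check points at the Tokens page of the OAuth application; a `401` on the token request usually means the service user is not in a role selected on the Permissions page, or that role lacks **Run**; a token that works but a Redrock query that fails points at missing scopes or missing administrative rights on the read-only role.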

### Configuring CyberArk in Veza

Once you have created the service user, configured OAuth access, and identified your CyberArk URLs, enable the integration in Veza. The same configuration provides access to both CyberArk Identity and Privilege Cloud components.

1. In Veza, go to the **Integrations** page.
2. Click **Add Integration** and search for **CyberArk**. Click on it and click **Next** to add an integration.
3. Enter the required information.
4. Click **Create Integration** to save the configuration.

{% hint style="success" %}
Once configured, the integration will begin discovering users, groups, roles, and applications from CyberArk Identity, and safes and privileges from CyberArk Privilege Cloud.
{% endhint %}

| Field               | Notes                                                                                                                                                              |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Insight Point       | Choose whether to use the default data plane or a deployed Insight Point.                                                                                          |
| Name                | A friendly name to identify the unique integration (e.g., "CyberArk Identity - Production").                                                                       |
| Identity URL        | Your CyberArk Identity tenant URL in the format `https://<tenantID>.id.cyberark.cloud`. Found in the OAuth application's **Issuer** field under **General Usage**. |
| Privilege Cloud URL | Your CyberArk Privilege Cloud tenant URL in the format `https://<prefix>.privilegecloud.cyberark.cloud`.                                                           |
| Client ID           | The service user's **login name** created during the service user setup.                                                                                           |
| Client Secret       | The service user's **password** created during the service user setup.                                                                                             |
| OAuth App Name      | Application ID of the OAuth application created in CyberArk Identity - used in API endpoint URLs.                                                                  |

## Supported entities

This section details the entities and relationships supported by each CyberArk component.

### CyberArk Identity entities

The CyberArk Identity integration collects data using a combination of REST APIs and Redrock queries (CyberArk Identity's SQL-like interface). The integration focuses on identity and access management entities within the CyberArk Identity platform:

{% @mermaid/diagram content="graph TB
subgraph "External Identity Providers"
    AAD[Azure AD<br/>Tenant]
    AD[Active Directory<br/>Domain]
end

subgraph "CyberArk Identity Platform"
    CI[CyberArk Identity<br/>Instance]

    CI --> U[Users]
    CI --> G[Groups]
    CI --> R[Roles]
    CI --> A[Applications]

    U -.->|HAS_ROLE| R
    G -.->|HAS_ROLE| R
    R -.->|HAS_ROLE| R
    U -.->|Direct Access| A
end

subgraph "CyberArk Privilege Cloud Platform"
    CP[CyberArk Privilege Cloud<br/>Instance]

    CP --> S[Safes]
    S --> EP[Effective Permissions]
end

%% Identity Mapping Relationships
AAD -.->|ASSUMES_USER| U
AAD -.->|IS_GROUP| G
AD -.->|ASSUMES_USER| U
AD -.->|IS_GROUP| G
U -.->|HAS_EFFECTIVE_PERMISSION| EP
G -.->|HAS_EFFECTIVE_PERMISSION| EP" %}

**Supported Entity Types:**

CyberArk Identity:

* **Identity Instance** - The CyberArk Identity tenant
* **Users** - Individual user accounts and service accounts
* **Groups** - Groups with role assignments (discovered from role membership)
* **Roles** - Administrative and custom roles with permissions (supports role hierarchy)
* **Applications** - SSO-enabled applications and services

CyberArk Privilege Cloud:

* **Privilege Cloud Instance** - The CyberArk Privilege Cloud tenant
* **Safes** - Privileged account containers with permission sets
* **Effective Permissions** - Calculated access rights to safes for users and groups

### Users

Individual user accounts managed in CyberArk Identity, including both native CyberArk Identity directory users and users from external identity providers.

Users can hold direct role assignments and direct application assignments; both are represented in the graph as effective permissions. When CyberArk Identity uses Azure AD or Active Directory as a directory service, users are automatically correlated with their external IdP identities.

| Attribute                 | Notes                                                                                                     |
| ------------------------- | --------------------------------------------------------------------------------------------------------- |
| `display_name`            | User's display name from CyberArk Identity profile                                                        |
| `email`                   | Email address used for identity correlation across systems (sourced from CyberArk `SearchEmail` field)    |
| `is_active`               | Account status - true for active accounts, false for locked accounts (derived from CyberArk `UserStatus`) |
| `last_login_at`           | Timestamp of last successful authentication (converted from CyberArk `LastLogin` epoch time)              |
| `identity_type`           | Identity classification - "Human" or "NonHuman" (derived from CyberArk `ServiceUser` boolean)             |
| `login_name`              | User's login name - used for matching with Azure AD users via UPN                                         |
| `idp_unique_id`           | External IdP unique identifier - used for matching with Active Directory users via Distinguished Name     |
| `risk_level`              | CyberArk Identity-assigned risk level for the user                                                        |
| `security_question_count` | Number of configured security questions                                                                   |
| `security_question_set`   | Boolean indicating if security questions are configured                                                   |

### Groups

Groups discovered from CyberArk Identity role membership data. Groups represent collections of users from external directory services (Azure AD or Active Directory) that have been assigned roles within CyberArk Identity.

Groups can have role assignments and, through automatic identity mapping, can have effective permissions to CyberArk Privilege Cloud safes. When CyberArk Identity uses Azure AD or Active Directory as a directory service, groups are automatically correlated with their external IdP groups.

| Attribute       | Notes                                                                                                                                     |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `name`          | Group name as defined in CyberArk Identity                                                                                                |
| `idp_unique_id` | External IdP unique identifier - used for matching with Azure AD groups (by Object ID) or Active Directory groups (by Distinguished Name) |

### Roles

Role-based access control definitions within CyberArk Identity, including both system roles and custom organizational roles.

Roles define administrative permissions and capabilities within CyberArk Identity but do not directly grant application access. Instead, roles provide administrative rights for managing users, applications, and the platform itself. Roles support hierarchy - a role can contain other roles as members, enabling permission inheritance through nested role structures.

| Attribute     | Notes                                                                                                                              |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `description` | Role purpose and scope description                                                                                                 |
| `is_hidden`   | Boolean indicating if role is visible in standard interfaces                                                                       |
| `read_only`   | Boolean indicating if role can be modified                                                                                         |
| `role_type`   | Type classification (System, Custom, Administrative)                                                                               |
| `permissions` | List of CyberArk administrative rights assigned to the role (e.g., "All Rights", "Read Only User Management", "Report Management") |

### Applications

Applications and services managed through CyberArk Identity for single sign-on and access control.

Users gain access to applications through direct assignments rather than through role inheritance. Application access is managed independently from administrative role permissions.

| Attribute            | Notes                                                                              |
| -------------------- | ---------------------------------------------------------------------------------- |
| `display_name`       | User-friendly application display name (sourced from CyberArk `DisplayName` field) |
| `description`        | Application description and purpose                                                |
| `catalog_visibility` | Visibility settings in application catalog                                         |
| `category`           | Application category classification                                                |
| `on_prem`            | Boolean indicating on-premises vs cloud deployment                                 |
| `service_name`       | Technical service identifier                                                       |
| `state`              | Application deployment state (Active, Inactive, Disabled)                          |
| `version`            | Application version information                                                    |

### Identity instance

The CyberArk Identity tenant itself, representing the central identity platform that manages all users, groups, roles, and applications.

| Attribute            | Notes                                                                                                                         |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `name`               | Tenant name derived from the tenant URL                                                                                       |
| `id`                 | Unique tenant identifier generated by Veza                                                                                    |
| `tenant_url`         | CyberArk Identity tenant URL used for API connections                                                                         |
| `directory_services` | List of connected directory services (e.g., Azure AD, Active Directory) - determines automatic identity mapping configuration |

## CyberArk Privilege Cloud entities

The CyberArk Privilege Cloud integration discovers privileged access management entities including safes, safe members, and effective permissions. It establishes identity connections with CyberArk Identity users to provide comprehensive privilege analysis.

### Safes

Privileged account containers that group accounts with similar security requirements and access controls. Safes act as the primary resource boundaries within CyberArk Privilege Cloud.

Safes contain privileged accounts (such as administrator credentials, service accounts, and database users) and define who can access these accounts and what operations they can perform. Both individual user permissions and group permissions to safes are discovered and mapped to effective permissions.

| Attribute                      | Notes                                                              |
| ------------------------------ | ------------------------------------------------------------------ |
| `name`                         | Safe name as defined in CyberArk Privilege Cloud                   |
| `display_name`                 | User-friendly display name for the safe                            |
| `description`                  | Safe description and purpose                                       |
| `auto_purge_enabled`           | Boolean indicating if automatic purging of old versions is enabled |
| `is_expired_member`            | Boolean indicating if safe membership has expired                  |
| `managing_cpm`                 | Name of the Central Policy Manager (CPM) that manages this safe    |
| `number_of_versions_retention` | Number of account versions to retain                               |
| `number_of_days_retention`     | Number of days to retain account versions                          |
| `olac_enabled`                 | Boolean indicating if Object Level Access Control is enabled       |

### Effective permissions

Calculated access rights that CyberArk Identity users and groups have to specific CyberArk Privilege Cloud safes. These permissions represent the actual privileges a principal can exercise on privileged accounts within safes.

| Attribute        | Notes                                                                        |
| ---------------- | ---------------------------------------------------------------------------- |
| `resource_id`    | Unique identifier of the safe this permission applies to                     |
| `resource_type`  | Always "CyberArkSafe" for Privilege Cloud effective permissions              |
| `principal_id`   | CyberArk Identity user or group ID that has this permission                  |
| `principal_type` | "CyberArkUser" for user permissions or "CyberArkGroup" for group permissions |
| `datasource_id`  | Privilege Cloud datasource identifier                                        |
| `permissions`    | List of specific safe privileges granted to the principal                    |

**Supported Safe Privileges:**

CyberArk Privilege Cloud supports granular privilege control; the integration maps the 22 safe permission types listed below:

| Permission                                   | Description                                              |
| -------------------------------------------- | -------------------------------------------------------- |
| `Access Without Confirmation`                | Access privileged accounts without additional approval   |
| `Add Accounts`                               | Create new privileged accounts within the safe           |
| `Backup Safe`                                | Create backups of the safe and its contents              |
| `Create Folders`                             | Create organizational folders within the safe            |
| `Delete Accounts`                            | Remove privileged accounts from the safe                 |
| `Delete Folders`                             | Remove organizational folders from the safe              |
| `Initiate CPM Account Management Operations` | Trigger Central Policy Manager operations on accounts    |
| `List Accounts`                              | View the list of accounts within the safe                |
| `Manage Safe`                                | Full administrative control over the safe                |
| `Manage Safe Members`                        | Add, modify, or remove safe member permissions           |
| `Move Accounts and Folders`                  | Relocate accounts and folders within or between safes    |
| `Rename Accounts`                            | Change account names and identifiers                     |
| `Requests Authorization Level 1`             | First-level approval rights for access requests          |
| `Requests Authorization Level 2`             | Second-level approval rights for access requests         |
| `Retrieve Accounts`                          | Access and view privileged account credentials           |
| `Specify Next Account Content`               | Define content for account password changes              |
| `Unlock Accounts`                            | Unlock accounts that have been locked by the system      |
| `Update Account Content`                     | Modify privileged account passwords and secrets          |
| `Update Account Properties`                  | Change account metadata and properties                   |
| `Use Accounts`                               | Utilize privileged accounts for authenticated operations |
| `View Audit Log`                             | Access audit logs and activity history for the safe      |
| `View Safe Members`                          | See the list of users and groups with safe access        |
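To make the two preceding sections concrete, the following added example (not Veza's code) turns a Privilege Cloud safe-member record into the effective-permission shape documented above and flags grant combinations a reviewer would question, such as retrieving credentials without confirmation or being both requester and approver on the same safe. It assumes, as details not stated on this page, that the input is the member list from the Privilege Cloud safe-members REST API, whose per-member `permissions` object carries one boolean per privilege under the camelCase keys in the mapping, and that expiring memberships carry `isExpiredMembershipEnabled` plus an epoch-seconds `membershipExpirationDate`. The sample members are constructed.

```python
"""Decode Privilege Cloud safe-member grants and flag risky combinations (added example).

Assumptions not stated on the page: input records follow the Privilege Cloud
safe-members REST response (memberName, memberType, permissions{camelCase: bool},
isExpiredMembershipEnabled, membershipExpirationDate as epoch seconds).
"""
import time

# API permission key -> privilege name as listed in the table above (22 entries).
PRIVILEGE_NAMES = {
    "accessWithoutConfirmation": "Access Without Confirmation",
    "addAccounts": "Add Accounts",
    "backupSafe": "Backup Safe",
    "createFolders": "Create Folders",
    "deleteAccounts": "Delete Accounts",
    "deleteFolders": "Delete Folders",
    "initiateCPMAccountManagementOperations": "Initiate CPM Account Management Operations",
    "listAccounts": "List Accounts",
    "manageSafe": "Manage Safe",
    "manageSafeMembers": "Manage Safe Members",
    "moveAccountsAndFolders": "Move Accounts and Folders",
    "renameAccounts": "Rename Accounts",
    "requestsAuthorizationLevel1": "Requests Authorization Level 1",
    "requestsAuthorizationLevel2": "Requests Authorization Level 2",
    "retrieveAccounts": "Retrieve Accounts",
    "specifyNextAccountContent": "Specify Next Account Content",
    "unlockAccounts": "Unlock Accounts",
    "updateAccountContent": "Update Account Content",
    "updateAccountProperties": "Update Account Properties",
    "useAccounts": "Use Accounts",
    "viewAuditLog": "View Audit Log",
    "viewSafeMembers": "View Safe Members",
}


def effective_permission(safe_name, member, now=None):
    """Map one safe member to an effective permission; None if the membership has expired."""
    now = time.time() if now is None else now
    if member.get("isExpiredMembershipEnabled") and member.get("membershipExpirationDate", 0) < now:
        return None  # expired grants confer nothing, so they are not emitted
    grants = member.get("permissions", {})
    names = sorted(PRIVILEGE_NAMES[k] for k, on in grants.items() if on and k in PRIVILEGE_NAMES)
    return {
        "resource_id": safe_name,
        "resource_type": "CyberArkSafe",
        "principal_id": member["memberName"],
        "principal_type": "CyberArkGroup" if member.get("memberType") == "Group" else "CyberArkUser",
        "permissions": names,
    }


def risk_findings(ep):
    """Flag grant combinations worth a reviewer's attention; empty list means nothing notable."""
    p = set(ep["permissions"])
    findings = []
    if "Retrieve Accounts" in p and "Access Without Confirmation" in p:
        findings.append("retrieves credentials without dual-control approval")
    if p & {"Manage Safe", "Manage Safe Members"}:
        findings.append("can alter safe membership (self-grant path)")
    if p & {"Update Account Content", "Specify Next Account Content"}:
        findings.append("can change stored credentials")
    approver = p & {"Requests Authorization Level 1", "Requests Authorization Level 2"}
    if approver and "Retrieve Accounts" in p:
        findings.append("is both a requester and an approver on this safe")
    return findings


def analyze_safe_members(safe_name, members, now=None):
    """Return [(effective_permission, findings)] for every non-expired member of a safe."""
    results = []
    for member in members:
        ep = effective_permission(safe_name, member, now)
        if ep is not None:
            results.append((ep, risk_findings(ep)))
    return results


# Constructed sample: one user with unconfirmed retrieval, one approver group, one expired user.
SAMPLE_MEMBERS = [
    {"memberName": "alice@example.com", "memberType": "User",
     "permissions": {"useAccounts": True, "retrieveAccounts": True, "listAccounts": True,
                     "accessWithoutConfirmation": True, "viewAuditLog": False}},
    {"memberName": "DBA-Approvers", "memberType": "Group",
     "permissions": {"listAccounts": True, "requestsAuthorizationLevel1": True,
                     "viewSafeMembers": True}},
    {"memberName": "bob@example.com", "memberType": "User",
     "isExpiredMembershipEnabled": True, "membershipExpirationDate": 1700000000,
     "permissions": {"retrieveAccounts": True, "listAccounts": True}},
]

if __name__ == "__main__":
    for ep, findings in analyze_safe_members("Prod-DB-Admins", SAMPLE_MEMBERS):
        print(ep["principal_type"], ep["principal_id"], ep["permissions"], findings or "-")
```

The findings are deliberately conservative: a group holding only `List Accounts` and an approval level produces nothing, while a single principal that can both retrieve a credential and bypass confirmation is reported because dual control no longer applies to it. Extend `risk_findings` with whatever combinations your own safe design treats as separation-of-duty violations.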

### Privilege Cloud instance

The CyberArk Privilege Cloud tenant itself, representing the central privileged access management platform.

| Attribute      | Notes                                                        |
| -------------- | ------------------------------------------------------------ |
| `name`         | Tenant name derived from the Privilege Cloud URL             |
| `id`           | Unique tenant identifier generated by Veza                   |
| `instance_url` | CyberArk Privilege Cloud tenant URL used for API connections |

## Identity mapping

Veza provides both automatic and custom identity correlation between CyberArk Identity and external Identity Providers.

### Automatic identity mapping

When CyberArk Identity is configured to use Azure AD or Active Directory as a directory service, Veza automatically creates identity mappings to correlate identities:

**Azure AD Integration:**

When Azure AD is configured as a CyberArk Identity directory service, Veza automatically attempts to link identities using the following logic:

* **Users**: Azure AD users are linked to CyberArk Identity users by matching the Azure AD User Principal Name (UPN) with the CyberArk user's `login_name`
* **Groups**: Azure AD groups are linked to CyberArk Identity groups by matching the Azure AD Group Object ID with the CyberArk group's `idp_unique_id`

**Active Directory Integration:**

When Active Directory is configured as a CyberArk Identity directory service:

* **Users**: Active Directory users are linked to CyberArk Identity users by matching the AD user's Distinguished Name with the CyberArk user's `idp_unique_id`
* **Groups**: Active Directory groups are linked to CyberArk Identity groups by matching the AD group's Distinguished Name with the CyberArk group's `idp_unique_id`

{% hint style="info" %}
These identity mappings are created automatically when both integrations are configured in Veza. No additional configuration is required.
{% endhint %}

### Custom identity mappings

For other Identity Providers or custom matching requirements, you can configure [custom identity mappings](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md) within an Identity Provider configuration to correlate identities based on a mapping field such as unique id, email, or a more complex matching pattern.


