CyberArk PAM

Visualize CyberArk PAM users, groups, safes, privileged accounts, platforms, and applications in JupiterOne. Map CyberArk users to employees, monitor safe access assignments, and track privileged account management through queries and alerts.

Installation

To install this integration, you need to configure settings both in CyberArk PAM and in JupiterOne. Complete the setup in your CyberArk PAM environment before enabling the integration in JupiterOne.

Configuration on CyberArk PAM

Note: A CyberArk PAM user's Base URL, Username, and Password are required for the JupiterOne integration to interact with CyberArk PAM.

The integration authenticates using the CyberArk PAM REST API (v14.6+). An administrator of the CyberArk PAM vault will need to create or designate a user account for JupiterOne with the appropriate permissions.

To configure a CyberArk PAM user for use with JupiterOne:

  1. Log in to the CyberArk PrivateArk Client or PVWA (Password Vault Web Access).
  2. Create a new CyberArk user or designate an existing user for JupiterOne.
  3. Assign the user the following minimum vault-level authorizations:
    • List Accounts — required to enumerate users and groups.
    • Audit Users — required to retrieve user details.
  4. For each safe you want JupiterOne to ingest, add the JupiterOne user as a safe member with the following permission:
    • View Safe Members — required to list members of a safe.
  5. Note the Base URL of your CyberArk PVWA instance (e.g., https://cyberark.example.com).

Info: The integration supports CyberArk, LDAP, RADIUS, and Windows authentication methods. The default authentication type is Cyberark. If your environment uses a different authentication method, you can specify it in the JupiterOne configuration.

Note: The integration automatically appends /PasswordVault to the base URL if it is not already present. Do not include a trailing slash.

Permissions

The API user requires the following permissions to ingest all supported resources:

Resource             Required Permission
Users                Vault-level List Accounts and Audit Users
Groups               Vault-level List Accounts
Safes                Vault-level List Accounts
Safe Members         Safe-level View Safe Members on each target safe
Privileged Accounts  Safe-level List Accounts on each target safe
Platforms            Vault-level List Accounts
Applications         Vault-level List Accounts

Note: If the API user lacks permissions for a specific resource, the integration will log a warning and continue ingesting other resources rather than failing entirely.
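Because a missing permission produces a warning rather than a failed run, a gap shows up only as absent data. The Python check below is an added example, not JupiterOne or CyberArk code: it compares a constructed description of the API user's grants against the table above and reports which resources would be skipped for each safe and which grants exceed the table's minimum. The function names, safe names and the extra "Retrieve Accounts" grant are assumptions made for illustration.

```python
# Added example; all names are hypothetical, not JupiterOne or CyberArk code.
# Requirements transcribed from the Permissions table on this page.
VAULT_REQUIREMENTS = {
    "Users": {"List Accounts", "Audit Users"},
    "Groups": {"List Accounts"},
    "Safes": {"List Accounts"},
    "Platforms": {"List Accounts"},
    "Applications": {"List Accounts"},
}
SAFE_REQUIREMENTS = {
    "Safe Members": {"View Safe Members"},
    "Privileged Accounts": {"List Accounts"},
}

def ingestion_gaps(vault_auths, safe_perms, target_safes):
    """Map (resource, safe or None) -> permissions missing for that resource."""
    gaps = {}
    for resource, needed in VAULT_REQUIREMENTS.items():
        missing = needed - set(vault_auths)
        if missing:
            gaps[(resource, None)] = missing
    for safe in target_safes:
        granted = set(safe_perms.get(safe, ()))  # not a safe member: nothing granted
        for resource, needed in SAFE_REQUIREMENTS.items():
            missing = needed - granted
            if missing:
                gaps[(resource, safe)] = missing
    return gaps

def excess_grants(vault_auths, safe_perms):
    """Grants beyond what the table requires, as (scope, permission) pairs."""
    vault_needed = set().union(*VAULT_REQUIREMENTS.values())
    safe_needed = set().union(*SAFE_REQUIREMENTS.values())
    excess = {("vault", p) for p in set(vault_auths) - vault_needed}
    for safe, perms in safe_perms.items():
        excess |= {(safe, p) for p in set(perms) - safe_needed}
    return excess

if __name__ == "__main__":
    # Constructed sample: a user set up exactly as in setup steps 3 and 4,
    # plus one extra safe permission that the table does not call for.
    vault = {"List Accounts", "Audit Users"}
    safes = {"Prod-DB": {"View Safe Members"},
             "Prod-Net": {"View Safe Members", "Retrieve Accounts"}}
    gaps = ingestion_gaps(vault, safes, ["Prod-DB", "Prod-Net", "Lab"])
    for key, missing in sorted(gaps.items(), key=str):
        print("skipped:", key, "missing:", sorted(missing))
    print("excess:", sorted(excess_grants(vault, safes)))
```

With the sample grants, every safe reports Privileged Accounts as skipped, because the safe-member permission listed in step 4 does not include the safe-level List Accounts permission that the table requires for that resource.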

Configuration in JupiterOne

To install the CyberArk PAM integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select CyberArk PAM. Click New Instance to begin configuring the integration.

Creating a CyberArk PAM instance requires the following:

  • The Account Name used to identify the CyberArk PAM account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Enter the Base URL for your CyberArk PVWA instance (e.g., https://cyberark.example.com). Do not include /PasswordVault — it is appended automatically.

  • Enter the Username of the CyberArk user designated for JupiterOne.

  • Enter the Password for the CyberArk user designated for JupiterOne.

  • Optionally, enter the Authentication Type if your environment uses a method other than the default CyberArk authentication (e.g., LDAP, RADIUS, or Windows).

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.