Manage privileged accounts and related objects with SCIM endpoints
This section describes how the CyberArk Identity SCIM server provides API endpoints for SCIM-compliant clients (for example, an identity and access governance solution such as SailPoint) to manage privileged accounts and their related objects in CyberArk Privilege Cloud.
What is the SCIM extension for PAM?
In addition to managing users and groups for privileged access, Privileged Access Management (PAM) solutions require the management of additional objects such as containers, container permissions, and privilege data that define the authorizations required for privileged users. The SCIM 2.0 extension for PAM includes extensions to these new resource types and schemas for standard PAM constructs. See the SCIM extension for PAM spec for more information about this extension.
- See Privilege Cloud documentation for details on how to integrate Privilege Cloud with an Identity Governance and Administration (IGA) platform using the CyberArk Identity SCIM server.
- See PAM documentation for details on how to integrate self-hosted Privileged Access Management (PAM) with an Identity Governance and Administration (IGA) platform using the CyberArk Identity SCIM server.
You must choose either Privilege Cloud or PAS. Integrating with both solutions at the same time is not currently supported.
SCIM endpoints
The CyberArk Identity SCIM server currently supports Containers, ContainerPermissions, and PrivilegedData to manage privileged accounts and related objects.
Managing users or groups in Privilege Cloud or PAM requires the SCIM service user to be in a role with the Vault Management administrative right. See Configure the SCIM server for more information.
See the Privilege Cloud or PAM documentation for details on supported request methods for each endpoint.