Identity Administration

This topic describes how to set up the credential management plugin that manages access credentials for Identity Administration from the Privilege Cloud Portal.

Prerequisites

  • This plugin supports human users (non-Service users) that are created manually in the Identity Administration portal, also known as CyberArk Cloud users.

  • This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

  • If MFA is required for the target or reconcile account, the minimum requirements for the MFA configuration are:

    • OATH OTP is enabled in Identity Administration. See Enable the OTP policy and Import OATH tokens in bulk.

    • OATH OTP is configured for the target/reconcile account profile:

      1. In Identity Administration, select Settings > Authentication.

      2. In Authentication Profiles, open the profile used for the relevant target/reconcile account.

      3. For both Challenge 1 and Challenge 2, ensure the following are selected: OATH OTP Client & Password.

      For details on configuring authentication profiles, see Configure MFA for Identity Administration.

Support

Platforms

The Identity Administration plugin supports the CyberArk Identity Security platform.

Actions

The following table lists the supported password management actions for this platform:

Action     Supported  Permissions
Verify     Yes        Sign in to the Identity Administration portal.
Change     Yes        Sign in to the Identity Administration portal.
                      Enable password reset permission.
Reconcile  Yes        Sign in to the Identity Administration portal.
                      User management permission.
Delete     No         N/A

Connection Components

The Privileged Session Management - Identity Administration connection component is used with accounts managed by this plugin. See Privileged Session Management (PSM) - Identity Administration connector.

Logon account

Action  Supported  Required                                             Platform  Permissions
Change  Yes        Yes (only if MFA is enabled for the target account)  Any       N/A

Reconcile account

Action     Supported  Required  Platform                                             Permissions
Reconcile  Yes        Yes       CyberArk Identity Security Platform Shared Services  See below

The user must have the following permissions:

  • Log in to the Identity Administration portal. This means any CyberArk Cloud user (manually created non-Service user) that is assigned a Privilege Cloud role.

  • User management right. This means users assigned to the Privilege Cloud Administrator role.

Logon account for reconcile account

Action     Supported  Required                                                Platform  Permissions
Reconcile  Yes        Yes (only if MFA is enabled for the reconcile account)  Any       N/A

Platform settings

Define the following platform parameters on the account:

Parameter             Description
AllowedTenantDomains  Defines the domains permitted in the account's Address parameter.
                      Value separator: |
                      Accepted values: Permitted CyberArk Platform domains
                      Default value: cyberark.cloud

Account settings

Define the following account parameters on the account:

Parameter  Description
Username   The user name used to sign in to the CyberArk Identity Security Platform Shared Services portal. Users log in with <Login Name>@<Suffix>. See Collect setup details and sign in to the ISPSS user portal.
           Required: Yes
           Default value: None
Address    The CyberArk Identity Security Platform Shared Services address.
           Format: <subdomain>.cyberark.cloud
           Accepted values: Any address using a permitted suffix from the AllowedTenantDomains platform parameter.
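As an added example (not the plugin's own validation code), the following Python checks an account Address against an AllowedTenantDomains value: it splits the value on the | separator and matches a permitted suffix only on a label boundary, so that a lookalike host such as evil-cyberark.cloud is not accepted by a loose suffix match. The function names and the sample hostnames are assumptions.

```python
# Added example, not the plugin's own validation code: checks an account Address
# against the AllowedTenantDomains platform parameter described above.

DEFAULT_ALLOWED = "cyberark.cloud"  # default value of AllowedTenantDomains
SEPARATOR = "|"                     # value separator used by the parameter


def parse_allowed_domains(value: str) -> list:
    """Split the '|'-separated parameter value into normalised, non-empty suffixes."""
    return [d.strip().lower().strip(".") for d in value.split(SEPARATOR) if d.strip(". ")]


def address_is_allowed(address: str, allowed: str = DEFAULT_ALLOWED) -> bool:
    """Return True only if address has the form <subdomain>.<permitted suffix>.

    A plain str.endswith(suffix) check would also accept 'evil-cyberark.cloud',
    so the suffix is matched only on a label boundary (preceded by a dot).
    """
    host = address.strip().lower().rstrip(".")
    # The parameter expects a bare hostname: no scheme, port, path or credentials.
    if not host or any(c in host for c in ":/@ "):
        return False
    for suffix in parse_allowed_domains(allowed):
        if host.endswith("." + suffix):
            subdomain = host[: -len(suffix) - 1]
            # Every label of the subdomain must be non-empty (rejects 'a..b.cyberark.cloud').
            if subdomain and all(subdomain.split(".")):
                return True
    return False
```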

Set up the Identity Administration platform in the Privilege Cloud Portal

  1. From the CyberArk Marketplace, download the Identity Administration platform. The file Plugin.CyberArkIdentitySecurity[latest version].zip is downloaded.

  2. In the Privilege Cloud Portal, import the Identity Administration platform. For more information, see Import a platform.

  3. In the Privilege Cloud Portal Platform Management page, check that the CyberArk Identity Security platform is displayed.

The platform is imported and installed in the Applications platform. You can now set up target accounts and reconcile accounts.

Set up a target account with MFA

After the platform is imported into the Privilege Cloud Portal, you can set up target accounts with MFA.

Step 1: Add an Identity Administration target account in the Privilege Cloud Portal

  1. In the Privilege Cloud Portal Accounts View page, click Add account, and select the following:

    • System type: Application

    • Platform: CyberArk Identity Security

    • Safe: the relevant Safe.

  2. In the account's Define properties tab, set the following parameters:

    Parameter  Definition
    Username   The user's full name in Identity Administration.
    Address    The platform address (without the https prefix): <subdomain>.cyberark.cloud
    Password   According to your organization's password policy.

  3. Click Add.

Step 2: Create a logon account of any type in the Privilege Cloud Portal

  1. In the Privilege Cloud Portal Account page, click Add account, and select any system type, platform, and Safe.

  2. In the account's Define properties tab, set the Password as follows:

    • The MFA key in hex string format.

    • This is the same key provided in Identity Administration > Settings > Authentication > OATH Tokens. The key is in the imported CSV file, in the Secret Key (HEX) column. See Import OATH tokens in bulk.

  3. Click Add.

Step 3: Attach the logon account to the Identity Administration account

  1. In Accounts View, access the target account's Details tab.

  2. Attach the logon account created in Step 2 as the logon account of the Identity Administration target account.

Set up a Reconcile account with MFA

After the platform is imported into the Privilege Cloud Portal, you can set up reconcile accounts with MFA.

Step 1: Add an Identity Administration target account in the Privilege Cloud Portal

  1. In the Privilege Cloud Portal Accounts View page, click Add account, and select the following:

    • System type: Application

    • Platform: CyberArk Identity Security

    • Safe: the relevant Safe.

  2. In the account's Define properties tab, set the following parameters:

    Parameter  Definition
    Username   The user's full name in Identity Administration.
    Address    The platform address (without the https prefix): <subdomain>.cyberark.cloud
    Password   According to your organization's password policy.

  3. Click Add.

Step 2: Create a Reconcile account in the Privilege Cloud Portal

  1. In the Privilege Cloud Portal Accounts View page, click Add account, and select the following:

    • System type: Application

    • Platform: CyberArk Identity Security

    • Safe: the relevant Safe.

  2. In the account's Define properties tab, set the following parameters:

    Parameter  Definition
    Username   The full user name of the user in Identity Administration.
    Address    The platform address (without the https prefix): cyberark.cloud.
    Password   According to your organization's password policy.

  3. Click Add.

Step 3: Create a logon account of any type in the Privilege Cloud Portal and attach it to the Identity Administration account

  1. In the Privilege Cloud Portal Accounts View page, click Add account, and select any system type, platform, and Safe.

  2. In the account's Define properties tab, set the Password as follows:

    • The MFA key in hex string format.

    • This is the same key provided in Identity Administration > Settings > Authentication > OATH Tokens. The key is in the imported CSV file, in the Secret Key (HEX) column. See Import OATH tokens in bulk.

Step 4: Attach the accounts in the Privilege Cloud Portal

  1. In Accounts View, access the reconcile account's Details tab.

  2. Attach the logon account created in Step 3 as the logon account of the reconcile account.