Set up on-demand access

This topic describes how to configure the SCA approval mechanism so that end users can request temporary access to web apps.

Overview

End users can request temporary access to web apps that they don't have in their User Portal, or temporarily elevated permissions to web apps that they have access to but with limited permissions.

To enable this functionality, you must complete the following steps:

  1. Configure on-demand access in Identity Administration

  2. Configure the allowed identities, all users or only specific users

  3. Configure the approval method, manual or automatic

  4. Configure the approval channel, custom flow or Slack

  5. Verify the configuration

All audit trail data related to submitting and handling on-demand requests can be viewed in the Audit service. For details, see the Audit docs.

Before you begin

To support communication with the selected approval channel, you must have Identity Flows enabled in your CyberArk tenant.

Configure on-demand access in Identity Administration

In Identity Administration, enable SCA in the integration settings and make sure that you have a custom OAuth2 server so that CyberArk can authenticate to the third-party approval channel.

Step 1: Enable SCA in Identity Administration

In the Identity Administration, go to Settings > Integration > Secure Cloud Access, and select the Users can request permission to add SCA-enabled applications checkbox.

Step 2: Create an OAuth2 server

If you don't already have an OAuth2 server set up for SCA, follow the instructions in ISPSS authentication prerequisites to create one. You need this OAuth2 server to configure the SCA Ondemand flow, which connects CyberArk to the approval channel.

In order for the service user to authenticate, the SCA API (SCAApiFullAccess) role must be assigned to the Identity Administration web app.

Step 3: Create a service user

If you don't already have a service user set up for SCA, follow the instructions in Create a service user to create one. You need this user to configure SCA authorization.

Configure the allowed identities

You can allow anyone in your directory to make an access request, or you can restrict this ability to specific identities only.

The default setting is All.

  1. In Settings > On-demand access, select the Allowed Identities tab.

  2. Select All to allow all the identities in your directory to initiate access requests, or select Specific to restrict the identities that are allowed.

  3. If you selected Specific, define the allowed identities as follows:

    1. Click Add identities.

    2. In the Add identities window, use the filters and search to find the identities you want to add.

    3. Select one or more identities from the list and click Add.

If you switch from Specific to All mode at any point, the list of specific identities is deleted permanently.

If you switch from All to Specific, you must configure a list of identities in order to enable on-demand access requests.

Configure the approval method

In this step, you define how access requests are handled by SCA. You can also configure exceptions to the approval method you specify. For example, if you opt for manual, then all access requests must be handled by the administrator. If an access request is made by an identity that matches an exception, it is routed for automatic approval and doesn't need any handling by the administrator.

The default setting is Manual.

Step 1: Define the approval method

  1. In Settings > On-demand access, select the Approval method tab.

  2. In the Approval method area, select Manual to route all access requests to the administrator for handling, or select Automatic to approve all access requests without needing manual intervention.

Step 2: Define exceptions to the approval method

You can create exceptions to address specific use cases that should be handled differently from the approval method you set. Any identity that meets the criteria for at least one of the exceptions that are defined is handled according to the other approval method.

When an exception has multiple conditions, the logic between the conditions is "AND".

When multiple exceptions are configured for an approval method, the logic between the exceptions is "OR".

As mentioned above, when the approval method is set to manual, all access requests are routed to the administrator for handling. The administrator must then approve or reject each request individually. SCA allows you to provide alternate handling for specific identities based on exceptions that you configure.

For example, you may want to reduce the workload for your administrator and allow automatic approval for access requests that are made by non-privileged identities that have minimal permissions, and are therefore low risk.

  1. In the Exceptions area, click Create exception.

  2. In the Create an exception page, provide a name for the exception.

    An access request must meet all of the conditions within a single exception. If you have more than one scenario where you don't want the defined approval method to apply, create separate exceptions for each use case.

  3. In the Conditions area, click Add condition and select from the following:

    Exception conditions (option: description)

    Privileged permissions: (AWS IAM workspaces only) Permissions that have been analyzed and designated by CEM as either admin or shadow admin. For details, see the CEM docs.

    Tag: SCA scans relevant cloud workspaces to find a match for the key/value pairs that you define. Don't use tags that have been applied to roles or policies, because SCA doesn't scan these assets. You can apply one tag per exception.

    Identities: Use the wizard to find and select specific identities that don't have to be handled by the administrator.

If an identity matches all of the conditions you defined in the exception, it gets approved automatically.

If you switch from Manual to Automatic mode at any point, any exceptions you configured will be permanently deleted.

When the approval method is set to automatic, all access requests are approved automatically. If there are identities that shouldn't gain automatic access to some or all workspaces, for example, because they present an unacceptably high level of risk, you can create exceptions so that these requests get routed for manual handling and the administrator can determine whether to approve or reject them.

  1. In the Exceptions area, click Create exception.

  2. In the Create an exception page, provide a name for the exception.

    An access request must meet all of the conditions within a single exception. If you have more than one scenario where you don't want the defined approval method to apply, create separate exceptions for each use case.

  3. In the Conditions area, click Add condition and select from the following:

    Exception conditions (option: description)

    Non-privileged permissions: (AWS IAM workspaces only) Permissions that have been analyzed by CEM and aren't admin or shadow admin. For details, see the CEM docs.

    Tag: SCA scans relevant cloud workspaces to find a match for the key/value pairs that you define. Don't use tags that have been applied to roles or policies, because SCA doesn't scan these assets. You can apply one tag per exception.

    Identities: Use the wizard to find and select specific identities that should be approved by the administrator.

If an identity matches all of the conditions you defined in the exception, it gets routed to the administrator for manual handling.

If you switch from Automatic to Manual mode at any point, any exceptions you configured will be permanently deleted.

Click the More actions menu in the upper right corner of an exception to edit or delete it.
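The routing rules above (AND between the conditions of one exception, OR between exceptions, the opposite method applied on a match, and exceptions being deleted when the method is switched) as an added worked example; this is illustrative code, not CyberArk's, and the request fields, the class names and the "privileged" / "non-privileged" labels are assumptions made for the example.

```python
# Added example (not CyberArk code): models on-demand approval routing so the
# AND/OR semantics of exceptions can be checked against sample requests.
# Field names and the Settings class are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional, Tuple

MANUAL, AUTOMATIC = "Manual", "Automatic"


@dataclass
class AccessRequest:
    identity: str
    permissions: str          # "privileged" (CEM admin/shadow admin) or "non-privileged"
    tags: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Exception_:
    """One exception: every configured condition must hold (AND)."""
    name: str
    permissions: Optional[str] = None          # AWS IAM workspaces only
    tag: Optional[Tuple[str, str]] = None      # one key/value pair per exception
    identities: frozenset = frozenset()

    def matches(self, req: AccessRequest) -> bool:
        checks = []
        if self.permissions is not None:
            checks.append(req.permissions == self.permissions)
        if self.tag is not None:
            key, value = self.tag
            checks.append(req.tags.get(key) == value)
        if self.identities:
            checks.append(req.identity in self.identities)
        # An exception with no conditions matches nothing rather than everything.
        return bool(checks) and all(checks)


class OnDemandSettings:
    def __init__(self, method: str = MANUAL):
        self.method = method          # default is Manual, as on the page
        self.exceptions = []

    def set_method(self, method: str) -> None:
        if method != self.method:
            self.exceptions = []      # switching modes deletes all exceptions
        self.method = method

    def route(self, req: AccessRequest) -> str:
        """Return MANUAL (administrator handles it) or AUTOMATIC for this request."""
        if any(e.matches(req) for e in self.exceptions):   # OR across exceptions
            return AUTOMATIC if self.method == MANUAL else MANUAL
        return self.method
```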

Configure the approval channel

You must select and configure an approval channel so that on-demand requests can be handled. If you use an external approval channel, the configuration includes enabling authentication so CyberArk and the channel can connect and send information and messages back and forth.

SCA supports using either a custom CyberArk Identity flow or Slack.

SCA can't relay on-demand user requests until the approval channel is completely configured.

Select one of the available options in the Approval channel tab, and follow the relevant instructions below to configure the channel.

Select a custom flow that was created in CyberArk Identity Flows and configure it as your approval channel.

For details about creating custom flows, see the Identity Flows docs.

  1. In the Approval channel tab, click Custom flow.

  2. In the Select a custom flow window, select the flow you want to use from the Flows list.

    The Flows list displays all the flows that have been saved in Identity Flows. Review the list carefully to make sure you select the correct flow.

  3. Click Save. The flow you selected is displayed in the Approval channel tab (under the tab name and in the page).

  4. To change the custom flow, click Select a different flow and repeat steps 2 and 3.

Complete all the steps to configure Slack as the approval channel.

Set up Slack

Step 1: Create the Slack app

You have to create a new app in Slack to enable communication between CyberArk and Slack.

  1. Go to api.slack.com and in the Your Apps page, click Create New App.

  2. In the Create an app window, select From scratch, provide the App Name, and select the CyberArk SCA workspace. Click Create App.

Step 2: Apply the redirect URL

  1. In the Basic Information page, scroll down and click Permissions.

  2. In the OAuth & Permissions page, scroll down to the Redirect URLs area, and click Add New Redirect URL.

  3. Open Identity Flows and copy the application URL into the Redirect URLs field using the format https://<identity flows url>/gateway/callback. Click Add, then click Save URLs.

Step 3: Set the permission scope

  1. In the navigation pane, under Settings select Basic Information.

  2. In the Building Apps for Slack area, click to expand the Add features and functionality section. Scroll down and expand the Install your app area, and click permission scope in the note.

  3. In the OAuth & Permissions page, scroll down to the Scopes area and in the Bot Token Scopes section, click Add an OAuth Scope, then select chat:write from the list.

Step 4: Finish setting up the app

  1. Go back to the Settings > Basic Information page, and in the Install your app area, click Install to Workspace.

  2. In the confirmation page, click Allow.

You'll need the Slack app credentials when you configure the SCA Ondemand Slack flow in Identity Flows. This information is available at the bottom of the Basic Information page.

Step 5: Create a Slack channel

You need a dedicated Slack channel that will receive and send messages via Identity Flows. Set one up as described in the Slack docs, and save the channel ID to apply when you configure the SCA Ondemand Slack flow in Identity Flows.

Download the SCA pre-defined flows

From the SCA on demand settings page, download the Flows zip file and unzip it in a local directory. This zip file contains the following pre-defined flows in JSON format, which you have to import into Identity Flows and configure with your channel and SCA information:

  • SCA Ondemand - configure with your Slack app credentials to enable communication between CyberArk and Slack.

  • SCA Ondemand Slack - configure your OAuth2 server information to enable triggering SCA to create an ad-hoc policy when the access request is approved.

Don't change the names of the JSON files when you unzip them. If you change a file name, this will break the flow and the feature won't work as expected.

Import and configure the flows in Identity Flows

Step 1: Set up the channel connection

In Identity Flows, configure the connection between CyberArk and the approval channel.

  1. Click Import and upload the SCA Ondemand JSON file.

  2. Click Save.

  3. Click the Chat Post Message component in the flow.

  4. In Settings > Authorizations, click ADD NEW.

  5. In the Manage Authorizations window, configure the following to create an authorization for Slack:

    1. Fill in the following fields:

      Slack authorization details (item: description)

      Name: Provide a name for the server

      Type: Select OAuth2

      Flow: Select Authorization Code

      Content Type: Select application/x-www-form-urlencoded

      Client ID: Copy this information from the Slack app credentials

      Client Secret: Copy this information from the Slack app credentials

      Authorization URL: https://slack.com/oauth/authorize

      Token URL: https://slack.com/api/oauth.access

      Redirect URL: The redirect URL you used when configuring the Slack app (in the format https://<identity flows url>/gateway/callback)

      Scopes: Select Scopes, then select the following options:

      • channels:history

      • chat:write:bot

      • chat:write:user

    2. Click Authorize.

    3. If the authentication flow is successful, click Save & Use.

  6. In the Notifications component, in Settings > Authorizations, click ADD NEW.

  7. In the Manage Authorizations window, configure the following to create an authorization for the SCA APIs:

    1. Fill in the following fields:

      SCA API authorization details (item: description)

      Name: Provide a name for the server

      Type: Select OAuth2

      Flow: Select Client Credentials

      Content Type: Select application/x-www-form-urlencoded

      Client ID: Provide the username of your SCA service user

      Client Secret: Provide the password of your SCA service user

      Token URL: https://<Identity url>/oauth2/token/<authorization application name>

      Scopes: Select Scopes, then select Full

    2. Click Authorize.

    3. If the authentication flow is successful, click Save & Use.

  8. In the Map tab, scroll down to channel and paste the channel ID that you got when you created the dedicated Slack channel.

  9. Click Save.

Step 2: Test the channel connection

When you finish configuring the flow, you can verify it in Identity Flows.

  1. Click the Slack Chat Post Message step in the flow, and in the menu bar, click Run.

  2. In the window that appears, type the parameter {"message": "<value>"} with any value, and click Submit.

  3. When the flow finishes running, click the notification icon next to your user name in the upper right corner of the window, and select the most recent results of running the flow.

  4. Expand the step, then expand the API content of the step to view the message and verify that the value was passed.

Step 3: Set up the SCA policy flow

In Identity Flows, configure the components that trigger SCA to create a temporary policy with the requested details.

  1. Click Import and upload the SCA Ondemand Slack JSON file.

  2. Click Save.

  3. Configure the left-path flow (where approval_status = true, which occurs when the access request is approved) as follows:

    1. In the Chat Update component, in Settings > Authorizations, select the Slack authorization you configured in the SCA Ondemand flow, and in the Map tab, scroll down to channel and paste the channel ID that you got when you created the dedicated Slack channel.

    2. In the Create Policy component, in Settings > Authorizations, select the SCA API authorization you configured.

    3. In the Get Status component, in Settings > Authorizations, select the SCA API authorization you configured.

    4. In the Notifications component, in Settings > Authorizations, select the SCA API authorization you configured.

  4. Configure the right-path flow (where approval_status = false, which occurs when the access request is rejected) as follows:

    1. In the Chat Update component, in Settings > Authorizations, select the authorization you configured in the SCA Ondemand flow, and in the Map tab, scroll down to channel and paste the channel ID that you got when you created the dedicated Slack channel.

    2. In the Notifications component, in Settings > Authorizations, select the SCA API authorization you configured.

Step 4: Test the channel connection

When you finish configuring the flow, verify it in Identity Flows as described above.

Verify the configuration

When you finish all of the configuration tasks, we strongly recommend testing the complete on-demand access flow outside of Identity Flows to verify that the following happens correctly:

  • The access request arrives via the configured approval channel

  • The user receives an approval email after you approve the request

  • The user receives a rejection email after you deny the request