# CyberArk

SureCloud connects to CyberArk Privileged Access Manager (PAM) to retrieve safe inventory, privileged account records, session monitoring configuration, and access policy data. This allows SureCloud to verify that privileged credentials are stored in CyberArk vaults, that access to sensitive accounts is controlled through defined policies, and that privileged session activity is being recorded.

## Authentication and setup

CyberArk PAM authenticates API requests using a CyberArk authentication token. SureCloud uses a dedicated CyberArk user account with read-only Vault permissions, authenticating via the CyberArk REST API using CyberArk or LDAP authentication.

{% stepper %}
{% step %}
**Create a dedicated CyberArk user**

In the CyberArk Privileged Access Manager console (PVWA), navigate to **Administration → Users** and create a new user (e.g. `SureCloudAPI`). Assign it the built-in **AuditUsers** role, which provides read-only access to vault and session data. Do not assign Vault Owner or Safe Manager roles.
{% endstep %}

{% step %}
**Grant safe membership where required**

For each safe SureCloud needs to enumerate, add the `SureCloudAPI` user as a member with **List accounts** and **View Safe Members** permissions only. Safes where the user is not a member will not appear in SureCloud's collection.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → CyberArk → Connect**. Enter your CyberArk PVWA URL (e.g. `https://cyberark.yourcompany.com/PasswordVault`), the username, and the password. Select the authentication method (CyberArk, LDAP, or RADIUS). Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
SureCloud stores the CyberArk user password encrypted at rest. Rotate it every 90 days in CyberArk and update it in **SureCloud → Integrations → CyberArk → Edit Connection**. Consider using a strong, randomly generated password managed within CyberArk itself.
{% endhint %}

## Endpoints

| API Call                            | Use Case                                                                  |
| ----------------------------------- | ------------------------------------------------------------------------- |
| `POST /API/Auth/CyberArk/Logon`     | Authenticate and obtain a session token                                   |
| `GET /API/Safes`                    | Enumerate CyberArk safes and their configuration                          |
| `GET /API/Safes/{safeName}/Members` | Retrieve safe membership and permission assignments                       |
| `GET /API/Accounts`                 | Enumerate privileged accounts stored in accessible safes                  |
| `GET /API/Accounts/{accountId}`     | Retrieve individual account detail including platform and safe assignment |
| `GET /API/LiveSessions`             | Retrieve active privileged sessions for real-time monitoring evidence     |
| `GET /API/Recordings`               | Retrieve recorded session inventory for audit evidence                    |

## Pagination

`GET /API/Accounts` and `GET /API/Safes` use offset-based pagination. SureCloud sets `offset` and `limit` parameters and increments until the `Total` count in the response is reached.

```http
GET /API/Accounts?limit=100&offset=100
```
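The offset loop described above, written so that a truncated run fails instead of silently under-reporting privileged accounts. This is an added example, not SureCloud's collector code: `collect_all`, `make_fake_pvwa`, the `value` and `id` field names and the sample records are assumptions, and only `Total`, `limit` and `offset` come from this page.

```python
from typing import Callable, Dict, List


class IncompleteCollection(Exception):
    """Paging ended without accounting for every record in Total."""


def collect_all(fetch_page: Callable[[int, int], Dict], limit: int = 100,
                items_key: str = "value", total_key: str = "Total",
                id_key: str = "id", max_pages: int = 10_000) -> List[Dict]:
    """Page with offset/limit until Total is reached; fail loudly on gaps."""
    seen: Dict[str, Dict] = {}
    offset, total = 0, 0
    for _ in range(max_pages):
        page = fetch_page(offset, limit)
        if total_key not in page:
            raise IncompleteCollection(f"no {total_key} at offset {offset}")
        total = int(page[total_key])      # re-read: inventory can change mid-run
        items = page.get(items_key, [])
        if not items and offset < total:
            raise IncompleteCollection(f"empty page at {offset} of {total}")
        for item in items:
            seen[item[id_key]] = item     # de-duplicate records that shifted pages
        offset += limit
        if offset >= total:
            break
    else:
        raise IncompleteCollection(f"gave up after {max_pages} pages")
    if len(seen) != total:
        raise IncompleteCollection(f"collected {len(seen)} of {total} records")
    return list(seen.values())


def make_fake_pvwa(n: int, drop_after: int = None):
    """Constructed stand-in for GET /API/Accounts; drop_after simulates truncation."""
    records = [{"id": f"{i}_1", "safeName": "Constructed-Safe"} for i in range(n)]

    def fetch(offset: int, limit: int) -> Dict:
        end = offset + limit if drop_after is None else min(offset + limit, drop_after)
        return {"value": records[offset:end], "Total": n}
    return fetch


if __name__ == "__main__":
    print(len(collect_all(make_fake_pvwa(250))), "accounts collected")
```

In a real client, `fetch_page` would wrap the authenticated HTTPS request; keeping it as a callable lets the completeness checks be tested without a PVWA.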

## Required permissions

SureCloud requires a CyberArk user with the **AuditUsers** built-in role plus **List accounts** and **View Safe Members** permissions on each monitored safe. This provides:

* Read access to safe inventory and membership
* Read access to account records
* Read access to session recordings and live sessions

No account checkout, password change, or safe administration permissions are required.
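A least-privilege check for the integration user, run over safe-member records such as those returned by `GET /API/Safes/{safeName}/Members`. This is an added example, not part of the SureCloud or CyberArk products: the function names, the `memberName`/`permissions` record shape, the permission key names and the sample data are assumptions to confirm against your PVWA version.

```python
from typing import Dict, List

# Assumed API key names for "List accounts" and "View Safe Members".
ALLOWED = {"listAccounts", "viewSafeMembers"}


def audit_member(safe: str, member: Dict, user: str = "SureCloudAPI") -> List[str]:
    """Return findings for one safe-member record belonging to `user`."""
    if member.get("memberName", "").lower() != user.lower():
        return []
    granted = {k for k, v in member.get("permissions", {}).items() if v is True}
    findings = [f"{safe}: excess permission {p}" for p in sorted(granted - ALLOWED)]
    findings += [f"{safe}: missing permission {p}" for p in sorted(ALLOWED - granted)]
    return findings


def audit_safes(members_by_safe: Dict[str, List[Dict]],
                user: str = "SureCloudAPI") -> List[str]:
    """Flag safes where `user` is absent, over-privileged or under-privileged."""
    findings: List[str] = []
    for safe, members in members_by_safe.items():
        names = {m.get("memberName", "").lower() for m in members}
        if user.lower() not in names:
            findings.append(f"{safe}: {user} is not a member, safe will not be collected")
        for member in members:
            findings.extend(audit_member(safe, member, user))
    return findings


# Constructed sample data: safe names and members are illustrative only.
SAMPLE = {
    "Constructed-Unix-Root": [{"memberName": "SureCloudAPI", "permissions": {
        "listAccounts": True, "viewSafeMembers": True, "retrieveAccounts": False}}],
    "Constructed-DB-Admins": [{"memberName": "SureCloudAPI", "permissions": {
        "listAccounts": True, "viewSafeMembers": False,
        "retrieveAccounts": True, "manageSafe": True}}],
    "Constructed-Network": [{"memberName": "VaultAdmins", "permissions": {
        "manageSafe": True}}],
}

if __name__ == "__main__":
    for line in audit_safes(SAMPLE):
        print(line)
```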

## Polling frequency

| Data Type                     | Interval       |
| ----------------------------- | -------------- |
| Safe inventory and membership | Every 24 hours |
| Privileged account records    | Every 24 hours |
| Session recordings            | Every 6 hours  |

## Troubleshooting

<details>

<summary>Authentication returns "ITATS542I" or logon failure</summary>

The username or password is incorrect, or the account has been locked after failed login attempts. Verify the credentials in CyberArk and unlock the account if necessary. If CyberArk's built-in Vault Logon policy restricts API logons, work with your CyberArk administrator to confirm the `SureCloudAPI` user is permitted to authenticate via the REST API.

</details>

<details>

<summary>Safes list returns empty or fewer safes than expected</summary>

CyberArk only returns safes where the authenticated user is a member. The `SureCloudAPI` user must be explicitly added as a member to each safe with at minimum **List accounts** permission. Add the user to missing safes via **PVWA → Safes → \[Safe Name] → Members**.

</details>

<details>

<summary>PVWA is unreachable from SureCloud</summary>

CyberArk PVWA is typically deployed on-premises. Confirm the PVWA URL is accessible from the SureCloud collector network over HTTPS on port 443. Contact SureCloud Support for firewall requirements.

</details>

<details>

<summary>Session recordings endpoint returns 403</summary>

Access to session recordings requires the **AuditUsers** role. If the `SureCloudAPI` user was assigned a custom role instead, confirm it includes the **Audit Users** privilege. Navigate to **PVWA → Administration → Users → SureCloudAPI → Authorisations** to verify.

</details>

