This article describes how to connect your CyberArk Identity installation to Expel Workbench.

Step 1: Create a New OAuth App in the Admin Portal

The first step is to create a new OAuth Client on the CyberArk Identity Admin Portal.

  1. Log in to your CyberArk Identity tenant.

  2. Navigate to your user name at the top-right corner and select Switch to Admin Portal from the list.

  3. Click Skip on the Quickstart screen if it appears.

  4. Click Apps in the Dashboard.

  5. Click Add Web Apps and select the Custom tab on the Add Web Apps popup.

  6. Locate OAuth2 Client in the list and click Add. This creates an OAuth2 Client for use with CyberArk Identity APIs.

  7. Click Yes on the Add Web App popup that appears.

  8. Click Close on the Add Web Apps popup. The app configuration screen appears.

Step 2: Configure the New OAuth 2.0 Client

  1. In the app configuration screen, the categories are listed on the left side of the screen. For each category, type the appropriate data in the fields as follows:

    • Description:

      • Application ID: type a unique name (no spaces) and copy it for later use.

      • Application Name: type a descriptive name for the application.

      • Application Description: type a description of the application (optional; not seen by users).

      • Category: the default grouping for the app on the Admin Portal.

    • General Usage:

      • Client ID Type: select Confidential.

      • Issuer: the URL of the server issuing access tokens. It may be left as the default.

      • Allowed Redirects: specifies the trusted redirects for the Authorization Code and Implicit flows.

    • Tokens:

      • Token Type: specifies the type of token to issue (JwtRS256 or opaque). Select JwtRS256.
        JwtRS256 is a JSON Web Token (JWT) composed of Base64-encoded user and claim information. An opaque token contains no information about the user. To obtain user and claim information for an opaque token, an introspection URL must be used.

      • Auth Methods: specifies the authentication flow(s) for which the specified token type should be issued. Keep only Client Creds selected.

      • Token Lifetime: specifies the duration of the token's lifespan.

      • Issue refresh tokens: when enabled, allows clients to request a refresh token that can be exchanged for a new access token. Not applicable for the Resource Owner flow.

    • Scope:

      • User must confirm authorization request: when enabled, this setting requires that the client open a popup where the user must select and approve the scope(s) to allow the client.

      • Scope Definitions: allows one or more scopes to be specified for authorization by the client.

    • Permissions: specifies the role(s) authorized to use this client with its credentials. The confidential client is represented by a user entity; see Step 4 below for how to create that user so the client can authorize successfully with its credentials.

    • Changelog: lists changes made to the client.

  2. Click Save.

Step 3: Create Scopes

Use the following steps to define scopes for an OAuth2 Client:

  1. Navigate to Web Apps and select the application created in Step 2.

  2. Click Scope.

  3. Under Authorized Scope definitions, click Add. The Scope definitions popup appears.

  4. Type a Name for the new scope, and a Description (optional).

  5. Click Add and type this scope: Redrock/* and select Save.

  6. Click Save to update the scope.

Step 4: Create a Confidential Client

To authorize a confidential client (a client that provides a client ID and client secret), you must create a user entity representing the confidential client.

  1. Navigate to Core Services > Users to open the Create CyberArk Identity Directory User screen.

  2. Click Add User.

  3. Type the application's client ID into the Login Name field.

  4. Type a value into the Display Name field.

  5. Select Password Type.

    • If selecting Manual, type the application's client secret into the Password and Confirm Password fields.

    • If selecting Generated, save the generated password in a secure place for later use.

  6. Navigate to the Status section at the bottom and enable Is OAuth confidential client.

  7. Click Create User. A confidential client with the client ID and secret can now be authorized for your CyberArk Identity Tenant.

Step 5: Configure User Permissions

The service account and Web App created in the previous steps need additional configuration before they can authenticate successfully.

  1. Navigate to Core Services > Roles to open the Create CyberArk Identity Directory Roles screen.
  2. Select Add Role.
  3. Give the role a name that makes it easy to identify as belonging to the Expel integration. We recommend "Expel Role".
    • You may optionally provide a description as well.
    • For Role Type, select Static.
    • Select Save.
  4. In the newly created Role configuration screen, the categories are listed on the left side of the screen. For each category, type the appropriate data in the fields as follows:
    1. Members:
      1. Click Add. Find and select the user created in Step 4.
    2. Administrative Rights:
      1. Click Add. Search for Read Only and select Read Only System Administration.
    3. Assigned Applications:
      1. Click Add. Find and select the OAuth 2.0 Client application created in Step 2.
  5. Select Save.
  6. Navigate to Settings > Authentication > Authentication Profiles to open the Authentication Profiles screen.
  7. Select Add Profile.
  8. Create a Profile specific for the Expel Integration. We recommend the name "Expel Profile - Password Only".
    1. Under Something you know, select only Password.
    2. Select Ok.
  9. Navigate to Core Services > Policies.
  10. Click Add Policy Set.
  11. In Policy Settings, give the policy a name. We recommend "Expel Policy".
  12. Under Policy Assignment, select Specified Roles, then select the previously created Expel Role.
  13. On the left side of the Add Policy Set screen, select Authentication Policies and select CyberArk Identity. Under Authentication Policy for CyberArk Identity, select Yes in the dropdown menu.
  14. Under Default Profile, select the Expel Profile - Password Only profile.
  15. Select Save.
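Before entering the credentials in Workbench, it is worth confirming that the client from Steps 2 through 5 can actually obtain a token and that the token is a JwtRS256 token carrying the Redrock/* scope. The following script is an added example, not code from Expel or CyberArk; it assumes the tenant's token endpoint is https://<tenant>/oauth2/token/<Application ID> and that the JWT carries an "exp" claim and a space-separated "scope" claim.

```python
# Added example (not Expel's or CyberArk's code): request a token with the
# Client Credentials grant and check it is a JwtRS256 token that grants the
# Redrock/* scope from Step 3. Assumed: token endpoint is
# https://<tenant>/oauth2/token/<Application ID>; JWT has "exp" and "scope".
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def build_token_request(server_url, app_id, client_id, client_secret, scope="Redrock/*"):
    # The Step 4 user (Login Name = client ID) authenticates via HTTP Basic auth.
    url = f"{server_url.rstrip('/')}/oauth2/token/{app_id}"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    return url, headers, body

def decode_jwt_payload(token):
    # Claims only; verifying the RS256 signature needs the issuer's public key.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: Token Type is probably set to opaque")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_token(token, required_scope="Redrock/*", now=None):
    # Returns a list of setup problems; an empty list means the token is usable.
    try:
        claims = decode_jwt_payload(token)
    except ValueError as err:
        return [str(err)]
    now = int(time.time()) if now is None else now
    problems = []
    if int(claims.get("exp", 0)) <= now:
        problems.append("token already expired: check Token Lifetime")
    if required_scope not in str(claims.get("scope", "")).split():
        problems.append(f"scope {required_scope} not granted: check Step 3")
    return problems

def fetch_and_check(server_url, app_id, client_id, client_secret):
    url, headers, body = build_token_request(server_url, app_id, client_id, client_secret)
    with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
        return check_token(json.load(resp)["access_token"])

# Constructed, unsigned sample token (not issued by any tenant) for offline runs.
_b64url = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"scope": "Redrock/*", "exp": 2000000000}), "sig"])
```

Run fetch_and_check with your Server URL, Application ID, client ID and client secret; an empty list means the token is usable, while a "not a JWT" message means Token Type is still opaque and a missing-scope message points back to Step 3.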

Step 6: Configure the Technology in Workbench

Now that you have the correct access configured and noted the credentials, you can integrate your technology with Workbench.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log in to https://workbench.expel.io.

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select CyberArk Identity, then fill in the fields like this:

    • For Name, type CyberArk.

    • For Location, type either Cloud or On-prem.

    • For Application ID, type the Application ID.

    • For Username, type the Client ID.

    • For Password, type the Client Secret.

    • For Server, type the Server URL.

  5. Click Save.

Your device should be created successfully within a few seconds. A few reminders:

  • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
  • To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
  • Polling will happen first; data will be received after that. You must refresh the page to see updates.
  • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
  • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.