Manage Privilege Accounts and related objects with SCIM Endpoints
This topic describes how to manage PAM objects with SCIM endpoints.
The CyberArk Identity SCIM (System for Cross-Domain Identity Management) server provides API endpoints that SCIM-compliant clients (for example, an Identity and Access Governance solution such as SailPoint) use to manage privileged accounts and their related objects in CyberArk Privilege Cloud.
What is SCIM?
SCIM, or System for Cross-domain Identity Management, is an open standard that allows for managing user identity information. It provides a defined schema for representing common identity information about users and groups and a Representational State Transfer (REST) API to run CRUD operations on these resources. Refer to SCIM Specification (RFC7643) for more information about SCIM.
What is SCIM extension for PAM?
In addition to managing users and groups for privileged access, Privileged Access Management (PAM) solutions also require management of additional objects like Containers, Container Permissions and Privilege Data that define the authorizations required for privileged users. The SCIM 2.0 Extension for PAM includes extensions to these new resource types and schemas for standard PAM constructs. Refer to SCIM extension for PAM spec for more information about this extension.
- Refer to Privilege Cloud documentation for details on how to integrate Privilege Cloud with an Identity Governance and Administration (IGA) platform using the CyberArk Identity SCIM server.
- Refer to PAS documentation for details on how to integrate self-hosted Privilege Access Security (PAS) with an Identity Governance and Administration (IGA) platform using the CyberArk Identity SCIM server.
Note: You must choose either Privilege Cloud or PAS; integrating with both solutions at the same time is not currently supported.
SCIM Endpoints
The CyberArk Identity SCIM server currently supports the following endpoints to manage privileged accounts and related objects.
Note: Managing Users or Groups in Privilege Cloud or PAS requires the SCIM service user to be in a role with the Vault Management Administrative Right. Refer to SCIM Server configuration for more information.
Refer to Privilege Cloud or PAS documentation for details on supported request methods for each endpoint.