### GET /PasswordVault/API/platforms/targets/ Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves available target platforms for account management, supporting filtering by system type and status. ```APIDOC ## GET /PasswordVault/API/platforms/targets/ ### Description Retrieves available target platforms for account management with optional filtering by system type and status. ### Method GET ### Endpoint https://{base_url}/PasswordVault/API/platforms/targets/ ### Parameters #### Query Parameters - **search** (string) - Optional - Search string for platform names. - **filter** (string) - Optional - OData filter string for advanced filtering. ### Response #### Success Response (200) - **Platforms** (array) - List of platform objects. #### Response Example { "Platforms": [ { "ID": 1, "PlatformID": "WinServerLocal", "Name": "Windows Server Local Accounts", "Active": true, "SystemType": "Windows" } ] } ``` -------------------------------- ### Get Target Platforms via Privilege Cloud API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves available target platforms for account management. Supports filtering by system type and status using query parameters. ```bash curl -X GET "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/platforms/targets/?search=Windows" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` -------------------------------- ### Connector Management APIs - Get All Connectors Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves all CyberArk connectors registered in the tenant with their status and component information. ```APIDOC ## GET /api/connectors ### Description Retrieves all CyberArk connectors registered in the tenant with their status and component information. ### Method GET ### Endpoint /api/connectors ### Parameters #### Query Parameters None #### Request Body None ### Request Example ```bash curl -X GET "https://mycompany.cyberark.cloud/api/connectors" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` ### Response #### Success Response (200) - **connectors** (array) - A list of connector objects. - **id** (string) - The unique identifier for the connector. - **name** (string) - The name of the connector. - **status** (string) - The current status of the connector (e.g., "Connected"). - **version** (string) - The version of the connector. - **lastSeen** (string) - The timestamp when the connector was last seen. - **components** (array of strings) - A list of components managed by the connector. #### Response Example ```json { "connectors": [ { "id": "connector-abc123", "name": "DC-Connector-01", "status": "Connected", "version": "14.0.0.12", "lastSeen": "2024-01-15T10:30:00Z", "components": ["CPM", "PSM"] } ] } ``` ``` -------------------------------- ### GET /AIMWebService/api/Accounts Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves credentials directly from the Central Credential Provider (CCP) for automated application access. ```APIDOC ## GET /AIMWebService/api/Accounts ### Description Retrieves credentials directly from CCP without requiring a session token, typically used by applications for automated credential retrieval. ### Method GET ### Endpoint https://ccp.company.com/AIMWebService/api/Accounts ### Parameters #### Query Parameters - **AppID** (string) - Required - The application identifier. - **Safe** (string) - Required - The safe name. - **Object** (string) - Required - The account object name. ### Response #### Success Response (200) - **Content** (string) - The retrieved password. - **UserName** (string) - The account username. #### Response Example { "Content": "ActualPassword123!", "UserName": "sa" } ``` -------------------------------- ### Get Accounts (Privilege Cloud and Self-Hosted PAM) Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of privileged accounts from the vault with optional filtering, searching, and pagination capabilities. Supports different endpoints for Privilege Cloud and Self-Hosted PAM, and allows sorting. ```bash # Privilege Cloud - Get all accounts with search and filter curl -X GET "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/Accounts?search=admin&searchType=contains&offset=0&limit=100&filter=safeName%20eq%20ProductionSafe" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." # Self-Hosted PAM - Get accounts with sorting curl -X GET "https://pvwa.company.com/PasswordVault/API/Accounts/?search=windows%20server&sort=UserName%20asc&limit=50" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer st5d7c1e8a-2b3f-4c5d-6e7f-8g9h0i1j2k3l" # Response: # { # "value": [ # { # "id": "21_3", # "name": "Operating System-WinServerLocal-prod-server01-Administrator", # "address": "prod-server01.company.com", # "userName": "Administrator", # "platformId": "WinServerLocal", # "safeName": "ProductionSafe", # "secretType": "password" # } # ], # "count": 1 # } ``` -------------------------------- ### GET /PasswordVault/API/LiveSessions Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves active privileged sessions with filtering by time range, user, safe, and other criteria. ```APIDOC ## GET /PasswordVault/API/LiveSessions ### Description Retrieves active privileged sessions with filtering by time range, user, safe, and other criteria. ### Method GET ### Endpoint https://{base_url}/PasswordVault/API/LiveSessions ### Parameters #### Query Parameters - **FromTime** (integer) - Required - Start timestamp. - **ToTime** (integer) - Required - End timestamp. - **Safe** (string) - Optional - Filter by safe name. - **Limit** (integer) - Optional - Max results to return. ``` -------------------------------- ### GET /v2-edge/users/ Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of remote access users with support for filtering by name and pagination. ```APIDOC ## GET /v2-edge/users/ ### Description Retrieves remote access users with optional filtering by name and pagination. ### Method GET ### Endpoint https://api.alero.io/v2-edge/users/ ### Query Parameters - **name** (string) - Optional - Filter users by name - **offset** (integer) - Optional - Pagination offset - **limit** (integer) - Optional - Number of results to return ### Response #### Success Response (200) - **users** (array) - List of user objects - **totalCount** (integer) - Total number of users matching the query ### Response Example { "users": [{"id": "user-abc123", "name": "John Contractor"}], "totalCount": 1 } ``` -------------------------------- ### Get All Safes from CyberArk Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of all safes the authenticated user has access to. Supports filtering with 'search', pagination with 'offset' and 'limit', sorting, and inclusion of account details or extended details. ```bash # Privilege Cloud - Get all safes with extended details curl -X GET "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/Safes/?search=Production&offset=0&limit=25&sort=safeName%20asc&includeAccounts=false&extendedDetails=true" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` ```bash # Self-Hosted PAM - Get safes including account counts curl -X GET "https://pvwa.company.com/PasswordVault/API/Safes/?includeAccounts=True&extendedDetails=False" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer st5d7c1e8a-2b3f-4c5d-6e7f-8g9h0i1j2k3l" ``` -------------------------------- ### GET /PasswordVault/API/Accounts Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of privileged accounts from the vault with optional filtering, searching, and pagination capabilities. ```APIDOC ## GET /PasswordVault/API/Accounts ### Description Retrieves a list of privileged accounts from the vault. Supports search, filter, sort, and pagination. ### Method GET ### Endpoint https://{base_url}/PasswordVault/API/Accounts ### Parameters #### Query Parameters - **search** (string) - Optional - Search term for account names - **limit** (integer) - Optional - Number of records to return - **offset** (integer) - Optional - Number of records to skip - **filter** (string) - Optional - OData filter expression ### Response #### Success Response (200) - **value** (array) - List of account objects - **count** (integer) - Total number of accounts returned #### Response Example { "value": [ { "id": "21_3", "name": "Operating System-WinServerLocal-prod-server01-Administrator", "userName": "Administrator", "safeName": "ProductionSafe" } ], "count": 1 } ``` -------------------------------- ### GET /api/safes Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of all safes the authenticated user has access to, with optional search, pagination, and account inclusion. ```APIDOC ## GET /api/safes ### Description Retrieves a list of all safes the authenticated user has access to, with optional search, pagination, and account inclusion. ### Method GET ### Endpoint /PasswordVault/API/Safes/ ### Parameters #### Query Parameters - **search** (string) - Optional - Filters safes by name. - **offset** (integer) - Optional - The starting index for pagination. - **limit** (integer) - Optional - The maximum number of safes to return. - **sort** (string) - Optional - Sorts the results (e.g., "safeName asc"). - **includeAccounts** (boolean) - Optional - Whether to include account counts in the response. - **extendedDetails** (boolean) - Optional - Whether to include extended details about the safes. ### Response #### Success Response (200) - **value** (array) - A list of safes. - **safeNumber** (integer) - The unique number of the safe. - **safeName** (string) - The name of the safe. - **description** (string) - Description of the safe. - **location** (string) - Location of the safe. - **managingCPM** (string) - The CPM managing the safe. - **numberOfDaysRetention** (integer) - Number of days for retention. - **numberOfVersionsRetention** (integer) - Number of versions for retention. - **autoPurgeEnabled** (boolean) - Whether auto-purge is enabled. - **count** (integer) - The total number of safes found. #### Response Example ```json { "value": [ { "safeNumber": 42, "safeName": "ProductionSafe", "description": "Production environment credentials", "location": "\\", "managingCPM": "PasswordManager", "numberOfDaysRetention": 180, "numberOfVersionsRetention": null, "autoPurgeEnabled": false } ], "count": 1 } ``` ``` -------------------------------- ### Get All Connectors via CyberArk REST API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of all registered CyberArk connectors in the tenant. Requires a valid Bearer token for authorization. ```bash curl -X GET "https://mycompany.cyberark.cloud/api/connectors" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` -------------------------------- ### Get Active Sessions via Privilege Cloud API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of active privileged sessions within a specified time range. Allows filtering by user, safe, and specific activities. ```bash curl -X GET "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/LiveSessions?FromTime=1738818000&ToTime=1738872900&Limit=100&offset=0&Search=admin" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` -------------------------------- ### Get Password via Central Credential Provider (CCP) API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves credentials directly from CCP for automated applications. Supports authentication via AppID, certificate-based authentication, and specific object queries. ```bash curl -X GET "https://ccp.company.com/AIMWebService/api/Accounts?AppID=MyApplication&Safe=ProductionSafe&Object=WinDomain-svc-webapp-prod" \ -H "Content-Type: application/json" ``` -------------------------------- ### Bruno Environment Configuration Templates Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Configuration templates for Bruno collections, defining environment variables and secrets for both ISPSS (Shared Services) and self-hosted PAM environments. ```text # Bruno Environment Configuration (ISPSS Environment.bru) vars { subdomain: your-company-subdomain identityTenantID: abc1234 identityAPIUsername: serviceaccount@cyberark.cloud.123 safeName: ProductionSafe platformID: WinDomain accountID: 21_3 CCPAddress: ccp.company.com appID: MyApplication } vars:secret [ identityAPIPassword, identityToken, PAMSessionToken, CCPRetrievedSecret, conjurToken ] ``` ```text # Bruno Environment Configuration (Self-Hosted Environment.bru) vars { PVWAAddress: pvwa.company.com CCPAddress: ccp.company.com PTAAddress: pta.company.com EPMAddress: https://epmserver.local PAMUsername: administrator safeName: ProductionSafe platformID: WinServerLocal appID: MyApplication } vars:secret [ PAMPassword, PAMSessionToken, CCPRetrievedSecret, PTASessionToken, EPMToken ] ``` -------------------------------- ### POST /CDirectoryService/CreateUser Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new user account within the CyberArk Identity directory service. ```APIDOC ## POST /CDirectoryService/CreateUser ### Description Creates a new user in CyberArk Identity with specified attributes and optional role assignments. ### Method POST ### Endpoint https://{tenant}.id.cyberark.cloud/CDirectoryService/CreateUser ### Request Body - **Name** (string) - Required - Unique username - **Mail** (string) - Required - User email address - **DisplayName** (string) - Optional - Full name of the user - **ServiceUser** (boolean) - Optional - Flag to mark as a service account ### Request Example { "Name": "john.doe", "Mail": "john.doe@company.com", "DisplayName": "John Doe" } ``` -------------------------------- ### Clone CyberArk Bruno Collections Repository Source: https://github.com/iam-jah/cyberark-rest-api-bruno/blob/main/README.md Use the Git command-line tool to clone the repository containing the Bruno collections and environment files to your local machine for use within the Bruno API client. ```bash git clone https://github.com/IAM-Jah/CyberArk-REST-API-Bruno/ ``` -------------------------------- ### Add Account (Self-Hosted PAM) Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new privileged account in the vault with specified properties including platform, safe, credentials, and access settings. This is a placeholder for the actual code snippet. ```bash ``` -------------------------------- ### Create Multi-Cloud Access Policy via CyberArk JIT API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new access policy for AWS, Azure, and GCP resources. It defines user access rules, connection parameters, and time-based restrictions for specific roles. ```bash curl -X POST "https://mycompany-jit.cyberark.cloud/api/access-policies" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "policyName": "Production App Access", "status": "Enabled", "description": "JIT access for production servers", "providersData": { "AWS": { "regions": ["us-east-1", "us-west-2"], "tags": [{"Key": "env", "Value": ["prod"]}], "vpcIds": [], "accountIds": ["123456789012"] }, "Azure": { "regions": ["eastus", "westus2"], "tags": [{"Key": "env", "Value": ["prod"]}], "subscriptions": ["sub-abc123"] }, "GCP": { "regions": ["us-central1"], "labels": [{"Key": "env", "Value": ["prod"]}], "projects": ["my-gcp-project"] } }, "startDate": "2024-01-01", "endDate": "2024-12-31", "userAccessRules": [ { "ruleName": "dev-team-access", "userData": { "roles": ["DevOps_Team"], "groups": ["CloudAdmins"], "users": [] }, "connectionInformation": { "connectAs": { "AWS": {"ssh": "ec2-user"}, "Azure": {"ssh": "azureuser"}, "GCP": {"ssh": "admin"} }, "grantAccess": 4, "idleTime": 15, "daysOfWeek": ["Mon", "Tue", "Wed", "Thu", "Fri"], "fullDays": false, "hoursFrom": "08:00", "hoursTo": "18:00", "timeZone": "America/New_York" } } ] }' ``` -------------------------------- ### POST /api/access-policies Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new multi-cloud access policy defining JIT access rules for AWS, Azure, and GCP environments. ```APIDOC ## POST /api/access-policies ### Description Creates a new multi-cloud access policy to manage JIT access for cloud resources. ### Method POST ### Endpoint https://mycompany-jit.cyberark.cloud/api/access-policies ### Request Body - **policyName** (string) - Required - Name of the policy - **status** (string) - Required - Policy status (e.g., Enabled) - **providersData** (object) - Required - Cloud-specific configuration for AWS, Azure, and GCP - **userAccessRules** (array) - Required - Rules defining user roles and connection information ### Request Example { "policyName": "Production App Access", "status": "Enabled", "providersData": { "AWS": { "regions": ["us-east-1"] } }, "userAccessRules": [] } ``` -------------------------------- ### Add Windows Domain Account to CyberArk Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Adds a new Windows domain account to CyberArk Privilege Cloud. Requires account details, platform information, safe name, and secret management settings. The 'platformAccountProperties' field is used to specify the logon domain. ```bash curl -X POST "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/Accounts/" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "name": "WinDomain-svc-webapp-prod", "address": "dc01.company.com", "userName": "svc-webapp", "platformId": "WinDomain", "safeName": "ProductionSafe", "secretType": "password", "secret": "InitialPassword123!", "platformAccountProperties": { "LogonDomain": "COMPANY" }, "secretManagement": { "automaticManagementEnabled": true }, "remoteMachinesAccess": { "remoteMachines": "webapp01.company.com;webapp02.company.com", "accessRestrictedToRemoteMachines": true } }' ``` -------------------------------- ### Retrieve Remote Access Users Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Fetches a list of users from the Remote Access (Alero) service. Supports filtering by name and pagination parameters. ```bash # Get all remote access users curl -X GET "https://api.alero.io/v2-edge/users/" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." # Search users by name with pagination curl -X GET "https://api.alero.io/v2-edge/users/?name=john&offset=0&limit=50" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." ``` -------------------------------- ### POST /api/safes Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new safe with specified retention policies, CPM management, and location settings. ```APIDOC ## POST /api/safes ### Description Creates a new safe with specified retention policies, CPM management, and location settings. ### Method POST ### Endpoint /PasswordVault/API/Safes/ ### Parameters #### Request Body - **safeName** (string) - Required - The name of the new safe. - **description** (string) - Optional - Description for the safe. - **managingCPM** (string) - Optional - The CPM that will manage the safe. - **numberOfDaysRetention** (integer) - Optional - Number of days to retain versions. - **numberOfVersionsRetention** (integer) - Optional - Number of versions to retain. - **autoPurgeEnabled** (boolean) - Optional - Whether to enable automatic purging. - **location** (string) - Optional - The location of the safe. ### Request Example ```json { "safeName": "DevTeamCredentials", "description": "Development team shared credentials", "managingCPM": "PasswordManager", "numberOfDaysRetention": 180, "numberOfVersionsRetention": null, "autoPurgeEnabled": false, "location": "" } ``` ### Response #### Success Response (200) - **safeNumber** (integer) - The unique number of the created safe. - **safeName** (string) - The name of the created safe. - **description** (string) - Description of the safe. - **managingCPM** (string) - The CPM managing the safe. - **numberOfDaysRetention** (integer) - Number of days for retention. #### Response Example ```json { "safeNumber": 43, "safeName": "DevTeamCredentials", "description": "Development team shared credentials", "managingCPM": "PasswordManager", "numberOfDaysRetention": 180 } ``` ``` -------------------------------- ### Add Safe Member via Privilege Cloud API Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Adds a user or group to a specific safe with defined permissions. Requires a valid Bearer token and a JSON payload specifying the member name, type, and permission set. ```bash curl -X POST "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/Safes/DevTeamCredentials/Members/" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "memberName": "DevTeamLead", "searchIn": "Vault", "membershipExpirationDate": null, "permissions": { "useAccounts": true, "retrieveAccounts": true, "listAccounts": true, "addAccounts": true, "updateAccountContent": true, "updateAccountProperties": true, "initiateCPMAccountManagementOperations": true, "specifyNextAccountContent": true, "renameAccounts": true, "deleteAccounts": true, "unlockAccounts": true, "manageSafe": true, "manageSafeMembers": true, "backupSafe": false, "viewAuditLog": true, "viewSafeMembers": true, "accessWithoutConfirmation": true, "createFolders": true, "deleteFolders": true, "moveAccountsAndFolders": true, "requestsAuthorizationLevel1": false, "requestsAuthorizationLevel2": false }, "MemberType": "User" }' ``` -------------------------------- ### List Secrets in Secrets Hub Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves a list of secrets from Secrets Hub with options for pagination and filtering by secret store. Requires specific headers for beta API access. ```bash # List all secrets with extended projection curl -X GET "https://mycompany.secretshub.cyberark.cloud/api/secrets?projection=EXTEND&limit=100" \ -H "Content-Type: application/json" \ -H "Accept: application/x.secretshub.beta+json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." # Filter by specific secret stores curl -X GET "https://mycompany.secretshub.cyberark.cloud/api/secrets?projection=EXTEND" \ -H "Content-Type: application/json" \ -H "Accept: application/x.secretshub.beta+json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "scope": { "secretStoresIds": ["store-c3051c3a-5584-43e3-905d-420b37d5633c"] } }' ``` -------------------------------- ### Self-Hosted PAM Authentication (CyberArk, LDAP, RADIUS, Windows) Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Authenticates to self-hosted CyberArk PVWA using various methods like CyberArk, LDAP, RADIUS, or Windows. Returns a session token for subsequent API calls. Requires username, password, and optionally concurrent session setting. ```bash # Self-Hosted PAM Authentication (CyberArk, LDAP, RADIUS, or Windows) curl -X POST "https://pvwa.company.com/PasswordVault/API/auth/CyberArk/Logon" \ -H "Content-Type: application/json" \ -d '{ "username": "Administrator", "password": "MyPassword123!", "concurrentSession": "true" }' # Response: "st5d7c1e8a-2b3f-4c5d-6e7f-8g9h0i1j2k3l" # Using LDAP authentication curl -X POST "https://pvwa.company.com/PasswordVault/API/auth/LDAP/Logon" \ -H "Content-Type: application/json" \ -d '{ "username": "domain\adminuser", "password": "MyLDAPPassword!", "concurrentSession": "true" }' ``` -------------------------------- ### POST /api/accounts Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Adds a new account to the vault. Supports different platform types like Windows Domain and SSH keys. ```APIDOC ## POST /api/accounts ### Description Adds a new account to the vault. Supports different platform types like Windows Domain and SSH keys. ### Method POST ### Endpoint /PasswordVault/API/Accounts/ ### Parameters #### Request Body - **name** (string) - Required - The name of the account. - **address** (string) - Required - The address of the machine where the account is used. - **userName** (string) - Required - The username for the account. - **platformId** (string) - Required - The ID of the platform associated with the account (e.g., "WinDomain", "UnixSSH"). - **safeName** (string) - Required - The name of the safe where the account will be stored. - **secretType** (string) - Required - The type of secret (e.g., "password", "key"). - **secret** (string) - Required - The actual secret value (password or private key). - **platformAccountProperties** (object) - Optional - Platform-specific properties (e.g., `LogonDomain` for Windows). - **LogonDomain** (string) - Optional - The domain for Windows accounts. - **secretManagement** (object) - Optional - Settings for secret management. - **automaticManagementEnabled** (boolean) - Optional - Whether automatic management is enabled. - **remoteMachinesAccess** (object) - Optional - Settings for remote machine access. - **remoteMachines** (string) - Optional - A semicolon-separated list of remote machines. - **accessRestrictedToRemoteMachines** (boolean) - Optional - Whether access is restricted to specific remote machines. ### Request Example ```json { "name": "WinDomain-svc-webapp-prod", "address": "dc01.company.com", "userName": "svc-webapp", "platformId": "WinDomain", "safeName": "ProductionSafe", "secretType": "password", "secret": "InitialPassword123!", "platformAccountProperties": { "LogonDomain": "COMPANY" }, "secretManagement": { "automaticManagementEnabled": true }, "remoteMachinesAccess": { "remoteMachines": "webapp01.company.com;webapp02.company.com", "accessRestrictedToRemoteMachines": true } } ``` ### Response #### Success Response (200) - **safeNumber** (integer) - The unique number of the created safe. - **safeName** (string) - The name of the created safe. #### Response Example ```json { "safeNumber": 43, "safeName": "DevTeamCredentials", "description": "Development team shared credentials", "managingCPM": "PasswordManager", "numberOfDaysRetention": 180 } ``` ``` -------------------------------- ### Create CyberArk Identity User Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new user or service account within the CyberArk Identity directory. Requires administrative authorization and specific user attribute payloads. ```bash # Create a new Identity user curl -X POST "https://abc1234.id.cyberark.cloud/CDirectoryService/CreateUser" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "Name": "john.doe", "Mail": "john.doe@company.com", "DisplayName": "John Doe", "Description": "DevOps Engineer", "MobileNumber": "+1-555-123-4567", "InEverybodyRole": true, "SendEmailInvite": true, "ForcePasswordChangeNext": true }' # Create service account user curl -X POST "https://abc1234.id.cyberark.cloud/CDirectoryService/CreateUser" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "Name": "svc-automation", "Mail": "svc-automation@company.com", "ServiceUser": true, "PasswordNeverExpire": true, "InSysAdminRole": false }' ``` -------------------------------- ### Secure Infrastructure Access (SIA) APIs - Add Authorization Policy Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates an authorization policy for just-in-time access to cloud infrastructure across AWS, Azure, GCP, and on-premises environments. ```APIDOC ## POST /api/policies ### Description Creates an authorization policy for just-in-time access to cloud infrastructure across AWS, Azure, GCP, and on-premises environments. ### Method POST ### Endpoint /api/policies ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body - **policy** (object) - Required - The authorization policy definition. - **name** (string) - Required - The name of the policy. - **description** (string) - Optional - A description for the policy. - **targets** (array of objects) - Required - Defines the cloud or on-premises environments the policy applies to. - **type** (string) - Required - The type of target (e.g., "AWS", "Azure", "GCP", "OnPremises"). - **region** (string) - Optional - The region for cloud targets. - **account_id** (string) - Optional - The account ID for AWS targets. - **subscription_id** (string) - Optional - The subscription ID for Azure targets. - **project_id** (string) - Optional - The project ID for GCP targets. - **permissions** (array of objects) - Required - Defines the permissions granted by the policy. - **action** (string) - Required - The action to be permitted (e.g., "ec2:StartInstances"). - **resource** (string) - Optional - The specific resource the action applies to. - **principals** (array of objects) - Required - Defines who is granted the permissions. - **type** (string) - Required - The type of principal (e.g., "User", "Group", "ServiceAccount"). - **identity** (string) - Required - The identifier of the principal. - **schedule** (object) - Optional - Defines the time window for the policy. - **start_time** (string) - Required - The start time for the policy (ISO 8601 format). - **end_time** (string) - Required - The end time for the policy (ISO 8601 format). ### Request Example ```json { "policy": { "name": "JIT-Access-to-Prod-DB", "description": "Grant temporary access to production database servers", "targets": [ { "type": "AWS", "region": "us-east-1", "account_id": "123456789012" } ], "permissions": [ { "action": "rds:Connect", "resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db" } ], "principals": [ { "type": "User", "identity": "user@example.com" } ], "schedule": { "start_time": "2024-01-20T09:00:00Z", "end_time": "2024-01-20T17:00:00Z" } } } ``` ### Response #### Success Response (201) - **policy_id** (string) - The unique identifier for the created policy. - **message** (string) - A confirmation message. #### Response Example ```json { "policy_id": "policy-xyz789", "message": "Authorization policy created successfully." } ``` ``` -------------------------------- ### POST /PasswordVault/API/auth/{method}/Logon Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Authenticates to self-hosted CyberArk PVWA using various authentication methods including CyberArk, LDAP, RADIUS, or Windows authentication. ```APIDOC ## POST /PasswordVault/API/auth/{method}/Logon ### Description Authenticates to self-hosted CyberArk PVWA using various authentication methods. Returns a session token for subsequent API calls. ### Method POST ### Endpoint https://pvwa.company.com/PasswordVault/API/auth/{method}/Logon ### Parameters #### Path Parameters - **method** (string) - Required - Authentication method (e.g., CyberArk, LDAP, RADIUS, Windows) ### Request Body - **username** (string) - Required - Username for authentication - **password** (string) - Required - Password for authentication - **concurrentSession** (boolean) - Optional - Allow concurrent sessions ### Request Example { "username": "Administrator", "password": "MyPassword123!", "concurrentSession": "true" } ### Response #### Success Response (200) - **token** (string) - The session token string ``` -------------------------------- ### POST /PasswordVault/API/Safes/{safeName}/Members Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Adds a user or group to a specific safe with defined permissions for account management and administration. ```APIDOC ## POST /PasswordVault/API/Safes/{safeName}/Members ### Description Adds a user or group to a safe with specified permissions for account access, management, and administration. ### Method POST ### Endpoint https://{base_url}/PasswordVault/API/Safes/{safeName}/Members/ ### Parameters #### Path Parameters - **safeName** (string) - Required - The name of the target safe. #### Request Body - **memberName** (string) - Required - Name of the user or group. - **searchIn** (string) - Required - Directory source (e.g., "Vault"). - **permissions** (object) - Required - Set of boolean flags defining access levels. - **MemberType** (string) - Required - "User" or "Group". ### Request Example { "memberName": "DevTeamLead", "searchIn": "Vault", "permissions": { "useAccounts": true, "listAccounts": true }, "MemberType": "User" } ### Response #### Success Response (200) - **status** (string) - Confirmation of member addition. ``` -------------------------------- ### Add Safe to CyberArk Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Creates a new safe in CyberArk. Requires a safe name and can optionally include description, CPM management settings, retention policies, and auto-purge settings. ```bash # Privilege Cloud - Create a new safe curl -X POST "https://mycompany.privilegecloud.cyberark.cloud/PasswordVault/API/Safes/" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -d '{ "safeName": "DevTeamCredentials", "description": "Development team shared credentials", "managingCPM": "PasswordManager", "numberOfDaysRetention": 180, "numberOfVersionsRetention": null, "autoPurgeEnabled": false, "location": "" }' ``` -------------------------------- ### OIDC Authentication (Privilege Cloud Shared Services) Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Authenticates to CyberArk Identity using OAuth 2.0 client credentials flow to obtain an access token for Privilege Cloud Shared Services APIs. The token is automatically stored as an environment variable for subsequent requests. Requires client ID and client secret. ```bash # OIDC Client Credentials Authentication curl -X POST "https://abc1234.id.cyberark.cloud/oauth2/platformtoken" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials" \ -d "client_id=myserviceaccount@cyberark.cloud.123" \ -d "client_secret=MySecretPassword123!" # Response: # { # "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", # "token_type": "Bearer", # "expires_in": 3600 # } ``` -------------------------------- ### Logoff from Self-Hosted PAM Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Terminates the current PAM session and invalidates the session token. Requires the session token obtained during authentication. ```bash # Logoff from Self-Hosted PAM curl -X POST "https://pvwa.company.com/PasswordVault/API/auth/Logoff" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer st5d7c1e8a-2b3f-4c5d-6e7f-8g9h0i1j2k3l" ``` -------------------------------- ### Add SSH Key Account to CyberArk Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Adds a new SSH key account to CyberArk Self-Hosted PAM. Requires account details, platform information, safe name, and secret management settings. The 'secretType' is set to 'key' and the private key is provided in the 'secret' field. ```bash curl -X POST "https://pvwa.company.com/PasswordVault/API/Accounts" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer st5d7c1e8a-2b3f-4c5d-6e7f-8g9h0i1j2k3l" \ -d '{ "name": "UnixSSH-root-linuxserver01", "address": "linuxserver01.company.com", "userName": "root", "platformId": "UnixSSH", "safeName": "LinuxSafe", "secretType": "key", "secret": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...", "secretManagement": { "automaticManagementEnabled": true } }' ``` -------------------------------- ### POST /api/accounts/{id}/password/retrieve Source: https://context7.com/iam-jah/cyberark-rest-api-bruno/llms.txt Retrieves the actual password or secret value for a specific account. Supports ticketing system integration and access reasons. ```APIDOC ## POST /api/accounts/{id}/password/retrieve ### Description Retrieves the actual password or secret value for a specific account. Supports ticketing system integration and access reasons. ### Method POST ### Endpoint /PasswordVault/API/Accounts/{id}/Password/Retrieve/ ### Parameters #### Path Parameters - **id** (string) - Required - The ID of the account. #### Request Body - **reason** (string) - Required - The reason for retrieving the password. - **TicketingSystem** (string) - Optional - The name of the ticketing system. - **TicketId** (string) - Optional - The ID of the ticket. - **ActionType** (string) - Optional - The type of action (e.g., "copy", "show"). - **Machine** (string) - Optional - The specific machine for which the password is requested. - **Version** (integer) - Optional - The version of the password to retrieve. ### Request Example ```json { "reason": "Scheduled maintenance - ticket INC001234", "TicketingSystem": "ServiceNow", "TicketId": "INC001234", "ActionType": "copy", "Machine": "webapp01.company.com" } ``` ### Response #### Success Response (200) - **string** - The actual password or secret value. #### Response Example "ActualPassword123!" ```