The CyberArk integration synchronizes personnel into Drata and provisions a Drata account for each individual. It should be one of the first connections you complete, because compliance monitoring of your company's personnel depends on it.
Key Capabilities
Sync personnel from CyberArk into Drata
Provision Drata accounts for synchronized personnel
Use CyberArk as an Identity Provider (IdP) for personnel authentication
Use CyberArk as an Enterprise SSO provider
Optionally scope personnel synchronization to a specific CyberArk role
If your Drata tenant has previously connected to CyberArk through Enterprise SSO, this connection can be maintained.
Prerequisites & Data Access
Email domain requirements: The email domain of the account connecting the IdP must match the email domains of the personnel you want to sync. Personnel with different or multiple domains are not synced. To sync additional domains, contact Drata Technical Support.
Role requirements: To connect, you must be assigned one of the following Drata roles: Admin, Workspace Manager, or DevOps Engineer.
If you have the Access Reviewer role, you can only view the Connections page.
For individuals who have SSO configured:
If your Drata tenant has previously connected to CyberArk using our Enterprise Single Sign-On (SSO) connection, you can maintain that connection.
For individuals who are using Privileged Access Manager:
Drata can monitor who has enabled Multi-Factor Authentication (MFA) and can also automate Test 86 (MFA on Identity Provider test).
Permissions & Data Table
Permission/Scope | Why It’s Needed | Data Accessed (Read Only)
--- | --- | ---
Read all users | Required for importing personnel and monitoring account status | User account list, group membership
CyberArk Role (optional scope limit) | Allows restricting sync to a designated CyberArk role | Members of the selected role
Step-by-Step Setup
Before You Begin
There may be a delay between the initial connection and the first account import. For large organizations syncing hundreds of accounts, this may take up to one hour.
If you need to sync multiple email domains, contact Drata Technical Support.
There are three parts to the CyberArk integration:
Connect CyberArk as an Identity Provider: Sync personnel into Drata by opening the Drata connection drawer and entering the necessary connection details.
Connect Enterprise SSO Provider: Allow personnel to use single sign-on (SSO) to access Drata.
Limit the Scope for Drata (Optional): Limit the synchronization to a specific subset of personnel.
Step 1: Connect CyberArk as an Identity Provider
Select Connections from the left-side navigation menu.
Select the Available connections tab and search for CyberArk. Then select the Connect button.
Follow the instructions in the connection drawer carefully.
Enable the permission level Read all users in the modal. Paste the required values in each field as indicated.
Step 2: Connect CyberArk as an Enterprise SSO Provider
If you did not set up the Enterprise Single Sign-On connection, the following banner is displayed after connecting CyberArk:
Go to Connections.
Filter for Enterprise Single Sign-On.
Search for the Single Sign-On connection and connect it.
If the (Enterprise) Single Sign-On connection is not connected, only administrators will be able to log in to Drata, using the magic link functionality.
Step 3: Limit the Scope for Drata (Optional)
Note: Drata does not support nested groups. Only direct (top-level) members of the specified group are synced; members of second-level or deeper nested groups are not.
After establishing the connection, you can optionally limit the synchronization to a specific group of individuals by following these steps:
Select your CyberArk connection and then the edit icon near the Setup details section.
Designate a CyberArk Role to sync with. Make sure this role includes the Drata administrator as well. You may want to navigate to the CyberArk role page, which has a URL of the form:
{domain}.id.cyberark.cloud/admin#/RoleList/RoleDetails
Important Behavior
If an extra character or typo is entered in the CyberArk group field:
The sync will not match the intended group.
Drata will default to syncing all users.
If the administrator corrects the typo:
The next sync will update the personnel list based on the correct group.
Users outside the designated group will be marked as Former Employee, indicating they are now out of scope.
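To make the scoping behavior above concrete, here is an added Python model of the sync rules this page describes (domain filter, optional role scope, the all-users fallback on a mistyped role, no nested-group expansion, and Former Employee marking). It is an illustration written for this page, not Drata's or CyberArk's code; the directory, role names and email domain are constructed.

```python
# Added illustration of the page's sync-scoping rules; not Drata's own code.
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)  # direct (top-level) memberships only


# Constructed sample directory. "Engineering" is nested under "Drata-Users" in
# CyberArk, but the sync sees only direct members, so Bob is not in "Drata-Users".
DIRECTORY = [
    User("admin@example.com", {"Drata-Users"}),
    User("alice@example.com", {"Drata-Users"}),
    User("bob@example.com", {"Engineering"}),     # reachable only via nested group
    User("carol@partner.org", {"Drata-Users"}),   # different email domain: never synced
]


def sync_personnel(directory, connector_domain, scope_role=None):
    """Return (set of synced emails, list of warnings).
    Rules modelled from the page:
    - only users whose email domain matches the connecting account's domain sync;
    - if scope_role is set but matches no existing role, Drata syncs ALL users;
    - nested group members are not expanded (only direct roles count)."""
    warnings = []
    in_domain = [u for u in directory if u.email.split("@")[-1] == connector_domain]
    known_roles = {r for u in directory for r in u.roles}
    if scope_role is not None and scope_role not in known_roles:
        # The silent widening the page warns about; worth alerting on, not just logging.
        warnings.append(f"scope role {scope_role!r} not found; defaulting to all users")
        scope_role = None
    selected = [u for u in in_domain if scope_role is None or scope_role in u.roles]
    return {u.email for u in selected}, warnings


def reconcile(previous, current):
    """After a corrected sync, anyone synced before but now out of scope is marked
    Former Employee; everyone still in scope stays Current."""
    return {email: ("Current" if email in current else "Former Employee")
            for email in previous | current}


if __name__ == "__main__":
    typo, warns = sync_personnel(DIRECTORY, "example.com", scope_role="Drata-Usres")
    fixed, _ = sync_personnel(DIRECTORY, "example.com", scope_role="Drata-Users")
    print(warns, sorted(typo), sorted(fixed), reconcile(typo, fixed))
```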