# CyberArk Credential Rotation Adapter — Adapter Technical Specification
Status: reserved · Class: modernization · Mission: integration · Phase: phase-planning
Canon source: canon/modernization-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.
## Overview
The CyberArk Adapter is an integration-class modernization adapter for credential rotation and privileged access management. It consumes CyberArk vault account data via the REST API and produces canonical claims for service accounts, certificates, and privileged credentials.
Key capabilities: vault account enumeration by safe, credential rotation reporting (change-making surface), and KSI-anchored evidence generation for IA-5 compliance. Requires an on-prem-self-hosted runner with network access to the vault.
Implementation: uiao/src/uiao/adapters/cyberark_adapter.py. Conformance: 30/30 PASS.
## Scope
Target surfaces / subsystems: privileged-accounts, service-credentials, certificate-rotation, vault-policies
Reads: CyberArk vault account data (JSON with AccountID, SafeName, PlatformID, UserName, LastModifiedTime). Emits: ClaimSet with one claim per vault account, DriftReport for rotation actions, EvidenceObject with account count. Does NOT: rotate credentials without explicit invocation, access credential values/secrets, or operate outside the configured safe scope.
## Controls
NIST SP 800-53 Rev 5 controls this adapter supports: IA-5, IA-5(1), AC-2, AC-6
| Control | Role | Adapter capability |
|---|---|---|
| IA-5 Authenticator Management | Primary | Credential lifecycle tracking with rotation timestamps and safe assignments. |
| IA-5(1) Password-Based Authentication | Supporting | Password rotation scheduling and compliance evidence. |
| AC-2 Account Management | Supporting | Service account enumeration and lifecycle tracking. |
| AC-6 Least Privilege | Supporting | Safe-scoped access ensures credential isolation per least-privilege. |
## Operational profile
| Field | Value |
|---|---|
| Runtime | python-3.12 |
| Runtime pin | TBD |
| Runner class | on-prem-self-hosted |
| Tenancy | per-customer |
| Evidence class | baseline |
| Retention | 3 year(s) |
## Canon invariants
- gcc-boundary: gcc-moderate
- ssot-mutation: never
- certificate-anchored: true
- object-identity-only: true
## Notes from canon
Tier 4 adapter. Requires an on-prem-self-hosted runner with network access to the CyberArk vault API. Cited in the ODA-15 resolution as a future integration-class adapter example.
## References
- UIAO-CANON-003
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.