
UAP SCA policy SDK workflow

Here is an example workflow for adding a UAP SCA access policy via the SDK:

package main

import (
    "fmt"
    "github.com/cyberark/ark-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/ark-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/ark-sdk-golang/pkg/models/common"
    commonuapmodels "github.com/cyberark/ark-sdk-golang/pkg/services/uap/common/models"
    uapscamodels "github.com/cyberark/ark-sdk-golang/pkg/services/uap/sca/models"
    "github.com/cyberark/ark-sdk-golang/pkg/services/uap"
    "os"
)

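// newExamplePolicy builds the SCA cloud-console access policy this example
// submits: a recurring policy for one AWS account role, restricted to an
// access window on days 1-5 (presumably Monday-Friday) between 09:00 and
// 17:00, with a MaxSessionDuration of 4 (units as defined by the SDK).
// Every identifier below (user, directory, account, role) is a placeholder and
// must be replaced with values from the target tenant.
func newExamplePolicy() *uapscamodels.ArkUAPSCACloudConsoleAccessPolicy {
    return &uapscamodels.ArkUAPSCACloudConsoleAccessPolicy{
        ArkUAPCommonAccessPolicy: commonuapmodels.ArkUAPCommonAccessPolicy{
            Metadata: commonuapmodels.ArkUAPMetadata{
                Name:        "Example SCA Access Policy",
                Description: "This is an example of a SCA access policy.",
                Status: commonuapmodels.ArkUAPPolicyStatus{
                    Status: commonuapmodels.StatusTypeValidating,
                },
                PolicyEntitlement: commonuapmodels.ArkUAPPolicyEntitlement{
                    TargetCategory: commonmodels.CategoryTypeCloudConsole,
                    LocationType:   commonmodels.WorkspaceTypeAWS,
                    PolicyType:     commonuapmodels.PolicyTypeRecurring,
                },
                PolicyTags: []string{},
            },
            // The principal granted access; the user is resolved by ID within
            // the named source directory, the Name is informational.
            Principals: []commonuapmodels.ArkUAPPrincipal{
                {
                    Type:                commonuapmodels.PrincipalTypeUser,
                    ID:                  "user-id",
                    Name:                "user@cyberark.cloud.12345",
                    SourceDirectoryName: "CyberArk",
                    SourceDirectoryID:   "12345",
                },
            },
        },
        Conditions: uapscamodels.ArkUAPSCAConditions{
            ArkUAPConditions: commonuapmodels.ArkUAPConditions{
                AccessWindow: commonuapmodels.ArkUAPTimeCondition{
                    DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                    FromHour:      "09:00:00",
                    ToHour:        "17:00:00",
                },
                MaxSessionDuration: 4,
            },
        },
        // Scope the policy to exactly one role in one AWS account; least
        // privilege is expressed here, so keep the target list as narrow as
        // the use case allows.
        Targets: uapscamodels.ArkUAPSCACloudConsoleTarget{
            AwsAccountTargets: []uapscamodels.ArkUAPSCAAWSAccountTarget{
                {
                    uapscamodels.ArkUAPSCATarget{
                        RoleID:        "arn:aws:iam::123456789012:role/ExampleRole",
                        RoleName:      "ExampleRole",
                        WorkspaceID:   "123456789012",
                        WorkspaceName: "ExampleWorkspace",
                    },
                },
            },
        },
    }
}

// main authenticates to the platform with ArkISPAuth and adds the example
// SCA access policy through the UAP API. It exits non-zero when ARK_SECRET is
// missing and panics on SDK errors, as an example script may.
func main() {
    // The credential is taken from the environment rather than embedded in
    // the source; fail early with a clear message instead of sending an empty
    // secret to the identity service.
    secret, ok := os.LookupEnv("ARK_SECRET")
    if !ok || secret == "" {
        fmt.Fprintln(os.Stderr, "ARK_SECRET environment variable is not set")
        os.Exit(1)
    }

    // Perform authentication using ArkISPAuth to the platform:
    // first create an ISP authentication class, then authenticate with the
    // Identity auth method and the secret loaded above.
    ispAuth := auth.NewArkISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.ArkAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityArkAuthMethodSettings{},
        },
        &authmodels.ArkSecret{
            Secret: secret,
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // The UAP API needs the concrete ISP authenticator; use the checked form
    // of the assertion so a type mismatch yields a readable message rather
    // than a bare runtime panic.
    ispAuthImpl, ok := ispAuth.(*auth.ArkISPAuth)
    if !ok {
        fmt.Fprintf(os.Stderr, "unexpected authenticator type %T\n", ispAuth)
        os.Exit(1)
    }
    uapAPI, err := uap.NewArkUAPAPI(ispAuthImpl)
    if err != nil {
        panic(err)
    }

    policy, err := uapAPI.Sca().AddPolicy(newExamplePolicy())
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}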

In the script above, the following actions are defined:

  • The admin user is logged in to perform actions on the tenant
  • We then build a UAP SCA access policy and add it through the UAP API