CyberArk Import

Migrating CyberArk Accounts to Keeper

Keeper Commander will log on to CyberArk Privilege Cloud Web Portal or the self-hosted Password Vault Web Access (PVWA), retrieve accounts and their passwords, and automatically create corresponding Server records in Keeper.

keeper import --format=cyberark server.domain

If the server is a CyberArk Privilege Cloud Web Portal, i.e., it ends in ".cyberark.cloud," then it will prompt for the CyberArk Identity Tenant ID and CyberArk Service User credentials:

CyberArk Identity Tenant ID: abc12345
CyberArk service user name: myserviceuser
Cyberark service user password:

ℹ️ The Identity Tenant ID is the first part of the login URL, e.g., https://abc12345.id.cyberark.cloud/...

If the server is any other hostname or IP address, then it will prompt for the authentication method, username, and password for PVWA:

CyberArk logon type (Cyberark, LDAP, RADIUS or Windows): LDAP
CyberArk username: myusername
CyberArk password: 

ℹ️ Use LDAP (not Windows) to log in with an Active Directory account

CyberArk Accounts based on Platforms in the Windows and *NIX groups will be imported as Server records. Accounts based on the Business Website platform, i.e., CyberArk Workforce Password Management Accounts, will import as Login records.

Importing Accounts

The process will list the Accounts to be imported, including the ID, Name, and Safe. It will also show a progress meter with a timer and ETA. If password retrieval fails for an Account, a Retry, Skip, or Skip All dialog is presented. The process can retry the request, skip the Account, or skip all Accounts that trigger the same HTTP status.

A dialog resulting from a 400 (Bad Request) HTTP response from the password API endpoint.

Skipped Accounts

The skipped Accounts will be listed after processing is complete. The list includes the ID, Name, Safe, and the Error code and message.

Using a search string to limit the imported Accounts

The process will import all Accounts by default; however, appending a question mark (?) followed by the search string will limit processing to Accounts that match the search.

keeper import --format=cyberark 10.11.12.13?WinDomain

Using a custom query string

Alternatively, if the search string contains '=', the process will pass it to the CyberArk Get Accounts endpoint as a query string. E.g.,

keeper import --format=cyberark example.cyberark.cloud?limit=10&offset=20

passes the limit and offset parameters to the Accounts endpoint, causing it to page the accounts 10 at a time, starting at the 20th account.

PowerShell Method

The end-user guide includes a process to import data into Keeper from Cyberark using a PowerShell script. Note, however, that it accesses the Vault server directly, so it only works on self-hosted servers.

Last updated

Was this helpful?