Overview
This integration links CyberArk’s Workforce Password Manager with Grip to centralize the discovery and management of unmanaged SaaS applications.
Apps identified by Grip as unmanaged are onboarded into WPM, where their credentials are stored securely and can be rotated.
By integrating discovery, provisioning, and rotation into a single system, organizations obtain comprehensive visibility and governance over all application credentials.
This unified approach eliminates shadow‑IT risks and simplifies ongoing credential management at scale.
Grip continuously identifies new “shadow” SaaS applications and automatically provisions them into WPM. You can also manage account credentials by choosing the “Rotate Password” option.
CyberArk Setup
The setup involves creating CyberArk service identities with the needed permissions, connecting those accounts to Grip via API credentials, configuring attribute mappings, and setting up automated sync.
CyberArk Integration requires a service account for authentication to various services.
The following guide will take you step by step through the integration process.
1 - Create Service Account
This step will create a new entity in your IdP that serves solely as the means of authentication for Grip to integrate with the CyberArk API.
Go to the Identity Administration console (1)
Under Core Services → Users (2)
Choose Add User (3)
Enter the values for the Grip service account (4).
Note that it is recommended to use the generated password (5).
Service accounts are users that cannot be accessed through interactive interfaces. They otherwise function like regular users, but their primary purpose is to serve as a means of authentication for API calls.
To ensure you create the new user as a service account user, be sure to select the following checkboxes: (6)
Password never expires.
Is service user.
Is OAuth confidential client.
2 - Granting Permissions
Configure which CyberArk services this user has access to.
Under “Core Services → Roles” (1)
Click “Add Role” and name it “grip-service” (2)
Click “Save.”
In the Role page, go to “Add Members” and add the Grip member to the role (3).
Click on “Add.”
Under “Administrative Rights”, search for and add the following (for more details, see the permissions section):
Application Management
User Management
Once completed, click “Save.”
Application Management Permissions
Grip integration involves retrieving data from CyberArk WPM to provide an accurate snapshot of the organization's status. This process includes fetching the applications listed in WPM, which requires read permissions for those applications.
Grip integration involves provisioning applications in general and specific accounts in particular.
To achieve this, applications must be maintained by the Grip service account (created or modified), which requires write permissions for applications.
Reference
API token authentication for CyberArk Identity Security Platform Shared Services | Before you begin
3 - Integration with Grip Security
Add the created Grip service account to Grip Security.
In the Grip platform, go to “Integrations” → “Identity & Access Management” → “CyberArk.”
Click on “Connect.”
In the “Connect with CyberArk” window, enter the following details:
Identity Tenant ID (1) - your CyberArk tenant ID.
Your <identity-tenant-id> can be retrieved by clicking on your User avatar and navigating to the About section.
The ID is located under the Identity section.
Client ID (2) - The username of the created service account.
Client Secret (3) - The password of the created service account.
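A pre-flight check for the three values above, as an added example that is not part of the original guide and is not Grip's or CyberArk's own code: it requests a token with the service account's client credentials before they are entered in Grip, and reports the outcome without printing the token. The platformtoken endpoint is assumed from the CyberArk reference cited earlier; the tenant-ID pattern, function names and environment variable names are hypothetical.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumption: token endpoint as described in the CyberArk reference cited above.
TOKEN_URL = "https://{tenant}.id.cyberark.cloud/oauth2/platformtoken"
TENANT_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")  # assumed shape: one bare DNS label

def build_token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST; the secret travels only in the body."""
    if not TENANT_RE.fullmatch(tenant_id):
        raise ValueError("tenant ID must be a bare label, not a URL or hostname")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # username of the service account
        "client_secret": client_secret,  # password of the service account
    }).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def summarize_token_response(status, raw_body):
    """Return a loggable verdict that never includes the token itself."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        doc = None
    doc = doc if isinstance(doc, dict) else {}
    if status == 200 and doc.get("access_token"):
        return {"ok": True, "expires_in": doc.get("expires_in")}
    return {"ok": False, "status": status, "error": doc.get("error", "unknown")}

def check_service_account(tenant_id, client_id, client_secret):
    """Send the request and summarize success or the HTTP error returned."""
    req = build_token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return summarize_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return summarize_token_response(err.code, err.read())

if __name__ == "__main__":
    # Hypothetical variable names; secrets come from the environment, not argv.
    print(check_service_account(os.environ["CYBERARK_TENANT_ID"],
                                os.environ["GRIP_CLIENT_ID"],
                                os.environ["GRIP_CLIENT_SECRET"]))
```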
View Options.
View Applications - Grip
A table links each Grip application to its corresponding CyberArk application, displaying key details from both platforms, including application risk level, total service accounts, password rotation status, last synchronization time, and more (1).
Additionally, each application entry includes a list of actionable operations (e.g., creating an application in CyberArk, provisioning users’ accounts, and triggering rotation/disabling credentials) (2).
View Identities - Grip
A table listing each Grip user along with their corresponding CyberArk user, including key attributes from both systems, Grip identity risk score, number of Grip accounts, number of CyberArk accounts, last login timestamp, and more.
Additionally, a set of recommended next-step actions (provision account, reset password, etc.) is available and can be performed directly from the user’s record.
CyberArk User View
CyberArk Admin View
Actions explanation
Grip operates a browser automation that accesses the SaaS portal to change passwords and manage mailboxes for reset links, OTPs, and additional task flows.
Once the new password is generated and changed, it is automatically updated in the WPM account. For more details, please contact the Grip team.