So, once a LOB has been created and added as a safe member, the CyberArk Synchronizer syncs all of the accounts in the safe with the associated DAP environment.
What if one wants to remove the LOB access to that safe?
Just tried removing the LOB from the Safe membership. So far not noticing an un-sync. Tried restarting the Synchronizer service. No impact so far.
No, it’s a great question. Currently deletion of accounts, LOBs and Safes is not synchronized to the DAP cluster. The most effective way to do that is to load an empty LOB policy with the --replace flag. That’s a bit of advanced policy hackery but I can show you how it’s done with just a few lines of yaml.
Well, as it happens what I had in mind deletes the LOB policy, Safe policies and group definitions, but doesn’t actually delete the variables, which is the whole point. You would need to create a delete policy with a delete record for the LOB policy, and delete records for each variable corresponding to safe account entries.
Which then left me with just an empty Vault policy:
$ conjur list | grep LabVault
"dev:policy:LabVault"
"dev:group:LabVault/Labs-admins"
We should really support recursive deletes, where deleting a policy deletes everything defined under the policy. There may be a good reason we don’t do this, but I can’t think of one. There may be an issue filed for this but if not, I’ll open one. It’d also be nice if the record: could take an array of variable names.
Hey Barry, just realized you probably don’t want to delete the whole LOB policy, just the safe for which the LOB was removed. Here’s the correct delete policy for that.
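As an added example (my own, not the policy posted in the thread and not CyberArk code), the following shell function turns the output of `conjur list` into a delete policy for a single safe: one `!delete` record per variable the Synchronizer created under `<LOB>/<Safe>`, followed by a `!delete` for the safe policy itself, since deleting a policy does not delete the variables defined under it. The resource-ID format (`account:kind:id`, one quoted ID per line as printed by `conjur list`) and the Synchronizer's `<LOB>/<Safe>/<account>/<property>` naming are assumed from the thread; the LOB, safe and account names in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: build a Conjur delete policy for one synced safe.
# Assumes `conjur list` output lines look like "dev:variable:LabVault/MySafe/db-app/password"
# and that absolute IDs are used, so the policy is loaded at root:
#   conjur list | gen_safe_delete_policy LabVault MySafe > delete-mysafe.yml
#   conjur policy load root delete-mysafe.yml
# (IDs are resolved relative to the branch a policy is loaded into, which is
# why loading at root with absolute IDs is the safe choice.)

# Usage: gen_safe_delete_policy <LOB> <Safe>   (reads `conjur list` output on stdin)
gen_safe_delete_policy() {
  lob=$1
  safe=$2
  prefix="$lob/$safe/"
  while IFS= read -r line; do
    # strip the surrounding quotes, trailing comma and whitespace from each listed ID
    id=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*"//' -e 's/"[,]*[[:space:]]*$//')
    case "$id" in
      *:variable:"$prefix"*)
        var=${id#*:variable:}        # drop "account:variable:" to get the bare ID
        printf '%s\n  record: !variable %s\n' '- !delete' "$var"
        ;;
    esac
  done
  # delete the safe policy last, after every variable under it is gone
  printf '%s\n  record: !policy %s\n' '- !delete' "$lob/$safe"
}

# Constructed sample of `conjur list` output (not real vault data): one LOB,
# two synced safes, one account with three properties in the safe we remove.
SAMPLE_CONJUR_LIST='[
  "dev:policy:LabVault",
  "dev:group:LabVault/Labs-admins",
  "dev:policy:LabVault/MySafe",
  "dev:variable:LabVault/MySafe/db-app/address",
  "dev:variable:LabVault/MySafe/db-app/username",
  "dev:variable:LabVault/MySafe/db-app/password",
  "dev:policy:LabVault/OtherSafe",
  "dev:variable:LabVault/OtherSafe/svc/password"
]'

# Convenience wrapper used for the demo: returns the generated YAML for the sample listing.
demo_delete_policy() {
  printf '%s\n' "$SAMPLE_CONJUR_LIST" | gen_safe_delete_policy LabVault MySafe
}

# Only print when run directly, so the functions can be sourced elsewhere.
if [ "${0##*/}" = "gen_safe_delete_policy.sh" ]; then
  demo_delete_policy
fi
```

Because the delete records are explicit, variables in a safe the LOB still has access to (`OtherSafe` above) are left untouched; the Synchronizer will not recreate the removed variables as long as the LOB is no longer a member of the safe. Review the generated file before loading it, since a `!delete` of a variable discards its stored secret values.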