Cloud Identity Engine API

A REST API for the Cloud Identity Engine (CIE) Directory Sync Service that aggregates, normalizes, and provides access to enterprise identity data from multiple directory sources through a unified API. Supports synchronization of user, group, and organizational unit data from Active Directory, Azure Active Directory, Okta, Google Workspace, and PingFederate. Provides enriched user context including device, location, and logon event data for identity-aware security policies.

Examples

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-attr_based_filter-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-check_group_membership-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-check_user_in_particular_group-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-domain_param-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-fetch_all_users_attrs-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-group_filter-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_all_groups_in_domain-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_all_users_in_domain-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_groups_user_belongs_to-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_specific_groups-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_specific_users-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-list_users_in_particular_group-example.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/cloud-identity-engine-api-pagination_params-example.json

Schemas & Data

JSONSchema
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-attr_based_filter-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-check_group_membership-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-check_user_in_particular_group-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-domain_param-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-fetch_all_users_attrs-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-group_filter-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_all_groups_in_domain-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_all_users_in_domain-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_groups_user_belongs_to-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_specific_groups-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_specific_users-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-list_users_in_particular_group-schema.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cloud-identity-engine-api-pagination_params-schema.json

JSONStructure
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-attr_based_filter-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-check_group_membership-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-check_user_in_particular_group-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-domain_param-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-fetch_all_users_attrs-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-group_filter-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_all_groups_in_domain-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_all_users_in_domain-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_groups_user_belongs_to-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_specific_groups-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_specific_users-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-list_users_in_particular_group-structure.json
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cloud-identity-engine-api-pagination_params-structure.json

Other Resources

OpenAPI Specification

palo-alto-cloud-identity-engine-api-openapi-original.yml
openapi: 3.0.2
info:
  title: CIE Directory Sync Service APIs Mounted on Strata Cloud Manager
  version: 1.0.1
  description: "Use the CIE Directory Sync API to retrieve real-time user, group, and domain information from your connected directories. \nThis guide provides the details needed to integrate identity-aware
    context into your applications and security services. This Open API spec file was created on October 21, 2025. © 2025 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
    Networks. A list of our trademarks can be found at [https://www.paloaltonetworks.com/company/trademarks.html](https://www.paloaltonetworks.com/company/trademarks.html). All other marks mentioned herein
    may be trademarks of their respective companies."
  server: https://api.sase.paloaltonetworks.com
components:
  schemas:
    pagination_params:
      type: object
      description: Optional pagination parameters.
      properties:
        pageNum:
          type: integer
          description: Page number to retrieve (starting from page 1).
          example: 1
        pageSz:
          type: integer
          description: Number of records per page (max is 1000 per page).
          example: 500
    domain_param:
      type: object
      description: Domain name for a specific directory.
      required:
      - domain
      properties:
        domain:
          type: string
          description: Domain name of the target directory.
          example: paloaltonetworks.com
    attr_based_filter:
      type: object
      description: Attribute-based filter.
      required:
      - attrName
      - attrValue
      - match
      properties:
        attrName:
          description: Attribute name
          type: string
          enum:
          - User Principal Name
          - Common-Name
          - Name
          - Distinguished Name
          - SAM Account Name
          - Unique Identifier
          example: Distinguished Name
        attrValue:
          description: Attribute value
          type: string
          example: CN=Jack,UID=Park,DC=example,DC=com
        match:
          description: Value you want to match.
          type: string
          enum:
          - equal
          - textSearch
          example: equal
    group_filter:
      type: object
      description: Group-based filter.
      required:
      - type
      - name
      - level
      properties:
        type:
          type: string
          enum:
          - group
          example: group
        name:
          $ref: '#/components/schemas/attr_based_filter'
        level:
          type: string
          enum:
          - immediate
          - recursive
          example: immediate
    list_all_users_in_domain:
      description: Retrieve all users in a domain.
      allOf:
      - $ref: '#/components/schemas/domain_param'
      - $ref: '#/components/schemas/pagination_params'
      properties:
        attrs:
          type: array
          description: User attributes included as part of the response.
          items:
            type: string
          example:
          - Common-Name
          - Mail
          - Unique Identifier
          - Manager
          - User Principal Name
          - Name
          - Distinguished Name
          - SAM Account Name
        useNormalizedAttrs:
          type: string
          enum:
          - 'True'
          - 'False'
          example: 'True'
      example:
        domain: paloaltonetworks.com
        attrs:
        - Common-Name
        - Unique Identifier
        - Name
        - Distinguished Name
        - SAM Account Name
        - Department
        - Last Login
        - LastLogonTime
        - Location
        - Mail
        - Manager
        - Title
        - User Principal Name
        - UserAccountControl
        - WhenChanged
        useNormalizedAttrs: 'True'
    fetch_all_users_attrs:
      description: Retrieve all attributes for a specific user.
      allOf:
      - $ref: '#/components/schemas/domain_param'
      - $ref: '#/components/schemas/pagination_params'
      properties:
        attrs:
          type: array
          description: User attributes included as part of the response.
          items:
            type: string
          example:
          - Common-Name
          - Mail
          - Unique Identifier
          - Manager
          - User Principal Name
          - Name
          - Distinguished Name
          - SAM Account Name
        useNormalizedAttrs:
          description: Use the normalized attribute.
          type: string
          enum:
          - 'True'
          - 'False'
          example: 'True'
      example:
        domain: paloaltonetworks.com
        attrs:
        - Common-Name
        - Mail
        - Unique Identifier
        - Manager
        - User Principal Name
        - Name
        - Distinguished Name
        - SAM Account Name
        useNormalizedAttrs: 'True'
    list_specific_users:
      description: Retrieve specific users matching a name-based filter in a domain. Supports filtering of users based on specific attributes and values (similar to the WHERE clause in SQL).
      allOf:
      - $ref: '#/components/schemas/fetch_all_users_attrs'
      required:
      - name
      properties:
        name:
          $ref: '#/components/schemas/attr_based_filter'
      example:
        domain: paloaltonetworks.com
        name:
          attrName: Distinguished Name
          enum:
          - User Principal Name
          - Common-Name
          - Name
          - Distinguished Name
          - SAM Account Name
          - Unique Identifier
          attrValue: CN=Jack,UID=Park,DC=example,DC=com
          match: equal
        attrs:
        - Common-Name
        - Mail
        - Unique Identifier
        - Manager
        - User Principal Name
        - Name
        - Distinguished Name
        - SAM Account Name
        useNormalizedAttrs: 'True'
    list_users_in_particular_group:
      description: Retrieve specific attributes for users belonging to a particular group, filtered using the group-based filter.
      allOf:
      - $ref: '#/components/schemas/domain_param'
      - $ref: '#/components/schemas/pagination_params'
      required:
      - filter
      properties:
        filter:
          $ref: '#/components/schemas/group_filter'
        attrs:
          type: array
          description: User attributes included as part of the response.
          items:
            type: string
          example:
          - Common-Name
          - Mail
          - Unique Identifier
          - Manager
          - User Principal Name
          - Name
          - Distinguished Name
          - SAM Account Name
      example:
        domain: paloaltonetworks.com
        filter:
          type: group
          name:
            attrName: Common-Name
            attrValue: Administrators
            match: equal
          level: recursive
        attrs:
        - Common-Name
        - Mail
        - Unique Identifier
        - Manager
        - User Principal Name
        - Name
        - Distinguished Name
        - SAM Account Name
    check_group_membership:
      description: Check if a specific user belongs to a particular group, filtered using attribute-based filter (to filter the user) and group-based filter (to filter the group)
      allOf:
      - $ref: '#/components/schemas/list_users_in_particular_group'
      required:
      - name
      properties:
        name:
          $ref: '#/components/schemas/attr_based_filter'
      example:
        domain: paloaltonetworks.com
        filter:
          type: group
          name:
            attrName: Common-Name
            attrValue: Admins
            match: equal
          level: recursive
        name:
          attrName: User Principal Name
          attrValue: [email protected]
          match: equal
    list_all_groups_in_domain:
      description: Retrieve all groups in a particular domain.
      allOf:
      - $ref: '#/components/schemas/domain_param'
      - $ref: '#/components/schemas/pagination_params'
      required:
      - attrs
      properties:
        attrs:
          type: array
          items:
            type: string
          description: Group attributes included as part of the response.
          example:
          - Common-Name
          - Unique Identifier
          - Name
          - Distinguished Name
          - SAM Account Name
        useNormalizedAttrs:
          type: string
          enum:
          - 'True'
          - 'False'
          example: 'False'
      example:
        domain: paloaltonetworks.com
        pageNum: 1
        pageSz: 80
    list_specific_groups:
      description: Retrieve specific groups matching a name-based filter. Supports filtering of groups based on specific attributes and values (similar to the WHERE clause in SQL).
      allOf:
      - $ref: '#/components/schemas/list_all_groups_in_domain'
      required:
      - name
      properties:
        name:
          $ref: '#/components/schemas/attr_based_filter'
        attrs:
          type: array
          items:
            type: string
          description: Group attributes included as part of the response.
          example:
          - Common-Name
          - Unique Identifier
          - Name
          - Distinguished Name
          - SAM Account Name
      example:
        domain: paloaltonetworks.com
        name:
          attrName: Common-Name
          enum:
          - User Principal Name
          - Common-Name
          - Name
          - Distinguished Name
          - SAM Account Name
          - Unique Identifier
          attrValue: admins
          match: equal
        attrs:
        - Common-Name
        - Unique Identifier
        - Name
        - Distinguished Name
        - SAM Account Name
        useNormalizedAttrs: 'False'
    list_groups_user_belongs_to:
      description: Retrieve all groups containing specific users based on user-filter.
      allOf:
      - $ref: '#/components/schemas/domain_param'
      - $ref: '#/components/schemas/pagination_params'
      required:
      - filter
      properties:
        filter:
          type: object
          required:
          - type
          - name
          properties:
            type:
              type: string
              enum:
              - user
              example: user
            name:
              $ref: '#/components/schemas/attr_based_filter'
            attrs:
              type: array
              description: Group attributes included as part of the response.
              items:
                type: string
              example: &id001
              - Common-Name
              - Unique Identifier
              - Name
              - Distinguished Name
              - SAM Account Name
          example:
            type: user
            name:
              attrName: Distinguished Name
              attrValue: CN=Jack,UID=Park,DC=example,DC=com
              match: equal
            attrs: *id001
      example:
        domain: paloaltonetworks.com
        filter:
          type: user
          name:
            attrName: Distinguished Name
            attrValue: CN=Jack,UID=Park,DC=example,DC=com
            enum:
            - User Principal Name
            - Common-Name
            - Name
            - Distinguished Name
            - SAM Account Name
            - Unique Identifier
            match: equal
        attrs:
        - Common-Name
        - Unique Identifier
        - Name
        - Distinguished Name
        - SAM Account Name
        - Department
        - Last Login
        - LastLogonTime
        - Location
        - Mail
        - Manager
        - Title
        - User Principal Name
        - UserAccountControl
        - WhenChanged
    check_user_in_particular_group:
      description: Check if a specific group has a particular user in it, filtered using attribute-based filter (to filter the group) and group-based filter (to filter the user)
      allOf:
      - $ref: '#/components/schemas/list_all_groups_in_domain'
      required:
      - name
      - filter
      properties:
        name:
          $ref: '#/components/schemas/attr_based_filter'
        filter:
          type: object
          required:
          - type
          - name
          properties:
            type:
              type: string
              enum:
              - user
              example: user
            name:
              $ref: '#/components/schemas/attr_based_filter'
            attrs:
              type: array
              description: Group attributes included as part of the response.
              items:
                type: string
              example: &id002
              - Common-Name
              - Unique Identifier
              - Name
              - Distinguished Name
              - SAM Account Name
          example:
            type: user
            name:
              attrName: Distinguished Name
              attrValue: CN=Jack,UID=Park,DC=example,DC=com
              match: equal
            attrs: *id002
      example:
        domain: paloaltonetworks.com
        filter:
          type: group
          name:
            attrName: Common-Name
            attrValue: Admins
            match: equal
          level: recursive
        name:
          attrName: User Principal Name
          attrValue: [email protected]
          match: equal
  responses:
    400_bad_request:
      description: Invalid request parameters
      content:
        application/json:
          schema:
            type: object
            properties:
              statusCode:
                type: integer
                example: 400
              error:
                type: string
                example: Bad Request
              message:
                type: string
                example: Required field is missing or invalid.
    500_internal_error:
      description: Internal service error
      content:
        application/json:
          schema:
            type: object
            properties:
              success:
                type: boolean
                example: false
              result:
                type: object
                properties:
                  error:
                    type: object
                    properties:
                      error-message:
                        type: string
                        example: Internal Server Error
ExternalTags: {}
paths:
  https://api.sase.paloaltonetworks.com/cie/directory-sync/v1/domains:
    get:
      summary: Palo Alto Networks Domain Details
      description: "Retrieves a list of all domains configured for a specific CIE tenant within the Directory Sync Service (DSS). \nThis operation returns details for each of the tenant's configured domains,
        including its current status, the timestamp of the last successful synchronization, and object counts (such as users and groups)."
      responses:
        '200':
          description: List of all domain metadata
          content:
            application/json:
              example:
                success: true
                result:
                - count:
                    computer: 1
                    container: 117
                    group: 50
                    ou: 1
                    user: 16
                  domain: cyberarktest.com
                  log: []
                  netbios: cyberarktest
                  status:
                    description: cache_applied
                    lastSuccessUpdatedOn: 1737572486
                    statusUpdatedOn: 1737572486
                  sync_duration: 14607313
                  type: Active Directory
        '500':
          description: Returned with the Internal Service Error when the CIE Directory Sync Service is down.
          $ref: '#/components/responses/500_internal_error'
      parameters: []
      tags:
      - Directory Sync Service
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  https://api.sase.paloaltonetworks.com/cie/directory-sync/v1/cache-users:
    post:
      summary: Palo Alto Networks User Information
      description: "Provides user-related information for a domain present in a specific CIE tenant.\nThis endpoint supports several use cases by using different request payloads. \nIt also supports pagination
        to manage large result sets.\n          \n          Use this endpoint to:\n            - **list_all_users_in_domain**: List all users within a specific domain.\n            - **list_specific_users**:
        Find specific users by filtering on attributes like name or email.\n            - **list_users_in_particular_group**: Get all users who are members of a specific group.\n            - **check_group_membership**:
        Check if a user is a member of a particular group."
      responses:
        '200':
          description: Returns an array of user objects matching the query.
          content:
            application/json:
              example:
                success: true
                result:
                  count: 1
                  data:
                    domains:
                    - domainName: example.onmicrosoft.com
                      lastSyncTmp: 1760646692
                      netbios: example
                      objects:
                      - Common-Name: Jack Park
                        Country: GERMANY
                        Department: Sales
                        Distinguished Name: CN=Jack,UID=Park,DC=example,DC=com
                        Location: Munich
                        Mail: [email protected]
                        Name: JACK, PARK
                        SAM Account Name: jack.park
                        Unique Identifier: 00009498-94e8-4873-b957-015e9e2587eb
                        User Principal Name: [email protected]
                        WhenChanged: 20230815042928.345954Z
                  pageNum: 1
                  pageSz: 1
                  remains: 50
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                  result:
                    type: object
                    properties:
                      count:
                        type: integer
                      pageNum:
                        type: integer
                      pageSz:
                        type: integer
                      remains:
                        type: integer
                      data:
                        type: array
                        items:
                          type: object
        '400':
          $ref: '#/components/responses/400_bad_request'
        '500':
          $ref: '#/components/responses/500_internal_error'
      parameters: []
      tags:
      - Directory Sync Service
      requestBody:
        required: true
        content:
          application/json:
            schema:
              oneOf:
              - $ref: '#/components/schemas/list_all_users_in_domain'
              - $ref: '#/components/schemas/list_specific_users'
              - $ref: '#/components/schemas/list_users_in_particular_group'
              - $ref: '#/components/schemas/check_group_membership'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  https://api.sase.paloaltonetworks.com/cie/directory-sync/v1/cache-groups:
    post:
      summary: Palo Alto Networks Group Information
      description: "Provides group related information for a domain present in a specific CIE tenant. \nThis endpoint supports several use cases by using different request payloads. \nIt also supports pagination
        to manage large result sets.\n\nUse this endpoint to:\n- **list_all_groups_in_domain**: List all groups within a specific domain.\n- **list_specific_groups**: Find specific groups by filtering on
        attributes like name.\n- **list_groups_user_belongs_to**: Get all groups that a specific user belongs to.\n- **check_user_in_particular_group**: Check if a group contains a particular user."
      responses:
        '200':
          description: Returns an array of group objects matching the query.
          content:
            application/json:
              example:
                success: true
                result:
                  count: 1
                  data:
                    domains:
                    - domainName: example.onmicrosoft.com
                      lastSyncTmp: 1760648138
                      netbios: example
                      objects:
                      - cn: ADMIN
                        created: 20230117094434.800831Z
                        dn: CN=ADMIN,DC=example,DC=onmicrosoft,DC=com
                        domain: example.onmicrosoft.com
                        groupType: security
                        member: []
                        meta_created: 2023-01-17 09:44:34.800831+00:00
                        meta_lastModified: 2025-08-26 13:26:11.093255+00:00
                        meta_resourceType: Group
                        name: ADMIN
                        objectClass:
                        - group
                        objectGUID: 0087272b-0ea5-4884-8dac-17b1673c1496
                        sAMAccountName: ADMIN
                        topoIndex: 0
                        whenChanged: 20250826132611.093255Z
                  pageNum: 1
                  pageSz: 1
                  remains: 50
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                  result:
                    type: object
                    properties:
                      count:
                        type: integer
                      data:
                        type: array
                        items:
                          type: object
        '400':
          $ref: '#/components/responses/400_bad_request'
        '500':
          $ref: '#/components/responses/500_internal_error'
      parameters: []
      tags:
      - Directory Sync Service
      requestBody:
        required: true
        content:
          application/json:
            schema:
              oneOf:
              - $ref: '#/components/schemas/list_all_groups_in_domain'
              - $ref: '#/components/schemas/list_specific_groups'
              - $ref: '#/components/schemas/list_groups_user_belongs_to'
              - $ref: '#/components/schemas/check_user_in_particular_group'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK