CyberArk 03-PAS-ADMIN User Management

Users access accounts through the CyberArk system, while accounts refer to the actual privileged credentials that are stored. There are two main categories of users - locally managed users within CyberArk, and transparently managed users provisioned from an external LDAP directory. Built-in users and groups are automatically created during installation with default permissions. Additional users can be manually added and configured. Directory mappings integrate external LDAP groups and users with CyberArk, automatically provisioning users based on their LDAP group memberships and defined authorizations.

Uploaded by edwardwaithaka

PAS ADMINISTRATION

User Management

CyberArk Training
1
OBJECTIVES

By the end of this lesson you will be able to:

• Describe the difference between users and accounts
• Describe the difference between different types of users and groups
• Manage internal users and groups in CyberArk
• Manage externally provisioned users and groups

2
OVERVIEW

3
USERS VS. ACCOUNTS (1)

• Throughout this course we will be using the terms Users and Accounts.
• It is very important to understand the difference between the two.

Users – People* who have been granted access to the system
• Access passwords
• Manage policies
• Typically defined by their Domain credentials

Accounts – The actual privileged account ids and passwords
• Stored in Safes
• Examples include domain administrators, local administrators, root accounts, service accounts and more

* Applications and CyberArk components are also users who access accounts

4
USERS VS. ACCOUNTS (2)

[Figure: a User (person) accessing an Account (privileged credential) through CyberArk]

5
USERS AND GROUPS

• There are two main categories of users and groups in the system:

Locally Managed (CyberArk)
• Users that are created automatically in the Vault (Built-in).
• Users that are added manually to the Vault.

Transparently Managed (LDAP)
• Users that are automatically provisioned from an external directory.

6
VAULT AUTHORIZATIONS

• Can be assigned only at the user level.
• Cannot be inherited via group membership.
• Defined only via the PrivateArk Client.

7
PRIVATEARK CLIENT/PVWA SAFE PERMISSIONS

Safe Permissions
• There are some differences in terminology between the PrivateArk Client and the PVWA
• Key Differences
  • PrivateArk Client: Owners List, Files
  • PVWA: Members List, Accounts

8
SAFE AUTHORIZATIONS

• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or PVWA (typically defined via PVWA).

9
LOCAL USER MANAGEMENT
(BUILT-IN)

10
BUILT-IN USERS AND GROUPS (VAULT)

• After the Vault has been installed, a set of predefined users and groups are created in the system.

11
BUILT-IN USERS AND GROUPS (COMPONENTS)

• When a new component is installed, dedicated users and groups are created automatically with relevant permissions.

12
BUILT-IN VAULT AUTHORIZATIONS

Built-in users are assigned different Vault Authorizations based on their role and function.
• Administrator
• Auditor
• Backup
• Batch
• DR
• NotificationEngine
• Operator
• Master

13
BUILT-IN VAULT AUTHORIZATIONS: EXAMPLES

• The built-in Administrator user has full vault authorizations (by default).
• The built-in Auditor user has the “Audit Users” vault authorization (by default).

14
BUILT-IN SAFE AUTHORIZATIONS

• Built-in users and groups are added to all newly created safes based on their role and function.
• Auditor (Auditors)
• Backup (Backup Users)
• Batch
• DR (DR Users)
• NotificationEngine (Notification Engines)
• Operator (Operators)
• Master
(All of the above are added by default to all safes with relevant permissions.)

15
PVWA PERMISSIONS

The tabs and buttons available in the PVWA depend on the logged-in user’s group membership.
• Administration (Vault Admins)
• Monitoring (Auditors)
• Accounts (Users)
• Reporting (PVWAMonitor)

17
PVWA PERMISSIONS: EXAMPLES

• Members of Vault Admins have access to the ADMINISTRATION tab.
• Members of Auditors have access to the MONITORING tab.

18
LOCAL USER MANAGEMENT
(MASTER USER)

19
MASTER USER
The Master User is the most powerful user in the system, with full Vault and Safe authorizations
(which cannot be removed).

20
LOGIN WITH MASTER

• Access to the Master CD (RecPrvKey)
• Master user Password (defined during installation)
• Access only through the PrivateArk Client
• Access only from the Vault console and one additional IP address (EmergencyStationIP)

21
CHANGE MASTER PASSWORD

To change the Master user password, log in with the Master user and click “User > Set Password”.

22
LOCAL USER MANAGEMENT
(MANUALLY ADDED)

23
MANAGING USERS AND GROUPS USING PRIVATEARK

• Users of the system are configured in the PrivateArk Client.
• No user configuration is available in the PVWA.

24
GENERAL TAB – MANUALLY ADDING A USER

You can manually add new users through the PrivateArk Client interface.

25
AUTHORIZED INTERFACES

Select which interfaces this user can log in from.

26
AUTHENTICATION

• Select the Authentication method for this user.

27
VAULT AUTHORIZATIONS

• Configure the Vault Authorizations for this user.

28
GROUP MEMBERSHIP

• Select which Groups you want this user to be a member of.

29
OTHER USER TABS

Configure the Business e-mail field for this user to receive e-mail notifications.

30
TRANSPARENT USER MANAGEMENT

31
DIRECTORY MAPPING

A Directory Map determines whether a User Account or Group will be created in the Vault, and the roles they will have.
• User Mapping – allows for authentication and defines the user’s attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.

[Figure: Active Directory → Vault. User Mapping → Vault Authorizations (Add user, Add Safe, Etc…). Group Mapping → Safe Authorizations and CyberArk Groups (Vault Admins, Auditors).]

32
LDAP SETUP WIZARD

• The LDAP Wizard is used to map Active Directory Groups to three predefined CyberArk role-based groups:
  • Vault Admin Group
  • Auditors Group
  • Users Group
• Each predefined group has permissions associated with that role

33
VAULT ADMIN GROUP – MAPPED TO AD GROUP

• You can use these directory maps immediately, modify the relevant mapping rules, or create new directory maps using the PrivateArk Client.

35
VAULT ADMINS – USER MAPPING, DEFAULT VAULT AUTHORIZATIONS

• The Default Authorizations can be viewed using the PrivateArk Client

36
VAULT ADMINS – USER MAPPING, AUTOMATIC NESTING

• The AD group CyberArk Vault Admins is now nested under the internal Vault Admins group.

37
TRANSPARENT USER MANAGEMENT

• When users authenticate via LDAP for the first time, they are provisioned automatically in the Vault based on Directory Mapping.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon.
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD.
• A daily process checks which users map to the various queries.
• To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory.

38
LDAP SYNCHRONIZATION

The following parameter determines if and when the Vault’s External users and groups will be synchronized with the External Directory.
In the DBParm.ini file:

AutoSyncExternalObjects=Yes,24,1,5

• Yes – whether or not to sync with the External Directory
• 24 – the number of hours in one period cycle
• 1,5 – the hours during which the sync will take place
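As an added example (not part of the course material and not CyberArk's code), the following Python checker pulls AutoSyncExternalObjects out of a DBParm.ini body, validates the four fields described above, and reports the settings an auditor of a Vault would want flagged. Reading the last two fields as the start and end hour of the sync window is this example's interpretation of the slide's annotation; the DBParm.ini excerpt is constructed.

```python
"""Parse and review the AutoSyncExternalObjects directive from DBParm.ini.

Added example; not CyberArk's code. Reads an INI-style body, splits the
directive into its four fields and flags settings a reviewer would question.
Treating fields 3 and 4 as the start and end hour of the sync window is this
example's assumption; the sample DBParm.ini excerpt below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

DIRECTIVE = "AutoSyncExternalObjects"


@dataclass(frozen=True)
class AutoSync:
    enabled: bool       # Yes/No: whether to sync with the External Directory at all
    period_hours: int   # length of one sync cycle in hours
    window_start: int   # first hour of the day in which the sync may run (assumed)
    window_end: int     # last hour of the day in which the sync may run (assumed)


def parse_dbparm(text: str) -> Dict[str, str]:
    """Return key=value pairs, ignoring section headers, comments and blank lines."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_auto_sync(value: str) -> AutoSync:
    """Split 'Yes,24,1,5' into its fields and reject values outside the documented shape."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"{DIRECTIVE} needs 4 comma-separated fields, got {len(parts)}: {value!r}")
    flag, period, start, end = parts
    if flag.lower() not in ("yes", "no"):
        raise ValueError(f"{DIRECTIVE}: first field must be Yes or No, got {flag!r}")
    try:
        period_h, start_h, end_h = (int(x) for x in (period, start, end))
    except ValueError:
        raise ValueError(f"{DIRECTIVE}: hour fields must be integers: {value!r}") from None
    if period_h < 1:
        raise ValueError(f"{DIRECTIVE}: period must be at least 1 hour, got {period_h}")
    for label, hour in (("start", start_h), ("end", end_h)):
        if not 0 <= hour <= 23:
            raise ValueError(f"{DIRECTIVE}: {label} hour {hour} is outside 0-23")
    return AutoSync(flag.lower() == "yes", period_h, start_h, end_h)


def review_auto_sync(setting: AutoSync) -> List[str]:
    """Findings a reviewer would raise; an empty list means nothing to report."""
    findings: List[str] = []
    if not setting.enabled:
        findings.append("sync disabled: users disabled or removed in the external directory "
                        "keep their Vault objects until someone synchronizes manually")
    if setting.period_hours > 24:
        findings.append(f"period of {setting.period_hours}h: changes in the external directory "
                        "can go unnoticed for more than a day")
    return findings


def review_dbparm(text: str) -> List[str]:
    """Locate the directive in a DBParm.ini body and review it."""
    params = parse_dbparm(text)
    if DIRECTIVE not in params:
        return [f"{DIRECTIVE} is not present in the file"]
    return review_auto_sync(parse_auto_sync(params[DIRECTIVE]))


# Constructed DBParm.ini excerpt carrying the value shown on the slide.
SAMPLE_DBPARM = """\
; constructed DBParm.ini excerpt for this example
[MAIN]
AutoSyncExternalObjects=Yes,24,1,5
"""

if __name__ == "__main__":
    print(parse_auto_sync(parse_dbparm(SAMPLE_DBPARM)[DIRECTIVE]))
    print(review_dbparm(SAMPLE_DBPARM) or "no findings")
    print(review_dbparm("AutoSyncExternalObjects=No,24,1,5"))
```

Run directly, the script parses the slide's value, reports no findings for it, and reports one finding for a copy of the directive with the flag set to No.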

39
CUSTOM DIRECTORY MAPS

• Requirement: A subset of Vault Admins (CyberArk PVWA Admins) should only have the ‘Manage Server File Categories’ Vault authorization.

42
CUSTOM DIRECTORY MAPS CONFIGURATION STEPS
There are a number of steps that must be completed in order to create a custom user map.

1. Create a New Directory Map for CyberArk PVWA Admin Users.
2. Update the user template so that CyberArk PVWA Admin Users will be granted only the “Manage Server File Categories” authorization.
3. Add an LDAP query to identify which LDAP users will receive the attributes defined in the User Template.
4. Manually nest CyberArk PVWA Admins under the built-in Vault Admins group.

43
CUSTOM DIRECTORY MAPS (1)

• Create a New Directory Map for CyberArk PVWA Admin Users.

44
CUSTOM DIRECTORY MAPS (2)
Update the user template so that CyberArk PVWA Admin Users will be granted only the “Manage
Server File Categories” authorization.

45
CUSTOM DIRECTORY MAPS (3)
Add an LDAP query to identify which LDAP users will receive the attributes defined in the
User Template.

46
CUSTOM DIRECTORY MAPS (4)

• Manually nest CyberArk PVWA Admins under the built-in Vault Admins group.

47
CUSTOM DIRECTORY MAPS - RESULT
As a member of the Vault Admins group in CyberArk, the pvwaadmin01 user can see the
ADMINISTRATION Tab, but does not have the full set of vault permissions.
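As an added illustration (not part of the course material and not CyberArk's code), the Python model below turns the rules from the Directory Mapping, Transparent User Management and Custom Directory Maps slides into a small simulation: an LDAP user is provisioned by a matching directory map, Vault authorizations come only from the map's user template and are never inherited through groups, Safe authorizations are inherited through group membership, and PVWA tabs follow membership in the built-in groups. Evaluating maps top to bottom and applying the first match is an assumption of this model, and every group, safe, user and authorization name in it is constructed sample data; pvwaadmin01 reproduces the result described above (ADMINISTRATION tab visible, only one Vault authorization).

```python
"""Model of directory mapping and authorization inheritance, as taught in this lesson.

Added example, not CyberArk's code. Rules encoded from the slides: an LDAP user is
provisioned by a matching directory map; Vault authorizations come only from the
map's user template and are never inherited via groups; Safe authorizations are
inherited via group membership; PVWA tabs follow the built-in groups. Evaluating
maps top to bottom and taking the first match is this model's assumption. Every
group, safe, user and authorization name below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class LdapUser:
    name: str
    member_of: FrozenSet[str]  # AD group names


@dataclass(frozen=True)
class DirectoryMap:
    name: str
    ldap_group: str                       # stands in for the map's LDAP query
    vault_authorizations: FrozenSet[str]  # the map's user template
    nested_in: FrozenSet[str]             # built-in groups the mapped AD group is nested under


@dataclass
class VaultUser:
    name: str
    provisioned_by: str
    vault_authorizations: Set[str]
    groups: Set[str]


# Tab-to-group relationship from the "PVWA permissions" slide.
PVWA_TABS: Dict[str, str] = {
    "Vault Admins": "ADMINISTRATION",
    "Auditors": "MONITORING",
    "Users": "ACCOUNTS",
    "PVWAMonitor": "REPORTING",
}

# Abbreviated, constructed stand-in for "full Vault authorizations".
FULL_VAULT_AUTHORIZATIONS = frozenset(
    {"Add user", "Add Safe", "Audit Users", "Manage Server File Categories"}
)

# The custom map for the PVWA admin subset is listed before the general map so it applies first.
DIRECTORY_MAPS: List[DirectoryMap] = [
    DirectoryMap("CyberArk PVWA Admin Users", "CyberArk PVWA Admins",
                 frozenset({"Manage Server File Categories"}), frozenset({"Vault Admins"})),
    DirectoryMap("Vault Admin Users", "CyberArk Vault Admins",
                 FULL_VAULT_AUTHORIZATIONS, frozenset({"Vault Admins"})),
    DirectoryMap("Auditor Users", "CyberArk Auditors",
                 frozenset({"Audit Users"}), frozenset({"Auditors"})),
    DirectoryMap("Users", "CyberArk Users", frozenset(), frozenset({"Users"})),
]

# Safe membership: member (group or user) -> granted Safe authorizations (constructed).
SAFE_MEMBERS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Windows-Domain-Admins": {
        "Auditors": frozenset({"View Audit"}),
        "CyberArk PVWA Admins": frozenset({"List Accounts"}),
        "pvwaadmin01": frozenset({"Retrieve Accounts"}),
    }
}

# Constructed directory contents; pvwaadmin01 is the user from the "result" slide.
DIRECTORY: Dict[str, LdapUser] = {
    "pvwaadmin01": LdapUser("pvwaadmin01", frozenset({"Domain Users", "CyberArk PVWA Admins"})),
    "vaultadmin01": LdapUser("vaultadmin01", frozenset({"Domain Users", "CyberArk Vault Admins"})),
    "auditor01": LdapUser("auditor01", frozenset({"Domain Users", "CyberArk Auditors"})),
    "helpdesk01": LdapUser("helpdesk01", frozenset({"Domain Users"})),
}


def provision(user: LdapUser, maps: List[DirectoryMap]) -> Optional[VaultUser]:
    """First LDAP login: the first matching map creates the Vault user and its group memberships."""
    for m in maps:
        if m.ldap_group in user.member_of:
            return VaultUser(user.name, m.name, set(m.vault_authorizations),
                             {m.ldap_group} | set(m.nested_in))
    return None  # no map matches: nothing is provisioned


def visible_tabs(vault_user: VaultUser) -> List[str]:
    """PVWA tabs depend on group membership, not on Vault authorizations."""
    return sorted(tab for group, tab in PVWA_TABS.items() if group in vault_user.groups)


def effective_safe_authorizations(vault_user: VaultUser, safe: str) -> Set[str]:
    """Safe authorizations accumulate from the user's own entry and from every group it is in."""
    members = SAFE_MEMBERS.get(safe, {})
    result: Set[str] = set(members.get(vault_user.name, frozenset()))
    for group in vault_user.groups:
        result |= members.get(group, frozenset())
    return result


def still_mapped(directory: Dict[str, LdapUser], name: str, maps: List[DirectoryMap]) -> bool:
    """Daily sync view: a Vault object is kept only while its LDAP user exists and still matches a map."""
    ldap_user = directory.get(name)
    return ldap_user is not None and provision(ldap_user, maps) is not None


if __name__ == "__main__":
    for name, ldap_user in DIRECTORY.items():
        vu = provision(ldap_user, DIRECTORY_MAPS)
        if vu is None:
            print(f"{name}: not provisioned, no directory map matches")
            continue
        print(f"{name}: map={vu.provisioned_by!r} tabs={visible_tabs(vu)} "
              f"vault={sorted(vu.vault_authorizations)} "
              f"safe={sorted(effective_safe_authorizations(vu, 'Windows-Domain-Admins'))}")
```

Running the script shows the contrast the lesson draws: pvwaadmin01 and vaultadmin01 both land in the Vault Admins group and therefore both see the ADMINISTRATION tab, but only vaultadmin01 carries the full set of Vault authorizations; helpdesk01 matches no map and is not provisioned at all, which is also what `still_mapped` reports once a user leaves every mapped AD group.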

48
SUMMARY

49
SUMMARY

In this session we covered:

• The difference between users and accounts
• The difference between different types of users and groups
• Managing internal users and groups in CyberArk
• Managing externally provisioned users and groups

50
THANK YOU

CyberArk Training
51