04-PAM-ADMIN Access Control (Safes)

The document discusses access control concepts in CyberArk including safes, how to design a safe model, and basic access control. A safe is a container that stores privileged accounts and files in the CyberArk vault. The document provides examples of how to structure safes based on factors such as the type of data, users requiring access, and security levels.


Access Control (Safes)

Agenda

By the end of this session, you will be able to:

• Describe the Vault Model
• Describe what a Safe is
• Describe the key criteria for designing a Safe model
• Describe basic access control concepts and Safe permissions
• Create and manage Safes
• Add Safe Members and assign them permissions

Copyright © 2021 CyberArk Software Ltd. All rights reserved. cyberark.com


Overview

• The Vault Model
• What is a Safe
• Viewing Safes


The Vault Model

We use the metaphor of a bank when talking about the CyberArk Vault:

• First you authenticate yourself to the bank teller
• Then you use your key to access your safe deposit box
• Then you have access to everything in the box

The slide's diagram labels each layer with the control it provides:

Vault: Encryption, Firewall, Audit, and Authentication
Safes: Authorization
Passwords: Policy


• Access control determines who can access information and from where
• CyberArk manages access control by storing privileged identities in Safes, only giving access to authorized users
• A user's access to a Safe usually applies to all the objects (passwords) inside that Safe


What is a Safe

• Container in the Vault for data, primarily privileged accounts
• Basis for managing Access Control to privileged accounts
• The Vault and CyberArk components have Safes for storing their data and files
• Can be created manually or programmatically (e.g., via the REST API)


Viewing Safes

Safes are stored in the Vault and can be viewed through a number of different means:

• PVWA
• PrivateArk Client
• Vault file system


Designing a Safe Model

In this section we will discuss the main considerations for designing the Safe model.


Goal: to develop a system for how to store passwords in Safes through an authorization model that meets the needs of the organization.

• There is no generic “Safe model” that fits all CyberArk implementations
• Defining a Safe model is an individual, implementation-specific process best defined during the planning stages
• Customers typically work with the implementation team to create the Safe model during the implementation


Key questions when designing the Safe model:

• Who needs access to data stored in the Vault? Internal (e.g. Employees) or External Users (e.g. Partners, Contractors, etc.)
• What is the security level of data stored in the Vault? Secret, Informational, Production, Development, Test, etc.
• Who must not see a specific type of data? Is there any type of data that needs to be available to some users, but not to others?
• Should additional access limitations apply to (specific) objects? Multiple Central Policy Managers, system load, regulations


Safe Constraints

Safe names are limited to 28 characters. Examples of a naming convention:

• For local admin accounts on HR production servers running Windows based in a Boston data center: P-BOS-SRV-WIN-LAD-HR
• For Financial department test servers in a New York data center running Linux: T-NYC-SRV-LIN-FIN


Safe Constraints

For performance reasons, the number of objects stored in a Safe should be limited to 20,000.

• This includes versions of passwords
• The recommended number of accounts or files stored in a Safe is between 3,000 and 5,000
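The two constraints above (a 28-character name limit and a 20,000-object ceiling that counts password versions, with 3,000 to 5,000 accounts recommended) are easy to check mechanically when a Safe model is being planned. The following is an added example, not part of the CyberArk course material: it composes names from the slide's convention, validates them, and works out how many Safes a population of accounts needs. The field order of the naming convention, the assumption that `versions_retained` means old versions kept in addition to the current password, the allowed character set, and the `-NN` suffix used when a population must be split are this example's own choices.

```python
"""Safe naming and sizing checks for a Safe model (added example, not
CyberArk code). Encodes the slides' constraints: 28-character names and
at most 20,000 objects per Safe including password versions, with
3,000-5,000 accounts recommended. Naming field order, character set and
the numeric split suffix are this example's assumptions."""
import math
import re

MAX_SAFE_NAME_LEN = 28            # Safe name limit stated on the slide
MAX_OBJECTS_PER_SAFE = 20_000     # hard ceiling, password versions included
RECOMMENDED_MAX_ACCOUNTS = 5_000  # upper end of the recommended range


def build_safe_name(env, site, kind, platform, account_type=None, dept=None):
    """Compose a name from the slide's convention, e.g.
    build_safe_name("P", "BOS", "SRV", "WIN", "LAD", "HR") -> "P-BOS-SRV-WIN-LAD-HR".
    Field order is an assumption of this example."""
    parts = [env, site, kind, platform, account_type, dept]
    return "-".join(p for p in parts if p)


def validate_safe_name(name):
    """Return a list of problems; an empty list means the name is acceptable.
    The character-class rule ([A-Za-z0-9_-]) is this example's assumption,
    not a rule from the slides; the length limit is."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_SAFE_NAME_LEN:
        problems.append(f"{len(name)} characters exceeds the limit of {MAX_SAFE_NAME_LEN}")
    if name and not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        problems.append("contains characters outside [A-Za-z0-9_-]")
    return problems


def objects_in_safe(accounts, versions_retained):
    """Objects the Vault stores: each account plus its retained old versions
    (assumes versions_retained excludes the current password)."""
    return accounts * (1 + versions_retained)


def safes_needed(accounts, versions_retained):
    """Smallest number of Safes that keeps every Safe inside both limits."""
    by_accounts = math.ceil(accounts / RECOMMENDED_MAX_ACCOUNTS)
    per_safe_cap = MAX_OBJECTS_PER_SAFE // (1 + versions_retained)
    by_objects = math.ceil(accounts / per_safe_cap)
    return max(1, by_accounts, by_objects)


def plan_safes(base_name, accounts, versions_retained):
    """Return (safe_name, accounts_in_safe) pairs, splitting the population
    evenly; names get a -NN suffix when more than one Safe is needed.
    Raises ValueError if any generated name breaks the 28-character limit."""
    n = safes_needed(accounts, versions_retained)
    names = [base_name] if n == 1 else [f"{base_name}-{i:02d}" for i in range(1, n + 1)]
    for name in names:
        problems = validate_safe_name(name)
        if problems:
            raise ValueError(f"{name}: {'; '.join(problems)}")
    base, extra = divmod(accounts, n)
    return [(name, base + (1 if i < extra else 0)) for i, name in enumerate(names)]


if __name__ == "__main__":
    name = build_safe_name("P", "BOS", "SRV", "WIN", "LAD", "HR")
    print(name, validate_safe_name(name) or "ok")
    for safe, count in plan_safes(name, 12_000, 1):
        print(f"{safe}: {count} accounts, {objects_in_safe(count, 1)} objects")
```

The split logic matters in practice: a population of 4,000 accounts fits one Safe with four retained versions but needs two Safes with five, because the object ceiling, not the account recommendation, becomes the binding limit.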




Access Control

In this section we will discuss how to manage access control to privileged identities in CyberArk.


► Objects should be stored in Safes following the principle of “least privilege”
► If a user does not NEED access to a password, they should not have access to the Safe containing it
► Separate Safes for:
  – Windows Desktop Accounts
  – Windows Local Administrators
  – Windows Domain Accounts
► The PVWA makes Safe structure largely invisible to end users, so don't oversimplify for their sake
Example: ACME Corporation

• The ACME corporation wants to onboard the following accounts to CyberArk:
  – 50 Windows server local admin accounts
  – 10 Oracle sysadmin accounts
• 10 Windows servers host Oracle databases (40 Windows servers do not host Oracle databases).
• The Windows team needs to have access to all Windows Servers local admin accounts
• The Oracle team needs to have access to all local admin accounts on Windows Servers hosting Oracle Database and Oracle Database login accounts (sysadmin)

How many Safes would you create?

Which Safes will be accessed by which team?


Example solution: 50 Windows servers, of which 10 host Oracle databases

• WIN-SRV: 40 Windows server local admin accounts (servers without Oracle), accessed by the Windows Team
• WIN-SRV-ORA: 10 Windows server local admin accounts (servers hosting Oracle), accessed by the Windows Team and, per the requirements above, the Oracle Team
• DB-ORA: 10 Oracle sysadmin accounts, accessed by the Oracle Team
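The ACME answer follows from one rule: accounts that must be visible to exactly the same set of teams belong in the same Safe, and accounts with different access sets must be separated, otherwise one team is over-privileged. The code below is an added example, not part of the CyberArk course material, and it generalises the exercise to any inventory: each account is tagged with the teams that need it, and the accounts are partitioned by that set. The `Account` class, the `teams_needing` rules (transcribed from the ACME requirements), the constructed inventory, and the `safe_name` function that reproduces the course's names (WIN-SRV, WIN-SRV-ORA, DB-ORA) are all this example's assumptions.

```python
"""Derive a least-privilege Safe model from 'who needs which accounts'
(added example, not CyberArk code). Generalises the ACME exercise: accounts
sharing exactly the same set of teams land in the same Safe. The inventory
and the naming function are this example's own."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str            # e.g. "Administrator@winsrv01" (constructed)
    kind: str            # "WIN-SRV" (Windows local admin) or "DB-ORA" (Oracle sysadmin)
    hosts_oracle: bool = False


def teams_needing(acct):
    """The ACME requirements: the Windows team needs every Windows local
    admin; the Oracle team needs local admins on Oracle hosts plus the
    Oracle sysadmin accounts. Returns the set of teams for one account."""
    teams = set()
    if acct.kind == "WIN-SRV":
        teams.add("Windows Team")
        if acct.hosts_oracle:
            teams.add("Oracle Team")
    elif acct.kind == "DB-ORA":
        teams.add("Oracle Team")
    return frozenset(teams)


def safe_name(kind, teams):
    """Assumed naming rule that yields the course's Safe names: the account
    kind, with an -ORA suffix when the Oracle team also needs the accounts."""
    if kind == "WIN-SRV" and "Oracle Team" in teams:
        return "WIN-SRV-ORA"
    return kind


def partition_into_safes(accounts):
    """Group accounts by (kind, exact team set); each group becomes one Safe.
    Returns {safe_name: {"accounts": [names], "members": {teams}}}."""
    groups = defaultdict(list)
    for acct in accounts:
        teams = teams_needing(acct)
        if teams:                        # nobody needs it: grant nobody access
            groups[(acct.kind, teams)].append(acct.name)
    model = {}
    for (kind, teams), names in groups.items():
        entry = model.setdefault(safe_name(kind, teams), {"accounts": [], "members": set()})
        entry["accounts"].extend(names)
        entry["members"] |= teams
    return model


def safes_for_team(model, team):
    """Which Safes a team must be made a member of."""
    return sorted(name for name, safe in model.items() if team in safe["members"])


def acme_accounts():
    """Constructed inventory matching the ACME slide: 50 Windows local admins
    (servers 01-10 host Oracle) and 10 Oracle sysadmin accounts."""
    windows = [Account(f"Administrator@winsrv{i:02d}", "WIN-SRV", hosts_oracle=i <= 10)
               for i in range(1, 51)]
    oracle = [Account(f"sys@oradb{i:02d}", "DB-ORA") for i in range(1, 11)]
    return windows + oracle


if __name__ == "__main__":
    model = partition_into_safes(acme_accounts())
    for name, safe in sorted(model.items()):
        print(f"{name:12} {len(safe['accounts']):3} accounts  members: {sorted(safe['members'])}")
    for team in ("Windows Team", "Oracle Team"):
        print(f"{team}: {safes_for_team(model, team)}")
```

Run on the constructed inventory this yields three Safes of 40, 10 and 10 accounts, with the Windows team a member of WIN-SRV and WIN-SRV-ORA and the Oracle team a member of WIN-SRV-ORA and DB-ORA. Adding a third team to `teams_needing` (say, an audit team that needs only the Oracle hosts) automatically produces the extra Safe that keeps everyone else's access unchanged.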


Granular Safe Permissions


Access to accounts and their passwords is managed through the permissions assigned to Members of the individual Safes.


• In the Safe Details view, we can see the Users and Groups who have been granted access to this Safe.
• If we have the appropriate permissions, we can also add new members to the Safe and assign them permissions.


• Users who have the List Accounts permission can see the accounts in the Safe
• Users who have the Use Accounts and List Accounts permissions can use the accounts in the Safe to log on to a remote machine through a PSM connection
• Users who have the Retrieve Accounts and List Accounts permissions can view the account password and copy it


• Account Management permissions enable users to perform such tasks as:
  – Add accounts
  – Edit accounts
  – Initiate account management operations through the CPM
  – Rename accounts
  – Delete accounts
  – Unlock accounts


• Users who have the Manage Safe permission can modify some of the Safe properties
• Users who have the Manage Safe Members permission can add or remove users and groups – both Vault users and external LDAP users – to Safes and specify their Safe authorizations


• Users who have the Authorize account request permission can give “confirmation” to Safe members requesting permission to enter a Safe when Dual Control is required.
• Users who have the Access Safe without confirmation permission can access the Safe without confirmation (even if Dual Control is enabled).
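The permission slides above describe combinations rather than single switches: List Accounts is the gate for seeing anything, Use plus List allows a PSM connection, Retrieve plus List reveals the password, and under Dual Control an access needs confirmation unless the member holds Access Safe without confirmation. An access review of Safe members needs exactly that evaluation. The following is an added example, not CyberArk code: it models those rules and flags two findings a reviewer would want, a member granted Use or Retrieve without List (the permission has no effect), and a member who holds Retrieve together with Access Safe without confirmation on a Dual Control Safe (passwords can be revealed without a confirmer). The permission strings are the PVWA labels from the slides; the action names and the finding texts are this example's own.

```python
"""Effective member capabilities from Safe permissions (added example, not
CyberArk code). Implements the combinations the slides describe; the
action names and review findings are this example's own wording."""

LIST = "List Accounts"
USE = "Use Accounts"
RETRIEVE = "Retrieve Accounts"
AUTHORIZE = "Authorize account request"
NO_CONFIRM = "Access Safe without confirmation"
MANAGE_SAFE = "Manage Safe"
MANAGE_MEMBERS = "Manage Safe Members"

# The five permissions PVWA pre-selects for a newly added member (from the slides).
DEFAULT_MEMBER_PERMISSIONS = frozenset({
    USE, RETRIEVE, LIST, "View Audit log", "View Safe Members",
})


def effective_actions(permissions):
    """Map a member's permission set to the actions it actually enables.
    Use and Retrieve only take effect together with List Accounts."""
    perms = set(permissions)
    actions = set()
    if LIST in perms:
        actions.add("see accounts")
        if USE in perms:
            actions.add("connect via PSM")
        if RETRIEVE in perms:
            actions.add("show/copy password")
    if MANAGE_SAFE in perms:
        actions.add("edit Safe properties")
    if MANAGE_MEMBERS in perms:
        actions.add("add/remove members")
    if AUTHORIZE in perms:
        actions.add("confirm access requests")
    return actions


def needs_confirmation(permissions, dual_control_enabled):
    """True when the member must wait for a confirmer before accessing the Safe."""
    return dual_control_enabled and NO_CONFIRM not in set(permissions)


def review_member(name, permissions, dual_control_enabled=False):
    """One access-review record for a Safe member, with findings."""
    perms = set(permissions)
    findings = []
    if (USE in perms or RETRIEVE in perms) and LIST not in perms:
        findings.append("Use/Retrieve granted without List Accounts: no effect")
    if dual_control_enabled and RETRIEVE in perms and NO_CONFIRM in perms:
        findings.append("can reveal passwords without confirmation although Dual Control is on")
    return {
        "member": name,
        "actions": sorted(effective_actions(perms)),
        "confirmation_required": needs_confirmation(perms, dual_control_enabled),
        "findings": findings,
    }


def review_safe(members, dual_control_enabled=False):
    """Review every member of one Safe; members is {name: permission set}."""
    return [review_member(n, p, dual_control_enabled) for n, p in sorted(members.items())]


if __name__ == "__main__":
    # Constructed membership of a Dual Control Safe for illustration.
    sample = {
        "Windows Team": DEFAULT_MEMBER_PERMISSIONS,
        "Oracle Team": {LIST, USE},
        "svc-batch": DEFAULT_MEMBER_PERMISSIONS | {NO_CONFIRM},
        "new-hire": {USE, RETRIEVE},
        "Approvers": {LIST, AUTHORIZE},
    }
    for record in review_safe(sample, dual_control_enabled=True):
        print(record)
```

Treating the PVWA defaults as a starting point rather than a standard is the practical lesson: the default set already includes Retrieve, so a team that should only connect through PSM needs that permission removed deliberately.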


• Grant End user access to Safes
• Grant Manager access to Safes

The slide applies this to the ACME Safes: WIN-SRV, WIN-SRV-ORA, DB-ORA


• There are some differences in the terminology used in the PrivateArk Client and the PVWA
• PrivateArk Client
  – Owners List
  – Files
• PVWA
  – Members List
  – Accounts


Creating and Managing Safes

In this section we will discuss:

• The purpose of using Safes
• Creating a new Safe
• Assigning Safe permissions
• The connection between Safes and Platforms


Where Safes fit in the implementation flow:

1. Review/Edit Master Policy: business/audit rules for managing passwords; global policy settings
2. Create Platforms: technical settings for managing passwords; basis for exceptions
3. Add exceptions to Master Policy based on Platforms: exceptions to Master Policy rules
4. Create Safes: access control
5. Add Accounts: individual objects containing the required information (address, username, password, etc.) to manage privileged accounts


• Not all users have the right to add Safes
• Vault Admins and Safe Managers have this permission


When adding a new Safe, the user will be asked to provide:
• A unique Safe name
• Optionally a description
• The policy for storing password versions
• The CPM to manage the Safe

Additional considerations:
• A Safe name cannot be more than 28 characters
• Object-level access control is not recommended


• Once the Safe is created, you can use the Add Member button to give access to the contents of the Safe


Users or groups can be searched and added as members from Active Directory or from the Vault.
• By default, members are assigned with permissions to:
  – Use accounts
  – Retrieve accounts
  – List accounts
  – View Audit log
  – View Safe members
• The permissions can be modified for all users except for Master
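The slides note that Safes can be created programmatically via the REST API, and the last three slides list exactly what a Safe needs (unique name of at most 28 characters, optional description, version-retention policy, managing CPM, object-level access control left off) and what a new member gets by default. The following is an added example, not CyberArk's code: the endpoint paths (`/PasswordVault/API/Safes`, `/PasswordVault/API/Safes/{safe}/Members`, the CyberArk logon endpoint), the body field names and the camel-case permission keys are the author's understanding of the PVWA REST API and must be checked against the API reference for the version in use. The PVWA URL, CPM name, directory name and member names are placeholders; the `PSM_ONLY_PERMISSIONS` profile, which removes Retrieve from the defaults for a team that should only connect through PSM, is this example's own choice. Everything that touches the network is confined to `pvwa_post`, so the payload builders can be tested offline.

```python
"""Create a Safe and add members through the PVWA REST API (added example,
not CyberArk code). Endpoint paths, field names and permission keys are
the author's understanding of the PVWA API; verify against your version's
API reference. URLs, CPM and member names are placeholders."""
import json
import urllib.request

MAX_SAFE_NAME_LEN = 28

# The five permissions PVWA pre-selects for a new member (from the slides),
# expressed as REST API permission keys.
DEFAULT_MEMBER_PERMISSIONS = {
    "useAccounts": True,
    "retrieveAccounts": True,
    "listAccounts": True,
    "viewAuditLog": True,
    "viewSafeMembers": True,
}

# Narrower profile (this example's choice): PSM connections only, no password reveal.
PSM_ONLY_PERMISSIONS = {**DEFAULT_MEMBER_PERMISSIONS, "retrieveAccounts": False}


def build_safe_payload(safe_name, description, managing_cpm, versions_retained=5):
    """Body for POST /PasswordVault/API/Safes. Enforces the 28-character
    limit and leaves object-level access control off, as the slides advise."""
    if not safe_name or len(safe_name) > MAX_SAFE_NAME_LEN:
        raise ValueError(f"Safe name must be 1-{MAX_SAFE_NAME_LEN} characters: {safe_name!r}")
    return {
        "SafeName": safe_name,
        "Description": description,
        "ManagingCPM": managing_cpm,
        "NumberOfVersionsRetention": versions_retained,
        "OLACEnabled": False,
    }


def build_member_payload(member_name, search_in="Vault", permissions=None):
    """Body for POST /PasswordVault/API/Safes/{safe}/Members. search_in is
    "Vault" for Vault users/groups or the LDAP directory name for AD members."""
    perms = dict(DEFAULT_MEMBER_PERMISSIONS if permissions is None else permissions)
    return {"MemberName": member_name, "SearchIn": search_in, "Permissions": perms}


def pvwa_post(base_url, path, body, token=None):
    """Minimal JSON POST returning the decoded response; the only network code."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = token
    req = urllib.request.Request(f"{base_url}{path}", data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_safe_with_members(base_url, token, safe_payload, members):
    """Create one Safe, then add each (name, search_in, permissions) member."""
    pvwa_post(base_url, "/PasswordVault/API/Safes", safe_payload, token)
    for name, search_in, perms in members:
        pvwa_post(base_url, f"/PasswordVault/API/Safes/{safe_payload['SafeName']}/Members",
                  build_member_payload(name, search_in, perms), token)


if __name__ == "__main__":
    PVWA_URL = "https://pvwa.example.internal"  # placeholder
    # Logon returns the session token used in the Authorization header.
    token = pvwa_post(PVWA_URL, "/PasswordVault/API/auth/CyberArk/Logon",
                      {"username": "safe_admin", "password": "<from a vaulted secret>"})
    safe = build_safe_payload("WIN-SRV-ORA", "Windows local admins on Oracle hosts",
                              "PasswordManager")
    create_safe_with_members(PVWA_URL, token, safe, [
        ("Windows Team", "example.local", DEFAULT_MEMBER_PERMISSIONS),
        ("Oracle Team", "example.local", PSM_ONLY_PERMISSIONS),
    ])
```

Keeping the payload builders pure means the naming and permission decisions from the Safe model can be reviewed (and unit-tested) before any call reaches the Vault.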




• Using the AllowedSafes parameter, you can limit the scope of a particular platform to only those Safes that match the regular expression pattern
• For example, Accounts associated with the LIN SSH 30 Platform can only be stored in Safes that start with the string “Lin-”
• This will help improve the performance of the CPM and simplify administrative tasks
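Because AllowedSafes is a regular expression, the usual regex pitfalls apply: a wrong prefix or the wrong letter case silently leaves a platform with no usable Safe, or too loose a pattern leaves it unrestricted. The following is an added example, not CyberArk code, that shows how the scoping behaves and gives two checks an administrator can run before onboarding: which platforms a given Safe admits, and which existing Safes a proposed pattern would cover. The platform table, the `Lin-.*` pattern (the page says only "start with Lin-"), the use of full-string matching, and the `.*` default for an unrestricted platform are this example's assumptions; the exact matching rule should be confirmed against the platform documentation for the version in use.

```python
"""AllowedSafes scoping checks (added example, not CyberArk code). The
platform table, patterns and full-string matching are this example's
assumptions; confirm the product's matching rule for your version."""
import re

# Constructed platform table: platform ID -> AllowedSafes pattern.
PLATFORMS = {
    "UnixSSH": r"Lin-.*",            # Linux accounts only in Safes starting "Lin-"
    "WinServerLocal": r"Win-.*",
    "Oracle": r"(Lin|Win)-.*-ORA",   # e.g. Win-SRV-ORA
    "Generic": r".*",                # unrestricted (assumed product default)
}


def platform_allows_safe(pattern, safe_name):
    """Does the platform's AllowedSafes admit this Safe? Full-string match,
    so a prefix pattern must end in .* to cover the rest of the name."""
    return re.fullmatch(pattern, safe_name) is not None


def platforms_for_safe(safe_name, platforms=PLATFORMS):
    """Platforms whose accounts may be stored in this Safe."""
    return sorted(p for p, pat in platforms.items() if platform_allows_safe(pat, safe_name))


def check_onboarding(platform_id, safe_name, platforms=PLATFORMS):
    """Pre-flight check before onboarding an account: (ok, message)."""
    pattern = platforms[platform_id]
    if platform_allows_safe(pattern, safe_name):
        return True, f"{platform_id} accounts may be stored in {safe_name}"
    return False, (f"{platform_id} is restricted to Safes matching {pattern!r}; "
                   f"{safe_name!r} does not match")


def audit_pattern(pattern, existing_safes):
    """Review a proposed AllowedSafes value against the Safes that exist.
    An empty result usually means the pattern is wrong (prefix, case)."""
    return [s for s in existing_safes if platform_allows_safe(pattern, s)]


if __name__ == "__main__":
    safes = ["Lin-SRV-PROD", "Lin-DB-ORA", "Win-SRV", "Win-SRV-ORA", "DB-ORA"]
    for s in safes:
        print(f"{s:14} {platforms_for_safe(s)}")
    print(check_onboarding("UnixSSH", "Win-SRV"))
    print("lowercase pattern covers:", audit_pattern(r"lin-.*", safes))
```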


Summary

In this session we covered:

• The Vault model
• What is a Safe
• The key criteria for designing a Safe model
• Basic Access Control concepts and Safe permissions
• How to create and manage Safes
• How to add Safe Members and assign them permissions


Exercises

You may now complete the following exercise:

Securing Windows Domain Accounts

• Safe Management
  – Creating a Safe
  – Add Safe Members
