02-PAS-ADMIN User Management


PAS ADMINISTRATION

User Management

CyberArk Training
OBJECTIVES

By the end of this lesson you will be familiar with:

• User management overview

• Predefined users and groups

• Manage internal users and groups in PrivateArk Client

• Transparent user management

• Vault authorizations, Safe authorizations, and PVWA permissions

• Directory mapping

USER MANAGEMENT OVERVIEW

• Users vs. Accounts
• Internal Users and Groups vs. Transparent Users and Groups
USERS VS. ACCOUNTS (1)

Throughout this course we will be using the terms Users and Accounts. It is very important to understand the difference between the two.

Users: People* who have been granted access to the system
• To access passwords
• To manage policies
• Typically defined by their Domain credentials

Accounts: The actual privileged account ids and passwords
• Stored in Safes
• Examples include domain administrators, local administrators, root accounts, service accounts and more

* Applications and CyberArk components are also users who access accounts
USERS VS. ACCOUNTS (2)

[Figure: User vs. Account]
INTERNAL VS. TRANSPARENT USERS AND GROUPS

There are two main categories of users and groups in the system:

Internal Users and Groups (CyberArk)
• Users and Groups that are created automatically in the Vault (Built-in).
• Users and Groups that are added manually to the Vault.

Transparent Users and Groups (LDAP)
• Users and Groups that are automatically provisioned from an external directory.
INTERNAL VS. TRANSPARENT (2)

• Transparent users are provisioned automatically in the Vault when they authenticate via LDAP for the first time.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon.
• If you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists within AD and answers the mapping criteria.

[Figure: icons for Internal User, Transparent User, Internal Group, Transparent Group]
PRE-DEFINED USERS & GROUPS

• Pre-defined users and groups
• The Master user
• Permissions
• Logging in with Master
• Changing the Master user password
PREDEFINED USERS AND GROUPS

• The CyberArk Vault automatically creates several users and groups during the installation process.
• These users are created for administrative tasks and eliminate the need for specific users to be constantly available to carry out administrative chores.
• Most of these users and groups become owners of every Safe in the Vault, both existing and new, with their authorizations corresponding to the tasks they need to perform.
• The most important user is the Master user.
MASTER USER
The Master user is the most powerful user in the system, with full Safe and Vault authorizations that
cannot be removed.

LOGGING IN WITH MASTER

• Access only through the Private Ark Client
• Master user Password (defined during installation)
• Access to the Master CD (RecPrvKey)
• Access only from the Vault console and one additional IP address (EmergencyStationIP)
CHANGING THE MASTER PASSWORD

To change the Master user password, log in with the Master user and click on User -> Set Password

USER MANAGEMENT IN PRIVATEARK CLIENT

• Managing Users and Groups via PrivateArk Client
• Add User
• Authorized Interfaces
• Authentication
• Vault Authorizations
• Group Membership
• General Tabs
MANAGING USERS AND GROUPS USING PRIVATE ARK CLIENT

• Users are stored in the Vault database
• Most user management is done via the PrivateArk Client
• It is recommended that you manage your users with an external LDAP directory, such as Active Directory
• Users can also be manually created via the PrivateArk Client

TRANSPARENT USER MANAGEMENT

• LDAP integration
• Define Directory Mapping
• Manage Transparent Users and Groups
TRANSPARENT USER MANAGEMENT

• The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information.
• This enables automatic provisioning and creation of unique users based upon the external group membership and attributes.
LDAP INTEGRATION

• The first step is to connect the Vault with an LDAP server (usually Microsoft Active Directory).
• A new Wizard will guide you through this process.
• You will be required to provide the connection details and credentials to authenticate to LDAP.
DIRECTORY MAPPING

• The second step allows you to define default directory mappings.
• A Directory Map determines whether a User Account will be created in the Vault, and the roles they will have.
• This step is optional. You may edit these directory mappings later or create custom mappings according to your needs.
USER PROVISIONING

• Users are provisioned automatically in the Vault the first time they authenticate via LDAP, receiving roles and attributes based on the Directory Mapping that applies to them.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon.
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD.
• To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory.
• A daily process checks which users map to the various queries.
LDAP SYNCHRONIZATION

The parameter AutoSyncExternalObjects in the dbparm.ini file determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory.

AutoSyncExternalObjects=Yes,24,1,5

• Yes: whether or not to sync with the External Directory
• 24: the number of hours in one period cycle
• 1,5: the hours during which the sync will take place
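As an added example (not code from the CyberArk course material), a small Python parser for this dbparm.ini line that models the three fields described on the slide and reports whether a sync run is allowed at a given hour. Treating the last two numbers as an inclusive start and end hour, and letting a window wrap past midnight, are assumptions of this example rather than documented behaviour.

```python
# Added example: model of AutoSyncExternalObjects=<Yes|No>,<cycle hours>,<from>,<to>
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoSync:
    enabled: bool        # first field: Yes/No, sync with the External Directory or not
    cycle_hours: int     # second field: number of hours in one period cycle
    window_start: int    # third field: first hour (0-23) in which the sync may run
    window_end: int      # fourth field: last hour (0-23), inclusive (assumption)


def parse_auto_sync(line: str) -> AutoSync:
    """Parse a 'AutoSyncExternalObjects=Yes,24,1,5' line from dbparm.ini."""
    key, _, value = line.partition("=")
    if key.strip() != "AutoSyncExternalObjects":
        raise ValueError(f"unexpected key: {key!r}")
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    flag = fields[0].lower()
    if flag not in ("yes", "no"):
        raise ValueError(f"first field must be Yes or No, got {fields[0]!r}")
    cycle, start, end = (int(f) for f in fields[1:])   # non-numeric -> ValueError
    if cycle <= 0:
        raise ValueError("cycle length must be a positive number of hours")
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError("window hours must be in 0..23")
    return AutoSync(flag == "yes", cycle, start, end)


def sync_allowed_at(cfg: AutoSync, hour: int) -> bool:
    """True if a synchronization run is permitted at the given hour of the day.

    A window whose end is earlier than its start wraps past midnight
    (assumption of this example, e.g. 22,2 means 22:00 through 02:00).
    """
    if not cfg.enabled:
        return False
    if cfg.window_start <= cfg.window_end:
        return cfg.window_start <= hour <= cfg.window_end
    return hour >= cfg.window_start or hour <= cfg.window_end


if __name__ == "__main__":
    cfg = parse_auto_sync("AutoSyncExternalObjects=Yes,24,1,5")   # value from the slide
    print(cfg, "sync allowed at 03:00:", sync_allowed_at(cfg, 3))
```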

AUTHORIZATIONS

• Vault authorizations
• Safe authorizations
• PVWA permissions
AUTHORIZATIONS (1)

There are two categories of authorizations in the system:

Vault Authorizations
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Defined only via the Private Ark Client.

Safe Authorizations
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the Private Ark Client or PVWA.

AUTHORIZATIONS (2)

[Figure: Safe Authorizations and Vault Authorizations screens]
VAULT AUTHORIZATIONS – ADMINISTRATOR

• Predefined users are assigned different Vault authorizations based on their role and function.
• For example: The built-in Administrator user has full Vault authorizations by default.

VAULT AUTHORIZATIONS – AUDITOR USER

• On the other hand, the built-in Auditor user only has the “Audit Users” vault authorization by default.
SAFE AUTHORIZATIONS

• Most predefined users and groups are added to all newly created safes based on their role and function.
• For example: users in the Auditors group are automatically added to all Safes with permissions to:
  • List
  • View audit
  • View Safe Members
• The list of groups that are added automatically to newly created safes is controlled by a parameter in the dbparm.ini file.
PVWA PERMISSIONS

• The tabs and buttons available in the PVWA depend on the logged-in user’s membership in a CyberArk built-in group.
• Members of Vault Admins have access to the ADMINISTRATION tab.
• Members of Auditors have access to the MONITORING tab.
• Members of Security Admins and Security Operators have access to the SECURITY pane.
DIRECTORY MAPPING

• What it does
• Preparing LDAP
• Pre-defined mappings
DIRECTORY MAPPING

A Directory Map determines whether a User Account or Group will be created in the Vault and the roles they will have.

There are two kinds of Directory Map:

• User Mapping – allows for authentication and Authorization; defines user’s attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.

[Diagram: Active Directory → Vault. User Mapping grants Vault Authorizations (Add user, Add Safe, etc.); Group Mapping grants Safe Authorizations and membership in CyberArk Groups (Vault Admins, Auditors).]
PREPARE ACTIVE DIRECTORY ENVIRONMENT

Request creation of 4 groups in LDAP:

• CyberArk Vault Admins
• CyberArk Safe Managers
• CyberArk Auditors
• CyberArk Users
PREDEFINED DIRECTORY MAPPINGS

The LDAP Integration Wizard is used to map AD groups to the four predefined CyberArk roles:

• Vault Admins
• Safe Managers
• Auditors
• Users
VAULT ADMINS MAPPING – VAULT AUTHORIZATIONS

• The Vault Admins mapping is applied to any user who is a member of the LDAP group CyberArk Vault Admins.
• LDAP users are provisioned in the Vault with the appropriate Vault authorizations the first time the users log in.
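As an added example (not CyberArk code), a simplified Python model of first-login provisioning that ties the predefined directory mappings to the two authorization categories from the Authorizations slides: a user who matches no mapping is not created in the Vault, vault authorizations are granted to the user directly and never inherited, and safe authorizations are inherited through group membership. The map names, LDAP group names and authorization names come from the slides; the first-match evaluation order and the empty group set for the Users role are assumptions of this model.

```python
# Added example: simplified model of directory mapping and authorization inheritance.
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryMap:
    name: str
    ldap_group: str                   # LDAP group whose members this map applies to
    vault_authorizations: frozenset   # granted to the user directly; never inherited
    cyberark_groups: frozenset        # built-in CyberArk groups the user is nested into


# The four predefined mappings of the LDAP Integration Wizard (authorization names
# are the ones shown on the slides; the Users role is modelled with no group).
PREDEFINED_MAPS = (
    DirectoryMap("Vault Admins", "CyberArk Vault Admins",
                 frozenset({"Add user", "Add Safe"}), frozenset({"Vault Admins"})),
    DirectoryMap("Safe Managers", "CyberArk Safe Managers",
                 frozenset(), frozenset({"Safe Managers"})),
    DirectoryMap("Auditors", "CyberArk Auditors",
                 frozenset({"Audit Users"}), frozenset({"Auditors"})),
    DirectoryMap("Users", "CyberArk Users", frozenset(), frozenset()),
)

# Safe authorizations that built-in groups hold on every Safe (Auditors per the slide).
GROUP_SAFE_AUTHS = {
    "Auditors": frozenset({"List", "View audit", "View Safe Members"}),
}


def provision_user(ldap_groups, maps=PREDEFINED_MAPS):
    """Model first-login provisioning. Returns None when no map matches, i.e. the
    user is not created in the Vault. Assumption: maps are evaluated in order and
    the first match decides the vault authorizations and group memberships."""
    for m in maps:
        if m.ldap_group in ldap_groups:
            return {"vault_authorizations": m.vault_authorizations,
                    "cyberark_groups": m.cyberark_groups}
    return None


def effective_safe_authorizations(user, direct=frozenset(), group_auths=GROUP_SAFE_AUTHS):
    """Safe authorizations: those assigned directly plus those of every group."""
    auths = set(direct)
    for g in user["cyberark_groups"]:
        auths |= group_auths.get(g, frozenset())
    return frozenset(auths)


if __name__ == "__main__":
    u = provision_user({"CyberArk Auditors", "Domain Users"})   # constructed sample
    print(u, effective_safe_authorizations(u))
```

Vault authorizations are read straight from the provisioned user record and are never widened by group membership, which is the point the Authorizations slide makes.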

CUSTOM DIRECTORY MAPPING

Beginning with PAS version 10.10, custom directory mappings can be created via a simplified wizard in the PVWA.
SUMMARY

In this session we covered:

• User management overview
• Predefined users and groups
• Manage internal users and groups in PrivateArk Client
• Transparent user management
• Vault authorizations, Safe authorizations, and PVWA permissions
• Directory mapping
EXERCISES

You may now proceed to completing the following exercises:

USER MANAGEMENT

• Know the Players
• LDAP Integration and Directory Mapping
  • LDAP Integration
  • Configure Predefined Directory Mappings
  • Test the LDAP Integration and Predefined Mappings
  • Configure Custom Directory Mapping
  • Test Custom Directory Mapping
• Unsuspend a suspended user (optional)
• Log in with Master
PRIVATEARK CLIENT/PVWA SAFE PERMISSIONS

Safe Permissions

• There are some differences in terminology between the Private Ark Client and the PVWA
• Key Differences
  • Private Ark Client: Owners List, Files
  • PVWA: Members List, Accounts
ADDITIONAL RESOURCES

Utilities

• Sample RestAPI Scripts

Documentation

• End User Guide
THANK YOU
