PAM Administration
User Management
© 2023 CyberArk Software Ltd. All rights reserved
Agenda
By the end of this session, you will be able to:
1. Describe the difference between Users and Accounts
2. Describe the difference between Internal users and groups and Transparent users and groups
3. Describe the roles of predefined users and groups
4. Manage internal users and groups in PrivateArk Client and PVWA
5. Manage Transparent users
6. Describe the difference between Vault authorizations, Safe authorizations, and PVWA permissions
7. Describe how directory mapping works
8. Create custom directory mapping
User Management Overview
Users vs. Accounts
Internal Users and Groups vs. Transparent Users and Groups
Users vs. Accounts
Throughout this course we will be using the terms Users and Accounts. It is very important to understand the differences between the two.
Users: People* who have been granted access to the system
• To access passwords
• To manage policies
• Typically defined by their Domain credentials
Accounts: The actual privileged account IDs and passwords
• Stored in Safes
• Examples include domain administrators, local administrators, root accounts, service accounts and more
* Applications and CyberArk components are also users who access accounts
Users vs. Accounts (diagram: a User accessing an Account)
Internal vs. Transparent Users and Groups
There are two main categories of users and groups in the system:
Internal Users and Groups (CyberArk)
• Users and Groups that are created automatically in the Vault (Built-in).
• Users and Groups that are added manually to the Vault.
Transparent Users and Groups (LDAP)
• Users and Groups that are automatically provisioned from an external directory.
Internal vs. Transparent
• Transparent users are provisioned automatically in the Vault when they authenticate via LDAP for the first time.
• These Users and Groups are marked with a white LDAP User or Groups icon.
• If you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists within AD and answers the mapping criteria.
(Icons shown: Internal User, Internal Group, Transparent User, Transparent Group)
Predefined Users & Groups
Predefined users and groups
The Master user
⎼ Permissions
⎼ Logging in with Master
⎼ Changing the Master user password
Predefined Users and Groups
• The CyberArk Vault automatically creates several users and groups during the installation process.
• These users are created for administrative tasks and eliminate the need for specific users to be constantly available to carry out administrative chores.
• Most of these users and groups become owners of every Safe in the Vault, both existing and new, with their authorizations corresponding to the tasks they need to perform.
• The most important user is the Master user.
Master User
The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed.
Logging in with Master
• Access only through the PrivateArk Client
• 3-Factor Authentication:
1. Master user password (defined during installation)
2. Access to the RecPrvKey
3. Access only from the Vault console and one additional IP address (EmergencyStationIP)
Changing the Master Password
To change the Master user password, log in with the Master user and click on User → Set Password.
User Management in PrivateArk Client
Managing Users and Groups via PrivateArk Client
Adding Users
⎼ Authorized Interfaces
⎼ Authentication
⎼ Vault Authorizations
⎼ Group Membership
⎼ General Tabs
Managing Users and Groups Using PrivateArk Client
• Users are stored in the Vault database
• It is recommended that you manage your users with an external LDAP directory, such as Active Directory
• Users can also be manually created via the PrivateArk Client
General Tab – Manually Adding a User
You can manually add new users through the PrivateArk Client interface.
Authorized Interfaces
Select which interfaces this user can log in from.
Authentication
Select the Authentication method for this user.
Vault Authorizations
Configure the Vault authorizations for this user.
Group Membership
Select which Groups you want this user to be a member of.
Other User Tabs
Configure the Business e-mail field for this user to receive e-mail notifications.
User Management in PVWA
Managing Users and Groups via PVWA
⎼ Create and edit CyberArk Users
⎼ Create groups and assign users
⎼ View all users (both LDAP and CyberArk)
⎼ Disable a user or activate a suspended user
⎼ Reset a user’s password
Managing Users Using PVWA
Starting on PAM version 13, we introduced our User Management module in the web portal administration view (PVWA).
This view enables you to:
• Create and Edit CyberArk Users
• Create Groups and Assign users to them
• Disable a user or Activate a suspended user
• Reset a user’s password
Create New CyberArk Users
You can manually add new users through the PVWA interface.
Edit CyberArk Users
You can edit CyberArk users through the PVWA interface.
Create Groups
You can manually create new groups through the PVWA interface.
Disable and Activate Users
You can disable a user or activate a suspended one through the PVWA interface.
Reset A User’s Password
You can reset a user’s password through the PVWA interface.
Transparent User Management
LDAP integration
Define Directory Mapping
Manage Transparent Users and Groups
Transparent User Management
• The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information
• This enables automatic provisioning and creation of unique users based upon the external group membership and attributes
LDAP Integration
A new Wizard will guide you through this process.
The first step is to connect the Vault with an LDAP server (usually Microsoft Active Directory).
You will be required to provide the credentials of a bind account to authenticate to LDAP.
Directory Mapping
• The second step allows you to define default directory mappings.
• A Directory Map links an LDAP group with one of the built-in CyberArk groups and determines how user accounts are created in the Vault and the roles they will have.
• You can edit these directory mappings later or create custom mappings according to your needs.
User Provisioning
• Users are provisioned automatically in the Vault the first time they authenticate via LDAP, receiving roles and attributes based on the Directory Mapping that applies to them.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon.
User Removal
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD.
• To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory.
• A daily process checks which users map to the various queries.
LDAP Synchronization
The parameter AutoSyncExternalObjects in the dbparm.ini file determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory.
AutoSyncExternalObjects = Yes, 24, 1,5
• Yes – whether or not to sync with the External Directory
• 24 – the number of hours in one period cycle
• 1,5 – the hours during which the sync will take place
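As an added example (not CyberArk code), the following Python reads the AutoSyncExternalObjects line out of a dbparm.ini fragment, splits it into the three pieces the slide annotates, and lets an administrator check whether a sync may run at a given hour and whether the setting leaves stale transparent users around. The ini text is constructed for this example; treating "1,5" as a 01:00 to 05:00 window, and that window as half-open, is an assumption of the example.

```python
from dataclasses import dataclass

# Constructed dbparm.ini fragment (not a real Vault file); only the one key matters here.
SAMPLE_DBPARM = """\
[MAIN]
; constructed sample
AutoSyncExternalObjects = Yes, 24, 1,5
"""


@dataclass(frozen=True)
class AutoSyncSetting:
    enabled: bool        # first field: Yes/No
    cycle_hours: int     # second field: hours in one period cycle
    window_start: int    # third field: hour at which the sync window opens
    window_end: int      # fourth field: hour at which the sync window closes

    def sync_allowed_at_hour(self, hour: int) -> bool:
        """True when sync is enabled and `hour` falls inside the window.
        The window is treated as half-open [start, end) (assumption)."""
        if not self.enabled:
            return False
        if self.window_start <= self.window_end:
            return self.window_start <= hour < self.window_end
        # window that crosses midnight, e.g. 22,2
        return hour >= self.window_start or hour < self.window_end


def parse_auto_sync(dbparm_text: str) -> AutoSyncSetting:
    """Find AutoSyncExternalObjects in the ini text and parse its four fields."""
    for line in dbparm_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "autosyncexternalobjects":
            continue
        fields = [f.strip() for f in value.split(",")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {fields!r}")
        enabled = fields[0].lower() == "yes"
        cycle, start, end = (int(f) for f in fields[1:])
        if cycle <= 0 or not (0 <= start <= 23) or not (0 <= end <= 24):
            raise ValueError(f"hour fields out of range: {fields!r}")
        return AutoSyncSetting(enabled, cycle, start, end)
    raise KeyError("AutoSyncExternalObjects not present")


def audit_auto_sync(setting: AutoSyncSetting) -> list:
    """Findings a defender cares about: with sync off, users removed from mapped
    LDAP groups are not picked up automatically; a cycle longer than a day
    lengthens the time a removed user stays provisioned in the Vault."""
    findings = []
    if not setting.enabled:
        findings.append("sync disabled: directory changes are not picked up automatically")
    elif setting.cycle_hours > 24:
        findings.append(f"sync cycle is {setting.cycle_hours}h; removed users stay provisioned longer than a day")
    return findings


if __name__ == "__main__":
    s = parse_auto_sync(SAMPLE_DBPARM)
    print(s, "sync at 03:00 allowed:", s.sync_allowed_at_hour(3))
    print("findings:", audit_auto_sync(s))
```

Run it against a copy of your own dbparm.ini to confirm that the window the Vault has been given actually matches the maintenance window you expect.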
Authorizations
Vault authorizations
Safe authorizations
PVWA permissions
Authorizations
There are two categories of authorizations in the system:
Vault Authorizations
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Can be defined via the PrivateArk Client or PVWA.
Safe Authorizations
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or PVWA.
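The difference between the two categories is easiest to see when you resolve what a given user can actually do. The Python below is an added example, not CyberArk code: it models Vault authorizations as direct-to-user only and Safe authorizations as the union of the user's own Safe membership and that of every group (including nested groups) the user belongs to. The authorization names come from the slides ("Audit Users", "Backup all safes", "List accounts", "View Safe members", "View audit log"); the users, groups, the "Retrieve accounts" entry and the Finance Safe are constructed sample data.

```python
from collections import deque

# Constructed group directory: group name -> members (members may themselves be groups).
GROUP_MEMBERS = {
    "Auditors": {"alice", "AuditTeam"},   # AuditTeam is nested inside Auditors
    "AuditTeam": {"bob"},
}

# Vault authorizations are held by users only (the slide: "only to users, not groups").
VAULT_AUTHORIZATIONS = {
    "Auditor": {"Audit Users"},
    "Backup": {"Backup all safes"},
}

# Safe ACL for a constructed "Finance" Safe: member (user or group) -> Safe permissions.
FINANCE_SAFE_ACL = {
    "Auditors": {"List accounts", "View Safe members", "View audit log"},
    "alice": {"Retrieve accounts"},       # constructed direct grant for the example
}


def is_group(principal: str) -> bool:
    return principal in GROUP_MEMBERS


def groups_of(user: str) -> set:
    """Every group the user belongs to, following nested membership."""
    found = set()
    queue = deque([user])
    while queue:
        member = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                queue.append(group)
    return found


def grant_vault_authorization(principal: str, authorization: str) -> None:
    """Vault authorizations can only be placed on a user, never on a group."""
    if is_group(principal):
        raise ValueError(f"{principal!r} is a group; Vault authorizations are user-only")
    VAULT_AUTHORIZATIONS.setdefault(principal, set()).add(authorization)


def vault_authorizations(user: str) -> set:
    """Direct grants only: group membership contributes nothing here."""
    return set(VAULT_AUTHORIZATIONS.get(user, set()))


def safe_authorizations(user: str, safe_acl: dict) -> set:
    """Direct Safe membership plus everything inherited through (nested) groups."""
    perms = set(safe_acl.get(user, set()))
    for group in groups_of(user):
        perms |= safe_acl.get(group, set())
    return perms


if __name__ == "__main__":
    for who in ("alice", "bob", "Auditor"):
        print(who, "vault:", vault_authorizations(who),
              "finance safe:", safe_authorizations(who, FINANCE_SAFE_ACL))
```

The practical consequence for reviews: auditing who can "Audit Users" or "Backup all safes" means listing users directly, whereas auditing Safe access means expanding group membership, nested groups included.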
Authorizations (screenshots: Safe Authorizations and Vault Authorizations)
Vault Authorizations – Administrator
• Predefined users are assigned different Vault authorizations based on their role and function.
• The built-in Administrator user has full Vault authorizations by default.
Vault Authorizations – Auditor User
The built-in Auditor user only has the “Audit Users” Vault authorization by default.
Vault Authorizations – Backup User
• The built-in Backup user only has the “Backup all safes” Vault authorization by default.
• Starting in version 13.x Vault Authorizations can also be configured and viewed from PVWA.
Safe Authorizations
• Most predefined users and groups are added to all newly created Safes based on their role and function.
• Users in the Auditors group are automatically added to all Safes with permissions to:
⎼ List accounts
⎼ View Safe members
⎼ View audit log
Safe Authorizations
The list of groups that are added automatically to newly created Safes is controlled by a parameter in the dbparm.ini file.
PVWA Permissions
• The tabs and buttons available in the PVWA depend on the logged-in user’s membership in a CyberArk built-in group.
• Members of Vault Admins have access to the Administration tab.
• Members of Auditors have access to the Privileged Sessions tab.
• Members of Security Admins and Security Operators have access to the Security pane.
Directory Mapping
What it does
Preparing LDAP
Pre-defined mappings
Directory Mapping
A Directory Map determines whether a User Account or Group will be created in the Vault and the roles they will have.
There are two kinds of Directory Map:
• User Mapping – allows for authentication and defines user attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.
(Diagram: Active Directory → Vault. User Mapping yields Vault Authorizations such as Add user, Add Safe, etc. Group Mapping yields Safe Authorizations through CyberArk Groups such as Vault Admins and Auditors.)
Prepare the Active Directory Environment
Request creation of 4 groups in LDAP:
• CyberArk Auditors
• CyberArk Safe Managers
• CyberArk Users
• CyberArk Vault Admins
Predefined Directory Mappings
The LDAP Integration Wizard is used to map AD groups to the four predefined CyberArk roles:
• Vault Admins
• Safe Managers
• Auditors
• Users
Vault Admins Mapping – Vault Authorizations
• The Vault Admins mapping is applied to any user who is a member of the LDAP group CyberArk Vault Admins
• LDAP users are provisioned in the Vault with the appropriate authorizations the first time the users log in
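To tie the Directory Mapping, User Provisioning and User Removal slides together, here is an added Python model (not CyberArk code) of what happens on a transparent user's first LDAP login, on deletion and re-login, and in the daily check. The four LDAP groups and CyberArk roles are the ones named on the slides; the Vault authorizations attached to each mapping, the rule that the first matching mapping in list order sets authorizations and Location, and the user records are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryMap:
    name: str
    ldap_group: str                 # LDAP group whose members this map applies to
    cyberark_group: str             # built-in CyberArk group the user is added to
    vault_authorizations: frozenset = frozenset()   # assumed per-role set
    location: str = "\\"


# The four predefined mappings from the slides. The Vault authorizations listed are
# assumptions for this example, not the product defaults.
MAPPINGS = [
    DirectoryMap("Vault Admins", "CyberArk Vault Admins", "Vault Admins",
                 frozenset({"Add user", "Add Safe", "Audit Users"})),
    DirectoryMap("Safe Managers", "CyberArk Safe Managers", "Safe Managers",
                 frozenset({"Add Safe"})),
    DirectoryMap("Auditors", "CyberArk Auditors", "Auditors",
                 frozenset({"Audit Users"})),
    DirectoryMap("Users", "CyberArk Users", "Users"),
]


@dataclass
class VaultUser:
    name: str
    source: str                                   # "LDAP" (transparent) or "CyberArk" (internal)
    groups: set = field(default_factory=set)
    vault_authorizations: set = field(default_factory=set)
    location: str = "\\"


class Vault:
    def __init__(self, mappings):
        self.mappings = list(mappings)            # order matters: first match wins (assumed)
        self.users = {}

    def matching_maps(self, ldap_groups: set) -> list:
        return [m for m in self.mappings if m.ldap_group in ldap_groups]

    def login(self, username: str, ldap_groups: set):
        """Called after a successful LDAP authentication. Returns the existing Vault
        user, provisions a transparent user on first login if some map applies,
        or returns None when the user answers no mapping at all."""
        if username in self.users:
            return self.users[username]
        maps = self.matching_maps(ldap_groups)
        if not maps:
            return None
        primary = maps[0]
        user = VaultUser(username, "LDAP",
                         groups={m.cyberark_group for m in maps},
                         vault_authorizations=set(primary.vault_authorizations),
                         location=primary.location)
        self.users[username] = user
        return user

    def delete_user(self, username: str) -> None:
        """Deleting inside the Vault does not block the user: the next login
        re-provisions them if they still answer a mapping."""
        self.users.pop(username, None)

    def daily_check(self, directory: dict) -> list:
        """Mirror of the daily process on the slide: transparent users whose current
        LDAP groups (directory: user -> groups) no longer answer any mapping."""
        return [name for name, u in self.users.items()
                if u.source == "LDAP" and not self.matching_maps(directory.get(name, set()))]


if __name__ == "__main__":
    v = Vault(MAPPINGS)
    print(v.login("alice", {"CyberArk Vault Admins", "CyberArk Users"}))
    v.delete_user("alice")
    print("re-created:", v.login("alice", {"CyberArk Vault Admins"}))
    print("stale after AD change:", v.daily_check({"alice": {"Domain Users"}}))
```

The model makes the operational point of the User Removal slide concrete: removing the user from the mapped LDAP groups (or disabling them in the directory) is what ends their access; deleting the Vault object alone only lasts until their next login.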
Custom Directory Mapping
In addition to the predefined mappings, you can create custom directory mappings via a simplified wizard in the PVWA.
Summary
In this session we covered:
• The difference between Users and Accounts
• The difference between Internal users and groups and Transparent users and groups
• The roles of predefined users and groups
• How to manage internal users and groups in the PrivateArk Client and PVWA
• How to manage Transparent users
• The difference between Vault authorizations, Safe authorizations, and PVWA permissions
• How directory mapping works
• How to create custom directory mappings
Additional Resources
Utilities: Sample RestAPI Scripts
Documentation: PAM Documentation
You may now complete the following exercise:
User Management
• Know the Players
• LDAP Integration and Directory Mapping
⎼ Review LDAP Integration and pre-defined Directory Mappings
⎼ Test the LDAP Integration and Pre-defined Mappings
⎼ Configure Custom Directory Mapping
⎼ Test Custom Directory Mapping
• Unsuspend a Suspended User
• Log In With Master