PAM Administration
User Management
© 2023 CyberArk Software Ltd. All rights reserved
Agenda
By the end of this session, you will be able to:
1. Describe the difference between Users and Accounts
2. Describe the difference between Internal users and groups and Transparent users and groups
3. Describe the roles of predefined users and groups
4. Manage internal users and groups in PrivateArk Client and PVWA
5. Manage Transparent users
6. Describe the difference between Vault authorizations, Safe authorizations, and PVWA permissions
7. Describe how directory mapping works
8. Create custom directory mapping
User Management Overview
Users vs. Accounts
Internal Users and Groups vs. Transparent Users and Groups
Users vs. Accounts
Throughout this course we will be using the terms Users and Accounts. It is very important to understand the differences between the two.

Users: People* who have been granted access to the system
• To access passwords
• To manage policies
• Typically defined by their Domain credentials

Accounts: The actual privileged account IDs and passwords
• Stored in Safes
• Examples include domain administrators, local administrators, root accounts, service accounts and more

* Applications and CyberArk components are also users who access accounts
Users vs. Accounts
[Diagram: a User accessing an Account]
Internal vs. Transparent Users and Groups
There are two main categories of users and groups in the system:

Internal Users and Groups (CyberArk)
• Users and Groups that are created automatically in the Vault (Built-in).
• Users and Groups that are added manually to the Vault.

Transparent Users and Groups (LDAP)
• Users and Groups that are automatically provisioned from an external directory.
Internal vs. Transparent
• Transparent users are provisioned automatically in the Vault when they authenticate via LDAP for the first time.
• These Users and Groups are marked with a white LDAP User or Group icon.
• If you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists within AD and answers the mapping criteria.
[Icon legend: Internal User, Internal Group, Transparent User, Transparent Group]
Predefined Users & Groups
Predefined users and groups
The Master user
  ⎼ Permissions
  ⎼ Logging in with Master
  ⎼ Changing the Master user password
Predefined Users and Groups
• The CyberArk Vault automatically creates several users and groups during the installation process.
• These users are created for administrative tasks and eliminate the need for specific users to be constantly available to carry out administrative chores.
• Most of these users and groups become owners of every Safe in the Vault, both existing and new, with their authorizations corresponding to the tasks they need to perform.
• The most important user is the Master user.
Master User
The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed.
Logging in with Master
• Access only through the PrivateArk Client
3-Factor Authentication:
1. Master user password (defined during installation)
2. Access to the RecPrvKey
3. Access only from the Vault console and one additional IP address (EmergencyStationIP)
Changing the Master Password
To change the Master user password, log in with the Master user and click on User → Set Password.
User Management in PrivateArk Client
Managing Users and Groups via PrivateArk Client
Adding Users
  ⎼ Authorized Interfaces
  ⎼ Authentication
  ⎼ Vault Authorizations
  ⎼ Group Membership
  ⎼ General Tabs
Managing Users and Groups Using PrivateArk Client
• Users are stored in the Vault database.
• It is recommended that you manage your users with an external LDAP directory, such as Active Directory.
• Users can also be manually created via the PrivateArk Client.
General Tab – Manually Adding a User
You can manually add new users through the PrivateArk Client interface.

Authorized Interfaces
Select which interfaces this user can log in from.

Authentication
Select the Authentication method for this user.

Vault Authorizations
Configure the Vault authorizations for this user.

Group Membership
Select which Groups you want this user to be a member of.

Other User Tabs
Configure the Business e-mail field for this user to receive e-mail notifications.
User Management in PVWA
Managing Users and Groups via PVWA
  ⎼ Create and edit CyberArk Users
  ⎼ Create groups and assign users
  ⎼ View all users (both LDAP and CyberArk)
  ⎼ Disable a user or activate a suspended user
  ⎼ Reset a user’s password
Managing Users Using PVWA
Starting with PAM version 13, we introduced our User Management module in the web portal administration view (PVWA).
This view enables you to:
• Create and Edit CyberArk Users
• Create Groups and Assign users to them
• Disable a user or Activate a suspended user
• Reset a user’s password
Create New CyberArk Users
You can manually add new users through the PVWA interface.

Edit CyberArk Users
You can edit CyberArk users through the PVWA interface.

Create Groups
You can manually create new groups through the PVWA interface.

Disable and Activate Users
You can disable a user or activate a suspended one through the PVWA interface.

Reset a User’s Password
You can reset a user’s password through the PVWA interface.
Transparent User Management
LDAP integration
Define Directory Mapping
Manage Transparent Users and Groups
Transparent User Management
• The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information.
• This enables automatic provisioning and creation of unique users based upon the external group membership and attributes.
LDAP Integration
The first step is to connect the Vault with an LDAP server (usually Microsoft Active Directory). A new wizard will guide you through this process.
You will be required to provide the credentials of a bind account to authenticate to LDAP.
Directory Mapping
• The second step allows you to define default directory mappings.
• A Directory Map links an LDAP group with one of the built-in CyberArk groups and determines how user accounts are created in the Vault and the roles they will have.
• You can edit these directory mappings later or create custom mappings according to your needs.
User Provisioning
• Users are provisioned automatically in the Vault the first time they authenticate via LDAP, receiving roles and attributes based on the Directory Mapping that applies to them.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Group icon.
User Removal
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD.
• To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory.
• A daily process checks which users map to the various queries.
LDAP Synchronization
The parameter AutoSyncExternalObjects in the dbparm.ini file determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory.

AutoSyncExternalObjects = Yes, 24, 1,5

• Yes – whether or not to sync with the External Directory
• 24 – the number of hours in one period cycle
• 1,5 – the hours during which the sync will take place
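Because a wrong value here silently changes when (or whether) removed directory users stop being synchronized, it is worth validating the parameter before a Vault restart. The following Python is an added example written for this page, not CyberArk code: it reads the AutoSyncExternalObjects line from a constructed dbparm.ini snippet and interprets the four fields as shown on the slide, taking "1,5" to mean a window that starts at hour 1 and ends at hour 5 (that reading, the four-field shape and the treatment of ";" and "#" as comment markers are assumptions).

```python
"""Parse and sanity-check AutoSyncExternalObjects from dbparm.ini.

Added example, not CyberArk code. Assumed value shape:
    <Yes|No>, <hours per sync cycle>, <window start hour>,<window end hour>
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the relevant dbparm.ini lines (not a real Vault file).
SAMPLE_DBPARM = """\
[MAIN]
; constructed sample
AutoSyncExternalObjects = Yes, 24, 1,5
"""


@dataclass(frozen=True)
class AutoSync:
    enabled: bool        # "Yes": sync with the External Directory at all
    cycle_hours: int     # hours in one period cycle
    window_start: int    # first hour of day in which a sync may run (0-23)
    window_end: int      # last hour of day in which a sync may run (0-23)

    def allows_hour(self, hour: int) -> bool:
        """True if a sync may take place at the given hour of day."""
        if not self.enabled:
            return False
        if self.window_start <= self.window_end:
            return self.window_start <= hour <= self.window_end
        # Window wraps past midnight, e.g. "22,3".
        return hour >= self.window_start or hour <= self.window_end


def parse_auto_sync(value: str) -> AutoSync:
    """Parse the raw value after '=' and reject malformed settings."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {value!r}")
    flag, cycle, start, end = parts
    if flag.lower() not in ("yes", "no"):
        raise ValueError(f"first field must be Yes or No: {flag!r}")
    cycle_h, start_h, end_h = int(cycle), int(start), int(end)
    if cycle_h <= 0:
        raise ValueError(f"cycle hours must be positive: {cycle_h}")
    for h in (start_h, end_h):
        if not 0 <= h <= 23:
            raise ValueError(f"window hour out of range 0-23: {h}")
    return AutoSync(flag.lower() == "yes", cycle_h, start_h, end_h)


def read_auto_sync(dbparm_text: str) -> Optional[AutoSync]:
    """Locate AutoSyncExternalObjects in dbparm.ini text; None if it is absent."""
    for raw in dbparm_text.splitlines():
        line = raw.strip()
        # Assumed: ';' and '#' start comments, '[...]' lines are section headers.
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "autosyncexternalobjects":
            return parse_auto_sync(val)
    return None


if __name__ == "__main__":
    cfg = read_auto_sync(SAMPLE_DBPARM)
    print(cfg)
    print("sync allowed at 03:00:", cfg.allows_hour(3))   # True
    print("sync allowed at 12:00:", cfg.allows_hour(12))  # False
```

Run it against the text of a real dbparm.ini to confirm the sync is enabled and the window falls in the low-usage hours you intended; a `ValueError` points at a malformed line.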
Authorizations
Vault authorizations
Safe authorizations
PVWA permissions
Authorizations
There are two categories of authorizations in the system:

Vault Authorizations
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Can be defined via the PrivateArk Client or PVWA.

Safe Authorizations
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or PVWA.
Authorizations
[Diagram: Safe Authorizations and Vault Authorizations]
Vault Authorizations – Administrator
• Predefined users are assigned different Vault authorizations based on their role and function.
• The built-in Administrator user has full Vault authorizations by default.

Vault Authorizations – Auditor User
The built-in Auditor user only has the “Audit Users” Vault authorization by default.

Vault Authorizations – Backup User
• The built-in Backup user only has the “Backup all safes” Vault authorization by default.
• Starting in version 13.x, Vault Authorizations can also be configured and viewed from PVWA.
Safe Authorizations
• Most predefined users and groups are added to all newly created Safes based on their role and function.
• Users in the Auditors group are automatically added to all Safes with permissions to:
  ⎼ List accounts
  ⎼ View Safe members
  ⎼ View audit log
• The list of groups that are added automatically to newly created Safes is controlled by a parameter in the dbparm.ini file.
PVWA Permissions
• The tabs and buttons available in the PVWA depend on the logged-in user’s membership in a CyberArk built-in group.
• Members of Vault Admins have access to the Administration tab.
• Members of Auditors have access to the Privileged Sessions tab.
• Members of Security Admins and Security Operators have access to the Security pane.
Directory Mapping
What it does
Preparing LDAP
Pre-defined mappings
Directory Mapping
A Directory Map determines whether a User Account or Group will be created in the Vault and the roles they will have.

There are two kinds of Directory Map:
• User Mapping – allows for authentication and defines user attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.

[Diagram: Active Directory → Vault. User Mapping → Authorization → Vault Authorizations (Add user, Add Safe, etc.). Group Mapping → Safe Authorizations and CyberArk Groups (Vault Admins, Auditors).]
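The two kinds of mapping above, together with the rules from the Authorizations slides (Vault authorizations sit on the user and are never inherited; Safe authorizations go to users or groups and are inherited through nesting), can be captured in a small model, which is the quickest way to reason about what a given directory user ends up able to do. The following Python is an added example written for this page, not CyberArk code and not the Vault's actual provisioning algorithm. The LDAP groups, the safe, the users and the Vault authorization sets are constructed, and it assumes that when several user mappings apply to one login, the first in mapping order supplies the Vault authorizations while the user is nested into the CyberArk group of every applicable mapping.

```python
"""Toy model of directory mapping and the two authorization categories.

Added example for this page, not CyberArk code. Safes, users, LDAP groups and
the Vault authorization sets are constructed; permission names come from the
slides. Assumed rule: with several applicable user mappings, the first one in
mapping order supplies the Vault authorizations, and the user is nested into
the CyberArk group of every applicable mapping.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class DirectoryMap:
    name: str
    ldap_group: str                       # LDAP group the mapping applies to
    vault_authorizations: FrozenSet[str]  # go on the user record, never on a group
    cyberark_group: str                   # built-in group the user is nested into


@dataclass
class VaultUser:
    name: str
    vault_authorizations: Set[str]
    groups: Set[str]  # CyberArk groups plus mapped LDAP groups the user is in


@dataclass
class Vault:
    users: Dict[str, VaultUser] = field(default_factory=dict)
    # safe -> member (user or group) -> Safe authorizations
    safe_acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # group -> groups nested inside it (e.g. a mapped LDAP group in a built-in group)
    nested: Dict[str, Set[str]] = field(default_factory=dict)


# Constructed predefined user mappings, in mapping order. The Vault authorization
# sets are illustrative placeholders, not the product's full default lists.
USER_MAPS: List[DirectoryMap] = [
    DirectoryMap("Vault Admins", "CyberArk Vault Admins",
                 frozenset({"Add user", "Add Safe", "Audit Users", "Backup all safes"}),
                 "Vault Admins"),
    DirectoryMap("Auditors", "CyberArk Auditors", frozenset({"Audit Users"}), "Auditors"),
    DirectoryMap("Users", "CyberArk Users", frozenset(), "Users"),
]
# Constructed group mappings: LDAP groups usable as Safe members or nested groups.
GROUP_MAPS: Set[str] = {"CyberArk Users", "CyberArk Safe Managers"}


def provision(vault: Vault, login: str, ldap_groups: Set[str]) -> Optional[VaultUser]:
    """Evaluate the mappings for one login (as done on LDAP logon and by the
    daily sync). Returns None and drops the user when no user mapping applies,
    which is how removing someone from every mapped LDAP group blocks them."""
    applicable = [m for m in USER_MAPS if m.ldap_group in ldap_groups]
    if not applicable:
        vault.users.pop(login, None)
        return None
    user = VaultUser(
        name=login,
        vault_authorizations=set(applicable[0].vault_authorizations),
        groups={m.cyberark_group for m in applicable} | (ldap_groups & GROUP_MAPS),
    )
    vault.users[login] = user
    return user


def _expand_groups(vault: Vault, groups: Set[str]) -> Set[str]:
    """The groups plus every group that (transitively) contains one of them."""
    seen: Set[str] = set()
    stack = list(groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parent for parent, members in vault.nested.items() if g in members)
    return seen


def effective_safe_authorizations(vault: Vault, login: str, safe: str) -> Set[str]:
    """Safe authorizations: direct grants plus grants to any containing group."""
    user = vault.users[login]
    acl = vault.safe_acl.get(safe, {})
    perms = set(acl.get(login, set()))
    for g in _expand_groups(vault, user.groups):
        perms |= acl.get(g, set())
    return perms


def effective_vault_authorizations(vault: Vault, login: str) -> Set[str]:
    """Vault authorizations live on the user record only; groups add nothing."""
    return set(vault.users[login].vault_authorizations)


def build_sample_vault() -> Vault:
    """Constructed Vault state: one safe, Auditors auto-added with their three
    default permissions, a mapped LDAP group nested inside Safe Managers."""
    vault = Vault()
    vault.safe_acl["Linux-Root"] = {
        "Auditors": {"List accounts", "View Safe members", "View audit log"},
        "Safe Managers": {"List accounts", "Retrieve accounts", "Manage Safe members"},
        "CyberArk Users": {"List accounts", "Retrieve accounts"},
    }
    vault.nested["Safe Managers"] = {"CyberArk Safe Managers"}
    return vault


if __name__ == "__main__":
    v = build_sample_vault()
    provision(v, "alice", {"CyberArk Auditors", "CyberArk Safe Managers"})
    print(sorted(effective_vault_authorizations(v, "alice")))
    print(sorted(effective_safe_authorizations(v, "alice", "Linux-Root")))
```

Note what the model makes visible: alice reaches the Safe Managers permissions on the safe only through nesting (her mapped LDAP group sits inside the built-in group), yet her Vault authorizations stay at the single "Audit Users" her user mapping assigned, and re-running `provision` for a login that no longer belongs to any mapped LDAP group removes the user, which matches the User Removal slide.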
Prepare the Active Directory Environment
Request creation of 4 groups in LDAP:
• CyberArk Auditors
• CyberArk Safe Managers
• CyberArk Users
• CyberArk Vault Admins
Predefined Directory Mappings
The LDAP Integration Wizard is used to map AD groups to the four predefined CyberArk roles:
• Vault Admins
• Safe Managers
• Auditors
• Users
Vault Admins Mapping – Vault Authorizations
• The Vault Admins mapping is applied to any user who is a member of the LDAP group CyberArk Vault Admins.
• LDAP users are provisioned in the Vault with the appropriate authorizations the first time the users log in.
Custom Directory Mapping
In addition to the predefined mappings, you can create custom directory mappings via a simplified wizard in the PVWA.
Summary
In this session we covered:
• The difference between Users and Accounts
• The difference between Internal users and groups and Transparent users and groups
• The roles of predefined users and groups
• How to manage internal users and groups in the PrivateArk Client and PVWA
• How to manage Transparent users
• The difference between Vault authorizations, Safe authorizations, and PVWA permissions
• How directory mapping works
• How to create custom directory mappings
Additional Resources
Utilities
  Sample RestAPI Scripts
Documentation
  PAM Documentation

You may now complete the following exercise:
User Management
• Know the Players
• LDAP Integration and Directory Mapping
  ⎼ Review LDAP Integration and pre-defined Directory Mappings
  ⎼ Test the LDAP Integration and Pre-defined Mappings
  ⎼ Configure Custom Directory Mapping
  ⎼ Test Custom Directory Mapping
• Unsuspend a Suspended User
• Log In With Master