13-PAS-ADMIN-Exercise Guide (v10.3) (New UI) PDF

CyberArk University
Privileged Account Security Administration
Exercise Guide
CyberArk University Exercise Guide page 1
6/24/2018
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic
and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.
Contents
CONTENTS ............................................................................................................................................................. 2
INTRODUCTION ..................................................................................................................................................... 6
USING SKYTAP...............................................................................................................................................................6
INTERNATIONAL USERS ...................................................................................................................................................8
USER MANAGEMENT ........................................................................................................................................... 12
CREATING A CUSTOM USER MAPPING .............................................................................................................................12

NESTING THE POWER USERS GROUP UNDER THE BUILT-IN CYBERARK GROUPS .........................................................................19
Nesting the Power Users group under Vault Admins .........................................................................................19
Nesting the Power Users group under the PVWAMonitor group .......................................................................21
Viewing the differences between Vault Admins and Power Users groups .........................................................23
PASSWORD MANAGEMENT – PART 1 .................................................................................................................. 27
EDITING THE MASTER POLICY .........................................................................................................................................27

MANAGING A LINUX ACCOUNT WITH SSH ........................................................................................................................29
Adding a Safe .....................................................................................................................................................29
Duplicating a Platform .......................................................................................................................................32
Adding a Linux account ......................................................................................................................................35
Changing the password ......................................................................................................................................39
Auditing Account Activity ...................................................................................................................................40
MANAGING A WINDOWS DOMAIN ACCOUNT ...................................................................................................................41
Add a Safe ..........................................................................................................................................................44
Adding a Windows Account ...............................................................................................................................46
CONFIGURING THE MASTER POLICY .................................................................................................................... 48
PRIVILEGED ACCESS WORKFLOWS ...................................................................................................................................48

Require dual control ...........................................................................................................................................48
Require users to specify reason ..........................................................................................................................50
PASSWORD MANAGEMENT............................................................................................................................................50
PASSWORD MANAGEMENT – PART 2 .................................................................................................................. 51
CONFIGURING A LOG-ON ACCOUNT.................................................................................................................................51

MANAGING A WINDOWS LOCAL SERVER ACCOUNT WITH RECONCILIATION .............................................................................54
Create a Safe ......................................................................................................................................................56
Adding an Account .............................................................................................................................................57
CONFIGURE AND TEST DUAL CONTROL.............................................................................................................................59
Adding a manager to an existing safe ................................................................................................................59
6/24/2018
Testing Dual Control ...........................................................................................................................................61
EXCLUSIVE PASSWORDS WITH AUTOMATED RELEASE AND ONE-TIME USE ..............................................................................65
Adding a Master Policy exception for Exclusive Passwords ...............................................................................65
Adding a Master Policy exception for One-Time Passwords ..............................................................................66
Reducing the Minimum Validity Period ..............................................................................................................67
Testing Exclusive Passwords ...............................................................................................................................67
MANAGING AN ORACLE ACCOUNT ..................................................................................................................................70
Adding a Safe .....................................................................................................................................................70
Adding an Account .............................................................................................................................................72
MANAGING A LINUX ACCOUNT WITH SSH KEY ..................................................................................................................73
Generate a Key-Pair ...........................................................................................................................................73
Verify You Are Able to Log in with the Private Key .............................................................................................78
Add an Account with an SSH key ........................................................................................................................81
ONBOARDING ACCOUNTS ................................................................................................................................... 83
ACCOUNTS FEED ..........................................................................................................................................................83

Configure Automatic Onboarding Rules .............................................................................................................83
Configure and Run Windows Accounts Discovery ..............................................................................................86
Verify Automatically Onboarded Accounts ........................................................................................................92
Manually onboard discovered accounts.............................................................................................................92
PASSWORD UPLOAD UTILITY ..........................................................................................................................................94
Add the Administrator as a member of target safe ...........................................................................................94
Configure and run PUU ......................................................................................................................................95
PRIVILEGED SESSION MANAGER ........................................................................................................................ 102
ENABLING PSM FOR TWO PLATFORMS ..........................................................................................................................102

TESTING PSM FOR A LINUX USER .................................................................................................................................104
TESTING PSM FOR AN ORACLE USER .............................................................................................................................107
PSM SECURE CONNECT ..............................................................................................................................................108
AUDITING USER ACTIVITY IN THE PSM............................................................................................................................112
PRIVILEGED THREAT ANALYTICS ........................................................................................................................ 114
UNMANAGED PRIVILEGED ACCESS ................................................................................................................................114

SUSPECTED CREDENTIAL THEFT AND AUTOMATIC PASSWORD ROTATION ..............................................................................116
SUSPICIOUS PASSWORD CHANGE ..................................................................................................................................118
SUSPICIOUS ACTIVITIES IN A SESSION AND AUTOMATIC TERMINATION ...................................................................................120
REPORTS ............................................................................................................................................................ 124
GENERATE “PRIVILEGED ACCOUNTS INVENTORY” REPORT..................................................................................................124

GENERATE “SAFES LIST” REPORT AND “USERS LIST” REPORT..............................................................................................126
6/24/2018
COMMON ADMINISTRATIVE TASKS ................................................................................................................... 129
BACKUP AND RESTORE ................................................................................................................................................129

Enabling the Backup and DR users ...................................................................................................................129
Installing the PrivateArk Replicator..................................................................................................................131
Create a Safe and an Account to test Backup ..................................................................................................136
Running a Backup.............................................................................................................................................137
Delete the Linux02 Safe ....................................................................................................................................137
Running a Restore ............................................................................................................................................138
REMOTE CONTROL CLIENT ...........................................................................................................................................139
Configuring the Remote Control Client on the Vault: .......................................................................................139
Connecting with the Remote Control Client from the Components server: .....................................................141
Create a password file for the Remote Agent ..................................................................................................142
Verify the changes made with the Remote Control Client ...............................................................................143
ROTATING CPM LOGS ................................................................................................................................................143
LOG IN WITH MASTER .................................................................................................................................................145
OPTIONAL EXERCISES ......................................................................................................................................... 146
USAGES ...................................................................................................................................................................146
Manage a Scheduled Task Usage .....................................................................................................................146
Managing a Configuration File Usage ..............................................................................................................151
CUSTOM FILE CATEGORIES...........................................................................................................................................155
6/24/2018
6/24/2018
CyberArk Privileged Account Security – Administration
Introduction
Using Skytap
Before beginning exercises, here are a few tips to help you navigate the labs more
effectively.
There are two ways to access the virtual machines: directly via the browser or through
RDP.
 Click directly on the screen icon to access the virtual machine directly in your
browser.
 Click on the RDP button in the upper right-hand corner of the VM box.
If you are using any keyboard other than a standard US, then it is strongly recommended
that you use an RDP connection rather than the HTML 5 client directly in the browser.
When using RDP, all you need to do is set the keyboard language in Windows and
everything should work fine.
Go to the section for International Users for instructions on changing the keyboard.
1. Click the large monitor icon to connect with the HTML 5 client.
2. If HTML does not work try direct RDP. Inform your instructor if you do this, because
some actions will not work as shown in the book.
6/24/2018
3. Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine.
4. The clipboard icon will allow you to copy and paste text between your computer and
your lab machine.
5. The full screen icon will resize your lab machine to match your computer’s screen
settings to avoid scrolling.
6/24/2018
6. You may need to adjust your bandwidth setting on slower connections.
International Users
By default, the lab machines are configured to us a US English keyboard layout. If you
use a machine from a country other than the US, you may experience odd behavior from
your lab machines. The solution is to install the keyboard layout for your keyboard on our
lab machines. Follow the process below to find and configure the correct keyboard layout
for your keyboard.
From the Start Menu launch “Add a language.”
7. Click “Add a language.”
6/24/2018
8. Select your language. Click Open.
9. Select your specific locality or dialect. Click Add.
6/24/2018
10. With the option English (United States) selected, click the Move down button. This
will make your language the default. Don’t remove US English altogether as your
instructor may need it if he/she connects to your machine.
Note: If you use an alternate keyboard layout (e.g. AZERTY, Dvorak) you can click options
next to your language to install that. Otherwise, close the Language window.
11. In the system tray, click ENG, then choose your keyboard layout. You may switch
back and forth between keyboard layouts. Your instructor may need to switch back
to ENG to help you with exercises, occasionally.
6/24/2018
6/24/2018
User Management
Creating a Custom User Mapping
In this first exercise, you will create a custom user mapping that will map a group of ‘Power
Users’. This group will have the ability to modify the Master Policy and platforms, view
reports, and reset users’ passwords, but will not be able perform other Vault functions,
such as adding safes.
1. On the Components Server, open the PrivateArk Client and log in to the Prod
Vault as the Administrator user with the password Cyberark1.
2. You will probably see a message like the one below. This appears because the user
Administrator has not connected to the system recently. Just click Yes to clear
expired history.
3. Go the Tools pull down, select Administrative tools, then select Directory
Mapping.
4. On the Directory Mapping for Server Prod screen, press the Add button.
6/24/2018
5. On the New/Update Directory Map in the Map Name field, enter Vault Power Users
and check the Users check box.
6. Click the User Template… button.
6/24/2018
7. In the New Directory Map Window, select the Authorizations tab
8. Check the following boxes: Audit Users, Reset Users’ Passwords, Activate Users,
and Manage Server File Categories.
9. Select the Authentication tab.
10. Click on the pull-down and examine the Authentication methods options available.
11. Select LDAP Authentication and press OK.
6/24/2018
12. Back on the New/Update Directory Map press the Add... button to create a new rule.
13. Press the Browse… button to locate the Directory Name.
14. On the Choose Directory and Branch window, highlight cyber-ark-demo.
15. Expand the directory so that you can see the contents. Then press Select.
6/24/2018
16. In the Query Filter field, enter:
(&(objectclass=person)(memberOf=CN=CyberArk Power Users,ou=Cyber-

Ark Groups,DC=Cyber-Ark-demo,dc=local))
Note: This “Power Users” query is available in the LDAPQueries.txt file on the Desktop of
the Components server along with other sample queries.
17. Press the Test button to confirm that the query returns include “CN=poweruser01”.
6/24/2018
18. If the query results include “power user” entries, continue on to the next step.
19. Press OK and then OK again to exit the New/Update Directory Map window.
** You may receive an error message that the Vault does not support PKI **
If you get the error message above, go back to your user template, select the
Authentication tab, click on the pull-down and specifically choose LDAP authentication
for your Authentication method, even though it may already be selected.
20. After adding the new mapping, press the Close button.
21. You will receive a message asking ‘Are you sure you want to update Map order?’
Press Cancel.
6/24/2018
About ‘Mapping Order’
The mapping order is important for users who belong to multiple groups/mappings. For
example, if a user belongs to both Power Users and Vault Admins mappings, the user will
receive the privileges for the first mapping listed. If Power Users was listed first, a user
who is also a Vault Admin user would only receive the subset of vault authorizations,
instead of the full set provided by the Vault Admins mapping.
22. Highlight the Vault Power Users mapping and press the down button to move it
below the Vault Admins Mapping.
23. After reordering the map order, press Close.
24. This time, you can press Yes when asked ‘Are you sure you want to update the Map
order?’
6/24/2018
Nesting the Power Users group under the built-in CyberArk groups
In this section, we will place the mapped LDAP group CyberArk Power Users under the
CyberArk internal groups Vault Admins and PVWAMonitor.
Nesting the Power Users group under Vault Admins
Next you will nest the LDAP group CyberArk Power Users under the internal Vault Admins
group. This will allow members of the Power Users group to view the POLICIES and
ADMINISTRATION tabs in the PVWA.
1. Go to Tools > Administrative Tools > Users and Groups…
2. Select System > Vault Admins.
3. Press Update…
6/24/2018
4. Press Add… > LDAP Group.
5. Press Add from LDAP (You may not see all of the groups shown below).
6/24/2018
6. In the Filter field of the Find External User/Group screen, enter “cyberark p”. This will
find the Power Users. Press Search.
7. Select the Cyberark Power Users in the Search Results.
8. Press OK until you return to the Users and Groups on Server Prod window.
Nesting the Power Users group under the PVWAMonitor group
Next you will nest the LDAP group CyberArk Power Users under the internal
PVWAMonitor group. This will allow members of the Power Users group to view the
REPORTS tab in the PVWA.
1. Within the Users and Groups on Server Prod window, highlight PVWAMonitor and
press Update…
6/24/2018
2. Press Add and select LDAP Group.
3. Select CyberArk Power Users.
4. Press the Arrow button to move it to the field on the right.
5. Press OK, to confirm the addition of CyberArk Power Users to the PVWAMonitor
group.
6/24/2018
6. Press OK again to close the Update Groups: PVWAMonitor window.
7. Press Close to close the ‘Users and Groups on Server Prod’ window and complete
the nesting process.
8. Log off from the PrivateArk Client.
Viewing the differences between Vault Admins and Power Users groups
Next, you will login to the PVWA to view the differences between Vault Admins and
CyberArk Power Users directory mappings within the PVWA.
Up to this point we have been logging in with users who were created on the CyberArk
system and authenticated by CyberArk.
Since the LDAP integration has already been configured, we will log in to the PVWA with
Active Directory credentials and be authenticated with LDAP. From this point forward, you
will use LDAP Authentication for all users except Administrator. The Administrator user will
use CyberArk Authentication.
Note: For the duration of this class, all passwords for all users and accounts will be Cyberark1,
unless otherwise noted.
9. Open Chrome, go to the PVWA and choose LDAP as the authentication method.
10. Enter vaultadmin01 and Cyberark1 as the password. Press Sign in.
6/24/2018
11. Confirm that your LDAP authentication was successful and you are able to view the
Policies, Reports, and Administration screens. This verifies that the LDAP user
(vaultadmin01) has the correct Vault Admins and PVWAMonitor privileges.
12. Go to POLICIES > Access Control (Safes) and verify that you can see the Add
Safe button in the upper right hand corner of the window. This confirms that the
vaultadmin01 user has been provided the Add Safes vault authorization.
6/24/2018
13. Log out of the PVWA and log back in as poweruser01 using LDAP as the
authentication method.
Note: This user should have access to the Policies, Accounts, Applications, Reports,
and Administration tabs because the CyberArk Power Users group was nested
under the Vault Admins and PVWAMonitor groups. However, it does not have
access to the Add Safe button because it was not provisioned as part of the ‘Power
Users’ user mapping.
14. Go to POLICIES > Access Control (Safes) and verify you do not see the Add Safes
button.
6/24/2018
15. Sign out of the PVWA.
6/24/2018
Password Management – Part 1

In this chapter, we will be performing a number of tasks linked to account password
management. Use the Chrome browser on your components server in order to connect to
the PVWA.
Please note:
Some features may require the use of the UI´s classic interface: In order to access this,
you may need to select “Additional details & actions in classic interface”
Editing the Master Policy
In this step, you will use the PVWA to modify the Master Policy to:
 Disable Require users to specify reason for access

 Verify passwords daily instead of weekly
1. Launch the PVWA and using LDAP authentication and log in as vaultadmin01.
2. Go to the POLICIES >Master Policy.
3. Choose Require users to specify reason for access and then click Edit Settings.
6/24/2018
4. Change the Basic Policy Rule Require users to specify reason for access from
Active to Inactive.
5. Press Save & Close.
6. Expand the Password Management section. Highlight Require password verification

every X days.
7. In the right-hand pane, click the pencil icon to edit the Value.
8. Change the value from 7 days to 1 and click the diskette icon to save the change.
6/24/2018
Managing a Linux Account with SSH
In this section, we will perform the basic tasks required to manage a privileged account on
a Linux server that we connect to using SSH. We will create a Safe to securely store the
account and a Platform to manage the account. We will then add the new account, verify
that we can connect with it, and see how an auditor can monitor the account activity.
Adding a Safe
1. If you are not already logged in, log in to the PVWA as vaultadmin01.
2. Go to POLICIES > Access Control (Safes).
3. Click Add Safe.
4. Enter Linux Finance as the Safe Name.
5. Press Save.
6/24/2018
6. Press Add Member to grant other users access to the new safe.
7. Enter linuxad in the Search field, select cyber-ark-demo.local in the Search In field
and press Search. Select LinuxAdminsFin and press Add.
6/24/2018
8. Close the Add Safe Member window.
Note: You should now see that the LinAdminsFin group has been added to the newly
created Linux Finance safe. Also note that the user logged in is the creator of the
safe and is granted full permissions to the safe by default.
6/24/2018
Duplicating a Platform
Next, you will create a platform to manage Linux accounts that connect with SSH.
1. Go to ADMINISTRATION and choose Platform Management.
2. Choose Unix via SSH and press Duplicate.
6/24/2018
3. Enter Linux SSH 30 in the Name field and optionally something like Linux servers via
SSH, rotate passwords every 30 days for a description and then press Save &
Close.
4. Highlight the newly created platform and press Edit.
6/24/2018
5. Go Automatic Password Management > General.
6. Change ImmediateInterval to 1.
Warning: Changing the ImmediateInterval field to 1 is only suitable for testing but should set to
5 or higher in a real environment.
7. Change AllowedSafes to Linux (case sensitive). This determines which safes can
use this platform.
8. Click Apply twice to save your changes, but do not exit the platform just yet.
6/24/2018
9. Press Apply and OK.
10. Now go to Password Change and change the value of the parameter
PerformPeriodicChange from No to Yes. This will enable the application of the
Master Policy rule Require password change every X days to accounts managed by
this platform.
11. Within the same window, go to Password Verification and change

VFPerformPeriodicVerification from No to Yes. This will allow the password to be
verified by the CPM automatically and without user intervention.
12. Click Apply and OK.
Adding a Linux account
Now you will create your first Linux account and store it in the Linux Finance safe and
manage it with the Linux SSH 30 platform.
1. Go to ACCOUNTS and click Add Account.
6/24/2018
2. On the Add Account page, select the following:
6/24/2018
3. Enter the Account details and click on Add:
Address: 10.0.0.20
User Name: logon01
Password: Cyberark1
Confirm Password: Cyberark1
4. On the Accounts page select the newly created account.
5. On the Account page press the Verify button to confirm that you created the account
correctly.
6/24/2018
6. Press the Refresh button.
Note: You will see a message saying that ‘The account is scheduled for immediate
verification’.
7. After a few minutes the message should disappear and the Last verified field will be
updated.
Note: You can speed up the process by restarting the CyberArk Password Manager
service in the Windows Services console. This is not something you would
normally do in a production environment.
6/24/2018
Changing the password
On the Account Details page press Press the Change button.
8. Press the Change button.
Note: You will see a message saying ‘Account is marked for change.
Hint: You can restart the CyberArk Password Manager service to move things along.
6/24/2018
9. After a few minutes press Refresh. The message should disappear and the ‘Last
modified’ field will be updated.
Auditing Account Activity
In this step you will review all of the activity related to the logon01 account.
1. Sign out of the PVWA and using LDAP Authentication, sign back in as auditor01.
2. On the Accounts page, click on the magnifying glass icon in the top right corner, to
search for all accounts the auditor has permissions to view.
3. Click on the logon01 account.
4. Click on the Activities tab to view the detailed activities log for this account.
6/24/2018
Managing a Windows Domain Account
In this section, we will be performing the tasks for managing a Windows domain account.
We will again duplicate an appropriate platform (though one adapted to managing
Windows domain accounts), add a safe, and then add the account.
1. Using LDAP authentication, login to the PVWA as vaultadmin01.
2. Go to the Administration page and click Platform Management.
3. Highlight the Windows Domain Account platform and press Duplicate.
4. Enter as the name Windows Domain Admins 15 (optionally you can give it a
meaningful description) and then press Save & Close.
6/24/2018
5. Select the Windows Domain Admins 15 platform and press the Edit button.
6. Click on UI & Workflows.
7. Change AutoVerifyOnAdd from No to Yes.
Note: This setting will prompt the CPM to automatically verify the password whenever a
new account assigned to this platform is added.
8. Press Apply.
9. Go to Automatic Password Management > General and set ImmediateInterval to 1

(as we did in the first platform).
10. Enter Win-Dom-Admins in the AllowedSafes field (this is case sensitive).
6/24/2018
Reminder: This setting restricts the safes to which this platform can be applied to those safes
with the string “Win-Dom-Admins” included in the name. This field is case sensitive
11. Press Apply.
12. Go to Password Change and set PerformPeriodicChange to Yes.
13. Go to Password Verification and set VFPerformPeriodicVerification to Yes.
14. Finally, go to Generate Password. Here, we are going to modify the password
length and complexity to give us more secure passwords for our domain admin
accounts. Set the values as follows:
6/24/2018
PasswordLength 12
MinUpperCase 3
MinLowerCase 3
MinDigit 2
MinSpecial 2
Note: The sum of the various complexity parameters must be less than or equal to
PasswordLength in order for password change to function. However, the system
does not check the values for you.
15. Press Apply and OK to close the platform.
Add a Safe
Now you will create a safe in which to store Windows domain accounts.
2. Click Add Safe.
3. Enter Win-Dom-Admins the Safe name. You can provide a meaningful description.
Leave the other values at their defaults and press Save.
6/24/2018
4. On the Safe Details page, click the Add Member button to grant other users access
to this safe.
5. Enter win in the Search field, select cyber-ark-demo.local in the Search In field, and
click Search.
6. Select WindowsAdmins.
7. Press Add, then Close.
6/24/2018
Adding a Windows Account
1. Go to the ACCOUNTS tab and press the Add Account button.
2. Enter the following and then press Save:
Store in Safe: Win-Dom-Admins

System Type: Windows
Platform Name: Windows Domain Admins 15
Address: cyber-ark-demo.local
User Name: admin01
Logon To: cyber-ark-demo
(Tip: Click the Resolve link after checking
the “Logon To:” box)
Password: Cyberark1
3. Select the newly created account from the list and then click on Additional details &
actions in classic interface to open the account in the classic interface.
6/24/2018
Note: Because AutoVerifyOnAdd was set to Yes, the account will be scheduled for
immediate verification.
4. Press Refresh every few minutes until the account is verified.
5. Copy the Safe name and the Name values to Notepad (we’ll be using these values
later).
6/24/2018
Configuring the Master Policy

In this section, we will configure the Master Policy with two objectives in mind:
 Configuring Privileged Access Workflows in anticipation of implementing Dual

Control
 Adding the exceptions for the platforms we created in the section Password
Management – Part 1
Privileged Access Workflows
In this section we will configure two options for our platform Linux SSH 30:
 Require dual control and access approval

 Require users to specify reason for access
Require dual control
1. Go to POLICIES > Master Policy > Privileged Access Workflows, select Require
dual control password access approval, and press Add Exception.
2. Select Linux SSH 30 and press Next.
6/24/2018
3. Click Active. Review the options available. When ready, press Finish.
6/24/2018
Require users to specify reason
1. Back in the Master Policy page, again under Privileged Access Workflows, select
the option Require Users to specify reason for access and press Add Exception.
2. Again select Linux SSH 30 and press Next.
3. Set Require users to specify reason for access to Active.
4. Press the Finish button when you are done.
Password Management
Based on what you have already learned, you should now be able to add Password
Management exceptions for the two platforms we created in the section Password
Management – Part 1. Add the following exceptions
Linux SSH 30 Require password change every 30 days
Windows Domain Admins 15 Require password change every 15 days
6/24/2018
Password Management – Part 2

In this section, we are going to continue to explore password management options.
Specifically, we will look at:
 Log-on accounts
 Windows server local admin accounts with reconciliation
 Dual control workflow
 Exclusive and one-time passwords
 Unix via SSH keys account (optional)
Configuring a Log-on Account
In this exercise you will add to our CyberArk PAS implementation a Linux privileged
account that is prevented by the host platform’s security policy from accessing the server
via SSH. You will then associate a ‘logon’ account with this new account, allowing you to
manage the password despite the SSH restriction. The logon account establishes the
connection to the target machine and executes a switch user operation to the privileged
account in order to change the password.
Note: In the Unix/Linux world, the account that is typically prevented from connecting to a
server remotely is the root account. Here in CyberArk training, we are going to use
an account named user01 and we will use the account we created earlier, logon01,
as the log-on account.
1. Log into the PVWA as vaultadmin01.
2. Go to the Accounts page and press the Add Account button.
3. On the Add Account screen and enter:
System Type: *NIX

Platform Name: Linux SSH 30
Store in Safe: Linux Finance
Address: 10.0.0.20
User Name: user01
Password: Cyberark1
4. Press Add.
6/24/2018
5. On the Account Details page, press the Verify button and select OK to the pop up
to confirm. The status will appear as ‘This account is scheduled for immediate
verification’.
Note: Remember, restarting the service CyberArk Password Manager will speed things
up. Press Refresh to update. After a few minutes, you should receive a message
stating that ‘The Central Policy Manager failed to verify the password’.
In the background the CPM received an ‘Access Denied’ message because the user01
accounts are restricted from logging in via SSH.
6. Open the account details page using the Additional details & actions in classic
interface option
7. Press the Logon Account Associate button.
6/24/2018
8. Highlight the logon01 account (created earlier - you may need to search to see this
user) and click Associate.
9. Press the Verify button and click OK to confirm. If you receive the following
message, press OK.
6/24/2018
Note: After a few minutes, the account should be verified. In the background the CPM
connected to the server as logon01 and switched to the user01 account to verify the
password.
Managing a Windows Local Server Account with Reconciliation
In this exercise you will create a Windows local server account for which the correct
password is unknown. In order to bring this account under management, you will
associate it with a domain administrator account (admin01) that can perform a password
change.
1. Go to ADMINISTRATION > Platform Management.
2. Highlight Windows Server Local Accounts and click Duplicate.
3. Enter Windows Server Local Admins 45 as the platform name, you may optionally
add a description like “Rotate password every 45 days”, and press Save & Close.
4. Highlight the newly created platform and press Edit.
5. Go to UI & Workflows.
6. Change AutoChangeOnAdd from No to Yes. This causes the CPM to initiate a

password change whenever a new account that uses this policy is created. Select
Apply to save your change.
6/24/2018
7. Go to Automatic Password Management > General and set both the Interval and
ImmediateInterval to 1.
Note: Once again, we are modifying these values for training purposes only, enabling us
to move a little faster. A one-minute immediate interval is suitable for testing but
should be set to five in a production environment. The Interval parameter should
never be set to 1 in a production environment.
8. Enter Win-Srv in the AllowedSafes field to limit the accounts against which this
platform will be applied. Click Apply to save your change.
9. Go to Password Reconcilation and enter following:
RCAutomaticReconcileWhenUnsynced: Yes
6/24/2018
ReconcileAccountSafe: Win-Dom-Admins
ReconcileAccountName: Operating System-Windows-Domain-
Admins15-cyber-ark-demo.local-admin01
(you can copy this from the notepad file
that you created earlier)
Note: Don’t forget to enable automatic password change and verification. Also, think
about what would be appropriate values for password length and complexity.
10. Press Apply and OK to close the platform.
11. Log out and exit the PVWA browser session.
12. Double-click the restart-services.bat on the desktop of your Components server.

This will cause the CPM server to reload all policies and force your configuration
changes to to take affect immediately (as well as restarting the PVWA and the PSM).
Create a Safe
Now we are going to create a Safe for our Windows server local administrator accounts.
To comply with data protection regulation, we are going to organize our safes so that only
US admins can access the passwords for US safes.
1. Go to POLICIES > Access Control (Safes) and click Add Safe.
2. Name the Safe Win-Srv-US. Leave the default values for the rest.
3. Add the AD group WindowsAdmins to the Safe with standard user rights.
6/24/2018
Adding an Account
Here we will add a local administrator account for your target Windows server.
Remember, we don’t know what the password is, so you could put anything in the
password fields (although they must match).
1. Log in again to the PVWA as vaultadmin01, go to the ACCOUNTS page, and press
Add Account.
2. Enter the following and press the Add button:
Store in Safe: Win-Srv-US

System Type: Windows
Platform Name: Windows Server Local Admins 45
Address: vfserver.cyber-ark-demo.local
User Name: localadmin01
Password: Cyberark1
Note: After adding the account, you should see a message stating ‘This account is
scheduled for immediate change’. This is because you set AutoChangeOnAdd to
Yes in the policy. Also note that there is a reconcile account already associated
with this new account.
6/24/2018
3. Press Refresh. Because the password for this account was not Cyberark1, the
password change will fail.
4. Press Refresh again and after a short time and you should receive a message
saying that the account was successfully reconciled. The first time an account is
reconciled it can take a longer time than anticipated.
6/24/2018
Configure and Test Dual Control
In this section, we will configure dual control for access to Linux accounts. The ability to
receive e-mails is required in order to test the full functionality of dual control.
Dual control is configured in the Master Policy. To enable it for Linux machines only, you
must add an exception to the Master Policy, based on the appropriate Platform.
Adding a manager to an existing safe
The workflow process is configured through safe membership, so we will need to add a
manager to the existing safe so that he/she can approve requests. We do not, however,
want the manager to be able to use the passwords, so we will remove that capability.
What might be the result if no one has been assigned the responsibility to respond to a
workflow request?
2. Highlight Linux Finance and press the Members button.
3. Click Add Member.
4. Enter mgr01 in the Search field, select cyber-ark-demo.local in the Search In field,
and press Search.
5. Select the mgr01 account.
6. Under Access, uncheck Use accounts and Retrieve accounts for this user. List
accounts should be checked.
6/24/2018
7. Scroll down and expand the Workflow link to access the Authorize account requests
check box. Check the Authorize account requests safe authorization box with
Level 1 selected.
6/24/2018
8. Press Add and Close.
Testing Dual Control
Testing this workflow requires us to wear a number of hats. We configured the system as
a vault administrator – vaultadmin01 – now we are going to become ordinary users of the
system.
 We will first log in as a user who has the right to access a password, but only with
manager approval – linuxuser01.
 We will then put on our manager hat and check our email, notice that we have a
notification for an approval request pending, log into the PVWA as that manager
user – mgr01 – using the link provided, and approve the request.
 Finally, we will return to the PVWA as linuxuser01, find the approval notification,
and access the target system with the password.
Note: Because we will be changing users, you might want to use two browsers or separate
browser sessions. You can also use incognito mode to open two separate sessions
with two separate users.
6/24/2018
1. Log out of the PVWA.
2. Log back in as the LDAP user linuxuser01 with the password Cyberark1.
3. Leaving the Search field blank, click on the magnifying glass icon to search for all
accounts.
4. Locate logon01 and select the Request Show password button.
5. Enter a reason to access. Turn on the Timeframe and specify the current date
through the last day of the class. Turn on Multiple access is required and then press
on the Send Request button.
6/24/2018
6. Sign out of this session and close the browser, to ensure that the linuxuser01
session has ended (otherwise the next steps will not work properly). Alternatively,
you can use a different browser or a private session.
7. Open a new browser session and open the email client at http://cyber-ark-
demo.local:8073/webmail/
8. Login as mgr01. You should have received an e-mail with the new request (if you do
not receive an email, make sure the ENE service is running on the Vault).
Note: Our email server is currently unable to convert URLs to clickable links, you will have
to copy and paste the URL into your browser’s address window. This is not an issue
with most commercial email clients.
9. Login to the PVWA as mgr01 password Cyberark1.
10. Go to Accounts and select Incoming Requests. Locate the incoming request from
linuxuser01 and press the Confirm button.
6/24/2018
11. Enter a reason and press Confirm.
12. Sign out, and close the browser to terminate the mgr01 session.
13. Browse to the email client at http://cyber-ark-demo.local:8073/webmail/ and login as

linuxuser01. You should receive an e-mail stating the request has been confirmed.
14. Login to the PVWA as linuxuser01, password Cyberark1 to see the Account Details
page. Notice the Status of the request is now confirmed. You are now be able to
show the password and access the previously requested account.
6/24/2018
15. Sign out of the linuxuser01 session.
Exclusive Passwords with Automated Release and One-time Use
In this exercise, you will configure the Windows Local accounts added earlier for exclusive
access with an automatic release based on the Minimum Validity Period.
Adding a Master Policy exception for Exclusive Passwords
Exclusive Passwords are configured in the Master Policy.
1. Using PVWA, login as vaultadmin01.
2. Go to POLICIES > Master Policy and select Enforce check-in/check-out exclusive

access and click Add Exception.
3. Select Windows Server Local Admins 45 and press Next.
6/24/2018
4. Press the Active button to enable Enforce check-in/check-out exclusive access and
click Finish.
Adding a Master Policy exception for One-Time Passwords
To allow for an automatic release of a checked-out password, you will need to enable
Enforce one-time password access for the platform Windows Server Local Admins 45.
1. Highlight Enforce one-time password access and press Add Exception.
6/24/2018
2. Select Windows Server Local Admins 45 and press Next.
3. Press Active to enable one-time password access for this platform and then click
Finish.
Reducing the Minimum Validity Period
Note: This next step is for testing/training purposes only and should not be used in a
production environment.
We will set the Minimum Validity Period to 5 minutes, so that we can see our results more
quickly. The MinValidityPeriod parameter is configured in the Platform.
1. Go to ADMINISTRATION > Platform Management, select Windows Server Local

Admins 45, and click Edit.
2. Go to Automatic Password Managment > Privileged Account Management.
3. Set MinValidityPeriod to 5.
4. Press Apply and OK to close the Platform and then sign out of the PVWA.
Testing Exclusive Passwords
1. Double-click the restart-services.bat on the desktop of your components server.

This will cause the CPM server to reload all policies and force your configuration
changes to to take affect immediately.
6/24/2018
2. Login to the PVWA as the LDAP user ‘will’ with the password Cyberark1.
3. Go to ACCOUNTS and press the magnifying glass to search for all accounts.
4. Click on the localadmin01 account and click the Show button. Will has now checked
out the password.
Note: Will or an admin can release the account manually by using the “Check-in” option,
however we will not use this option as we want to see the system release it
automatically at the end of the Minimum Validity Period.
5. Log out and log back in as vaultadmin01. You should notice a lock icon next to the
localadmin01 account.
6/24/2018
6. Hover over the lock icon, it should say “The object is locked by will”.
7. If you press Show, you will receive an error message.
After several minutes (remember the minimum validity period was set to 5 min), the
vaultadmin01 user will be able to access the password and the CPM will have changed the
password.
If the account is not released after several minutes, run the restart.bat file and check
again.
6/24/2018
Managing an Oracle Account
In this section, we will configure CyberArk to manage an Oracle DBA account. As in

previous exercises, we will create a Safe, duplicate a Platform, and then add the account.
Adding a Safe
1. Log in as vaultadmin01 and go to POLICIES > Access Control (Safes).
2. Press the Add Safe button.
3. Enter Oracle Finance as the Safe name and press Save.
In this section, we are going to create a Platform dedicated to managing accounts used to
access Oracle databases, such as a DBA account.
2. Choose Oracle Database and press Duplicate.
3. Enter Oracle DBA 30 and press Save & Close.
6/24/2018
4. Select Oracle DBA 30 and press Edit.
Note: Take a good look at the image above. You may notice that the only active platforms
are those that we have created. This image illustrates why it is a good idea to
deactivate unused platforms. Furthermore, the inactive platforms are not shown
when adding accounts, so you don’t have to scroll through a long list to find the one
you want (and possibly make a mistake).
5. Go to UI & Workflow and set AutoChangeOnAdd to Yes.
6/24/2018
6. Go to Automatic Password Management > General.
7. Set ImmediateInterval to 1.
8. Set AllowedSafes to Oracle.
9. Press Apply.
10. In the Generate Password section, add the equal sign character (‘=’ without the
quotes) to the PasswordForbiddenChars field. Make sure you add the new character
without deleting any of the existing characters.
11. Click OK to save the changes and close the Platform.
Adding an Account
1. Go the ACCOUNTS tab, click Add Account and enter the following:
Store in Safe: Oracle Finance
Device Type: Database
Platform Name: Oracle DBA 30
User Name: dba01
Address: 10.0.0.20
Port: 1521
Database: xe
6/24/2018
Password: Cyberark1
2. Press Add.
Note: Because the policy was set to AutoChangeOnAdd=Yes, the account will be set for
immediate change.
3. Press refresh until the ‘This account is schedule for immediate change’ message
disappears.
4. Press the Show button to display the new password.
Managing a Linux Account with SSH Key
In this section, we will perform the tasks required to manage a Linux account that connects
to its target server with a public-private key-pair.
Generate a Key-Pair
1. On the Components server launch puttygen from the Taskbar and click Generate.
6/24/2018
2. As instructed, you need to make random mouse movements in the blank area to
generate random data for the key.
6/24/2018
3. When the key is generated click Save Private Key.
4. Click Yes to store they key without a passphrase. The CPM does not support private
keys with passphrases.
5. Name the key root01.ppk.
6. Save to your Documents directory.
6/24/2018
7. Select all the text in the ‘Public key for pasting into Open SSH authorized keys file’
box and copy it to your clipboard.
8. Use putty to connect to 10.0.0.20.
6/24/2018
9. Login as root01 with the password Cyberark1.
10. Edit your authorized key file with vi.
vi ~/.ssh/authorized_keys
11. Press i (or the Insert button on your keyboard) to enter insert mode.
12. Right click inside the editor to paste the key. Verify that the key pasted correctly.
6/24/2018
Warning! It can be a bit tricky to copy and paste into a terminal window. Make sure that your
key text beging with the string “ssh-rsa “ and that it ends with “rsa-key-date” where
date is today’s date.
13. Press ESC then :wq -- (colon) (w) (q)
14. Press ENTER to exit and save.
15. Make sure the Key appears in the authorized_keys file (and that all characters were
pasted properly) by using the cat command:
cat ~/.ssh/authorized_keys
16. Exit your putty session.
Note: If you need help with the vi editor, you can read the tutorial at:
http://www.tutorialspoint.com/unix/unix-vi-editor.htm
Verify You Are Able to Log in with the Private Key
Now we will test that we are able to authenticate with the private key.
1. Open putty again.
2. Type 10.0.0.20 in the Host Name box, but do not connect yet. Navigate to
Connection > Data.
6/24/2018
3. Enter root01 in the Auto-login username field.
4. Navigate to Connection > SSH > Auth.
5. Click Browse and browse to the ppk file you created earlier.
6. Now click Open and verify that you are able to log on without supplying a username
and password.
6/24/2018
1. Login to PVWA as vaultadmin01 and go to ADMINISTRATION > Platform

Management.
2. Highlight Unix via SSH Keys (make sure that you choose “Unix via SSH Keys”
platform, not the “Unix via SSH” platform).
3. Press Duplicate.
4. Name your platform Linux via KEY 90 and click Save & Close. We won’t make any
modifications to this platform.
6/24/2018
Add an Account with an SSH key
1. Got to the ACCOUNTS tab and click the Add SSH Key button.
2. Add an account with the following properties. If you do not see the SSH Key
configuration area, you may have duplicated the wrong platform.
Store in Safe: Linux Finance

Device Type: Operating System
Platform Name: Linux via KEY 90
Address: 10.0.0.20
Username root01
Private Key: Browse to find the root01.ppk file you
created earlier.
3. Click Save.
6/24/2018
4. Click Change and select Rotate the SSH key immediately (by the CPM).
5. Click OK. This process can take a few minutes.
6. Once the change completes verify that you are NOT able to connect with putty using
the SSH key.
6/24/2018
Onboarding Accounts
In the following exercises you will use the Accounts Feed feature as well Password Upload
Utility to onboard accounts to the system.
Accounts Feed
In the next exercise you will use the Accounts Feed feature to automatically onboard
accounts.
Configure Automatic Onboarding Rules
In this section you will configure automatic Onboarding Rules in order to onboard newly
discovered accounts automatically, and provision them in the Vault without any human
intervention.
On the Components server, open Chrome and go to the PVWA.
Go to Accounts > Accounts Feed > Onboarding Rules and click on Create rule
In Select system type select Windows.
6/24/2018
In Select Scope select the following:
Machine Type: Server
Account Type: Local
Account Category: Any
Privileged Account Type: Any
Username (begins…): discovery
7. In Assign to platform select Windows Server Local Admins 45
6/24/2018
8. In Store in Safe select Win-Srv-US
9. In Define rule properties enter the following name:
Windows Server Local Admins US
6/24/2018
10. Review your rule, and if everything seems to be in order click on Create rule
Configure and Run Windows Accounts Discovery
The Accounts Discovery process requires an account to login to the domain and scan the
individual machines. You can use the existing admin01 account.
1. Go to Accounts > Accounts Discovery. You may have to scroll up a little to see the
option.
6/24/2018
2. Go to Discovery Management and click New Windows Discovery.
3. Enter cyber-ark-demo.local in the Domain field.
4. Press the Click to select an account from the Vault link.
6/24/2018
5. The Discovery process will automatically search for accounts in the cyber-ark-
demo.local domain. Click admin01 and press Select account.
6/24/2018
6. In the What to scan? section, click Browse.
7. Select the Computers container, and press OK.
6/24/2018
8. Under What recurring pattern to set for this Discovery? Select Onetime, then
click Done.
9. You will receive a message saying that the Windows discovery has been added.
Press OK.
Note: Here you can also speed up the process by restarting a service. Not the CyberArk
Password Manager service, but the CyberArk Central Policy Manager Scanner
service, which is the service responsible for executing account discovery scans.
10. Press the Refresh icon to update the status. You may need to back out of the
window and go back in to see the state change. This can take a few minutes.
6/24/2018
11. You should see the status change from Pending to Running
12. After several minutes, the process should appear as Completed.
Note: You may get an error message - Because many of the machines in the lab
environment are not running, the Accounts Discovery will fail to access them and
will return an error. However, the machines that we need should be available and
successfully scanned.
6/24/2018
Verify Automatically Onboarded Accounts
13. Go to Accounts > Accounts View. If you configured your automatic rules properly,
you should be able to see all the “discoveryXX” accounts in the accounts view. If you
assigned a reconcile account to the platform, the accounts added should also be
scheduled for immediate reconciliation.
Manually onboard discovered accounts
14. Next, go to Pending Accounts.
15. Enter localadmin02 in the Keywords field.
16. Select the resulting localadmin02 account and press the Onboard Accounts button
6/24/2018
17. In the Onboard Accounts window, enter the following:
Store in Safe Win-Srv-US
Assign platform Windows Server Local Admins 45
Password Automatically reconcile password

(this will only be available if the assigned
platform contains a reconcile account)
18. Press Onboard.
19. You should receive a message saying “Successfully onboarded 1 account(s) and
related dependencies. Press Done.
6/24/2018
20. Go to the ACCOUNTS page and search (press the magnifying glass icon top
right) for the newly created account. Because the platform was configured for
automatic reconciliation, you will see that the account was successfully reconciled.
Password Upload Utility
In this exercise, we are going to run the CyberArk Password Upload Utility, a command-
line tool for performing bulk uploads of accounts into the system. For convenience, we will
run the Password Upload Utility using the CyberArk administrator account.
We will be adding the new accounts to a new Safe that we create with the PUU –
LinuxPU.
The administrator does not have any custom safe authorizations and so cannot even see
the safes that we have created so far. We want to use our existing Linux Finance safe as
a template safe (basically a standard safe that provides parameters not given during the
execution of the PUU), so we just need to add the administrator to the Linux Finance safe
as a member before starting the Password Upload Utility process.
Add the Administrator as a member of target safe
1. Login to the PVWA via LDAP as vaultadmin01.
3. Select Linux Finance and click the Members button.
4. Click Add Member.
5. Enter admin in the search field, press the Search button.
6. Select Administrator and then click Add then Close.
6/24/2018
Configure and run PUU
1. Go to the C:\Password Upload Utility directory.
6/24/2018
2. First let’s look at the sample file provided with the PUU. Double-click the
passwords.csv file.
3. On the Text Import screen make sure that the file is only Separated by…Comma.
4. Press OK.
5. Review the contents of this file to see the options available for uploading accounts.
6/24/2018
6. Close the file when you are done (Note, we will use a preformatted file to perform the
actual import).
7. In the same folder, double-click the pu_passwords file.
8. Make sure that the file is Separated by…Comma and press OK.
6/24/2018
Note: This is a pre-formatted file with all the necessary information to upload into
CyberArk.
9. If you would like to experiment, you can add a line or two to the file. Adding the
information below would add a single new account in a separate Safe named
LinuxPU2.
Password_name: linuxadmin01
TemplateSafe: Linux Finance
Folder: Root
CPMUser: PasswordManager
Safe: LinuxPU2
Password: Cyberark1
DeviceType: Operating System
PolicyID: Linux SSH 30
Address: 10.0.0.20
UserName: linuxadmin01
10. Save and close the file when done. Be sure to maintain the same CSV format.
11. Double-click the Vault.ini file
6/24/2018
12. In the address field, enter the IP address your vault server (make sure you use the
IP address of your Vault Server).
VAULT = "My Vault".

ADDRESS=10.0.10.1
PORT=1858
#-----------------------------------
# Additional parameters (optional)
#-----------------------------------
13. Save and close the file.
14. Double-click the conf.ini file.
6/24/2018
15. Scroll down to the Mandatory parameters section, enter the following:
PasswordFile: pu_passwords.csv
DefaultTemplateSafe: Linux Finance
16. Open a command prompt. Change directories to c:\Password Upload Utility.
17. Enter dir to display the contents of the folder.
18. Run the following:
C:\Passwword Upload Utility> CreateAuthFile.exe user.ini

Enter CyberArk Vault username [None]: administrator
Enter CyberArk Vault password : Cyberark1
19. Run the following command.
PasswordUpload.exe conf.ini
6/24/2018
20. If configured correctly, you will see messages indicating that each password is being
stored.
21. When complete, you will receive a message displaying the total number of
passwords uploaded or updated.
22. Log in to the PVWA as Administrator using CyberArk authorization.
23. Go to the ACCOUNTS page and search for all accounts to verify that the new users
have been added.
24. Sign out of the PVWA session.
6/24/2018
Privileged Session Manager

In this section, we will enable the PSM and perform some tests to ensure that it is
functioning properly. We are going to enable the PSM through exceptions, rather than
globally.
Enabling PSM for two Platforms
The PSM is enabled through the Master Policy.
1. Login to the PVWA as vaultadmin01 using LDAP authentication.
2. Go to POLICIES > Master Policy.
3. In the Session Management section, highlight Require privileged session monitoring

and isolation.
4. Press Add Exception.
5. Select Linux SSH 30 and press Next.
6/24/2018
6. Press the Active button and press Finish.
Now, add an exception for the Oracle DBA 30 platform.
7. Press Add Exception again. Select Oracle DBA 30 and press Next.
8. Select Active and press Finish.
6/24/2018
Note: Prior to testing PSM, you can choose to wait approximately 20 minutes for all
components to refresh their configurations or you can restart all the CyberArk
services so the PSM and PVWA will see all the configuration changes immediately.
9. Sign out of the PVWA, and double-click the restart-services batch file on the desktop
of the components server.
Testing PSM for a Linux User
1. After restarting the services, login as vaultadmin01.
2. Go to the ACCOUNTS page and locate user01. Press the Connect button.
Note: You may be prompted to enter a reason for the connection.
3. If you are, enter something in the box provided.
4. After pressing OK, you will download an RDP file. Choose to open it with Remote
Desktop Connection (default) and press OK
6/24/2018
5. At the Remote Desktop Connection window, press the Connect button
6/24/2018
You may receive the following pop-up error messages. Clear the pop-ups and retry the
connection component.
If everything was configured correctly, you should see a message that your session is
being recorded.
6. Press Yes to accept the host key.
Optionally, run some Linux commands. In the example below the user is running:
cat /var/log/messages
mkdir user16
rm –R user16
7. Type Exit to end this session.
6/24/2018
Testing PSM for an Oracle User
1. Press the Back button to return to the main Accounts window.
2. At the ACCOUNTS page, select dba01.
3. Press the Connect button.
4. On the Remote Desktop Connection window, press Connect.
5. You should see a message stating that your session is being recorded.
If you receive a Remote Desktop Connect pop-up, “Your Remote Desktop Services
session has ended”, retry the connection component. You may have to connect a couple
of times before seeing the message.
Note: You may see an additional prompt.
6/24/2018
Later in the lab exercise, you will be logging in as an auditor and looking for any sessions
that issued commands with the word salary.
Note: The commands below will not produce any results because the table “scott.salary”,
does not exist. The purpose of this step is to allow the auditor to see someone tried
to access a salary table.
6. Run the following commands:
select * from dual;

create table psm01 (id01 int, psm01 varchar(40));
select * from scott.salary;
update scott.salary set salary =’1,000,000’ where id01 =1;
7. Type exit to end the session.
PSM Secure Connect
Next, you will configure Secure Connect, which allows you to launch a PSM connection
against unmanaged accounts. You will first need to switch to the classic UI and enable the
relevant platform.
1. Login to the PVWA as vaultadmin01 and press on Additional details & actions in
classic interface.
3. Select PSM Secure Connect and press the Pencil icon.
6/24/2018
4. Click the Active box and the Save icon.
5. You should see the status change to Active.
6. Go to POLICIES > Master Policy.
7. In the Session Management section, select Require privileged session monitoring

and press Add Exception.
8. Select PSM Secure Connect and press Next.
9. Select Active and press Finish.
10. Go to the ACCOUNTS page and click on Secure Connect.
6/24/2018
11. Enter the following:
Client: WinSCP
Address: 10.0.0.20
User Name: root01
Password: Cyberark1
Map Local Drives: Checked
12. Press Connect.
13. Press Connect.
6/24/2018
14. Press Yes to accept the RSA key.
15. Optional: When you have connected to WinSCP, copy a file from the PSM server to
target machine the local client.
Suggestion: C:\Deployment Logs\Deployment_Logs.txt.
6/24/2018
16. Press F10 to exit and quit the application.
Auditing user activity in the PSM
In this section, we are going to look at some of the audit information that was gathered by
CyberArk PAS during our PSM testing. To do so, we will need to connect as a user who is
a member of the Auditors group – auditor01.
1. Logout of the PVWA and log back in via LDAP as auditor01.
2. Go to the MONITORING pane.
3. Enter salary in the Search for Command and Events field and press Apply. Once
you locate the recording, click on Play.
4. Review the recording. Click Close when you are done.
6/24/2018
5. Click on the session line for more detail and find the command “select * from
scott.salary”.
Note that the recording will now start at the command selected.
6/24/2018
Privileged Threat Analytics
Unmanaged Privileged Access
Note: Because the PTA server can become unpredictable in the Skytap environment if it
gets suspended, it has been configured not to start automatically. To perform these
next steps, you will need to start your PTA server manually in Skytap.
In this section you will observe how the PTA detects when privileged accounts are being
used and then check if they are being managed by CyberArk. If the account is not
managed, the PTA will generate a security alert and add the account to the list of Pending
Accounts. The Vault Administrator can then onboard the account to the relevant safe.
First, we need to establish an SSH session to the target Linux server to create an alert on
the PTA, which we will review using the new Security pane in the PVWA.
1. Open PuTTy from the Components server and open an SSH session to 10.0.0.20
as root02 (password: Cyberark1).
Login to the PVWA as vaultadmin01 and go to Security > Security Events and
Verify that you can see the “Unmanaged privileged access” alert related to root02.
6/24/2018
2. Go to Accounts Discovery > Pending Accounts. Select root02 from the list (use
“Refine By” to search for the account if needed) and click on Onboard Accounts.
3. Onboard the account to the Linux Finance safe and associate the account with the
Linux SSH 30 platform.
4. Enter “Cyberark1” as the default password.
Note: “root.*” is defined by default as a privileged user in the PTA. You can add other
usernames (using regular expressions) that should also be detected by the PTA as
privileged accounts which should be managed by CyberArk PAS. To add additional
usernames login to the PTA and go to SETTINGS > Privileged Groups and Users
6/24/2018
Suspected Credential Theft and Automatic Password Rotation
In this section you will configure the PTA to detect when privileged accounts are being
used without first retrieving the password from PAS, and trigger the CPM to initiate a
password change.
1. Login to the PVWA as vaultadmin01 and go to POLICIES > Access Control

(Safes). Select the Linux Finance safe and click on Members.
2. Click on Add Member and search for the PTAUser in the Vault. Select the PTAUser.
Keep the default permissions and expand Account Management. Select “Initiate
CPM account management operations” and click on Add.
3. Repeat the above step to add the PTAAppUser to the Linux Finance safe as well
(including the “Initiate CPM account management operations” permission.
6/24/2018
4. Close and exit from your putty session to 10.0.0.20 if it is open.
5. Once again, open PuTTy from the Components server and open an SSH session to
10.0.0.20 as root02 (password: Cyberark1).
6. Login to the PVWA as vaultadmin01 and go to Security > Security Events and
Verify that you can see the “Suspected Credentials Theft” alert related to root02.
7. In the PVWA, go to the root02 account and verify the CPM changed the password.
8. Open the “Activities” tab to verify that the CPM changed the password after the PTA
detected the suspected credential theft alert and under Activities added the relevant
file category for Immediate Change.
6/24/2018
Suspicious Password Change
In this section you will configure the PTA to detect when a password is being changed
manually, bypassing the CPM, and have the PTA trigger the CPM to reconcile the
password.
For this exercise to work, you must associate a reconcile account with root02. You may
use the root01 account (based on SSH key) you created previously.
1. Login to the PVWA as vaultadmin01 and go to Accounts > Accounts View and
select the root02 account. Using the classic UI, associate root01 as the reconcile
account for root02.
6/24/2018
Go to Accounts > Accounts View and select root02 again and launch an SSH
connection via the PSM.
Type the following command to change the password of root02 back to Cyberak1:
passwd root02
Go back to the PVWA as vaultadmin01, and go to Security > Security Events. You
should be able to see two new alerts. One for a “Suspicious activities detected in a
privileged session”, and one for “Suspicious password change”.
Verify you can see the “Suspicious password change” alert and that an automatic
password reconciliation was initiated.
6/24/2018
Go to Accounts > Accounts View and select root02. Verify that root02 was indeed
reconciled by the CPM.
Suspicious activities in a session and automatic termination
In this section you will configure the PTA to detect when risky commands are being used
in a privileged session and to suspend a session automatically in case a risky command is
used.
2. Login to the PVWA as vaultadmin01 and go to Security > Security Configurations

> Privileged Session Analysis and Response. Find the SSH passwd command
(the command is used to manually change the password) and click on Edit.
6/24/2018
3. Configure the risk to a score of 90 and the response to “Suspend Session”. Click on
Update.
4. Go to Accounts > Accounts View and select the root02 account. Launch a
privileged session by clicking on the connect button. (If the session does not open,
make sure the Cyber-Ark Privileged Session Manager service is running).
5. After the session opens, try to run the passwd root02 command again. The session
should be suspended immediately and a disclaimer should appear letting the user
know the session was suspended.
6/24/2018
6. Login to the PVWA as auditor01. Go to Security > Security Events and verify you can
see the “Suspicious activities detected in a privileged session” alert. Verify the
session got a score of 90. Click on Resume to resume the suspended session.
7. Click on the session link and verify it takes you to the session details in the
Monitoring pane. If the session is still in progress, you should see the options to
terminate or monitor the session. If you already closed the session you should be
able to play the recording.
6/24/2018
Note: Auditor01 has access to the Security pane as it was added manually by us to the
Security Admins and Security Operators groups. Auditor01 was able to resume the
session as it was added manually by us to the PSMLiveSessionTerminators group.
6/24/2018
Reports
In this section you will be asked to create three types of reports
Generate “Privileged Accounts Inventory” report
1. Login to the PVWA as vaultadmin01 and go to the Reports tab and then click on
Generate Report.
2. Click Next to generate the “Privileged Accounts Inventory” report.
3. Review the options to filter the report but keep the default values, then click Next.
6/24/2018
4. Click Finish generate the report.
5. Select the refresh icon at the bottom of the page until the report status shows
“Done”. Open the report by clicking on the Excel icon.
6. Click OK to open with the default LibreOffice Calc.
6/24/2018
7. After going over the report, save the new report in the folder you created earlier in the
shared drive. If you are asked if you want to save the document in its current format,
click Keep Current Format.
Generate “Safes List” Report and “Users List” report
1. On the Components server, open PrivateArk Client and login as Administrator
2. Under Tools > Reports, click on Safes List to generate a safes list report
6/24/2018
3. Click Report Output and save the new report to the folder you created. (If you
cannot save it directly to the network drive, save it locally)
4. Right click on the report and open with LibreOffice Calc.
5. Under “Separator options” choose Seperated by: Comma
6/24/2018
6. Click OK
7. After reviewing the report, save a copy of the report to the folder you created in the
shared drive.
8. Select Keep Current Format.
9. Repeat these steps creating a Users List report and copy the report to the folder you
created in the shared drive.
10. By the end of this exercise you should have 3 reports in your named folder in the
shared drive. These reports are “Privileged Accounts Inventory”, “Safes List” and
“Users List”.
6/24/2018
Common Administrative Tasks
Backup and Restore
Again for the sake of convenience, we will be using our Administrator account to perform a
number of tasks during backup and restore.
We will begin by enabling two additional CyberArk accounts: Backup, which we will use to
execute the back up; and DR, the disaster recovery account that has authority to restore
objects, create Safes, etc.
Enabling the Backup and DR users
For this section of the exercise, you will log in to the PrivateArk Client on the
Components server in order to enable the users required to run a backup.
1. Use the PrivateArk Client to log into the Vault as administrator.
2. Go to Tools > Administrative Tools > Users and Groups.
3. Highlight the Backup user (located under System) and press Update.
6/24/2018
4. On the General tab uncheck the Disable User checkbox.
5. On the Authentication tab enter Cyberark1 in the Password and Confirm fields.
6. Press OK.
6/24/2018
7. Repeat the above steps in order to enable the DR user as well. For convenience, the
DR user will be used to restore the safes.
8. Log out of PrivateArk Client.
Installing the PrivateArk Replicator
1. On the Component Server, open Windows File Explorer and go to

C:\CyberArkInstallationFiles\EPV\Replicate.
2. Double-click setup.exe.
6/24/2018
3. Accept all of the default parameters to complete the installation. On the first screen
enter Next.
4. Click Yes to accept the license agreement.
5. Enter CyberArk for the user and company names and press Next.
6/24/2018
6. Press Next to accept the default destination location.
7. Press Next to accept the default safes location.
6/24/2018
8. Click the Finish button.
9. In Windows File Explorer go to C:\Program Files (x86)\PrivateArk\Replicate.
10. Double-click the Vault.ini file.
6/24/2018
11. In the Vault.ini file, enter “Vault” for the VAULT parameter.
12. Enter the IP address of your vault server in the address parameter.
VAULT = “Vault”
ADDRESS=10.0.10.1
PORT=1858
13. Save and close the file.
14. Open a Command Prompt.
15. Enter cd c:\Program Files (x86)\PrivateArk\Replicate.
16. Run the following:
CreateCredFile.exe user.ini
6/24/2018
Vault Username [mandatory] ==> backup

Vault Password…==> Cyberark1
17. Press enter to accept the defaults for the remaining questions.
Create a Safe and an Account to test Backup
Log in to the PVWA as Administrator (don’t forget to choose CyberArk authentication).

First we will create a Safe and an account that we will later delete in order to test the
restore process.
1. Go to the POLICIES > Access Control (Safes).
2. Press Add Safe. Enter Linux02 as the Safe Name and press Save.
3. Go to the Accounts page and click Add Account.
Store in Safe: Linux02
6/24/2018

Platform Name: Linux via SSH 30
Address: 10.0.0.21
User Name: root
Password: Cyberark2
Name (Custom): root.backup.test
Note: The target machine 10.0.0.21 does not exist. This is just a dummy account to test
Back-up and Restore.
5. Press Save and logout of the PVWA.
Running a Backup
To run the backup enter:

PAReplicate.exe vault.ini /logonfromfile user.ini /FullBackup
If the backup is successful, you should see a number of messages indicating that that files
are being replicated with a final message stating that the replication process has ended.
Delete the Linux02 Safe
1. Making sure you are logged into the PVWA as the administrator user, go to
POLICIES > Access Control (Safes).
2. Highlight Linux02 and click the Delete button.
6/24/2018
3. Press Yes to confirm that you would like to delete the safe and contents.
4. You will receive a message that the Root folder cannot be deleted for 7 days.
However, the contents of the safe should have been removed.
5. To confirm that the contents of the Linux02 safe have been deleted go to the
Accounts page.
6. Enter root in the search box and press the Search button.
7. The root account that you created earlier in this exercise using address 10.0.0.21,
should not appear.
Running a Restore
1. Go back to the command prompt and run the following command:
PARestore.exe vault.ini dr /RestoreSafe Linux02 /TargetSafe

LinuxRestore.
You will be prompted for the password for the DR user, which should be Cyberark1.
2. You should receive a message stating that the restore process has ended.
6/24/2018
3. Go back to the PVWA and search for root again.
4. You should now see the root account using address 10.0.0.21, residing in safe
LinuxRestore.
Note: The Target Safe (/LinuxRestore) is the name of the restored Safe to create. The
restore process does not overwrite an existing Safe – it creates a new one.
Therefore, this name must not correspond with an existing Safe.
Remote Control Client
Configuring the Remote Control Client on the Vault:
1. Logon to the Vault server with the local user Administrator and password Cyberark1.
2. Navigate to the Vault server installation folder.
(By default: C:\Program Files (x86)\PrivateArk\Server)
6/24/2018
3. Open the PARagent.ini file and add the IP address of your components server to the
“RemoteStationIPAddress” parameter. (10.0.20.1)
4. Edit the “UserCredentialsPath” parameter to:

“C:\Program Files (x86)\PrivateArk\Server\paragent.pass”
(including the quotes around the path).
5. Save the file.
6. Open a command line window from this location. You can do this by holding the Shift
key and right-clicking in a blank space in the folder, then selecting “Open command
window from here”.
7. In the command window run the following command:
PARagent.exe setpassword Cyberark1
8. You should now have a new file in the directory called: paragent.pass.
9. Go to the Services window in the Server Manager and start the PrivateArk Remote
Control Agent Service:
6/24/2018
Connecting with the Remote Control Client from the Components server:
1. Logon to the Components server and navigate to:
C:\CyberArkInstallationFiles\CyberArk Enterprise Password Vault\Remote Control Client
2. Open a command line window from this location. You can do this by holding the Shift
key and right clicking in a blank space in the folder, then selecting “Open command
window from here. You may need to expand the window to find a large enough blank
space.
3. Run the following command:

PARClient.exe 10.0.10.1/Cyberark1
4. After the DLLs have loaded you should see the PARCLIENT prompt:
6/24/2018
5. Run the following command to see the status of the Vault
status Vault
6. Run the following command to set the debug level of the Vault:
SetParm Vault DebugLevel=PE(14) /Immediate
7. Type exit to quit PARClient
Create a password file for the Remote Agent
You can also connect using a password file instead of typing the password in clear text.
1. Run the following command in order to create a password file:
PARClient.exe /createpassfile pass.pwd
2. Enter the same password you used before (Cyberark1) and confirm.
3. In order to connect to the PARAgent on the Vault Server using the newly created
password file, run the following command:
6/24/2018
PARClient.exe <IP Address of Vault Server> /usepassfile

<filename>
Verify the changes made with the Remote Control Client
1. Connect to your Vault server.
2. Click on the PrivateArk Server icon.
3. Examine the ITA log and verify the Debug level settings have been applied.
Rotating CPM Logs
All the CPM log files can be automatically uploaded to a Safe in the Vault on a periodic
basis, according to a predefined period of time in the CPM parameters file. Each time a log
file is uploaded to the Vault, it is copied to the History subfolder in the Log folder, and the
CPM begins writing to a new log file.
1. Log into the PVWA as vaultadmin01.
2. On the ADMINISTRATION tab, you should see that PasswordManager is already

selected as the CPM. If there were multiple CPMs you would select the appropriate
CPM from the pulldown list
3. Click CPM Settings.
6/24/2018
4. Select Configuration > General and scroll down to set the following parameters.
LogCheckPeriod: 1
LogSafeName: CPM_Logs
5. Click OK
6. Create a safe called CPM_Logs and assign PasswordManager as the password

manager.
7. Modify the Members list to add the Vault Admins group.
8. Grant the Vault Admins group all safe permissions.
9. The Vault Admins group will now be able to access the CPM logs.
6/24/2018
Log in with Master
There are some cases where you will need to log in to the Vault with the Master user. This
can be in case of an emergency or to give permissions to a user for safe when there are
no active users with the necessary permissions.
1. On the Vault server open C:\Program Files (x86)\PrivateArk\Server\dbparm.ini.
2. In order to use the Master user, the dbparm.ini file must point to the location of the
Recovery Private Key. By default this is the CD-ROM drive of the server. Because we
do not have a CD-ROM drive (we are using VMs for our lab exercises) you will need
to point it to the relevant location.
3. Update the RecoveryPrvKey parameter to point to the location of the file called
recprv.key in the Master CD folder:
RecoveryPrvKey=C:\CyberArk Installation Files\Master CD\recprv.key
4. Restart the Vault service (using the PrivateArk Server console with the stop light) as
any change to the dbparm.ini file requires a restart of the service.
5. Open the PrivateArk Client from the Vault server machine.
6. In the User name field, enter: Master.
7. In the Password field enter the password that was configured during the installation
process (Cyberark1).
Question: How many safes are listed?
8. Close the PrivateArk Client session.
9. Open the PrivateArk Client session and login as Administrator
Question: How many safes are listed?
10. You should notice that there are many more safes displayed when you were logged
in as the Master user.
6/24/2018
Optional Exercises
Usages
Manage a Scheduled Task Usage
In this exercise, you will configure a usage, which allows you to manage applications
(services, scheduled tasks) that are dependent on the main account.
The virtual machine “Target Windows” (vfserver - 10.0.10.50) server contains a scheduled
task, SchedTask01. The scheduled task is configured to send an email to the
vaultadmin01 account every time it is run.
We will be using the localadmin01 account for testing. We will modify the
MinValidityPeriod setting, so that the password does not change while we are trying to
use it by resetting it to its default value.
1. Logged in to the PVWA as vaultadmin01, navigate to Administration > Platform

Management, select Windows Server Local Admins 45 platform and press Edit
2. Go to Automatic Password Management > Privileged Account Management and

change MinValidityPeriod to 60.
3. Press Apply and OK.
4. To test the scheduled task, run the following command from a command prompt.
6/24/2018
schtasks /run /s 10.0.10.50 /tn SchedTask01
5. Because the localadmin01 account password was changed in an earlier exercise

without accounting for the associated scheduled task, the scheduled task will not
run properly (even though the return message says “SUCCESS”). You can
confirm that the schedule task did not complete properly by checking your email
client as vaultadmin01@cyber-ark-demo.local and seeing that you do not have any
messages referring to “scheduled task”.
6. Now, go to the localadmin01 Account Details and locate the Scheduled Task tab.
Press Add.
6/24/2018
7. Enter SchedTask01 in the Task Name field and enter vfserver in the Address field.
Press Save.
8. After pressing Save, click on the newly created scheduled task.
Note: The localadmin01 account is unable to update the scheduled task remotely, so you
will associate the usage with a domain account that contains the required privileges
to perform the update.
9. We are now looking at the Account Details for the Scheduled Task. Press the
Associate button.
6/24/2018
10. Select admin01 and press Associate to associate the scheduled task with the
admin01 domain account
11. Next, go back to the localadmin01 Account Details window and change the
localadmin01 password.
12. Select Change the password immediately (by the CPM) and press OK.
6/24/2018
13. Wait for the localadmin01 password to change.
Note: The scheduled task is associated with a different platform than the localadmin01
account. After the localadmin01 account has been changed, the flag will be set for
the scheduled task to be changed. The entire process could take in excess of 10
minutes to complete.
14. After the Windows password has been changed, select the scheduled task and open
the Account Details. You will see that the usage password is now scheduled for
immediate change.
15. Wait for the usage password to change and then re-run the scheduled task from the
command prompt.
16. Now check your email. You should receive a message stating that “The scheduled
task is working”.
6/24/2018
Managing a Configuration File Usage
In this exercise you will be using a usage to update a password in a text file whenever the
specified account’s password is changed.
The file app01.ini is located on the Linux server IP address 10.0.0.20 in the /var/opt/app
directory.
1. On your Components server, log in to the PVWA as vaultadmin01.
2. Navigate to the ADMINISTRATION tab and click Platform Management.
3. Select Linux via SSH 30 and press Duplicate. Enter Linux Apps via SSH 90 as the
name and click Save.
4. Select the newly-created platform and choose Edit.
5. Go to Automatic Password Management > General, set SearchForUsages to Yes

and press Apply.
6. Right-click UI & Workflows and choose Add Usages.
6/24/2018
7. After selecting Add Usages, you will have a new ‘Usages’ entry at the end of the UI &
Workflows section. Right click Usages and select Add Usage.
8. Enter TextConfigFile as the Value. Press Apply and OK.
9. In the interest of good practice, create a dedicated Safe for this purpose called Linux
Apps.
6/24/2018
10. Go to ACCOUNTS and press Add Account and enter the following:
Store in Safe: Linux Apps

Platform Name: Linux Apps via SSH 90
Address: 10.0.0.20
User Name: app-account01
Password: Cyberark1
11. Press Save.
12. Go to the Text Config File tab and press Add.
Address: 10.0.0.20
File Path: /var/opt/app/app01.ini
Password Regex Password=(.*)
Connection Type: SSH
14. Press Save.
6/24/2018
15. Go to the Account Details for the primary account (app-account01), click the
Change button page, and select Change the password immediately (by the CPM).
Note: This process can take several minutes to complete. The usage has interval settings,
just like the account. When the account changes, it scans the vault for usages,
marks those usages for change, and then according to those intervals the changes
take effect.
So it will be a few minutes between when the password changes and the file
changes.
16. After the password change is complete, connect to 10.0.0.20 with the app-account01.

cat /var/opt/app/appXX.ini | grep Password
You should see that the password matches the new password in the Vault.
6/24/2018
Custom File Categories
File category is the CyberArk term for the attributes or fields available on accounts
(Address, User Name, etc.). This section will detail the steps required to create and use
custom file categories, allowing you to categorize accounts based your organization’s
requirements.
1. Using the Components server, from the PrivateArk Client, log onto the Vault and go
to File > Server File Categories.
2. Press the New… button.
3. In the Add File Category window, enter the following:
6/24/2018
Name: BusinessUnit
Type: List
Valid values: International, Retail, and Corporate
4. After each value is added, select the Required Category checkbox and click OK.
5. Log out of the PrivateArk Client.
Now we’ll make the new BuinessUnit File Category a required field for accounts assigned
to the Oracle DBA 30 platform.
6. Log into the PVWA as.
7. Go to the ADMINISTRATION tab and click Platform Management.
8. Highlight Oracle DBA 30 and press Edit.
9. Go to UI & Workflows > Properties > Required. Right-click and select Add
Property from the context menu.
6/24/2018
10. Enter BusinessUnit in the Name field and press Apply and OK. This will make
BusinessUnit a required field on any accounts attached to the Oracle DBA 30 policy.
Now we will make the new BusinessUnit file category searchable.
11. Go to ADMINISTRATION > Options.
12. Right-click on Search Properties and select Add Property.
6/24/2018
13. Enter BusinessUnit in the Name field and press Apply and OK. This will allow the
new file category to be searchable.
14. Sign out of the PVWA session.
15. Run the restart-services batch file on the Components server Desktop.
16. Login to the PVWA as vaultadmin01.
6/24/2018
17. Go to the ACCOUNTS tab and open the dba01 account.
18. Click on the Edit button. Select Retail and press Save.
19. Enter retail in the Search field on the ACCOUNTS tab and press Go.
20. dba01 should be returned based on the new file category.
6/24/2018

13-PAS-ADMIN-Exercise Guide (v10.3) (New UI) PDF

Uploaded by

Copyright:

Available Formats

13-PAS-ADMIN-Exercise Guide (v10.3) (New UI) PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

13-PAS-ADMIN-Exercise Guide (v10.3) (New UI) PDF

Uploaded by

Copyright:

Available Formats

CyberArk University

Privileged Account Security Administration

CyberArk University Exercise Guide page 1

USER MANAGEMENT ........................................................................................................................................... 12

CREATING A CUSTOM USER MAPPING .............................................................................................................................12

PASSWORD MANAGEMENT – PART 1 .................................................................................................................. 27

EDITING THE MASTER POLICY .........................................................................................................................................27

CONFIGURING THE MASTER POLICY .................................................................................................................... 48

PRIVILEGED ACCESS WORKFLOWS ...................................................................................................................................48

PASSWORD MANAGEMENT – PART 2 .................................................................................................................. 51

CONFIGURING A LOG-ON ACCOUNT.................................................................................................................................51

CyberArk University Exercise Guide page 2

ONBOARDING ACCOUNTS ................................................................................................................................... 83

ACCOUNTS FEED ..........................................................................................................................................................83

PRIVILEGED SESSION MANAGER ........................................................................................................................ 102

ENABLING PSM FOR TWO PLATFORMS ..........................................................................................................................102

PRIVILEGED THREAT ANALYTICS ........................................................................................................................ 114

UNMANAGED PRIVILEGED ACCESS ................................................................................................................................114

REPORTS ............................................................................................................................................................ 124

GENERATE “PRIVILEGED ACCOUNTS INVENTORY” REPORT..................................................................................................124

CyberArk University Exercise Guide page 3

BACKUP AND RESTORE ................................................................................................................................................129

OPTIONAL EXERCISES ......................................................................................................................................... 146

CyberArk University Exercise Guide page 4

CyberArk University Exercise Guide page 6

CyberArk University Exercise Guide page 7

6. You may need to adjust your bandwidth setting on slower connections.

From the Start Menu launch “Add a language.”

7. Click “Add a language.”

CyberArk University Exercise Guide page 8

8. Select your language. Click Open.

9. Select your specific locality or dialect. Click Add.

CyberArk University Exercise Guide page 9

CyberArk University Exercise Guide page 10

CyberArk University Exercise Guide page 11

Creating a Custom User Mapping

CyberArk University Exercise Guide page 12

6. Click the User Template… button.

CyberArk University Exercise Guide page 13

7. In the New Directory Map Window, select the Authorizations tab

9. Select the Authentication tab.

11. Select LDAP Authentication and press OK.

CyberArk University Exercise Guide page 14

13. Press the Browse… button to locate the Directory Name.

14. On the Choose Directory and Branch window, highlight cyber-ark-demo.

CyberArk University Exercise Guide page 15

16. In the Query Filter field, enter:

(&(objectclass=person)(memberOf=CN=CyberArk Power Users,ou=Cyber-

CyberArk University Exercise Guide page 16

CyberArk University Exercise Guide page 17

About ‘Mapping Order’

23. After reordering the map order, press Close.

CyberArk University Exercise Guide page 18

Nesting the Power Users group under Vault Admins

1. Go to Tools > Administrative Tools > Users and Groups…

2. Select System > Vault Admins.

CyberArk University Exercise Guide page 19

4. Press Add… > LDAP Group.

CyberArk University Exercise Guide page 20