Manage Accounts and Safes During Synchronization

This topic describes how to manage accounts and Safes during synchronization.

Add an account

To add an account in Conjur:

  1. Add an account to a synced Safe (the LOB User is an owner of that Safe).

  2. In the next sync interval, the account is added to the LOB and corresponding variables are created in Conjur.

  3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

Rename an account

To rename an account that is syncing to Conjur:

  1. Give an account that is synced to Conjur a new name. (The LOB 'Conjur Sync' user is the owner of the Safe that the account is stored in.)

    In the next sync interval, the renamed account is added to the LOB.

  2. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users for these variables.

  3. To delete variables that corresponded to the account before you renamed it, cleanup must be enabled. For details, see Delete accounts/Safes.

Add a Safe

  1. Create a new Safe with accounts and add the LOB User as an owner of that Safe. Alternatively, add the LOB User as an owner of an existing Safe.

    In the next sync interval, the accounts are added to the LOB and the variables are created in Conjur.

  2. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

Rename a Safe

To rename a Safe that is syncing to Conjur:

  1. In the Vault, rename the Safe. The LOB User is an owner of that Safe.

    In the next sync interval, the renamed Safe's accounts are added to the LOB and the variables are created in Conjur.

  2. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

    To delete variables that corresponded to the Safe before you renamed it, cleanup must be enabled. For details, see Delete accounts/Safes.

Delete accounts/Safes

When the Vault Synchronizer's cleanup functionality is enabled, accounts and Safes deleted from the Vault/Privilege Cloud are automatically deleted from Conjur as well. Cleanup occurs only during full synchronization, which occurs every 60 minutes by default.

This cleanup functionality is disabled by default. If this functionality was not enabled when installing/upgrading the Vault Synchronizer, we recommend enabling it to prevent a buildup of stale data.

Enable cleanup

Cleanup is controlled by the following parameters:

Parameter                  Description
SYNC_CLEANUP               Enables or disables cleanup: True, False, DryRun
INTERVAL_MAX_CLEANUP_SIZE  Defines the maximum number of accounts to be deleted in each synchronization interval for each LOB

To enable cleanup and configure these settings, read through this page.

Deleting many accounts from Conjur (which is common when you first enable this feature) may take a long time and impact Conjur performance. We recommend the following mitigations:

  • Enable Vault Synchronizer cleanup during low usage times.

  • Limit the number of accounts to delete in each synchronization interval (default is 100 for each LOB) so that the Synchronizer can complete the full synchronization on time.

For a new Vault Synchronizer installation, set the required configuration in the VaultConjurSynchronizer.exe.config file and restart the Vault Synchronizer services to enable cleanup. For more information, see Install CyberArk Vault Synchronizer.

For existing Vault Synchronizer users, we recommend running the DryRun before enabling the Vault Synchronizer cleanup. For more information, see DryRun.

DryRun

In existing deployments, if the cleanup functionality is not enabled, there are most likely many accounts, Safes, and secrets whose corresponding resources are deleted from the Vault/Privilege Cloud but not from Conjur. If you want to enable the cleanup functionality, we recommend first performing a dry run. The dry run updates the synchronizer.log file with the expected deletions without actually performing the cleanup task.

The dry run may take time since it runs together with the synchronization process.

This information helps you plan how to roll out cleanup without impacting Conjur performance or applications. The synchronizer.log file lists the information based on the verbosity settings.

INFO verbosity lists the number of accounts that can be cleaned up from each LOB and Safe.

For example:

VCSS028I Dry run (cleanup): LOB <LOB name> contains <number> account(s) that can be cleaned up from Conjur
VCSS026I Dry run (cleanup): Safe <safe name> and all its content can be cleaned up from Conjur
VCSS027I Dry run (cleanup): Safe <safe name> contains <number> account(s) that can be cleaned up from Conjur

DEBUG verbosity lists the variables in the Safe that can be cleaned up.

For example:

VCSS044D Dry run (cleanup variable): Variables in safe <safe name> that can be cleaned up:
<variables listed line by line>

To start DryRun:

  1. Open VaultConjurSynchronizer.exe.config from the Synchronizer installation directory.

  2. Set SYNC_CLEANUP parameter value to DryRun. If you do not have the SYNC_CLEANUP parameter in the configuration file, add the parameter to the configuration file and start DryRun.

    <add key="SYNC_CLEANUP" value="DryRun" />
  3. Restart the synchronizer service as described in Run Vault Synchronizer and check the logs to see that the Vault Synchronizer is up and running.

After running the DryRun, distribute the actual deletions over multiple synchronization intervals to prevent this process from interfering with Conjur performance. Modify INTERVAL_MAX_CLEANUP_SIZE to decide how the deletions are spread over the synchronization intervals (default value is 100 for each LOB).
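The following script is an added example, not part of the CyberArk documentation or the Vault Synchronizer product. It reads dry-run lines in the VCSS026I/VCSS027I/VCSS028I/VCSS044D format shown above out of a synchronizer.log, totals the expected deletions per LOB and Safe, and estimates how many full-synchronization intervals the cleanup will need for a given INTERVAL_MAX_CLEANUP_SIZE. The sample log text, the Safe and LOB names and the variable paths in it are constructed; real log lines may carry a timestamp prefix, which the regular expressions tolerate.

```python
import re
from math import ceil

# Message formats as documented for the dry run (INFO and DEBUG verbosity).
LOB_RE = re.compile(r"VCSS028I Dry run \(cleanup\): LOB (?P<lob>.+?) contains (?P<n>\d+) account\(s\)")
SAFE_ALL_RE = re.compile(r"VCSS026I Dry run \(cleanup\): Safe (?P<safe>.+?) and all its content can be cleaned up")
SAFE_RE = re.compile(r"VCSS027I Dry run \(cleanup\): Safe (?P<safe>.+?) contains (?P<n>\d+) account\(s\)")
VARS_RE = re.compile(r"VCSS044D Dry run \(cleanup variable\): Variables in safe (?P<safe>.+?) that can be cleaned up:")
ANY_CODE_RE = re.compile(r"VCSS\d{3}[A-Z]")  # any other synchronizer message ends a variable listing

# Constructed sample log excerpt (not real synchronizer output; variable paths are assumed).
SAMPLE_LOG = """\
VCSS028I Dry run (cleanup): LOB Finance contains 350 account(s) that can be cleaned up from Conjur
VCSS027I Dry run (cleanup): Safe Finance-Prod contains 300 account(s) that can be cleaned up from Conjur
VCSS026I Dry run (cleanup): Safe Finance-Legacy and all its content can be cleaned up from Conjur
VCSS027I Dry run (cleanup): Safe Finance-Legacy contains 50 account(s) that can be cleaned up from Conjur
VCSS028I Dry run (cleanup): LOB HR contains 80 account(s) that can be cleaned up from Conjur
VCSS027I Dry run (cleanup): Safe HR-Apps contains 80 account(s) that can be cleaned up from Conjur
VCSS044D Dry run (cleanup variable): Variables in safe HR-Apps that can be cleaned up:
HR/HR-Apps/svc-payroll/password
HR/HR-Apps/svc-payroll/username
"""


def parse_dry_run(log_text):
    """Collect per-LOB and per-Safe deletion counts, fully removable Safes and listed variables."""
    lobs, safes, whole_safes, variables = {}, {}, set(), {}
    current_safe = None  # Safe whose DEBUG variable listing we are inside, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := LOB_RE.search(line):
            lobs[m["lob"]] = int(m["n"])
            current_safe = None
        elif m := SAFE_ALL_RE.search(line):
            whole_safes.add(m["safe"])
            current_safe = None
        elif m := SAFE_RE.search(line):
            safes[m["safe"]] = int(m["n"])
            current_safe = None
        elif m := VARS_RE.search(line):
            current_safe = m["safe"]
            variables.setdefault(current_safe, [])
        elif current_safe and not ANY_CODE_RE.search(line):
            variables[current_safe].append(line)  # one variable per line after VCSS044D
        else:
            current_safe = None
    return {"lobs": lobs, "safes": safes, "whole_safes": whole_safes, "variables": variables}


def plan_cleanup(lob_counts, max_per_interval=100, interval_minutes=60):
    """Intervals needed per LOB. The limit applies per LOB and per interval, so LOBs
    drain in parallel; the longest LOB bounds the total time at one full sync per interval."""
    if max_per_interval < 1:
        raise ValueError("INTERVAL_MAX_CLEANUP_SIZE must be a positive integer")
    intervals = {lob: ceil(n / max_per_interval) for lob, n in lob_counts.items()}
    total_minutes = max(intervals.values(), default=0) * interval_minutes
    return intervals, total_minutes


if __name__ == "__main__":
    report = parse_dry_run(SAMPLE_LOG)
    for lob, n in report["lobs"].items():
        print(f"LOB {lob}: {n} account(s) pending cleanup")
    for size in (100, 400):
        intervals, minutes = plan_cleanup(report["lobs"], max_per_interval=size)
        print(f"INTERVAL_MAX_CLEANUP_SIZE={size}: {intervals} -> about {minutes} minutes")
```

Run it against the real file with the DEBUG block replaced by the contents of synchronizer.log; the two INTERVAL_MAX_CLEANUP_SIZE values in the usage show the trade-off the text describes: a larger value finishes sooner but deletes more per full synchronization.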

Enable Vault Synchronizer cleanup:

  1. Open VaultConjurSynchronizer.exe.config from the Synchronizer installation directory.

  2. Set the values for the following parameters:

    1. Set the SYNC_CLEANUP parameter value to True.

      <add key="SYNC_CLEANUP" value="true" />
    2. (Optional) Change the INTERVAL_MAX_CLEANUP_SIZE parameter value.

      <add key="INTERVAL_MAX_CLEANUP_SIZE" value="1200" />

      Add SYNC_CLEANUP and INTERVAL_MAX_CLEANUP_SIZE parameters to the configuration file if you do not have these parameters in the VaultConjurSynchronizer.exe.config file.

  3. Restart the synchronizer service as described in Run Vault Synchronizer and check the logs to see that the Vault Synchronizer is up and running.
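As an added example (not CyberArk code), the script below checks and updates the two cleanup settings in a VaultConjurSynchronizer.exe.config before the service is restarted: it reports the effective SYNC_CLEANUP mode and INTERVAL_MAX_CLEANUP_SIZE (falling back to the documented defaults of disabled and 100), flags values the Synchronizer would not accept, and adds the <add key=... /> elements when they are missing, as the procedure above requires. It assumes the file is a standard .NET application configuration with the settings under <configuration><appSettings>; the sample content is constructed.

```python
import xml.etree.ElementTree as ET

VALID_MODES = {"true", "false", "dryrun"}  # SYNC_CLEANUP accepts True, False or DryRun

# Constructed sample of a .exe.config (assumed .NET appSettings layout, not a real file).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="SYNC_CLEANUP" value="DryRun" />
  </appSettings>
</configuration>
"""


def _parse(config_xml):
    data = config_xml.encode("utf-8") if isinstance(config_xml, str) else config_xml
    return ET.fromstring(data)


def read_cleanup_settings(config_xml):
    """Return the effective cleanup settings plus a list of problems a reviewer should fix."""
    root = _parse(config_xml)
    settings = {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}
    mode = settings.get("SYNC_CLEANUP", "False")           # documented default: disabled
    size_raw = settings.get("INTERVAL_MAX_CLEANUP_SIZE", "100")  # documented default: 100 per LOB
    warnings = []
    if mode.lower() not in VALID_MODES:
        warnings.append(f"SYNC_CLEANUP={mode!r} is not one of True, False, DryRun")
    try:
        size = int(size_raw)
        if size < 1:
            raise ValueError
    except ValueError:
        warnings.append(f"INTERVAL_MAX_CLEANUP_SIZE={size_raw!r} is not a positive integer")
        size = None
    return {"mode": mode, "max_cleanup_size": size, "warnings": warnings}


def set_cleanup_settings(config_xml, mode, max_cleanup_size=None):
    """Set SYNC_CLEANUP (and optionally INTERVAL_MAX_CLEANUP_SIZE), creating the elements
    if absent. Returns the updated XML text; the caller writes it back and restarts the service."""
    if mode.lower() not in VALID_MODES:
        raise ValueError(f"unsupported SYNC_CLEANUP value: {mode!r}")
    root = _parse(config_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    wanted = {"SYNC_CLEANUP": mode}
    if max_cleanup_size is not None:
        if int(max_cleanup_size) < 1:
            raise ValueError("INTERVAL_MAX_CLEANUP_SIZE must be a positive integer")
        wanted["INTERVAL_MAX_CLEANUP_SIZE"] = str(int(max_cleanup_size))
    for key, value in wanted.items():
        node = next((a for a in app.findall("add") if a.get("key") == key), None)
        if node is None:
            node = ET.SubElement(app, "add", key=key)
        node.set("value", value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(read_cleanup_settings(SAMPLE_CONFIG))
    updated = set_cleanup_settings(SAMPLE_CONFIG, "True", 1200)
    print(read_cleanup_settings(updated))
```

Note that ET.tostring drops the XML declaration and original whitespace; if that matters for your change-control process, diff the result against the original before replacing the file.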