Line of business (LOB)

This topic describes how to add and assign permissions to a line of business (LOB) user.

An LOB represents a business group that requires access to secrets from the Vault/Privilege Cloud. This enables segregation of duty (SoD). The LOB facilitates the syncing of accounts to Conjur. For more information, see Vault Synchronizer overview > How does it work?

Add an LOB

You can add LOBs before or after running the CyberArk Vault Synchronizer.

Adding an LOB requires adding a user and an account for the LOB user. If you are working with PAM - Self-Hosted 11.4 and later or with Privilege Cloud, you can use the GenerateLOBs script (recommended) to add LOBs. The script adds the LOB user and account for you.

Alternatively, you can add LOBs manually (all versions of PAM - Self-Hosted and Privilege Cloud).

  1. Prerequisites:

    • PAM - Self-Hosted only: The machine where you are running the GenerateLOBs script requires a trusted certificate for the PVWA. To ensure that this certificate is trusted by the machine, the certificate must be added to the machine's LocalMachine\Root certificate store. We recommend you do this manually before you run the script. Alternatively, you can authorize the script to add the certificate to the trusted root for you.

    • Make sure that the PVWA/Privilege Cloud portal is accessible from the machine where you are running the script.

    • Recommended: Gather the information required by the GenerateLOBs script.

  2. The GenerateLOBs script and accompanying files are located in the Vault Synchronizer installation package, provided by CyberArk Customer Support. From the unzipped package (<Sync-package directory>), copy the following files to the Windows machine where you are going to run the script:

    • The Modules folder

    • GenerateLOBs.ps1

  3. Open a Windows PowerShell window, navigate to where you copied the GenerateLOBs script, and run the following command to start the script:

    .\GenerateLOBs.ps1

  4. The script opens. Follow all the prompts using the information you gathered above.

    The LOBs are added. For each LOB, a user and an account are created.

  5. For each LOB, add the LOB user to the list of members of each Safe that needs to sync with Conjur as described in Sync a Safe to Conjur - Add LOB user as member of target Safe.

  1. Create an LOB Vault user using one of the following methods:

    PrivateArk Client:

    1. In PrivateArk Client, go to Tools > Administrative Tools > Users and Groups > New > User and create an LOB user in the Vault, provide a password for this LOB user, and update the following values:

      General tab:

        • User name: <LOB user name>

          The LOB user name cannot begin with a special character or a number, and cannot contain spaces.

        • User type: APPProvider

      Authentication tab:

        • Password: Enter a password for the LOB user, and enter it a second time for confirmation.

        • User Must Change Password at Next Logon: Uncheck

        • Password never expires: Check

    2. Log off from PrivateArk Client.

    REST API:

    Create the LOB user in the Vault/Privilege Cloud using the following template:

    The LOB user name cannot begin with a special character or a number, and cannot contain spaces.

    POST https://<PVWA_IP>/PasswordVault/api/Users

    {
        "username":"<LOB user name>",
        "userType": "AppProvider",
        "initialPassword": "<password>",
        "authenticationMethod": ["AuthTypePass"],
        "location": "\\",
        "expiryDate": "",
        "vaultAuthorization":"",
        "enableUser": true,
        "changePassOnNextLogon": false,
        "passwordNeverExpires": true,
        "description": "<description>"
    }

    For more details, see:

  2. Create an account in the PVWA/Privilege Cloud

    1. In PVWA/Privilege Cloud, create an account for the LOB user using all of the following values:

      • System Type: Application

      • Platform Name: CyberArk Vault

        This value can be CyberArk Vault or any duplicate of the CyberArk Vault platform. Otherwise, the Vault Synchronizer will not be able to sync the LOB. Ensure that the platform is activated.

      • Store in Safe: The name given to the Synchronizer Safe when the Vault Synchronizer was installed.

      • User Name: The LOB user name as created in the previous step.

      • Address: The IP address of the Vault. For Privilege Cloud, contact CyberArk support.

      • Password: The password for the LOB user.

      • Customize Account Name: The name of the account. The account name must have a prefix of LOBUser_.

      • Allow automatic password management: Disabled

    2. Add the LOB user to the list of members of each Safe that needs to sync with Conjur as described in Sync a Safe to Conjur - Add LOB user as member of target Safe.

    3. Log off from PVWA.
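The following Python helper is an added example (not part of this documentation or the GenerateLOBs script) that enforces the LOB user name rule, builds the user-creation body shown in the REST API template above, and builds the matching LOBUser_ account body. The Accounts API field names and the default platform ID "CyberArk" for the CyberArk Vault platform are assumptions about the PVWA REST API, not values taken from this page.

```python
import re

# Rule stated on this page: the LOB user name cannot begin with a special
# character or a number, and cannot contain spaces.
_LOB_USER_NAME = re.compile(r"^[A-Za-z]\S*$")
ACCOUNT_NAME_PREFIX = "LOBUser_"   # required prefix for the LOB account name


def validate_lob_user_name(name: str) -> bool:
    """True only when the name starts with a letter and contains no whitespace."""
    return bool(_LOB_USER_NAME.match(name))


def build_lob_user_payload(name: str, password: str, description: str = "") -> dict:
    """Body for POST /PasswordVault/api/Users, mirroring the page's template."""
    if not validate_lob_user_name(name):
        raise ValueError(f"invalid LOB user name: {name!r}")
    return {
        "username": name,
        "userType": "AppProvider",
        "initialPassword": password,
        "authenticationMethod": ["AuthTypePass"],
        "location": "\\",
        "expiryDate": "",
        "vaultAuthorization": "",
        "enableUser": True,
        "changePassOnNextLogon": False,     # User Must Change Password: unchecked
        "passwordNeverExpires": True,       # Password never expires: checked
        "description": description,
    }


def build_lob_account_payload(lob_user: str, vault_address: str, password: str,
                              sync_safe: str, platform_id: str = "CyberArk") -> dict:
    """Body for POST /PasswordVault/api/Accounts. Field names and the default
    platform ID are assumptions about the PVWA Accounts API, not from the page."""
    if not validate_lob_user_name(lob_user):
        raise ValueError(f"invalid LOB user name: {lob_user!r}")
    return {
        "name": ACCOUNT_NAME_PREFIX + lob_user,   # account name must start with LOBUser_
        "address": vault_address,                 # IP address of the Vault
        "userName": lob_user,                     # the LOB user created above
        "platformId": platform_id,                # CyberArk Vault platform or a duplicate
        "safeName": sync_safe,                    # the Synchronizer Safe
        "secretType": "password",
        "secret": password,
        "secretManagement": {"automaticManagementEnabled": False},  # Disabled
    }
```

Send each body as JSON to the corresponding PVWA endpoint with a session token from the PVWA Logon API.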

Sync a Safe to Conjur - Add LOB user as member of target Safe

After you create an LOB user, you must add it to the list of members of each Safe that needs to sync with Conjur by granting the user the following permissions:

Role       Permissions
Access     Use accounts, Retrieve accounts, List accounts
Workflow   Access Safe without confirmation

To add the user as a member of the Safe, see:
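As an added example (not code from this documentation), the following Python audit checks that an LOB user holds exactly the four Safe permissions listed above: missing permissions break the sync, while extra permissions mean the sync identity is over-privileged. The permission key names (useAccounts, retrieveAccounts, listAccounts, accessWithoutConfirmation) and the member record shape are assumptions based on the PVWA Safe Members REST API; the sample member list is constructed.

```python
# Permissions this page requires for the LOB user on each synced Safe, keyed by the
# names assumed for the PVWA Safe Members REST API (the page gives display names only).
REQUIRED_LOB_PERMISSIONS = frozenset({
    "useAccounts", "retrieveAccounts", "listAccounts", "accessWithoutConfirmation",
})


def build_lob_member_request(lob_user: str) -> dict:
    """Body for POST /PasswordVault/API/Safes/{safe}/Members granting exactly the required set."""
    return {"memberName": lob_user,
            "permissions": {p: True for p in sorted(REQUIRED_LOB_PERMISSIONS)}}


def audit_lob_member(member: dict) -> dict:
    """Compare one Safe member entry ({"memberName": ..., "permissions": {name: bool}})
    with the required set. 'missing' breaks the sync; 'excess' is over-privilege."""
    granted = {name for name, on in member.get("permissions", {}).items() if on}
    return {
        "member": member["memberName"],
        "missing": sorted(REQUIRED_LOB_PERMISSIONS - granted),
        "excess": sorted(granted - REQUIRED_LOB_PERMISSIONS),
        "ok": granted == REQUIRED_LOB_PERMISSIONS,
    }


# Constructed sample of a Safe member listing (not real data).
SAMPLE_MEMBERS = [
    {"memberName": "PaymentsLOB", "permissions": {
        "useAccounts": True, "retrieveAccounts": True,
        "listAccounts": True, "accessWithoutConfirmation": True}},
    {"memberName": "HRLOB", "permissions": {
        "useAccounts": True, "listAccounts": True, "accessWithoutConfirmation": False,
        "addAccounts": True, "deleteAccounts": True}},
]


def audit_members(members=SAMPLE_MEMBERS) -> list:
    """Return a finding for every member whose permissions are not exactly the required set."""
    return [r for r in (audit_lob_member(m) for m in members) if not r["ok"]]


if __name__ == "__main__":
    for finding in audit_members():
        print(finding)
```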

Delete an LOB

This section describes how to stop syncing an LOB.


After deleting an LOB, other hosts or users can no longer access the LOB variables.

Step 1: Delete the LOB account in PVWA/Privilege Cloud

When you delete the LOB account in PVWA/Privilege Cloud, the Vault Synchronizer no longer syncs the LOB.

  1. Log in to the PVWA/Privilege Cloud as a Vault/Privilege Cloud administrator.

  2. Delete the LOBUser_<LOB name> user account from the Synchronizer Safe that was created when the Vault Synchronizer was installed.

Step 2: Delete the LOB user

When you delete the LOB user, it is no longer counted for license purposes.

Delete the LOB user in the Vault/Privilege Cloud using one of the following methods:

  • PrivateArk Client (PAM - Self-Hosted users only): Delete the <LOB user name> user.

  • PVWA REST API:

    1. Get the LOB user ID that needs to be deleted.

    2. Delete the LOB user.

For details see:
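The two REST API steps above, as an added Python example that is not part of this documentation. It assumes the Users API is searched with GET /PasswordVault/api/Users?search=<name> (returning {"Users": [{"id": ..., "username": ...}]}), that the search is a substring match, and that the user is removed with DELETE /PasswordVault/api/Users/{id}; because a substring search can return more than one user, only a unique exact username match is deleted. The sample response is constructed.

```python
import json
import urllib.parse
import urllib.request


def find_lob_user_id(users_response: dict, lob_user: str):
    """Return the ID of the one user whose username matches exactly (case-insensitive).

    users_response is the assumed JSON body of GET /PasswordVault/api/Users?search=<name>.
    The search is a substring match, so "Payments" may also return "PaymentsLOB2";
    an ambiguous or empty result returns None instead of guessing.
    """
    wanted = lob_user.lower()
    matches = [u for u in users_response.get("Users", [])
               if u.get("username", "").lower() == wanted]
    return matches[0]["id"] if len(matches) == 1 else None


def pvwa_request(pvwa_base: str, method: str, path: str, session_token: str):
    """Send an authenticated PVWA request; session_token is assumed to come from the Logon API."""
    req = urllib.request.Request(pvwa_base + path, method=method, headers={
        "Authorization": session_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def delete_lob_user(pvwa_base: str, session_token: str, lob_user: str) -> int:
    """Step 1: look up the LOB user's ID. Step 2: delete that user by ID."""
    listing = pvwa_request(pvwa_base, "GET",
                           "/PasswordVault/api/Users?search=" + urllib.parse.quote(lob_user),
                           session_token)
    user_id = find_lob_user_id(listing, lob_user)
    if user_id is None:
        raise LookupError(f"no unique user named {lob_user!r}; nothing deleted")
    pvwa_request(pvwa_base, "DELETE", f"/PasswordVault/api/Users/{user_id}", session_token)
    return user_id


# Constructed sample search response showing why exact matching matters (not real data).
SAMPLE_SEARCH = {"Users": [
    {"id": 101, "username": "PaymentsLOB"},
    {"id": 102, "username": "PaymentsLOB2"},
]}
```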

Step 3: Delete the LOB from Conjur

This step deletes the LOB from Conjur.

  1. Create a policy file named deleteLob_<lobName>.yml with the name of the LOB you intend to delete.

  2. In the policy file, enter the following text, where <lobName> is the LOB you are deleting:

    - !delete
      record: !group <lobName>-admins

  3. Log in to Conjur as admin and load the policy using the Conjur CLI:

    conjur policy load delete -b <VaultName> -f <path to your policy>

    This can also be done using the Conjur v5 update policy REST API.

Supported LOBs

You can sync accounts from up to 10 LOBs to each Conjur cluster.