What's new
New Dynamic Privileged Access versions are released and announced on a varying cadence. Occasionally, new versions that include only performance, stability and bug fixes, and do not require customer actions, are released without an announcement.
September 21, 2023
Dynamic Privileged Access data centers in Canada and Mumbai
We've added new data centers in Canada and Mumbai to meet the market demand in these regions. The new data centers are in addition to our existing data centers in Frankfurt (Germany), London (UK), and Virginia (USA).
August 7, 2023
Support for Google Cloud-based Linux targets
You can now reduce the risk of standing access rights to your Google Cloud VMs, by connecting natively in a just-in-time manner to Linux targets via DPA.
To enable just-in-time access to your Linux VMs in Google Cloud, you can onboard your Google Cloud organizations in Platform management.
For more details, see Add a Google Cloud organization.
Rapid AWS onboarding with AWS organizations
We have enhanced how DPA connects to your AWS environments to enable you to rapidly onboard an AWS organization’s accounts to DPA, eliminating the need to onboard each account individually. For more information, see Onboard an AWS organization.
June 12, 2023
Dynamic Privileged Access data center in London
We've added a new data center in London to meet the market demand in the EMEA region. The new data center is in addition to our existing data centers in Frankfurt, Germany and Virginia, USA.
June 7, 2023
Support for Windows targets from multiple domains
You can now reduce the risk of standing access rights to any Windows target from multiple domains.
As part of the deployment flow, you will need to define a strong account per domain, or per several domains.
In addition, we have added the option for Windows on-premises targets to securely store the strong account in a Privilege Cloud vault. (Previously, this capability was only available for cloud targets.)
For more information, see Add an on-premises domain.
If you are an existing customer and have already configured a domain for on-premises targets, see Migrate to support multi-domains.
No Identity connector installation required when deploying Windows targets
To reduce the footprint and ease deployment, we have removed the need to install the Identity connector for any type of target. This is supported when using DPA connectors of later than version 1.4.369.
Support for multiple on-premises networks
You can now add connector pools for on-premises targets. This enables you to define an on-premises network and select which connectors provide connectivity to that network by assigning them to the pool. For more information, see Connector pools.
June 4, 2023
Improved authentication support
-
End users can now complete their native connection to Linux targets by authenticating through a 3rd-party RADIUS as 1st or 2nd authentication factor. Previously, this capability was only available for Windows targets.
-
Azure Active Directory is now an approved directory for DPA. For more information, see Add Azure Active Directory as a directory service.
April 4, 2023
New comprehensive consolidated session monitoring view
Auditors, SOCs, and service administrators now have a consolidated view of session information available from Dynamic Privileged Access and Secure Cloud Access on the Shared Services platform.
The session information provides a comprehensive display of all sessions in a unified view, and delivers a one-stop shop for enhanced auditing and incident-response investigation.
To see this information, go to the CyberArk Audit service and click Session Monitoring.
For more information, see Session monitoring.
Dynamic Privileged Access data center in Frankfurt
We've added a new data center in Frankfurt to meet the market demand in the EMEA region. The new data center is in addition to our existing data center in Virginia, USA.
March 21, 2023
Support for Microsoft Azure-based Windows targets
You can now reduce the risk of standing access rights to your Azure VMs (in addition to the previously supported Linux targets), by connecting in a just-in-time manner to Azure-based targets via DPA.
To enable just-in-time access to your Windows cloud VMs in Azure, add a new Azure subscription in Platform management, and add Windows targets.
If you already use Azure for Linux VMs, you only need to verify you have a DPA connector installed on Windows, and edit the policy to include Windows targets.
For more details, see Add a Microsoft Azure subscription.
February 26, 2023
Improved connection guidance
We have upgraded the Connection guidance page for DPA administrators to include the alias script for SSH connections and MFA caching.
In addition, end users can now access the DPA tile in the Identity Security Platform and view a Connection guidance page to smooth their connection path. The page automatically generates key connection details and, for Windows targets, also creates the RDP file with the relevant information, available for download. For more information, see Connection guidance page and generate RDP file.
Connection string change
RDP and SSH connection strings now require your organization’s tenant subdomain to be included.
-
For RDP username field: <user@login_suffix>#<subdomain>@<target> (This is for RDP on-prem. For cloud you also will have the cloud domain.)
-
For SSH: <user>@<login_suffix>#<subdomain>@<target>@<DPA SSH gateway address>
For more information, see Connect to a Linux target and Connect to a Windows target via RDP clients.
February 6, 2023
Store the DPA strong account in Privilege Cloud for central account management
DPA allows you to securely store a strong account that is used to provision an ephemeral user just-in-time. The best practice for such an account is to manage it in CyberArk PAM. With this release, you can now store the strong account used for Windows AWS in the Privilege Cloud Vault, allowing you to centrally store this account with all other accounts, and easily rotate, control, and manage it.
For more, see Add and manage strong accounts.
Easy SSH Connection to multiple servers by using MFA caching
End users connecting to Linux targets can now enter their MFA details just once and then, in a configurable time period, connect to multiple targets with minimal user input. The user authenticates to DPA and downloads an SSH key, and uses that key in an SSH command to connect to the desired targets via DPA. This feature can easily be enabled on the DPA Settings page.
For more details on how to configure this, see MFA caching and for more details on how to use, see Connect to a Linux target using MFA caching.
Short SSH connection command using an alias
For short and easy connection commands, an alias can be created so end users don’t need to enter their details every time they make a connection.
For more, see Create and run alias commands.
New Policies API provides workflow integration and other automation capabilities
You can now automate creation of DPA policies by using the access policies API. You can integrate DPA with your ITSM ticketing system, create and update access policies on user request, and automatically create or update a policy for a new team member or for a new project.
For more details on how to leverage the DPA policies API, see Integrate with your ticketing system.
Extended network range to simplify DPA deployment
Configuration of Account IDs for Amazon AWS and Subscription IDs for Azure on a connector pool is now supported, for a wider range of networks.
For more, see Connector pools.
January 18, 2023
DPA and PSM installation
Now you can install your DPA connector on the same machine where you have installed a Privilege Cloud connector. If you have PAM Self-Hosted, you can install your DPA connector on the same machine where you have installed your PSM.
This functionality decreases the footprint as only one machine is needed for both DPA and Privilege Cloud connectors/PSM Self-Hosted.
-
This functionality is available with Privilege Cloud or PAM Self-Hosted version 13.0, where Privilege Cloud and PAM Self-Hosted are using a new unified GPO for both CPM and PSM. For more details about the unified GPO, see here.
-
The Privilege Cloud connectors/PSM Self-Hosted must be domain-joined to benefit from this functionality.
November 15, 2022
Connection guidance added to access policies page
Now, once you have created a policy, a Connection guidance link displays at the top right of the Recurring access policies page.
Clicking Connection guidance opens a form to help you use your RDP/SSH client to connect to your target using DPA.
October 23, 2022
Use APIs to automate DPA deployment in large scale environments
Organizations with large scale and dynamic environments need to make their DPA deployment as efficient as possible. If you have a high number of AWS accounts / Azure subscriptions, or a dynamic environment where new VMs are often spun up, you can benefit from automatic deployment of the DPA connectors and CA public keys.
You can now automate the following DPA scenarios using the DPA APIs as described in the Developer section:
-
Download, deploy and manage DPA connectors
-
Deploy a CyberArk SSH CA public key on target VMs to securely access them with DPA
Other scenarios that will soon be available for automation are create a DPA policy and onboard an entire AWS organization.
Include individual users in DPA access policies
DPA policies specify the identities that are allowed to access VMs and servers. Before now, we supported CyberArk identity roles and AD groups.
With this release, you can have more granularity by adding individual users in the access policy.
August 29, 2022
DPA now supports cloud Windows targets in AWS
You can now reduce the risk of standing access rights to your Windows cloud instances (in addition to the previously supported Linux targets), by connecting in a just-in-time manner to these targets through DPA. This is supported for the AWS cloud platform.
To enable just-in-time access to your Windows cloud EC2s in AWS, simply add a new (or edit an existing) AWS account in Platform management and add Windows targets.
You can:
-
Configure multiple AWS domains to be supported by DPA.
-
Add domain accounts for provisioning the ephemeral user on the target machines. Provide domain account credentials to be stored in the DPA service.
For Windows AWS targets, you don’t need to install the Identity connecter. You can utilize a new or existing new DPA connector, as long as it has connectivity to your cloud network.
Limitations:
-
To access a Windows AWS target, you need to upgrade your DPA connectors and have at least one connector installed on a Windows machine in the related connector pool.
-
For Windows on-prem targets, you still need to install the Identity connector together with the DPA connector.
July 27, 2022
Connect with personal user via SSH
DPA can now connect users to Linux target machines using their personal user. Customers who use local personal users or utilize centralized user management solutions (such as AD bridge solutions) for access to Linux machines can now configure DPA policies to use the authenticated user as the target profile instead of choosing a shared account (root, EC2-user).
Support organizations' outbound web-proxy
Some organizations use a proxy server, which adds an additional layer of security between their servers and outside traffic. DPA connectors that are deployed in a customer's environment help comply with the organization's standards by supporting outbound connection to the DPA service through their web proxy.
SAML-based authentication with external Identity Providers to connect natively to Linux targets
In addition to RADIUS-based authentication factors and built-in Identity MFA, you can use your external Identity Providers to provide SAML-based authentication to DPA when accessing Linux target machines. This capability was already available for connecting to Windows, and is now available for connecting to Linux as well.
For example, John wants to connect just-in-time to a Linux target machine. He launches a DPA session from his native SSH client. Since his organization is configured to work with an external Identity Provider, he can authenticate using a URL that directs him to his IdP. From there, he authenticates and seamlessly connects to the target.
May 16, 2022
Simplify and reduce the footprint of your DPA deployment by using connector pools
Until now, you were required to install one connector for each segregated subnet to use DPA. For large and segregated networks, this would require multiple connectors creating operational and cost overhead.
Today, by using connector pools, DPA connectors can be installed to cover a broad network.
Connector pools enable you to define a cloud network, that can consist of multiple subnets and VPCs/VNets, and assign connectors to the pool, to provide access to the network.
You can have one connector in the pool to serve all the targets in the defined network. Additionally, for high availability and scalability, you can add multiple connectors.
The following diagram describes an example of connectivity for a defined AWS cloud network using a connector pool and a single DPA connector for the pool:
In this example network, we created one connector pool and defined the network coverage to include VPC A and VPC B and assigned the DPA Connector to the pool.
Connector pools are supported for the following cloud platforms:
-
AWS
-
Azure
April 4, 2022
SAML-based authentication with external Identity Providers to connect natively to Windows targets
In addition to RADIUS based authentication factors and built-in Identity MFA, you can use your external Identity Providers to provide SAML-based authentication to DPA when accessing Windows target machines.
For example, John wants to connect just-in-time to a Windows target machine.
He launches a DPA session from his native RDP client. Since his organization is configured to work with an external Identity Provider, he can authenticate using a URL that directs him to his IDP. From there, he authenticates and seamlessly connects to the target.
February 28, 2022
Securely transfer files to and from Linux targets
*NIX administrators can now use DPA's just-in-time functionality to securely transfer files to and from Linux targets using native clients.
DPA supports Native SFTP clients such as WinSCP and FileZilla or the SCP command.
In the following example an end user connects to a Linux target through DPA's SSH gateway to securely transfer files:
February 20, 2022
Session diagnostic view (Beta)
Administrators can now view end users’ connections to SSH cloud targets through DPA. This new view provides administrators the ability to track connections status and troubleshoot connection errors.
December 27th, 2021
Introducing Dynamic Privileged Access
We are proud to introduce Dynamic Privileged Access, a new born-in-the-cloud, SaaS-delivered service and part of the Identity Shared Services Platform.
DPA provisions just-in-time access to cloud-hosted virtual machines and on-premise environments, reducing risk and enabling organizations to unlock the operational efficiencies.
DPA was designed to help reduce the risk associated with standing access to the IT estate. For day-to-day operations, administrators, DevOps engineers and business owners experience privileged access exactly when they require it for high-frequency-access use cases. For one-time tasks, support engineers receive ad-hoc, ITSM-ticket-initiated, session-limited, privileged access to highly sensitive infrastructure for the required amount of time.
DPA enables defining “who” can access “what,” based on the organization’s joiner, mover and leaver rapid changes, as well as the lifetime and business context of dynamic Amazon AWS/Microsoft Azure Linux or on-premises Microsoft Windows servers. Stop using static IDs and start leveraging your already-existing attributes like region, network and custom tags for application, project or environment. For the Microsoft Windows on-premises servers, users can query partial or specific Fully Qualified Domain Names (FQDNs).
Utilize the CyberArk access brokering service that enables users to connect to remote private networks without direct inbound connectivity. Enforce strong, adaptive, multi-factor authentication (MFA) for each specific identity based on behavioral analytics, and establish isolated sessions to your Amazon AWS/Microsoft Azure Linux or Microsoft Windows on-premises environments.
DPA provides support for native connectivity, enabling users to continue leveraging preferred RDP or SSH clients of choice, while enforcing modern MFA methods through the use of personal credentials in a native, browserless fashion.
DPA delivers value on day 1 by establishing agentless, non-intrusive connectivity without exposing the organization’s internal network. The solution is seamlessly integrated into CyberArk’s Identity Security Platform Shared Services, providing unified user management, authentication and component deployment.