Manage users
As a Vault administrator you are responsible for managing users in the Vault: creating, updating, renaming and deleting them, and setting their authorizations. These tasks are carried out in the Users and Groups window of the PrivateArk Client.
Overview
Users are divided into hierarchical levels that mirror the hierarchy of the office environment. Each department can have a User Manager who creates new Users and updates existing Users' properties. A User Manager can manage Users at the same hierarchical level and at lower levels. A User Manager can therefore control the permissions of Users in departments beneath their own in the hierarchy, just as that department's own Manager would.
For example, the Manager of the Engineering department is out of the office for one week, and during that week the permissions of members of that department need to be updated. With this hierarchy, any Department Manager above the Engineering department can alter the permissions of the Engineering department's members so that the team can keep working; they do not have to wait for their own Manager to return to the office.
This feature makes User Management flexible, giving control to a wider group of authorized Users.
User authorizations determine which tasks users can perform in the Vault. Each user is only given the authorizations that they require and no others. This helps to achieve segregation of duties and provides a flexible methodology for controlling user management tasks in the Vault.
Depending on the permissions granted to them, Users of each level can manage other Users who are at the same level or lower than them, giving control and flexibility in user management.
Users who are listed in an LDAP-compliant enterprise directory can also be managed transparently by the Vault. They can be added as Safe members and given security attributes and authorizations depending on their location in the directory. For more information, see Configure transparent user management using LDAP.
Types of users
The CyberArk license defines different types of users that can access the Vault through specific interfaces. The user type is defined when users are added to the Vault and when their properties are updated. All users are assigned a user type, including predefined users and those that are added manually or through an LDAP directory. In addition, Vault users that are used by CyberArk components to access the Vault are assigned a user type.
User Type | Description | Allowed Interfaces |
---|---|---|
EPVUser | EPV end user | PVWA, PrivateArk Client, PrivateArk Webclient, PACLI, PIMSU |
PVWA | Password Vault Web Access component user | PVWA |
BizUser | Business user | PVWA |
PSM | Privileged Session Manager component user | PSM |
PSMUser | PSM end user - used for PSM workflow only | PSM, PVWA |
PSMPServer | PSM for SSH server component user | PSMPAPP |
CPM | Central Policy Manager component user | CPM |
ENE | Event Notification Engine component user | ENE |
AIMAccount | Application Account end user | Application Provider, PVToolkit |
AppProvider | Application Password Provider component user | Application Provider |
OPMProvider | OPM component user | OPM |
OPMUser | OPM end user | PIMSU |
PIMProvider | Application Password Provider and OPM component users | Application Provider, OPM |
POCAdmin | POC Administrative user – used for v8.0 POC installations only | PVWA, PrivateArk Client, PrivateArk Webclient, PACLI, PasswordUploadUtility |

The Authorized Interfaces window identifies each interface or component by the following interface ID:

Authorized Interface/Component | Interface ID |
---|---|
PrivateArk Client, Webclient | WINCLIENT |
PrivateArk Client, Webclient (pre v4.6) | GUI |
Password Vault Web Access | PVWA |
Password Vault Web Access (application user and gateway user) | PVWAApp |
Central Policy Manager | CPM |
Privileged Session Manager | PSM |
Event Notification Engine | ENE |
Application Password Provider | AppPrv |
On-Demand Privileges Manager | PIMSU |
PrivateArk CLI (PACLI) | PACLI |
.NET API (v4.1 and below) | HTTPGW |
You can generate a License Capacity report which enables you to see the maximum number of licenses for each user type or object, and the number of used licenses for each one. For more information about the License Capacity report, refer to Report License Usage.
Add a user to a Vault
The Vault administrator is responsible for adding new users to the Vault. This process involves assigning a user name and password, defining permissions, and other managerial tasks.
To add a new user:
- Log on to the PrivateArk Client as an administrative user.
- From the Tools menu, select Administrative Tools and then Users and Groups; the Users and Groups window appears.
- In the hierarchy, select the Location where the user will be, then click New, then select User; the New User window appears.
- In the different tabs of the New User window, fill in the information as described below. The General and Authentication tabs are mandatory; the other tabs are optional.
General tab. This tab creates the User account, sets its type and Location, and specifies whether it is a Gateway account. You can also add a picture of the User, which appears in Visual Security displays.

Option | Defines … |
---|---|
User Name | The name of the user, up to 128 characters. The first 28 characters must be unique among user names. |
User type | The user type, which determines the interfaces through which the user can access the Vault. Click Authorized Interfaces to view and modify the interfaces that the selected user type is authorized to use. See Types of users and Update user types and authorized interfaces on this page. |
Location | The user's Location in the organization hierarchy. |
Replace Photo | Selects a photograph of the user for Visual Security. |
Gateway Account | Marks this account as the Gateway account. |
Disable User | Makes the account temporarily inaccessible. |
Quota | The disk space allocated to the User, and the amount currently in use. |
Monitoring | Whether email notifications are sent if the user account cannot connect to its authorized interfaces. |
Authentication tab. This tab sets the authentication method the User will use to log onto the PrivateArk Client and access the Vault.

Option | Defines … |
---|---|
Authentication method | The authentication method the User uses to log onto the PrivateArk Client. |
Require RSA SecurID authentication | The User must also provide a SecurID passcode in addition to the method specified above. |
Password/Confirm | The initial password created for the User, used for the first logon to the Vault. |
User Must Change Password … | The User must change this password at the first logon. |
Password Never Expires | The User's password does not expire; it remains valid until the User chooses to change it. |
Distinguished Name | The User's distinguished name, typed in or selected from a list (for PKI authentication). |
Authorizations tab. This tab sets the authorizations the User has in the Vault. Grant only the ones the user's role requires.

Section | Enables the user to … |
---|---|
Add Safes | Add Safes in the Vault. |
Audit Users | Track user activities in the Vault. |
Add/Update Users | Add and update users, manage network areas, and manage Locations at the same level or lower in the Vault hierarchy. |
Reset Users' Passwords | Reset users' passwords and set "User Must Change Password at Next Logon" for users at the same level or lower in the Vault hierarchy. |
Activate Users | Activate or deactivate trusted network areas for users at the same level or lower in the Vault hierarchy. Together with Reset Users' Passwords, this authorization is also required to activate suspended users (see Update users). |
Add Network Areas | Add, update, and remove the network areas that define where the Vault can be accessed from. |
Manage Directory Mapping | Add, update, and remove the directory maps that manage users transparently in the Vault. |
Manage Server File Categories | Add, update, and remove file categories in the Vault. |
Backup All Safes | Run backup procedures. |
Restore All Safes | Run restore procedures. |
The group membership tab adds the User to groups. Groups make Safes easier to manage, because the permissions of several users can be changed in a single step. See Manage groups for more information.
The time limitations tab defines the time restrictions applied to this User's account.

Section | Defines … |
---|---|
History | The number of days this user's account activity records (logon, logoff, user management, and similar tasks) are stored before they can be deleted. If set to zero, this user's activities in the Vault are not written to the audit log at all, so do not use zero for accounts whose activity must be audited. |
Enable this User to logon at | Whether the User can log on to the Vault only during specific hours, or at any time. |
Automatically expire User account on | Whether the account expires on a set date or remains valid indefinitely. |

The following tabs hold reference information for the Vault administrator:
- Personal details – the User's first and last names appear in the Owners list and in User Reports, to make identification easier.
- Phone/Notes
Update users
After a User account has been created, the Vault administrator can update it at any time. This also applies to external Users, except that their General details cannot be modified in the PrivateArk Client, only in the external directory that supplies them.
To update user accounts, the Vault administrator requires the following authorizations:
- Audit Users
- Add/Update Users
To reset users' passwords and activate suspended users, the Vault administrator requires the following authorizations:
- Audit Users
- Reset Users' Passwords
- Activate Users
To update a user account:
- Log on to the PrivateArk Client as an administrative user.
- In the Users and Groups window, select a user, then click Update; the Update User window appears.
- Make the relevant changes in the Update User window (for example, change the password or update the picture), then click OK.
To rename a user:
- Log on to the PrivateArk Client as an administrative user.
- In the Users and Groups window, select the user to rename, then click Rename.
- Type the new name for the user, then click OK.
Delete users
When a User no longer needs their account, delete it from the Vault. Removing accounts that are no longer used keeps the set of users who can reach Vault data to a minimum.
Although you can delete an external User's account in the Vault, the User must also be deleted from the external directory; otherwise a new Vault account is created for them automatically the next time they log on.
To delete a user account:
- Log on to the PrivateArk Client as an administrative user.
- In the Users and Groups window, select a User, then click Delete; a confirmation box appears.
- Click Yes to remove the User's account and prevent the User from logging on.
Update user types and authorized interfaces
A user’s type and authorized interfaces can be updated in the same way as all their other user account properties.
To update a user's type:
- In the Users and Groups window, select a user, then click Update; the Update User window appears.
- In the General tab, from the User type drop-down list, select the user type to apply to the user account.
- Click Authorized Interfaces; the Authorized Interfaces window appears. This window lists all the interfaces that the selected user type can access, as defined in the license.
To add authorized interfaces to the user account:
- In the Available Interfaces list, select the interface that the user will be able to use, then click the left-pointing arrow to move it to the Authorized Interfaces list.
- When the Authorized Interfaces list contains all the interfaces that the user should be able to access, click OK.
To remove authorized interfaces from the user account:
- In the Authorized Interfaces list, select the interface to disable for this user, then click the right-pointing arrow to move it to the Available Interfaces list.
- When the Authorized Interfaces list contains only the interfaces that the user should be able to access, click OK.
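The following PowerShell script is an added example, not code from the CyberArk documentation. It automates with PACLI the procedures described above: the Add a user tabs (user type, Location, password authentication with a forced change at first logon, history retention, and a least-privilege set of Vault authorizations for a delegated User Manager) and the update of an existing user's type and authorized interfaces. Everything named in it is a placeholder or an assumption: the PACLI.exe and Vault.ini paths, the Vault name 'Vault', the administrative user 'Administrator', the Location '\Engineering', and the user names 'jdoe', 'eng.usermgr' and 'legacy.user'. The PACLI command and parameter names (ADDUSER, UPDATEUSER, USERDETAILS, USERTYPENAME, AUTHORIZEDINTERFACES, RETENTION, the YES/NO authorization parameters, and so on) are written from the PACLI reference as recalled here and must be checked against the reference for your version before the script is relied on.

```powershell
# Added example (not CyberArk's code): provision Vault users with PACLI and
# tighten an existing user's authorized interfaces. All names are placeholders
# and all PACLI parameter names are assumptions to verify against the PACLI
# reference for your version.

$Pacli    = 'PACLI.exe'                                             # assumed on PATH
$ParmFile = 'C:\Program Files (x86)\PrivateArk\Client\Vault.ini'    # assumed location
$Vault    = 'Vault'
$Admin    = 'Administrator'

# Runs one PACLI command. Text values are wrapped in double quotes (PACLI needs
# that for values with spaces); the assembled line is handed to the process
# verbatim so PowerShell does not re-quote it. A non-zero exit code is an error.
function Invoke-Pacli {
    param(
        [Parameter(Mandatory)][string]$Command,
        [System.Collections.IDictionary]$Params = @{},
        [string]$Trailer = ''             # e.g. 'OUTPUT(ALL,ENCLOSE)'
    )
    $parts = @($Command) + @($Params.GetEnumerator() | ForEach-Object {
        if ("$($_.Value)" -match '^\d+$') { "$($_.Key)=$($_.Value)" }
        else { '{0}="{1}"' -f $_.Key, $_.Value }
    })
    if ($Trailer) { $parts += $Trailer }
    $p = Start-Process -FilePath $Pacli -ArgumentList ($parts -join ' ') -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "PACLI $Command failed with exit code $($p.ExitCode)" }
}

# Secrets are prompted, never hard-coded. PASSWORD= still appears on the PACLI
# command line of this process; for unattended runs use LOGON with LOGONFILE=
# (a credential file created with CreateCredFile) instead of PASSWORD=.
function Get-Plain([securestring]$s) { [System.Net.NetworkCredential]::new('', $s).Password }
$adminPwd = Read-Host -AsSecureString "Password for $Admin"
$initPwd  = Read-Host -AsSecureString 'Initial password for the new users (changed at first logon)'

Invoke-Pacli INIT
Invoke-Pacli DEFINEFROMFILE ([ordered]@{ VAULT = $Vault; PARMFILE = $ParmFile })
Invoke-Pacli DEFAULT        ([ordered]@{ VAULT = $Vault; USER = $Admin })
Invoke-Pacli LOGON          @{ PASSWORD = (Get-Plain $initPwd -eq $null ? '' : (Get-Plain $adminPwd)) }
try {
    # 1. An end user: EPVUser type, password authentication, forced change at
    #    first logon, PVWA as the only authorized interface. No Vault-level
    #    authorizations (they default to NO); access to accounts comes from
    #    Safe membership, not from these flags.
    Invoke-Pacli ADDUSER ([ordered]@{
        DESTUSER             = 'jdoe'
        LOCATION             = '\Engineering'     # Location must already exist
        USERTYPENAME         = 'EPVUser'
        AUTHORIZEDINTERFACES = 'PVWA'
        AUTHTYPE             = 'PA_AUTH'
        PASSWORD             = (Get-Plain $initPwd)
        CHANGEPASSWORD       = 'YES'              # "User Must Change Password"
        RETENTION            = 90                 # History tab: days of activity kept
        FIRSTNAME            = 'Jane'
        LASTNAME             = 'Doe'
    })

    # 2. A delegated User Manager for \Engineering: exactly the authorizations
    #    the page lists for updating users, resetting passwords and activating
    #    users, nothing else (no Add Safes, no backup/restore). The hierarchy
    #    limits these rights to \Engineering and its sub-Locations.
    Invoke-Pacli ADDUSER ([ordered]@{
        DESTUSER             = 'eng.usermgr'
        LOCATION             = '\Engineering'
        USERTYPENAME         = 'EPVUser'
        AUTHORIZEDINTERFACES = 'PVWA,WINCLIENT'   # needs the PrivateArk Client for user management
        AUTHTYPE             = 'PA_AUTH'
        PASSWORD             = (Get-Plain $initPwd)
        CHANGEPASSWORD       = 'YES'
        AUDITUSERS           = 'YES'
        UPDATEUSERS          = 'YES'
        RESETPASSWORD        = 'YES'
        ACTIVATEUSERS        = 'YES'
    })

    # 3. Tightening an existing account: a user created with every interface
    #    the license allows for EPVUser is cut back to PVWA only. This is the
    #    scripted equivalent of moving PACLI/WINCLIENT from Authorized
    #    Interfaces to Available Interfaces in the GUI.
    Invoke-Pacli UPDATEUSER ([ordered]@{
        DESTUSER             = 'legacy.user'
        USERTYPENAME         = 'EPVUser'
        AUTHORIZEDINTERFACES = 'PVWA'
    })

    # Verify what the Vault actually holds instead of trusting the calls.
    foreach ($u in 'jdoe', 'eng.usermgr', 'legacy.user') {
        Invoke-Pacli USERDETAILS @{ DESTUSER = $u } -Trailer 'OUTPUT(ALL,ENCLOSE)'
    }
}
finally {
    Invoke-Pacli LOGOFF
    Invoke-Pacli TERM
}
```

Run it from an account whose user type includes PACLI among its authorized interfaces (EPVUser does, per the table above) and that holds the Audit Users and Add/Update Users authorizations; the '\Engineering' Location must exist beforehand. The verification step matters: USERDETAILS shows the type, interfaces and authorizations the Vault recorded, which is the same information the Authorized Interfaces window shows in the GUI.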
Familiarization with other users in the Vault
In the Vault, users only see other users they are familiar with. This prevents users from learning who owns other Safes; for example, a user in the IT department does not need to know that users from the Finance department also use the Vault.
Familiarity is established by at least one of the following:
- The user has the Audit Users authorization in the Vault. Such a user is familiar with all users in their own Location and its sub-Locations in the user hierarchy.
- Users who share a Safe and have the View Safe Members authorization in it are familiar with each other, so they can see each other in the users' hierarchy.
- Users who are members of the same group are familiar with each other.