Predefined users and groups

The Vault automatically creates several users and groups during installation and upgrade. These users are created to carry out administrative tasks.

Predefined groups are added automatically to every Safe in the Vault, and the corresponding predefined user is added as a member. Users who are added to these groups immediately become owners of all the Safes, according to the Group’s authorizations in the Safes. These groups can be removed from the Safes according to the Vault configuration.

 

In Vaults that have been upgraded from previous versions, the predefined groups will only be added to Safes that are currently owned by the corresponding predefined users. These users will become members of a predefined group as well as remaining direct Safe members.

Although the users and groups are created automatically, all of these user accounts, except Master, are disabled. You must activate them before you can use them.

Activate predefined users and groups

Activate the predefined users and groups that you want to use.

To activate predefined users and groups:

  1. Log on to the PrivateArk Client as the Master User.

  2. In the General tab of the User properties window, clear the Disable User checkbox.

  3. In the Authentication tab, change the default passwords.

    These users have important permissions, and their passwords must be non-obvious and known only by authorized users.

Predefined users

Following is a list of predefined users that you can activate and use.

User

Description

Administrator

This user appears on the highest level of the User hierarchy and has all possible permissions. As such, it can create and manage other Users on any level on the User hierarchy.

Auditor

This user is a member of the Auditors group. This user appears at the top of the User hierarchy, enabling it to view all the Users in the Safe. The Auditor User can produce reports of Safe activities and User activities. This enables it to keep track of activity in the Safe and User requirements.

Backup

This user is a member of the Backup Users group. It has the Backup Safe authorization, and can back up all, several, or individual Safes.

Batch

This user is an internal user that cannot be logged onto. This user carries out internal tasks, such as automatically clearing expired user and Safe history.

DR

This user is a member of the DR Users group and is specifically for use in Disaster Recovery. This user can replicate the Safes in the production Vault to the Disaster Recovery Vault, keeping it continuously up-to-date.

Master

This user has all the available Safe member authorizations, except Authorize password requests, and therefore has complete control over the entire system. This user is used to manage a full recovery when necessary. The Master user can only log in with the Master CD, which contains the Private Recovery Key.

In addition, the Master User enables the predefined Users immediately after installation, as well as the initial network areas that enable other Users to begin working with the PrivateArk Client. It cannot be removed from any Safe.

NotificationEngine

This user is installed with the Event Notification Engine (ENE). It retrieves information about activities that occur in Safes as well as contact details of recipients so that the ENE can send notifications. It is a member of the Notification Engines group.

Operator

This user is a member of the Operators group that has the Manage Safe authorization which enables it to update the Safe properties and carry out other administrative operations, such as compressing the Safe and changing the size of the Safe.

As the Operator user does not have any of the authorizations that would enable it to view the contents of a Safe, when it opens the Safe the Open Safe icon appears but not the Safe contents. In addition, it cannot view Safe logs or the Owners list.

POCAdmin

This user is installed as part of the POC installation for the Privileged Access Manager - Self-Hosted solution. It is for POC installations only and should not be used in other Privileged Access Manager - Self-Hosted versions.

Remove predefined users

 

Before removing any predefined users, contact your CyberArk support representative.

All predefined users, except the Master user, can be removed from Safes that they were added to automatically during Safe creation. The PreDefinedUsersOwnerRemoval parameter in DBParm.ini determines whether all of the predefined users, none of them, or only the Auditor and Operator users can be removed.

By default, this parameter is set to ‘None’, meaning that immediately after installation no predefined users can be removed from Safes.

To remove predefined users:

  1. In DBParm.ini, add the PreDefinedUsersOwnerRemoval parameter and specify the name of the predefined user to remove.

    For example, PreDefinedUsersOwnerRemoval=Batch

  2. Restart the Vault server.

For details about the parameters in DBParm.ini, see CyberArk Vault Server Parameter Files

Predefined groups

Following is a list of predefined groups that you can activate and use.

Group

Description

The Vault Admins

The Vault Admins group is a group of Vault administrators. This group can be added to Safes with all Safe member authorizations. This group is added automatically to the following Safes:

  • System Safe

  • Notification Engine Safe

  • All the Safes that are created during CPM installation and modified during CPM upgrade (<CPM User>, <CPM User>_workspace, and <CPM User>_info)

  • The configuration Safes that are created during PVWA installation (PVWAUserPrefs, PVWAConfig, PVWATicketingSystem, and VaultInternal)

  • The PSM Safe where the PSM user’s password is stored, and Recording Safes where session recordings are stored.

Auditors

The Auditors group has the View audit and View Safe Members authorizations, which enables members to view the contents of the Safe, the activity logs, and the Owners list. The predefined Auditor user is added automatically to this group.

Backup Users

The Backup Users group has the Backup Safe authorization, which enables members to back up all, several, or individual Safes. It is recommended to use members of this group for backup operations and not grant this authorization to individual users. The predefined Backup user is added automatically to this group.

DR Users

The DR Users group has the Backup Safe authorization and is used in Disaster Recovery. It is recommended to use members of this group for replication and not grant this authorization to individual users. The predefined DR user is added automatically to this group.

Notification Engines

The Notification Engines group is a group of NotificationEngine users that are added during ENE installation, and which enable the ENE to send notifications about activities in the Safes. This group has the View audit and View Safe Members authorizations so that it can monitor activities in the Safe, but does not have access to any information.

Operators

The Operators group has the Manage Safe authorization, which enables members to update the Safe properties and carry out other administrative operations, such as compressing the Safe and changing the size of the Safe. The predefined Operator user is added automatically to this group.

PVWAGWAccounts

The PVWAGWAccounts group is a group of gateway accounts that is shared with all Safes that will be accessed through the PVWA.

PVWAAccountsFeedAdmins

This group can perform all Accounts Feed tasks:

This group is automatically added to the following Safes:

  • PasswordManagerShared

  • PasswordManager_Pending

  • AccountsFeedADAccounts

  • AccountsFeedDiscoveryLogs

And has the following permissions in the above Safes:

  • Monitor Safe

  • Retrieve files from Safe

  • Store files in Safe

  • Delete files from Safe

  • Administer Safe

Remove predefined groups

 

Before removing any predefined groups, contact your CyberArk support representative.

All predefined groups can be removed from Safes that they were added to automatically during Safe creation. The PreDefinedGroupsOwnerRemoval parameter in DBParm.ini determines whether all of the predefined groups, none of them, or only the Auditors and Operators groups can be removed.

By default, this parameter is set to ‘None’, meaning that immediately after installation no predefined groups can be removed from Safes.

To remove a predefined group:

  1. In DBParm.ini, add the PreDefinedGroupsOwnerRemoval parameter and specify the name of the predefined group to remove.

    For example, PreDefinedGroupsOwnerRemoval=Operators

  2. Restart the Vault server.

For details about the parameters in DBParm.ini, see CyberArk Vault Server Parameter Files
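The two removal parameters described under Remove predefined users and Remove predefined groups can be checked in a configuration review with a short script. The following is an added example, not CyberArk code: it assumes DBParm.ini holds Name=Value lines, that several names are comma-separated, and that "All" is the spelling of the allow-everything value; the sample file content and ExampleOtherParameter are constructed.

```python
# Added example, not CyberArk code. Assumptions: DBParm.ini holds Name=Value
# lines, names and values compare case-insensitively, several names are
# comma-separated, and "All" is the spelling of the allow-everything value.
KNOWN = {
    "PreDefinedUsersOwnerRemoval": {
        "administrator", "auditor", "backup", "batch", "dr", "master",
        "notificationengine", "operator", "pocadmin"},
    "PreDefinedGroupsOwnerRemoval": {
        "vault admins", "auditors", "backup users", "dr users",
        "notification engines", "operators", "pvwagwaccounts",
        "pvwaaccountsfeedadmins"},
}

# Constructed sample; ExampleOtherParameter is a placeholder, not a real key.
SAMPLE_DBPARM = """\
ExampleOtherParameter=1
PreDefinedUsersOwnerRemoval=Batch
"""

def read_params(text):
    """Return the removal parameters that are explicitly set (last one wins)."""
    wanted = {name.lower(): name for name in KNOWN}
    found = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip().lower() in wanted:
            found[wanted[name.strip().lower()]] = value.strip()
    return found

def audit(text):
    """Map each parameter to its effective value and a list of findings."""
    found = read_params(text)
    report = {}
    for param, known in KNOWN.items():
        value = found.get(param, "None")  # the page's stated default
        names = [n.strip() for n in value.split(",") if n.strip()]
        findings = []
        if value.lower() != "none":
            findings.append(f"removal enabled: {value}")
        for n in names:
            low = n.lower()
            if low == "master" and param.startswith("PreDefinedUsers"):
                findings.append("Master cannot be removed from any Safe")
            elif low not in known and low not in ("all", "none"):
                findings.append(f"not a predefined name on this page: {n}")
        report[param] = {"set": param in found, "effective": value,
                         "findings": findings}
    return report
```

Call audit() on the text of the DBParm.ini under review; a parameter that is absent is reported with the default None, and a line whose name carries any prefix character is treated as not set.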