Automatically unlock accounts

The master policy enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. For details, see Enforce check-in/check-out exclusive access. After the user has used the password, the user checks the password back into Privilege Cloud. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password.

PSM can automatically unlock these exclusive accounts after a PSM session ends.


  • The enforce check-in\check-out exclusive access master policy rule is activated on the account platform.

  • Make sure that your Privilege Cloud Connector (or Connectors in case of multiple PSMs) is version 11.7 or higher.

Enable automatic unlock

  • The PSM machine must have trusted communication to the Privilege Cloud portal server.

  • Perform this task only if your Privilege Cloud Connector version 12.1.1 and lower.

  1. Manually run the ApiKeyManager.exe from <PSMInstallationfolder>\Vault. (The PSM installation folder that you entered during the Connector installation.)

    ApiKeyManager.exe add -f "<PSM installation folder path>\Vault\apigw.cred" -t <PSM app User> -u <admin username> -a <Privilege Cloud Portal url>/api





    Located in: <PSM installation folder>\vault\ psmapp.cred

    Username=< PSMApp User name>

    admin username

    CyberArk user, such as the one used during installation

    For example:


    ApiKeyManager.exe add -f "C:\Program Files (x86)\CyberArk\PSM\Vault\apigw.cred" -t PSMApp_ab12345 -u administrator -a

  2. Add the following to the vault.ini file (located in: <PSM installation folder>\vault\):

    Addresses="<Privilege Cloud Portal url>/api"
    ApiKeyPath="<PSM installation folder path>\Vault\apigw.cred"

Configure automatic unlock in the Privilege Cloud Portal

You must have permissions to configure platforms to perform this procedure.

To configure automatic unlock:

  1. In the Privilege Cloud Portal, open the relevant platform for editing. For details, see Edit a platform.

  2. In the left pane, click UI & Workflows > Privileged Session Management, and then set ExclusiveUnlockAfterPSMSession to Yes.

  3. Save your changes.

Configure Safes for PSM automatic unlock


Perform the following procedure only if you have Safes that you created before you upgraded the Connector to version 11.7.

PSM must have unlock permission on Accounts Safes to release accounts after use.

Run the SetSafesForPSMUnlockTool.exe to apply these permissions to existing Safes.

  • The tool adds the required permission on Account Safes where the user has sufficient permissions to do so. If there is one group of owners for all the Account Safes, one of the owners in this group runs the tool to apply the required permissions on all Account Safes. If the Account Safes are divided among different groups of owners, one of the owners in each group runs the tool to apply the required permissions on the group's Account Safes.
  • Internal Safes are excluded.

To apply the unlock permission to the Safe :

  1. Download from the CyberArk marketplace to your workstation.

  2. Unzip the file.

  3. Run SetSafesForPSMUnlockTool.exe.


    The tool requires:

    • .Net 4.0 or higher


    SetSafesConfiguration.exe /user <username> /logontype <logon type> /password <password> /url <Privilege Cloud Portal url>





    Admin user name.

    Get this information from CyberArk support.


    Authentication method to Privilege Cloud.

    The script supports the following authentication methods: Cyberark, LDAP, RADIUS, Windows. If not specified, the script uses Cyberark authentication.


    User's password


    Privilege Cloud Portal url used for REST calls

    /exclude <Exclude file path >

    Use this parameter to add the relevant PSM permission to all Safes except the Safes that are written in the exclude file.

    If not specified, the script uses the excludedSafes.txt file located in the same path.

    /include < Include file path >

    Use this parameter to add the relevant PSM permission only to the Safes specified in the include file.

    For example:


    SetSafesForPSMUnlockTool.exe /user username /logontype ldap admin_12 /password pass /url exclude.txt

Notes and limitations

  • When you use an account for several connections , the account is unlocked when the first session terminates.
  • Unlocking accounts whose platform was activated for check-in/check-out exclusive access or one-time password access can interfere with these flows.For details, see Enforce check-in/check-out exclusive access. Be aware of this when configuring platforms with PSM automatic unlock.