The master policy enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time.
PSM can automatically unlock these exclusive accounts after a PSM session ends.
The enforce check-in/check-out exclusive access master policy rule is activated on the account platform.
- Make sure that your Privilege Cloud Connector (or Connectors in case of multiple PSMs) is version 11.7 or higher.
Enable automatic unlock
Manually run ApiKeyManager.exe from <PSM installation folder>\Vault (the PSM installation folder that you entered during the Connector installation):
ApiKeyManager.exe add -f "<PSM installation folder path>\Vault\apigw.cred" -t <PSM app User> -u <admin username> -a <Privilege Cloud Portal url>/api
Parameters:
- -f: Path of the API key credential file to create, <PSM installation folder path>\Vault\apigw.cred.
- -t: The PSMApp user name. Located in <PSM installation folder>\vault\psmapp.cred, on the line Username=<PSMApp User name>.
- -u: A CyberArk user, such as the one used during installation.
- -a: The Privilege Cloud Portal URL, followed by /api.
Example:
ApiKeyManager.exe add -f "C:\Program Files (x86)\CyberArk\PSM\Vault\apigw.cred" -t PSMApp_ab12345 -u administrator -a https://xyz.eu.com/PasswordVault/api
Add the following to the vault.ini file (located in <PSM installation folder>\vault\):
[API]
Addresses="<Privilege Cloud Portal url>/api"
ApiKeyPath="<PSM installation folder path>\Vault\apigw.cred"
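The two steps above (generate apigw.cred, then register it in vault.ini) are usually done by hand on each Connector. The following PowerShell script is an added example, not CyberArk's own tooling: it reads the PSMApp user name from the Username= line of psmapp.cred, runs ApiKeyManager.exe with the parameters documented above, and then adds or replaces the [API] section in vault.ini, keeping a backup. The installation path default, the portal URL and the admin user name are placeholders for your environment; the script assumes that appending the [API] section at the end of vault.ini is acceptable, which is what the page's instruction to "add the following" implies.

```powershell
# Added example (not CyberArk code): configure the PSM API key for automatic unlock.
# Assumptions: default install path below is a placeholder; PortalUrl is the Privilege
# Cloud Portal base URL (e.g. https://xyz.eu.com/PasswordVault, a constructed value).
param(
    [string]$PsmInstallFolder = 'C:\Program Files (x86)\CyberArk\PSM',
    [Parameter(Mandatory)][string]$AdminUser,
    [Parameter(Mandatory)][string]$PortalUrl
)

$vaultDir   = Join-Path $PsmInstallFolder 'Vault'
$apiKeyPath = Join-Path $vaultDir 'apigw.cred'
$vaultIni   = Join-Path $vaultDir 'vault.ini'
$psmAppCred = Join-Path $vaultDir 'psmapp.cred'
$apiAddress = $PortalUrl.TrimEnd('/') + '/api'

foreach ($f in @($vaultIni, $psmAppCred, (Join-Path $vaultDir 'ApiKeyManager.exe'))) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

# 1. Take the PSMApp user name from the Username= line of psmapp.cred.
$usernameLine = Select-String -Path $psmAppCred -Pattern '^Username=' | Select-Object -First 1
if (-not $usernameLine) { throw "No Username= line found in $psmAppCred" }
$psmAppUser = ($usernameLine.Line -split '=', 2)[1].Trim()

# 2. Create the API key credential file with the documented 'add' parameters.
& (Join-Path $vaultDir 'ApiKeyManager.exe') add -f $apiKeyPath -t $psmAppUser -u $AdminUser -a $apiAddress
if ($LASTEXITCODE -ne 0) { throw "ApiKeyManager.exe failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $apiKeyPath)) { throw "Expected credential file was not created: $apiKeyPath" }

# 3. Add (or replace) the [API] section in vault.ini so the step is safe to re-run.
Copy-Item -Path $vaultIni -Destination "$vaultIni.bak" -Force
$content = Get-Content -Path $vaultIni -Raw
# Drop any existing [API] section: from its header up to the next section header or end of file.
$content = [regex]::Replace($content, '(?ms)^\[API\].*?(?=^\[|\z)', '')
$apiSection = @"
[API]
Addresses="$apiAddress"
ApiKeyPath="$apiKeyPath"
"@
Set-Content -Path $vaultIni -Value ($content.TrimEnd() + "`r`n`r`n" + $apiSection)
Write-Host "Wrote [API] section to $vaultIni (backup at $vaultIni.bak)"
```

Run it from an elevated prompt on the Connector, for example `.\Set-PsmApiKey.ps1 -AdminUser administrator -PortalUrl https://xyz.eu.com/PasswordVault` (file name and values are placeholders). The script quotes Addresses and ApiKeyPath exactly as the page shows, and the backup lets you diff vault.ini afterwards to confirm that only the [API] section changed.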
Configure automatic unlock in the Privilege Cloud Portal
You must have permissions to configure platforms to perform this procedure.
To configure automatic unlock:
In the Privilege Cloud Portal, open the relevant platform for editing. For details, see Edit a platform.
In the left pane, click UI & Workflows > Privileged Session Management, and then set ExclusiveUnlockAfterPSMSession to Yes.
Save your changes.
Configure Safes for PSM automatic unlock
Perform the following procedure only if you have Safes that you created before you upgraded the Connector to version 11.7.
PSM must have unlock permission on Accounts Safes to release accounts after use.
Run the SetSafesForPSMUnlockTool.exe to apply these permissions to existing Safes.
To apply the unlock permission to the Safes:
Download SetSafesForPSMUnlockTool.zip from the CyberArk marketplace to your workstation.
Unzip the file.
The tool requires:
- .Net 4.0 or higher
Run the tool with the following syntax:
SetSafesConfiguration.exe /user <username> /logontype <logon type> /password <password> /url <Privilege Cloud Portal url>
Parameters:
- /user <username> and /password <password>: Admin user name and its password. Get this information from CyberArk support.
- /logontype <logon type>: Authentication method to Privilege Cloud. The script supports the following authentication methods: Cyberark, LDAP, RADIUS, Windows. If not specified, the script uses Cyberark authentication.
- /url <Privilege Cloud Portal url>: Privilege Cloud Portal URL used for REST calls.
- /exclude <Exclude file path>: Use this parameter to add the relevant PSM permission to all Safes except the Safes that are listed in the exclude file. If not specified, the script uses the excludedSafes.txt file located in the same path.
- /include <Include file path>: Use this parameter to add the relevant PSM permission only to the Safes specified in the include file.
Example:
SetSafesForPSMUnlockTool.exe /user admin_12 /logontype ldap /password pass /url https://abc.eu.com /exclude exclude.txt
Notes and limitations
- When you use an account for several connections, the account is unlocked when the first session terminates.
- Unlocking accounts whose platform was activated for check-in/check-out exclusive access or one-time password access can interfere with these flows. For details, see Enforce check-in/check-out exclusive access. Be aware of this when configuring platforms with PSM automatic unlock.