This section provides limitations of the CyberArk Vault Synchronizer.

General Vault Synchronizer limitations

  • High availability is not supported

  • When working with multiple Vault Synchronizers:

    From multiple Vaults/Privilege Clouds to a single Conjur cluster

    Each Vault Synchronizer syncs its own configured Vault/Privilege Cloud.

    For maximum Vault/Privilege Cloud and Conjur performance, we recommend synchronizing up to 3 Vaults/Privilege Clouds.

    From a single Vault to multiple Conjur clusters

    (PAS only)

    Each Vault Synchronizer syncs from the Vault to its own configured Conjur cluster.

    We support up to 5 Vault Synchronizers, each syncing to a single Conjur cluster.

  • Synced accounts per LOB:

    • You can sync accounts from up to 10 LOBs to each Conjur cluster.

    • Each LOB can support up to 6,000 accounts, totaling a maximum of 60,000 accounts in each Conjur cluster.

    • When the Sync additional properties flag (SYNC_ALL_PROPERTIES) is false, each LOB can support up to 15,000 accounts, totaling a maximum of 150,000 accounts in each Conjur cluster.

  • We support two accounts in a dual account group.

  • Secret values that are synced from the Vault/Privilege Cloud must not be changed in Conjur. If such a secret value is changed, unexpected behavior may occur. Change secret values only in their source accounts in the Vault/Privilege Cloud.

  • The Vault Synchronizer syncs accounts found in the root folder of the Safe. Accounts located in sub-folders are not synced to Conjur.

  • The Vault Synchronizer skips any Safe name, account name, or virtual user name of a dual account that begins with a special character and logs an error.

  • The colon (:) symbol is not supported in the following names: Vault name, LOB user name, Safe name, Account name, Account property name (File category name), Virtual user name.

Deletion limitations

  • If you delete an account property without deleting the account, the Vault Synchronizer cleanup does not delete the variable associated with that property.

  • If you rename an account or Safe, the Vault Synchronizer will recreate these accounts and Safes with their new name, and delete the old accounts or Safes. This means that their permissions in Conjur must also be recreated to access them.

Upgrade limitations

To upgrade you must have:

  • CyberArk Vault Synchronizer v.10.4 or later.

  • CyberArk Vault Synchronizer installed with Secrets Manager Conjur Enterprise 10.9 or later.