Enable securely sharing non-app secrets and app credentials

This topic describes how to give CyberArk Identity end users the ability to share non-app secrets or User Password business application credentials with other CyberArk Identity end users, without requiring you to configure and deploy those applications first. For example, without your assistance, a team lead can grant access to a set of their business applications to other team members, then give those team members permission to view or edit the shared credentials.

CyberArk Identity end users can share the following app types:

The following workflow shows the steps required to allow users to share non-app secrets and User Password business application credentials with other CyberArk Identity users.

Before you begin

Complete the steps in Store Secured Items and business application credentials in the PAM - Self-Hosted vault before enabling users to share non-app secrets and business application credentials.

Create the Shared Credentials Role and add users

Add users to a Role with the Shared Credentials Administrative Right to enable them to share non-app secrets and business application credentials.

Step 1: Create a Role with the Shared Credentials Administrative Right.

You can create a new Role with the Shared Credentials Administrative Right, or add the Shared Credentials Administrative Right to an existing Role.

To create a new Role, you need to be in a Role with the System Administrator or Role Management Administrative Right.
  1. In the Admin Portal, click Core Services > Roles.
  2. Click Add Role.
  3. Type the Role name and an optional description, then click Save.

  4. Click Administrative Rights > Add.
  5. Select the check box next to Shared Credentials, then click Add.

    For a description of the administrative rights, see Admin Portal administrative rights.

Step 2: Add users to the Shared Credentials Role.

  1. Click Members > Add to display the Add Members dialog box.

  2. Start typing the user name, Active Directory/LDAP group name, or Role name to search for and select members, then click Add.

    If your selection is part of an Organization, those users can only share with other users in their Organization.

    Users that receive a shared non-app secret or application do not need to be in a Role with the Shared Credentials Administrative Right; only users sharing their application credentials need to be in a Role with the Shared Credentials Administrative Right.
  3. Click Save.

Step 3: (Optional) Configure the User Shared Apps policy to require MFA for access.

For added security, you can optionally configure an authentication profile for shared business applications so that multi-factor authentication (MFA) is enforced when the user accesses the credentials of the shared application.

  1. In the Admin Portal, click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Click User Security Policies > User Account Settings.

  3. In User Shared Apps, select an authentication profile that an end user (not the owner of the application) must satisfy to launch the shared application and to view or edit the shared application credentials.

    Users that satisfy the same multi-factor authentication challenges when they sign in to the User Portal, within the specified Challenge Pass-Through Duration, are not prompted for MFA when they access the shared application.

  4. Click Save.

Step 4: (Optional) Configure settings to transfer application credential ownership to another user.

If an application owner is deprovisioned from CyberArk Identity, application access is removed for all recipients of the shared application. To allow those recipients to continue using the application, you can transfer application credential ownership to another user in the event that the original owner is deprovisioned from CyberArk Identity.

Application credentials shared by suspended users continue to be available to share recipients.
  1. In the Admin Portal select Core Services > Policies > User Security Policies > User Account Settings > User Shared Apps.

  2. Select the check box next to Transfer ownership of shared app credentials.

  3. Select the Owner type (Manager or Specified User) and click Add to enter a priority list to transfer ownership.

    Credential ownership is transferred to one user at a time, in the order specified in the Owner List. For example, if the owner list includes two names, ownership is transferred to the first name or Manager in the list. If the first person is not available in CyberArk Identity, the next person in the list is used, and so on.

    Owner types:

    • Manager: Transfers ownership of the shared application to the manager specified in the Users > Account page for the original application owner. If no manager is specified in the Users > Account page and the original owner is deprovisioned from CyberArk Identity, the shared application is no longer available to recipients of the shared application.

    • Specified User: Transfers ownership of the shared application to the user(s) you select.

    If you want the new owner to have the ability to share the application with new recipients, make sure they are in a Role with the Shared Credentials Administrative Right; otherwise the new owner can't share the application credentials with new recipients.
  4. Click Save.

Refer to Manage credentials with Workforce Password Management for information on how users can share a User Password application in their User Portal with another user.

Create reports for shared application events

This topic describes how to create custom reports to capture CyberArk Identity shared application events. You can capture an audit history for the following:

  • Updates to password permissions for shared applications

  • Ownership transfers of shared applications

  • Updates to credentials for shared applications

To create a report for shared application events

  1. Log in to the Admin Portal and select Core Services > Reports.

  2. Click New Report and enter a name in the New Report text box.

  3. In the Editor, click Edit Script and then click Yes at the Edit Script message.

  4. Copy one of the following scripts and paste it into the script editor:


    Audit history of updates to password permissions for shared applications

    Create this report to view changes to shared application password permissions. For instance, event data is captured for changes made to permissions (None, View, Edit) in the User Portal > Application Settings > Sharing tab for a shared application.

    select AppKey, ActionType, Principal, PrincipalType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields
    from Event
    where EventType='Cloud.Core.SharedAppPermissionChange'
    order by WhenOccurred desc

    Audit history of ownership transfers of shared applications

    Create this report to view when application credential ownership for a shared application is transferred to another user. This report also provides the name of the new owner.

    select OldAppKey, NewAppKey, OldOwnerUuid, NewOwnerUuid, WhenOccurred, OldOwnerName, NewOwnerName, AppName, Reason
    from Event
    where EventType='Cloud.Core.SharedAppOwnershipTransfer'
    order by WhenOccurred desc

    Audit history of updates to credentials for shared applications

    Create this report to view all changes to passwords for User Password applications. The report details the application name, when the password was changed, and who changed it.

    select AppKey, ActionType, VaultType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields
    from Event
    where EventType='Cloud.Core.AppCredentialsChange'
    order by WhenOccurred desc
  5. Click Save.
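The three reports above describe one shared application from three angles, and an ownership transfer gives the application a new AppKey, so reviewing them separately hides the full history. The following added example (not CyberArk code) merges exported rows from the three reports into one per-application timeline and lists the changes made by someone other than the owner; the column names are those the queries return, while the uuids, names, timestamps and field values are constructed.

```python
from collections import defaultdict

# Constructed sample export rows. Column names are those returned by the three
# report queries on this page; uuids, names, timestamps and field values are made up.
PERMISSION_EVENTS = [
    {"AppKey": "app-1", "AppName": "Payroll", "Principal": "bob", "PrincipalType": "User",
     "OwnerUuid": "u-alice", "ActorUuid": "u-alice", "ActorName": "alice",
     "WhenOccurred": "2024-05-01T09:00:00Z", "ChangedFields": "Permission"},
    {"AppKey": "app-1b", "AppName": "Payroll", "Principal": "eve", "PrincipalType": "User",
     "OwnerUuid": "u-carol", "ActorUuid": "u-carol", "ActorName": "carol",
     "WhenOccurred": "2024-05-03T10:00:00Z", "ChangedFields": "Permission"},
]
TRANSFER_EVENTS = [
    {"OldAppKey": "app-1", "NewAppKey": "app-1b", "OldOwnerUuid": "u-alice", "NewOwnerUuid": "u-carol",
     "OldOwnerName": "alice", "NewOwnerName": "carol", "AppName": "Payroll",
     "WhenOccurred": "2024-05-02T08:00:00Z", "Reason": "owner deprovisioned"},
]
CREDENTIAL_EVENTS = [
    {"AppKey": "app-1b", "AppName": "Payroll", "OwnerUuid": "u-carol", "OwnerName": "carol",
     "ActorUuid": "u-eve", "ActorName": "eve", "WhenOccurred": "2024-05-04T11:00:00Z",
     "ChangedFields": "Password"},
]


def lineage(transfers):
    """Return a function mapping any AppKey to the key the app had before any transfer.

    A transfer row pairs OldAppKey with NewAppKey, so events logged under either
    key describe the same shared application.
    """
    parent = {t["NewAppKey"]: t["OldAppKey"] for t in transfers}

    def root(key):
        while key in parent:
            key = parent[key]
        return key
    return root


def timeline(perms, transfers, creds):
    """Merge the three reports into one chronological history per application."""
    root = lineage(transfers)
    history = defaultdict(list)
    for r in perms:
        history[root(r["AppKey"])].append((r["WhenOccurred"], "permission", r["ActorName"], r["Principal"]))
    for t in transfers:
        history[root(t["NewAppKey"])].append((t["WhenOccurred"], "transfer", t["OldOwnerName"], t["NewOwnerName"]))
    for r in creds:
        history[root(r["AppKey"])].append((r["WhenOccurred"], "credential", r["ActorName"], r["ChangedFields"]))
    return {key: sorted(events) for key, events in history.items()}


def non_owner_changes(perms, creds):
    """Rows where the acting user is not the owner: the changes made by share recipients."""
    return [r for r in perms + creds if r["ActorUuid"] != r["OwnerUuid"]]
```

With the sample rows, the Payroll application's history spans both app keys, and the only non-owner change is the password update by the share recipient eve after ownership moved to carol.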