Manage platforms v10 interface

This topic describes what platforms are, the types of platforms, and how to manage them.

Overview

A platform defines shared characteristics for multiple accounts. It defines the technical settings for these accounts, such as:

  • Account properties
  • Credential management policies and timeframe. For example, how frequently a password will be changed or verified.
  • The rules that must be applied when a new random password is generated. These rules must match the password rules on the remote machine where the password will be used, so that the password will be accepted during the password change operation as well as during log on.
  • Session management. For example, how connection is established.
  • Linked accounts
  • Mail notifications
  • Workflows

The settings depend on the platform type. For details, see Platform types.

Each account defined in the system, must be associated with a relevant platform.

 
  • The default platforms included with PAM - Self-Hosted represent every device or application that PAM - Self-Hosted can manage out-of-the-box, as well as templates for Group platforms. We recommend that you treat all default platforms as templates. If you want to use a default platform, duplicate it, and use the duplicated platform. For details, see Add a new platform (duplicate).
  • By default, platform configurations are applied to all Safes. Use the AllowedSafe parameter to enable platforms for specific Safes.

To access the Platforms page, in the PVWA, click Administration , and then click Platform Management. You must be part of the Vault Admin group to access this page and manage platforms.

The Platforms page displays all of the platforms that either come out-of-the-box (as described in the CPM plugins section) or that you have added to your system. The platforms are categorized according to Platform types and are in a list view. In this mode you can see the affected policy rules for each platform. The values for each rule are the default values set in the master policy or according to the values set in the policy exception. For details, see Master Policy Rules. The policy rule cannot be edited directly from within the platform, but rather from the master policy or from exceptions created for a specific platform. For details, see The Master Policy and Exceptions.

Other platform properties can be viewed and edited from within a platform. For details, see Edit a platform.

To perform actions, add (duplicate or import), deactivate or activate, edit, export, and delete, on a platform, click the ellipsis button next to it.

Platform types

The following table describes the platform types.

Type

Description

Target

Target platforms are associated with target accounts. Target accounts allow users to connect to various machines and devices. Examples of target accounts are:

  • Operating systems
  • Databases
  • Security appliances
  • Network devices
  • Directories
  • Applications

Target platforms define the settings described in Overview.

Dependent

Dependent platforms are associated with dependent accounts.

Dependent accounts are accounts that represent resources, such as Windows Services or Windows Scheduled Tasks, that are accessed from a target machine, not necessarily the same target machine, and require the same credentials as the target machine. When changing a password, the CPM synchronizes the target account password with all other occurrences of that password in the related dependent accounts. For details, see Manage dependent accounts.

Group

A group platform is associated with a group. A group includes multiple accounts. Account groups are a group of accounts that share a password and for which passwords are managed together, whether the password change is scheduled or initiated by a user. For details, see Manage account groups.

Account that belong to a group have two platforms assigned to them:

  • Target platform. This is the typical platform associated with an account, which includes the CPM plugin that performs the password change on the target machine.
  • Group platform. This platform determines when the password is changed and the password policy.

Rotational group

Rotational group platforms are associated with a group of accounts for which the credentials are changed asynchronously.

This is beneficial in a dual account deployment. For details, see Manage dual accounts.

Add a new platform (duplicate)

To add a new platform, duplicate one of the existing platforms, and make changes to the newly created platform.

This procedure is relevant for all platform types.

We recommend that you employ a logical naming convention. Platform names must be unique.

After you create a customized platform, you can edit it at an time.

To duplicate a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Click the platform type that you want to duplicate: Targets, Dependents, Groups, or Rotational Groups.

  3. Select the platform, click the ellipsis button next to that platform, and then click Duplicate.
  4. On the Duplicate Platform dialog box, enter a logical name and a description, and then click Create.

    The new platform is added to the list of platforms.

  5. Select the platform from the list, and then click Edit.

  6. On the edit page, expand the properties in the left pane, and change them as required.

    For details on each property, see Platform properties.

Search and Filter platforms

You can search for a platform based on the platform name. You can also filter Target platforms.

To search for a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. In the Search box at the top of the window, enter the platform name, and click Search .

To filter Target platforms:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. In the Targets tab, click .
  3. Select one or more fields that you want to filter your target platforms by, and click Apply.
  4. To use a different set of filters, click Clear all filters, and select the filters that you want.

Import a platform

You can import all four platform types:

  • Target

  • Dependent

  • Group

  • Rotational group

Obtain the platform package from one of the following sources:

  • CyberArk Marketplace
  • Your CyberArk support representative

To import a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Click Marketplace to access the CyberArk Marketplace, and download the platform package that you want to import.
  3. Click Import Platform to upload it.

     

    This procedure is relevant only for importing platform packages. It is not relevant for importing PSM connectors.

Activate and deactivate a platform

You can deactivate platforms that are not in use in order to hide them from the platforms list when an account is created. This also facilitates step-by-step implementations during which platforms can be made active at different phases.

Inactive platforms cannot be assigned to new or modified accounts, and accounts associated with deactivated platforms are not managed automatically by the CPM.

This procedure is not relevant for dependent platforms. Dependent platforms are activated or deactivated according to the target platform they are associated with.

To activate or deactivate a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Click the platform type that you want to deactivate or deactivate: Targets, Groups, or Rotational Groups.

  3. Select the platform, click the ellipsis button next to that, and then click Deactivate or Activate.

Export a platform

You can export a platform when, for example, you want to upload it to CyberArk Marketplace or if you want to import it to a production environment from a development environment.

When you export a platform, a zip file is created with the CPM policy files and the PVWA settings. If there are additional CPM plugin files, you must add them manually to the zip file, before you import them to a new environment.

A full platform package contains the following files:

File

Description

CPM Policy file

Mandatory

An INI file that contains the settings that determine how the system will manage associated passwords. This file is mandatory. You can create a new CPM Policy file, or use an existing one.

PVWA Settings file

Mandatory

An XML file that contains the PVWA settings of the platform.

CPM plugin files

Optional

EXE or DLL executable files and other files with policy settings for a specific CPM plugin. For example, a CPM plugin that manages PMTerminal-compatible accounts requires a prompts and process file to be added.

To export a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Select the platform that you want to export.

  3. Select the platform, click the ellipsis button next to that platform, and then click Export.

    A zip file is downloaded to your computer.

Edit a platform

The Platforms page displays a logical view of all the platforms in the system, categorized by Platform types. The information displayed includes the policy rules for the platform, which can only be edited from the policy itself. Other platform properties can be edited from within the platform.

The following options in the platform settings page enable you to customize account management on supported target platforms:

  • UI & Workflows – Customizes account management workflows on target accounts, such as ticketing systems and associated logon and verification accounts.
  • Automatic Password Management – Defines how passwords are managed in the Privileged Access Manager - Self-Hosted solution.

To edit a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Click the platform type that you want to edit: Targets, Dependents, Groups, or Rotational Groups.

  3. Select the platform, click the ellipsis button next to that platform, and then click Edit.
  4. On the edit page, expand the properties in the left pane, and change them as required.

    For details on each property, see Platform properties.

Associate PSM connectors with the platform

PSM connectors are used to enable users to connect to target machines. This is done on a platform by platform basis and affects all the accounts that are associated with the platform. For more details on PSM connectors, see PSM Connectors.

To associate PSM connectors with a platform:

  1. In the PVWA, click Administration , and then click Platform Management.
  2. Select the platform to which you want to add connectors, click the ellipsis button next to that platform, and then click Manage Connectors.

  3. If this platform is not associated with a PSM server, you are prompted to select a PSM server.

    On the Manage Connectors window, select the PSM server through which the connectors will be managed, and then click Next.

  4. On the Manage Connectors window, select the PSM connectors that you want to associate with the platform, and then click Save.

    If the required connector is not in the list, you can upload a connector package from your local computer. It can be a connector that you have downloaded from CyberArk Marketplace, or a custom connector. For details, see Import PSM connectors.

     

    If you associated more than one connector with the platform, the first connector added will be the default connector. To change the default connector, follow the instructions in Edit a platform and change the PSMConnectionDefault property.

  5. PSM connectors are provided with default settings. To customize a connector, see Connection Component Configuration.