What's New

This section describes the new features and enhancements for each Privilege Cloud release.

2021 releases

August 2021 - Version 12.2

CyberArk Telemetry tool

Within the Technical Community, Privilege Cloud customers can now see data about adoption, time to value, component usage, license utilization and more. The Telemetry tool is a dashboard that presents this information in an easy-to-consume way, with additional information including compliance status for managed accounts, used platforms and plugins, and logged on users.

SCIM enhancements

In May, we introduced SCIM support in order to integrate Identity Governance and Administration (IGA) solutions with Privilege Cloud. We have now expanded the SCIM and SCIM PAM capabilities to support all SCIM and SCIM PAM endpoints. Customers will now be able to fully control, in one system, user and privileged data (accounts) life-cycle management including managing containers (Safes), Safes permissions, and privileged data (accounts).

To learn more, see Integrate with an IGA platform using SCIM.

New and unified user interface

As the number of CyberArk solutions grows, the look and feel, as well as the consistency and continuity across the CyberArk Identity Security platform becomes even more critical.

We have now introduced a clean, modern, and more accessible look and feel for the Privilege Cloud Portal. The new design will be aligned with Identity, Remote Access, Endpoint Privilege Manager and Cloud Entitlements Manager offerings, and will include:

  • New look for the Application layout

  • New look for the Filters and Search in all pages

  • New and accessible colors contrast and backgrounds

  • Deprecation of the comfortable and compact view.


Some screens have not been changed and will be redesigned in the future.

Graphical user interface, text, application, email

Description automatically generated

We also have introduced a new Safes view to list Safes along with the assigned CPM server and description

  • Single pane of glass for Safe details

  • Manage permissions of existing Safe members

To learn more, see Access control.

Link and unlink accounts in Account Details page

As an ongoing mission to simplify the user experience, we have added the ability to create linked accounts. Linked accounts are needed when there is more than one account for the password management process. Users can now select an account to associate as a Linked Account.

To learn more, see Linked accounts.

Linking and unlinking of accounts can also be done using Linked accounts REST APIs.

ServiceNow Quebec support

Integrating the privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Quebec version. The ServiceNow integration is now available in the CyberArk Marketplace.


This release includes several improvements in our REST API Web services around the User Management, Safes ,and Accounts areas for easier automation and usage.

The following new APIs were added:



Get Safe details

Retrieves the details of a single Safe

Get Safe member

Retrieves the set of permissions a member has for a Safe

Update member

Updates the set of permissions a member has for a Safe

Delete member

Removes all permissions a member has for a Safe

Update Safe

Updates a Safe's details

We also enhanced the following APIs:



Add account group

We expanded this REST API to add Account Group with Policy Type of Rotational Group in addition to PolicyType of Group. This enables our customers to add Rotational Groups via REST APIs. Rotational group platforms are associated with a group of accounts where the credentials are changed asynchronously.  This is beneficial in a dual account deployment.

Get users

Added ability to filter by user name and added sort options

Get groups

Added sort options

Managing Google Cloud Platform (GCP) IAM users    

We've introduced a new plugin that can manage passwords for Google Cloud Platform (GCP) IAM users when the IAM user is enabled, or not, with MFA. The plugin is available on the CyberArk Marketplace.

To learn more, see Google Cloud Platform (GCP) - Account management plugin.

Managing MS SQL 2019 passwords

MSSQL 2019 database is now officially supported with our existing MSSQL ODBC plugin. This applies to the MSSQL ODBC 13.1 The plugin is available on the CyberArk Marketplace.

Set a global PSM default connection method (RDP file or HTML5)

Until now, when configuring remote access all connections were established exclusively with HTML5 Gateway and Privilege Cloud admins needed to manually set a toggle to work with both connection methods (for example, HTML5 for remote access and RDP file for working within the network).

In this release, the default connection method is set to RDP, so when you configure remote access, all you need to do is configure the toggle on specific platforms. However, you can also choose to set the default connection method to HTML5, which can be easily done for you by CyberArk support.

Remote access connections - troubleshooting

During remote access connections, if an error occurred, the session was closed immediately. Now session error codes are displayed in the HTML5 connection tab when the end-user fails to establish a connection. The end-user sees the error message code and admins can then use the error code to troubleshoot the issue.

To learn more, see Troubleshooting connection issues.

Improved User Experience in PSM for SSH when integrating with Ticketing systems

In this version we added a retry mechanism that enables users to correct and re-enter the ticket ID when it includes invalid control characters, such as backspace or escape. This ensures session continuity and prevents the need to reconnect and initiate a new session to correct the entered Ticket ID. In addition, the retry mechanism is configurable and enables you to set the maximal number of retries.

Migration support for Conjur Enterprise with Privilege Cloud’s hybrid SaaS offering

If you have Conjur Enterprise deployed alongside your self-hosted PAM environment, you can now migrate to Privilege Cloud while supporting the same Conjur Enterprise deployment.

To learn more, see Conjur Enterprise V12.2.

June 2021

Offline access to privileged accounts

CyberArk Privilege Cloud is where customers manage their “keys to the kingdom” credentials, some of which are needed for critical operations and business continuity.

While our solution offers high availability and resiliency, we want to make sure that you can access business-critical accounts in those rare cases when the service is unavailable or if the user has no connectivity ("offline"). Utilizing the new CyberArk Mobile app, CyberArk now provides access to credentials even when Privilege Cloud is unavailable. Within the app, users can see the list of accounts to which they have permissions and select those that will be available for offline access. The Mobile app securely stores credential, protected with multi-factor and biometric authentication. When Privilege Cloud is unavailable, users can retrieve the stored credentials from the app and use them to connect directly to remote machines.

See Connect when Privilege Cloud is unavailable for more details for the end user. See Configure offline access to target machines for more details for the administrator. See Remote Access What's new for more details on the Mobile app release.


This capability is subject to additional license fees. Contact you CyberArk representative to inquire about it.

Privilege CloudConnector version 12.1.1 available

Privilege Cloud Connector version 12.1.1 is now available. For the upgrade process, see Upgrade the Privilege Cloud Connector to v12.1.1. Refer to Privilege CloudConnector end of life dates to determine the best time for you to upgrade your Connector.

For additional information about this release, see Release notes.

May 2021 - Version 12.1

SCIM support

Privilege Cloud now supports SCIM (System for Cross-domain Identity Management) and SCIM PAM in order to integrate with Identity Governance and Administration (IGA) solutions, such as Sailpoint. Integrating between PAM and IGA provides a unified view with centralized policy-based identity management for all identities, including privileged identities (individuals and applications) and access entitlements to ensure access policy and regulatory compliance. This allows you to control and automate the user and privileged data (accounts) life-cycle management including managing containers (Safes), Safes permissions, and privileged data (accounts).

To learn more, see Integrate with an IGA platform using SCIM.

New System Health dashboard

This release introduces a new System Health page, which provides administrators with a high-level health status report of the different components in Privilege Cloud and Secrets Manager Credential Providers environments.

Administrators can also reset passwords for the CyberArk component applicative users directly from the System Health dashboard. This helps streamline recovery from Privilege Cloud components connectivity issues.

To learn more, see Monitor system health.

ServiceNow Paris version support

Integrating a privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Paris version.

The ServiceNow Paris version integration is now available in the CyberArk Marketplace.

Accessibility improvements for the Accounts page

This release includes several accessibility improvements. We added missing tooltips to several attributes in our Accounts page.

Privileged Session Manager for SSH connections with modern authentication methods, including SAML, and single multi-factor authentication to multiple targets

To use these capabilities, *nix administrators who access target servers through PSM for SSH will either start by accessing the Privilege Cloud portal and selecting the required authentication method, generate an SSH Key with a pre-configured validity period that will be used to connect through PSM for SSH to any target server authorized for them or by using a dedicated REST APIs for generating the SSH key. For greater security, admins can protect the generated SSH key with a passphrase and proactively invalidate it in case of an incident. These capabilities for modern authentication and MFA caching for PSM for SSH can be achieved with any authentication method supported by Privilege Cloud, via the Privilege Cloud portal or API.

Platform Management enhancements

In this version we expanded the Platform Management interface to include access workflow policies indications, showing workflow-related settings and exceptions for each platform. This enables customers, using a single pane of glass, to gain better visibility of a platform and its effective policy.

In addition, Import Platform now supports importing Group and Rotation Group platforms in both the UI and the Rest API.


This release includes several improvements in our Safes, accounts, and User Management REST API Web services for easier automation and usage.

Get secret versions


Returns the versions of the account's secret.

Link an account (New)

Enables you to associate an existing account as a linked account of a different account. The linked account can be a Reconcile Account, a Logon Account or any other linked account defined on the platform level.

Delete Safe (New)

Deletes an existing empty Safe.

Add member


Adds a user or a group as a member with a specific set of permissions to an existing Safe.

Delete discovered accounts


Enables Admins to clear all Discovered Accounts and their dependencies from the Pending List.

Get all Safes


Returns a list of all Safes the requested user has permissions to view. This API is available with several capabilities, such as paging and searching according to specified values to create a more precise list.

Add Safe


Enables the user to create a new Safe.

Get all Safe members


Returns a list of all the members of a specific Safe.

Update group


Enables the user to edit the name of an existing group.

Get users


In addition to the information this API provides, for each user in the returned list the API also returns the groups the user is a member of.

Get groups


In addition to the information this API provides, for each group in the returned list the API also returns the users that are members of the group.

Generate Password REST API

This version introduces an option to generate an account password using REST API.

To generate a password for managed accounts, you can now call the Generate Password REST API and send the account ID details.

The API retrieves the account's old password and determines the new password complexity according to the account's platform policy.

To learn more, see Generate password.

Manage VMWare ESX/i 6.7 and 7.0 accounts

Management of VMWare ESX/i root and local privileged accounts via the ESX/i REST API and CLI is now supported for ESX/i 6.7 and ESX/i 7.0.

To learn more, see VMWare ESX/i.

The CPM plugin is now available in the CyberArk Marketplace.

PSM for SSH deployment on Red Hat Enterprise Linux 8 and CentOS 8

Customers transitioning or upgrading their Linux environments to the latest Red Hat Enterprise Linux 8 OS edition or CentOS 8 can now leverage the secure and native access capabilities of PSM for SSH by deploying it on these OS versions. This is applicable for Red Hat Enterprise Linux 8.0, 8.1, and 8.2 and CentOS 8.0, 8.1, and 8.2.

SSH Key Authentication to PSM for SSH in using your own SSHD

PSM for SSH installation can coexist with the operating system's original SSH daemon (SSHD) without replacing it. Customers who use SSH key authentication to CyberArk in PSM for SSH connections can now do so using their own SSHD version.

This is only supported for SSHD version 7.8 or above.

Support for OpenSSH 7.8 and above default SSH key format

Starting from this version, PSM for SSH supports the new default OpenSSH SSH key format both for authenticating to PSM for SSH and for connecting to target machines using PSM for SSH's OpenSSH client application.

Additional information about this format can be found in the OpenSSH 7.8 release notes.


This format is not supported by CPM and PSM and can only be used for PSM for SSH native connections.

Manage AWS root user account enforced with MFA

The AWS account root user is the secret zero, the AWS account owner who has full access to all resources in the account. AWS recommends not to use the root user, not to share the user, to use a strong password and to enable Multi-factor Authentication (MFA). These are great recommendations, but manually managing the user is still a risk, since there is always the human factor, which most of the time is the weakest link.

We are happy to release a new plugin that can automatically manage the AWS account root user password even if it is enforced with MFA by leveraging Time-based One-time Password (TOTP).

The plugin is available on CyberArk Marketplace.

Support MFA for Azure and AWS IAM users

Azure and AWS PSM connectors now support logging in to the cloud console with the IAM user enforced with Multi-factor Authentication (MFA). The user must enter the MFA code during the login sequence, therefore this step will be promoted to the user via the RDP session.

April 2021

Privilege Cloud increases the official SLA to 99.9%

Privilege Cloud is now committed to a 99.9% SLA. This improvement helps prove to our customers our commitment to making Privilege Cloud even more reliable and available.

Privilege Cloud data center in Singapore

We've added a new data center in Singapore to meet the market demand in the APJ region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, London, Sydney, Canada, and Japan further extends our global network.

February 2021

Conjur Secrets Manager Enterprise integration

Privilege Cloud integrates with Conjur Secrets Manager Enterprise to expand Privilege Access Security to the DevOps space and to modern and dynamic environments. Secrets that are stored and managed in Privilege Cloud can be shared with Conjur Enterprise and used via its clients, APIs, and SDKs to enhance security and reduce risks for the DevOps environments, including CI/CD pipelines, containerized applications, and cloud platforms.

The integration between Privilege Cloud and Conjur Enterprise provides Security, IT, and DevOps teams with a common platform to enforce privileged account security policies on all platforms – on-premises, cloud, and hybrid – to form a consistent, unified enterprise-wide Privilege Access Security Program.

For details, see CyberArk Vault Synchronizer.

2020 releases

December 2020

The following features and enhancements are included in the Privilege Cloud December 2020 release:

Bulk upload of accounts

There is a frequent need to upload a large number of known accounts into Privilege Cloud from an existing repository. This is especially valuable during early stages of implementing Privilege Cloud, migrating from another PAM solution, or onboarding a new department into the Privilege Cloud solution.

To address this challenge, we have introduced a new Bulk Upload of Accounts option within Privilege Cloud portal. Using the Bulk Upload operation reduces 50% of the onboarding time in Privilege Cloud portal compared to existing REST APIs scripts, and enables a much faster roll-out of PAM programs.

The new Bulk Upload of Accounts option includes a dedicated UI where the user can download a sample file, review the process status, and download a detailed result file with the failed accounts.

In addition, the Bulk Upload is asynchronous and enables customers to disconnect from Privilege Cloud portal while the onboarding request still runs in the background, ensuring that all accounts are onboarded.

We want to encourage you to use the Bulk Upload method and promote its use in REST API-based solutions.

The available REST APIs are:

Create bulk upload of accounts

Enables a user to add multiple accounts to existing Safes and groups.

Get bulk account upload result

Checks the status of a single bulk account upload and returns the results.

Get all bulk account uploads for user

Returns the status of all bulk account uploads that the user performed.

To learn more, see Add multiple accounts from a file.

Platform Management - search and filters

In this release we've added filtering capabilities to target platforms and the ability to search according to platform types.

To learn more, see Manage platforms.

Export discovered accounts

To better understand and share the progress in the deployment and onboarding of privileged accounts, customers are now able to extract and export the Pending Accounts list using two new REST APIs. The ability to export this list provides administrators an easier and more accessible way to manipulate the output data according to their needs, prioritizing and delegating the discovered accounts to multiple teams for better and faster coordination during the onboarding process.

In addition, administrators can provide valuable insights to their management, as well as demonstrate a return on investment (ROI) for their work on the Privilege Cloud implementation by tracking metrics such as the number of privileged and non-privileged, local, or domain accounts, or SSH keys that are still waiting to be onboarded and protected.

The available REST APIs are:

Get discovered accounts

Returns a list of all discovered accounts from the Pending Accounts list.

Get discovered account details

Returns information about a specific discovered account and its dependencies from the Pending Accounts list.

These APIs support capabilities such as paging, filtering, and searching according to specified values to create a more focused list.

Azure Discovered Accounts

Discovered Accounts APIs now support Microsoft Azure Active Directory (Azure AD) users.

The enhanced REST APIs are:

Add discovered accounts An API that enables you to add newly discovered accounts including Azure Active Directory (Azure AD) users to the Pending Accounts list in Privilege Cloud portal.
Get discovered accounts An API that returns a list of all discovered accounts from the Pending Accounts list, including Azure Active Directory (Azure AD).

Management of Windows Domain accounts with Kerberos

We are happy to introduce a new Windows CPM plugin for managing Windows domain accounts over LDAP.

The new plugin enables you to manage members of protected user groups over Kerberos and TLS/SSL.

Protected Users is a global security group and its primary function is to prevent users' credentials from being abused on the devices where they log in.

To learn more, see Windows Domain Accounts via LDAP.

Credential rotation for IAM users with MFA

MFA mitigates risks associated with password-only authentication methods by requiring additional factors of authentication.

More and more organizations are turning to MFA to secure their cloud environments and protect against unauthorized access, data breaches, and password-based cyber-attacks.

Credential management for the following cloud IAM users and keys authenticating to cloud consoles with MFA, is now supported for all of CyberArk out-of-the-box cloud plugins:

  • Amazon Web Services (AWS) IAM passwords and access keys

  • Microsoft Azure Active Directory user passwords and application keys

  • Google Cloud Platform (GCP) service accounts

To enhance the credential rotation of Azure Active Directory accounts, we have added keys support for logon and account reconciliation to Azure plugins.

To learn more, see Microsoft Azure Password Management and Microsoft Azure Application Keys.

Automatic Check-in in PSM sessions with exclusive access

The Enforce check-in/check-out exclusive access policy in the Master Policy enables organizations to restrict account credentials' use to a single user at a time.

In PSM sessions, until now, the credentials were locked automatically when the user connected with an account, but users had to manually check in the credentials to the Vault to release the account.

In this release we simplified the end-users' experience significantly by ensuring that once the PSM session ends, the account is automatically checked in without any user intervention.

To learn more, see Automatically unlock accounts.

Run custom code prior to connection when accessing Web applications through PSM

PSM can connect to Web applications using custom-built connectors. In some cases, there is a need to invoke custom operations before the actual connection to the target occurs, such as creating a temporary user just-in-time and using it for access. PSM connectors for Web applications can now be configured to run custom code prior to logging in to the target and can even provide on-the-fly data for the login process.

The Secure Web Application Connectors Framework PSM can be found in the CyberArk Marketplace.

Docs enhancements

Our documentation now employs a new SearchUnify custom search engine, which enables you to: 

  • Search for content across all products
  • Filter search results by product and category
  • Perform advanced searches

Like Google, SearchUnify provides:

  • ‘Did you mean’ functionality
  • Auto suggestions

Released components



CyberArk Privilege Cloud Connector

CyberArk Secure Tunnel


September 2020

The following features and enhancements are included in the Privilege Cloud September 2020 release:

Alero integration for remote vendor access

In addition to supporting remote access for employees, we now integrate with CyberArk Alero to support remote access for vendors. Providing a way to access the organization’s assets in a secure way, with no additional footprint on the customer’s premise.

This integration provides full audit capabilities and session isolation for sensitive assets that enable remote vendors VPN-less access while leveraging Zero-Trust access, JIT Provisioning, and biometric Multi-Factor Authentication.

To learn more, see Configure remote access for vendors.

EPM integration for securing loosely connected devices

One of the most common activities for managing local admin credentials is changing them on a regular basis. The mobility strategy that most organizations employ allows employees to work from any location, making it difficult to enforce the credentials policy because endpoints are not always accessible from the organization network.

To mitigate this issue, the CyberArk Endpoint Privilege Manager (EPM) integrates with Privilege Cloud to manage these Windows and Mac devices and change passwords as required, according to the organization policy.

To learn more, see Manage loosely connected devices.

Detailed email notifications

The Privilege Cloud event email notification service now provides detailed information on various events, including direct link URLs, to simplify the administrator's workflow and approval process. For example, when a request to access an account is being submitted, the approver receives an email with a link to the specific request.

To learn more, see Email notifications.

Privilege Cloud data center in Japan

We've added a new data center in Japan to meet the market demand in the APJ region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, London, Sydney and Canada further extends our global network.

Privilege Cloud Connector

The new Privilege Cloud Connector installer now enables you to select which function to install on the connector server. You can choose to install the CPMPSM, or both.

In addition, you can choose whether to install the CPM in disaster recovery (DR) mode or not.

To learn more, see Run the Connector setup wizard.

Released components



CyberArk Privilege Cloud Connector

CyberArk Secure Tunnel


Enhancement requests




Add a direct link to Privilege Cloud portal in approver email

August 2020

Watch video

The following features and enhancements are included in the Privilege Cloud August 2020 release:

Remote access

Providing access to your company employees from remote is essential to maintain business operations in an efficient and simple manner. Exposing the company's internal assets to the public network poses a great risk and must be secured. Privilege Cloud now integrates with CyberArk's Alero to allow remote company employees to access internal assets, VPN-less, protected with Privilege Cloud with no additional footprint.

You can also use remote access capabilities to access assets, when inside the network, and not only remotely.

To learn more, see Configure remote access for employees.

Privilege Cloud data center in Canada

We've added a new data center in Canada to meet the market demand in the North American region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, London, and Sydney, further extends our global network.

Platform management UI enhancements

Introducing our new platform management view with ability to import and connect PSM connectors.

The new view includes:

  • Separate tabs according to platform types: Targets, Dependents, Groups, and Rotational Groups

  • Aggregated view for each system type

  • Single pane of glass of a platform and its effective policy

  • Platform settings for password rotation verification and reconciliation

  • Actions like: Import Platform, Edit, Duplicate, Activate/Deactivate, Export, Import and Delete.

  • Onboarding of PSM Connectors to a platform – the ability to easily import PSM connectors and link them to a platform, all from one location.

Getting a List of platforms can also be done using REST API.

To learn more, see Manage platforms.

Automatic onboarding rules

You can now create and manage predefined rules that automatically onboard newly discovered accounts. This minimizes the time it takes to onboard and securely manage accounts, reduces the time spent on reviewing pending accounts, and prevents human errors that may occur during manual onboarding.

To learn more, see Onboarding rules.

Automatic dependencies discovery

Managing service accounts can be challenging, but also very important. These accounts can be very powerful and as a result are often targeted in attacks. The first challenge in managing these accounts is understanding where they are.

In this release, we introduce a major improvement to the dependencies discovery process, which allows it to discover and onboard dependencies for already managed accounts (that were added manually or using REST APIs) in addition to those that were onboarded by the discovery scanner.

Similar to the current behavior, accounts with a newly discovered dependencies will be disabled with the reason “Newly discovered dependency”, so the accounts' owners can review and validate that the new service is legitimate and is not a backdoor service aiming to inherit account's password.

To learn more, see Scan for accounts using Accounts Discovery.

SSH Keys support

You can now add, edit, and download SSH Key accounts, just as you would password accounts.

Add new SSH keys using the Add Account button located in the Accounts List, by selecting Unix as the System Type.

Direct link for accounts

This release introduces a new way to create a direct URL for a specific account details page.

Users can see this link in the new Account Group in the Account Details split view, where each Account group member has its own link to its specific account.

For simple sharing of accounts, users can send a direct URL to an account.

SAML authentication using REST API

This release introduces a new, updated way to authenticate to Privilege Cloud using the SAML authentication REST API.

This API uses the Logon REST method with the SAML authentication type (POST /auth/saml/logon) and supports only IdP initiated flows, meaning the user should already be authenticated and the SAML response should be sent to the Privilege Cloud portal SAML authentication API.

IdP initiated flow is now supported for customers who wish to use it. While CyberArk recommends using SP initiated flow as it ensures a more secured authentication channel, customers who rely on business applications using IdP initiated flow only, may enable this option using the EnableIdPInitatedSso configuration.

To learn more, see SAML logon.

User Management Rest API improvements

This release provides several improvements to our REST API Web services for easier automation and usage.

  • Get user details. This API now also returns a list of groups in which the user is a member.

  • Delete group. A new API that deletes an existing group.

PSM for SSH deployment on SUSE v12 SP2

Customers working with SUSE Linux Servers can now deploy PSM for SSH on SUSE Linux Enterprise Server v12 SP2.

Listing of Active PSM for SSH sessions in the Monitoring page

Auditors and Security teams can now view what PSM for SSH sessions are currently active, what commands are being performed and what is the risk score of each active session. This enables them to gain fuller visibility into user activities in the environment and achieve better monitoring.

Enhanced Audit Capabilities for PSM for SSH Just-in-Time access with SSH Certificates

Just in Time access with short-lived SSH certificate authentication enables organizations to provide secure access to remote *nix machines without the need to onboard the account to PAS, and without a need for credentials, public keys or standing access on the target.

Customers can now use this approach and benefit from the following capabilities that are available in other PSM for SSH authentication flows:

  • Create audit records and text recording files of keystrokes typed by privileged users in the session

  • View the session in the Monitoring page

  • Enable configuring prompts used for detecting passwords that may have been typed by users and hiding them from appearing in the audit records and text recordings.

  • Apply Command Access Control that enables blocking unauthorized SSH commands that a privileged user attempts to execute.

Enhanced Audit Capabilities for Automation Tools Access to *NIX machines through PSM for SSH

In addition to audits of remotely executed SSH commands (as usually used by automation tools), auditors can now also view audits of commands executed or performed on the target after logging in to a shell prompt. This could be useful when using the same account for automation tools and human access.

Smart-Card (PKI) authentication in direct PSM connections

We expanded the variety of authentication methods for direct PSM connections. In addition to CyberArk, LDAP, and RADIUS authentication, users can now authenticate to Privilege Cloud through direct connections with a user certificate, utilizing PKI infrastructure. These user certificates are usually stored on a smart card, to help facilitate a strong authentication policy. The PSM PKI authentication integrates seamlessly with the domain PKI infrastructure, allowing customers who already use PKI in their organization to immediately benefit from this new capability.

To learn more, see Configure PKI authentication for RDP connections.

FIPS support for SSH plugins

To benefit from the enhancements in our new terminal-based CPM engine (TPC), you can now use SSH-based plugins with the new FIPS support.

This release also includes bug fixes, enhanced security and performance.

To learn more, see Configure SSH-based features.

SAP plugin improvements

The SAP plugin allows management of SAP Netweaver accounts, which are used for many SAP applications (including SAP ERP). This SAP plugin already supports built-in and Dialog accounts used for human interactions. In this release, we added support for management of non-human accounts, designed for applications' use, such as 'System', 'Communication Data' and 'Service' user.

In addition, for enhanced security, the updated SAP plugin supports the secured SAP protocol, SNC, by default.

The plugin is available for download in the CyberArk Marketplace and is provided out of the box with any new Privilege Cloud installation.

To learn more, see SAP applications.

March 2020

The following features and enhancements are included in the Privilege Cloud March 2020 release:

Privilege Cloud data center in Sydney

We have added a new data center in Sydney to meet the market demand in the APJ region.

The new data center, in addition to our existing data centers based in North Virginia, Frankfurt, and London, further extends our global network.

RADIUS authentication support

We believe that deploying the Privilege Cloud environment in a secure manner is critical for our customers, and we see MFA as a cornerstone of secured Privilege Access. In this release, Privilege Cloud we have added support for RADIUS authentication for enforcing MFA for Windows and UNIX native access.

To learn more, see Configure RADIUS authentication

Self-service for PSM Connection Components management

Privilege Cloud now supports self-service management of PSM connection components. A new set of Web services enables customers and partners to add new targets for which secure sessions can be brokered without the need to involve the Cloud Services team, to streamline Privilege Cloud deployments. A simple script that wraps these Web services is also available.

ServiceNow ticketing integration

Privilege Cloud now supports ticketing integration with ServiceNow, to enable ticketing-based approval workflows for our customers.

To learn more, see Integrate with ServiceNow ticketing system.

New connection component for SQL Server Management Studio 18

A new PSM connection component was added to the PSM installation and to CyberArk Marketplace to enable secure access to SQL Server Management Studio (SSMS) 18.

Account groups

Account Groups are often used to synchronize passwords among multiple accounts. In this release, we added the ability to use Accounts Groups from the Privilege Cloud Portal and simplified the process of creating Account Groups and linking them to existing accounts.


Concurrent logins using REST API

To facilitate automating PAM deployments and operation, you can now use the login REST API with concurrent logins. Using a new parameter that can be controlled in the Login command, an application can be used to authenticate multiple times to Privilege Cloud without managing the sessions and without the application disconnecting. This new method enables an application to work simultaneously using the login REST API and any authentication method supported in the REST API, maintaining each thread in its own session with its own token.

To learn more, see Logon REST API.

Enhancements in Connection Components REST API

You can manage PSM connectors using a centralized repository. This simplifies management and ensures that all PSM servers are aligned with the required connectors and configuration. Any newly imported or updated connector in the repository is fetched by the PSM servers automatically, reducing the time it takes to configure new connectors.

The Connection Component REST API has been enhanced. In addition to importing the connection component configuration to the Privilege Cloud portal, this API also uploads the connection component package (a zip archive of relevant artifacts such as the Universal Connector executable and additional files needed for it to run) to the central safe in the Vault.

To learn more, see Import connection component.

REST API documentation

We have simplified the REST API section in our documentation to make it easier for you to find a REST API based on a topic, and to find references for more usage examples.

To learn more, see REST APIs.

January 2020

The following features and enhancements are included in the Privilege Cloud January 2020 release:

SOC2 certification

This is a new certification that is performed by an independent audit team, for assessing Privilege Cloud's system security, availability and confidentiality factors, and has determined that the service meets the complex cloud security requirements of today's world.

Native access for *nix administrators

The PSM for SSH preserves the benefits of the PSM, such as isolation, control, and monitoring, while enabling users to connect transparently to target Linux/Unix systems from their own workstation, using their choice of SSH client and without interrupting their native access workflow.

PSM for SSH records all activities that occur during privileged sessions in a compact format and stores them in Privilege Cloud, where they can be accessed by authorized auditors. It also provides privileged Single Sign-On capabilities and allows users to connect to target devices without exposing them to privileged credentials.

To learn more, see Connect using PSM for SSH.

Just in Time with short-lived SSH certificates

Secure access with SSH in dynamic or large-scale environments is problematic. Managing local account credentials and SSH keys for each user and server requires either high levels of automation or a large amount of manual processes, especially when machines are frequently spun-up. Having static SSH keys, shared accounts, or personal accounts leads to a larger number of privileged accounts, standing access on the target, and a larger attack surface, and does not follow the least privilege concept.

Privilege Cloud introduces Just in Time access with SSH certificate authentication to remote *nix machines without the need to onboard the account to Privilege Cloud, and without a need for credentials, public keys or standing access on the target.

An administrator stores a single private key in the Vault that acts as a certificate authority for certificate signing and stores the corresponding public SSH key on the remote machines.

There is no need to generate a private-public key pair for each account and remote machine.

End-users SSH to a remote machine through the PSM. After authenticating to Privilege Cloud, CyberArk signs and uses a short lived SSH certificate to authenticate to the remote machine with an isolated and controlled session.

Let's look at the following use case, for example:

Tina is an Information Technology Lead who is a Privilege Cloud service Administrator in her company. Paul is a Linux administrator who manages a group of administrators who oversee the production servers.

For Paul's administrators to have secure access to new production servers, Tina generates an SSH key pair that will act as a certificate authority (CA) for the production servers and stores the private key in an account in Privilege Cloud. The account is configured as an SSH certificate type and does not have a specific address assigned to it, so that it can be used for all production servers.

Tina also grants permissions to this account only to the production administrators.

Paul has set up a template for the production servers so that each new server is spun-up with the production CA public key as a trusted CA key.

Now, when a new production server is spun-up, Paul's administrators (for example, John) can instantly SSH to it through the Unix Connector, by specifying the target address and that it is a production server:

ssh john@root#production@TargetAddress@UnixConnectorAddress

After authenticating to Privilege Cloud, the PSM will sign an SSH key with the production CA private key so that the target can trust it and authenticate the user.

Native access for Windows and applications administrators

Privilege Cloud now supports native access for Windows and application administrators.

Users can now connect securely through the PSM to the target systems directly from their desktop using any standard RDP client application such as MSTSC or connection manager, preserving their native user experience and workflow.

To learn more, see Connect using RDP.

LDAP integration

You can now manage your Privilege Cloud-LDAP integration with more control and flexibility.

The Privilege Cloud portal includes a new module for LDAP integrations and management. Using this module, you can define the LDAP domain and directory mappings that determines whether a user account or group may be created in Privilege Cloud, and according to which criteria.

To learn more, see LDAP integration.

Privilege Cloud data center in London

We’ve added a new data center in London to meet the market demand in the EMEA region.

The new data center, in addition to our existing data centers based in North Virginia and Frankfurt, further extends our global network.

CyberArk Secure Tunnel installation wizard

CyberArk Secure Tunnel allows you to securely connect Privilege Cloud with your LDAP and SIEM servers. Various high availability configurations are supported, making sure LDAP authentication is always available in case of disaster or unavailability of one or more connector servers.

This release introduces an installation wizard that simplifies and streamlines the setup and configuration of the Cyberark Secure Tunnel. By the end of the process, you will establish connection and trust between your network and Privilege Cloud.

To learn more, see Install Secure Tunnel.

Non-human access management

Privilege Cloud integrates with Application Access Management (AAM) Credential Providers to eliminate hard-coded application credentials embedded in applications, scripts, or configuration files and instead managing them within Privilege Cloud as privileged accounts.

This release of Privilege Cloud includes a new application management module, accessible from the Privilege Cloud portal, where you can manage application authentication, accounts and access control.

To learn more, see Application Management.

You can also manage applications using the New Applications REST APIs.

Credential Providers

New Application Server Credential Provider JDBC Driver for Tomcat

Introducing a new Tomcat Secure JDBC Proxy Driver for Generic Data Sources using either XA or non-pooled and pooled DataSources, supporting Oracle, DB2, and MS SQL Server databases.

This new driver replaces the existing JDBC Proxy Driver, providing support for custom properties. It supports only specific DataSources.

Supports: Tomcat 7, 8.5 and 9.

Credential Providers hash authentication security improvements

For improved security, Credential Provider Hash Authentication now supports SHA-2 encryption.

Note: For applications using a version of Credential Provider earlier than 11.2 with hash authentication, the following steps are required:

  1. Generate a new hash value for each existing hash value of the application.

    To learn more, see Generate an application hash value.

  2. Update the application's details in Privilege Cloud portal with the new hash value or using the REST API.

    To learn more, see Update applications.

Enhanced account functionality

We’ve enhanced the functionality and UX in the Accounts page:

  • You can now delete an account from the UI.
  • When you create an account from the UI, you can now add another, continuously, streamlining the process of account provisioning.
  • The following parameters are now displayed for each account:
    • Account Name
    • Created Time

Web Services

This release introduces several new and updated REST API Web services for easier automation and usage.

Improvements when searching accounts

Searching for accounts and performing actions on them may be a common use case if you rely on automation and REST APIs.

This release introduces an enhanced Get Accounts REST API, which includes a new searchType parameter, which allows you to get accounts that either contain or start with the value specified in the Search parameter.

For examples on how to use our REST APIs, access GitHub.

New Applications REST APIs

We added the following Applications REST API methods:

  • List applications
  • List a specific application
  • Add application
  • List all authentication methods for a specific application
  • Delete specific application
  • Add application authentication
  • Delete a specific authentication

To learn more, see Applications.

2019 releases

October 2019

The following features and enhancements are included in the Privilege Cloud October 2019 release:

Removing hardcoded credentials from applications

Securing, managing and automatically replacing embedded and locally stored credentials can impose significant challenges and overhead costs to IT and security departments. Consequently, many organizations never change embedded passwords or locally stored SSH keys for applications, leaving the organization vulnerable to an attack.

Privilege Cloud now integrates with Application Access Manager (AAM) Credential Providers to empower developers and security teams to proactively secure resources, such as scripts, automated processes and applications when accessing sensitive information and assets, by using privileged accounts.

To learn more, see Secrets Manager Credential Providers integration

C³ Alliance Program

Privilege Cloud now supports integrations from the C³ Alliance partnership program.

By securing privileged accounts and using privileged data to detect and respond to threats, C³ Alliance provides joint customers the best protection against advanced threats through a comprehensive set of innovative cyber security solution.

Members of C3 Alliance include producers of enterprise software, infrastructure and security solutions, including authentication services, security information and event management (SIEM), vulnerability management scanners, and robotic process automation (RPA).

To learn more, see C³ Alliance Program.

Privilege Cloud data center in Frankfurt

We have added a new data center in Frankfurt to meet with the market demand in the EMEA region. The new data center, in addition to our existing data center based in North Virginia, is aimed at extending our global network with Privilege Cloud.

New User Management module

User management capabilities are key for streamlining administration of authorized users in Privilege Cloud. Our new User Management module includes the following capabilities:

  • Create and edit CyberArk users
  • Create groups and assign users to these groups
  • View all users (both LDAP and CyberArk users)
  • Disable a user or activate a suspended user
  • Reset a user’s password

To learn more, see User management.

CyberArk Secure Tunnel HA

CyberArk Secure Tunnel enables LDAP-based authentication from Privilege Cloud to your LDAP server. We now support different high availability configurations to make sure LDAP authentication is always available in case of disaster or unavailability of one or more connector servers.

The following configurations are supported:

  • Secure Tunnel can connect to multiple domain controllers in an Active Directory (AD)
  • Secure Tunnel can connect to multiple AD domains
  • Multiple Secure Tunnels can be deployed in a single network segment or multiple network segments

To learn more, see Deploy Secure Tunnel.

Windows 2019 Server target support

We now support Windows Server 2019 as a managed target system, including:

  • Management of local accounts
  • Management of service accounts (like Windows Services)
  • Discovery of local and service accounts using the AD
  • AD integration is now extended to support AD running on Windows 2019 Server

Connecting to Windows 2019 server targets using the PSM is also supported.

Manual password update

In some cases, a password needs to be changed manually and not automatically. In such cases you can set the password manually from the Account Details page. The password is changed only in the Vault, to match the password already set in the target machine.

To learn more, see Change password.

Performance improvements

The PSM session start-up phase is now 5 times faster.

Support for Firefox browser

The Privilege Cloud portal now supports Firefox browser.


This release introduces several new REST API Web services for easier automation and usage.

We added/updated the following REST API methods:

User Management

Get user details (updated)

Add user(updated)

Update user

Delete user

Create group


Get platforms

Get safes by platform ID


Delete directory mapping

For examples on how to use our REST APIs, access GitHub.