CyberArk's Privileged Access Manager - Self-Hosted is a full life-cycle solution for managing the most privileged accounts and SSH Keys in the enterprise. It enables organizations to secure, provision, manage, control and monitor all activities associated with all types of privileged identities, such as:

  • Administrator on a Windows server
  • Root on a UNIX server
  • Cisco Enable on a Cisco device
  • Embedded passwords found in applications and scripts


PAM - Self-Hosted includes the following products:

Product name


Enterprise Password Vault (EPV)

Enables organizations to secure, manage, automatically change and log all activities associated with all types of Privileged Passwords and SSH Keys.

Privileged Session Manager (PSM)

Enables organizations to control and monitor privileged accesses to sensitive systems and devices. PSM provides privileged session recording with DVR-like playback and text recording, as well as secure remote access to sensitive systems using privileged single sign-on, and without divulging the used credentials to the end users.

All users can connect securely via PSM to all types of systems and applications through the unified PVWA web portal user interface, in addition to the native methods described below.

Privileged Session Manager for Windows (PSM for Windows) enables users to securely connect through PSM to any remote target with a standard remote desktop client application like mstsc or a connection manager.

Privileged Session Manager for SSH (PSM for SSH) preserves the benefits of PSM, such as isolation, control and monitoring, whilst enabling users to connect transparently to target UNIX systems from their own workstation without interrupting their native workflow. PSM for SSH records all activities that occur during privileged sessions in a compact format in the Vault server, where they can be accessed by authorized auditors. PSM for SSH also provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.

Secrets Manager Credential Providers

Provides an Secrets Manager Credential Providers solution that fully addresses the challenges of hard-coded App2App credentials and encryption keys. The solution eliminates the need to store App2App credentials in applications, scripts or configuration files, and allows these highly-sensitive passwords to be centrally stored, audited and managed within CyberArk’s patented Digital Vault.

On-Demand Privileges Manager (OPM)

Provides a comprehensive solution that empowers IT and enables complete visibility and control of super users and privileged accounts across the enterprise.  Using the OPM, the complete PAM - Self-Hosted solution enables centralized management and auditing from a unified product to all aspects of privileged account management.

Privileged Threat Analytics (PTA)

Since privileged accounts are most often compromised as part of an attack, CyberArk Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the PAM - Self-Hosted platform, as well as accounts that are not yet managed by CyberArk, and looks for indications of abuse or misuse of the CyberArk platform. PTA also looks for attackers who compromise privileged accounts by running sophisticated attacks, such as Golden Ticket.

SSH Key Manager

Addresses the challenges that arise during authentication to target machines with SSH Keys, and helps organizations meet audit requirements by simplifying and automating SSH Keys management. SSH Keys are stored and protected in the Vault under strict policy and access control, similar to that of passwords, and you can determine how users access and use them, by defining access workflows. The SSH Key Manager can periodically rotate the SSH Keys that are stored in the Vault, and make sure the private key protected in the Vault is always synchronized with the public keys spread over target systems.

Solution Benefits

With CyberArk’s PAM - Self-Hosted solution, you can:

Vaulting Technology®

The PAM - Self-Hosted solution architecture is based on CyberArk’s Vaulting Technology® software. CyberArk discovered that by splitting the server interfaces from the storage engine, it can remove many of today’s technology barriers associated with network security. The Vaulting Technology® software creates a Single Data Access Channel, which significantly improves security and makes it possible to build 10 layers of security in a unified solution.

Security Layers

The PAM - Self-Hosted solution ensures the security of your organization's sensitive data using multiple security concepts, some of which are detailed briefly below:

How the Vault Protects your Passwords

Passwords that are stored in the Safe are protected in a variety of ways:

Method Description

The Vault cannot be entered without a password and/or key.

Timing restrictions

You can limit the times during which the Vaults/Safes can be opened (e.g., 8 a.m. to 5 p.m.).

Protected network area You can determine the locations on the network from which your Vault is accessed. This process is called defining a Private Network Area. For instance, an employee at an international company can set a Private Network Area so that the User account is only available from the Boston branch where the user resides.
Access control You can define the level of access to a Safe for other Users. For instance, you can authorize Users to work with files but not to delete them.
Auditing Each time files are accessed for any purpose, the activity is written in the Vault activity log. This enables you to track all file activity and benefit from detailed auditing facilities.
Version control The CyberArk Vault tracks versions of the passwords and files it stores. Every time a password or file is updated, a new version is created. This means that if the most recent version is corrupted, previous versions are still available. In addition, you can undelete passwords and files that have been previously deleted.
Dual control

Users may need to receive permission from other Users in order to open a Safe. For example, before another User can access a Safe they may need to request your permission and request confirmation.

Activity Logs The CyberArk Vault keeps records of all activities that take place inside it. An alert appears each time there is illegal activity in the Vault. For instance, an alert is issued when an attempt is made to logon to the Vault without the correct password.