Dual Control

The Dual Control parameters enable you to benefit from the Vault’s dual control mechanism. This means that whenever a user tries to retrieve an account, a request is created and confirmation must be received from authorized users.

Dual control is configured at system level in the Master Policy. For details, see Dual Control.

Configure Dual Control

In the System Configuration page, click Options and display the Dual Control parameters.

In the System Configuration page, click Options > Configurations > Privileged Session Management > Session Settings and value the following parameter to end the PSM session when the Timeframe ends.

Parameter Description


Determines whether to enforce the Timeframe set in the dual control request on the PSM connection.

If the parameter is set to Yes, PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner.

The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value .

Define authorized users

This section describes how to define users who are authorized to confirm requests for access to privileged accounts. It is specifically for Vault administrators who manage Vault users and define the CyberArk workflows.

Set the confirmation requirement

When creating a Safe or changing Safe properties, you can specify that Users who wish to retrieve passwords require confirmation from an authorized Safe Owner.

Create an authorized user

Authorized Users can confirm requests by other users who require access to passwords. When you add a user as an Owner of the Safe, you can give them the ‘Authorize password requests’ authorization, or you can update an existing Safe member’s properties.

Note:  Any changes in the confirmers settings (eg, removing confirmers, changing confirmer levels, etc.) makes all existing requests obsolete. All existing active requests must be deleted and re-created.

Enable a Safe owner to access a Safe without confirmation

Although confirmation is specified in the Safe properties window and therefore applies to all Safe Owners, it is possible to give certain users authorization to access the Safe without requiring confirmation from other Safe Owners.

Confirmation by direct managers

To enforce the advanced Only direct manager can approve password access requests setting, the Vault must be configured to recognize LDAP directories so that it can identify the direct managers of users who create requests.

Direct managers must belong to a group that is defined as a direct manager group. A confirmer who is a direct owner of a Safe cannot confirm requests as a direct manager.
A direct manager who is a member of multiple groups which are owners of the same Safe, cannot confirm requests as a direct manager either.

For details about integrating with LDAP directories, see Configure transparent user management using LDAP.