Set up Workforce Password Management
This section describes how to set up Workforce Password Management for users.
Required tasks
Perform the tasks in this section before you test the deployment.
Task | Description | Instructions
---|---|---
Add users to CyberArk Identity. | Add users from the CyberArk Cloud Directory or an external directory server. |
Assign users to roles. | Roles are used to control who can access features and services. Roles are applied to specific policies. All users should be assigned to at least one role. Make sure users have roles that enable them to share non-app secrets and business application credentials. |
Enable Workforce Password Management. | Users can use Workforce Password Management after you enable it. |
Enable Land & Catch. | Land & Catch recognizes when users enter credentials and offers to add the site to their User Portal and store the user's credentials. Credentials are stored in CyberArk Identity or in the PAM - Self-Hosted Vault. |
Deploy the CyberArk Identity Browser Extension. | With the Browser Extension, users can conveniently sign in to applications and use Land & Catch by clicking an icon in their browser toolbar. |
Transfer ownership of shared applications or Secured Items from one user/owner to another. | When a user/owner is removed from CyberArk Identity, all users who shared access to the item can no longer access it. By transferring ownership to a different user, you ensure continued access for users with whom the application or Secured Item was shared. |
Enable email notification for shared items in the Identity Administration portal. | Each time a user shares a Secured Item or application, Workforce Password Management can send the recipient user an email notification. |
Enable TOTP. | A TOTP is a time-based password that is valid for one use and must be used within a limited timeframe. TOTPs can be used to access user-added and admin-added applications. Users can save a TOTP for an application and share it with other users as needed. | Enable time-based one-time passwords (TOTP) for two-factor authentication
Recommended tasks
Perform these tasks after initial deployment testing is completed.
Task | Description | Instructions
---|---|---
Harden your deployment. | Hardening is not required for initial testing but it is important after initial testing is completed. Follow our recommendations to harden your users' endpoints and browsers to ensure that the controls you implement with Workforce Password Management are not circumvented by a malicious actor. These recommendations are the minimal requirements for protecting your CyberArk Identity deployment. You must follow the recommendations in this topic or use equivalent methods (based on your organization's relevant expertise) to secure your deployment. |
Restrict application access. | Restrict access to applications by defining application challenge rules for user-added applications, or based on the application URL, application domain, or user domain (email). |
Integrate CyberArk Identity with PAM - Self-Hosted Vault. | Integrate your CyberArk Identity tenant with your PAM - Self-Hosted Vault so you can store Secured Items (notes and passwords) and application credentials in the self-hosted Vault. | Store Secured Items and business application credentials in Privileged Access Manager - Self-Hosted
Create custom reports to capture CyberArk Identity shared application events. | Reports can capture an audit history for: |