chapter 2 Flashcards

(28 cards)

1
Q

people, or applications or cyberark components, that have been granted access to the system in order to access passwords, manage policies. they are defined by their domain credentials

A

user

difference between users and accounts

2
Q

these are the actual privileged accounts and passwords; they are stored in safes. ex: domain admins, local admins, root accounts and service accounts, etc.

A

accounts

difference between users and accounts

3
Q

What are internal users and groups in cyberark?
How are they added?

A

users and groups that are created automatically in the vault (built-in), and users and groups that are added manually to the vault

4
Q

users and groups that are automatically provisioned from an external directory.

  1. provisioned automatically in the vault when they authenticate via ldap for the first time
  2. these users and groups are marked with a white LDAP users or groups icon
  3. if you delete a transparent user within cyberark, it will be automatically re-created upon login if it still exists within AD and answers the mapping criteria
A

what are transparent users and groups in LDAP?

  1. How are they provisioned?
  2. What color is their icon?
  3. What happens if you delete a transparent user?

5
Q

predefined users and groups

the most powerful user, with full safe and vault authorizations that cannot be removed
  1. accessed only through the private ark client
  2. has 3 factor authentication
    a. password, defined during installation
    b. access to the recovery private key, recprvkey
    c. access only from the vault console and one additional ip address (emergency station IP)

A

master account

6
Q

How do you change the master password?

A

log in with the master user and click on user > set password

7
Q

managing users and groups using private ark client

  • users are stored in the vault database
  • it is recommended that you manage your users with an external ldap directory, such as active directory
  • users can also be manually created via the private ark client

How do you manually add?

A

private ark client interface

8
Q

manage users using pvwa

what can you do in the user management module in the web portal administration view (pvwa)?

A

create and edit cyberark users
create groups and assign users to them
disable a user or activate a suspended user
reset a user’s password

9
Q

transparent user management

the (blank) communicates with LDAP compliant directory servers to obtain user identification and security information.

This enables automatic provisioning and creation of unique users based upon the external group membership and attributes

A

vault

10
Q

LDAP integration

The first steps to LDAP integration?

  1. use the wizard to guide you: define the domain using the wizard - enter the domain name
  2. select domain controllers - connect the vault with a ldap server, usually AD
  3. create directory mapping using the credentials of a bind account to authenticate to ldap
    a directory map links an ldap group with one of the built-in cyberark groups and determines how user accounts are created in the vault and the roles they will have

(blank)

A
11
Q

users are provisioned (how) in the vault the first time they authenticate via LDAP, receiving roles and attributes based on the directory mapping that applies to them.

LDAP users and groups that have been created in the vault are marked with a (color) LDAP user or groups icon

A

automatically

white

12
Q

if you delete a user within cyberark, it will be automatically (re-what) upon login if it still exists in AD

to block an LDAP user or group from cyberark, (do this) them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory

a (frequency) process checks which users map to the various queries

A

re-created

remove

daily

13
Q

the parameter AutoSyncExternalObjects in the (something.ini) file determines if, how often and when the vault’s external users and groups will be synchronized with the external directory

What does the parameter look like?

AutoSyncExternalObjects = yes, 24, 1,5

Which means

yes - determines whether or not to sync with the external directory

24 - the number of hours in one period cycle

1,5 - the hours during which the sync will take place

A

dbparm.ini

14
Q

what are the 2 categories of authorizations in the system?

A

vault - can be assigned only to users (not groups), cannot be inherited via group membership, can be defined via the private ark client or PVWA

safe - assigned to users and/or groups, can be inherited via group membership, can be defined in the private ark client or PVWA

15
Q

predefined users are assigned different (system) authorizations based on their role and functions

the built in (blank) user has full vault authorizations by default

A

vault

administrator

16
Q

what authorizations does the built in auditor user have by default?

17
Q

what authorizations does the built in backup user have by default?

A

backup all safes

18
Q

safe authorizations

most predefined users and groups are added to all newly created (s*****) based on their role and function

users in the auditors’ group are automatically added to all (s*****) with permission to
-list accounts
-view safe members
-view audit log

19
Q

you can modify the list of groups that are added automatically to newly created safes; it is controlled by a parameter in the (*.ini)

A

dbparm.ini file

20
Q

the tabs and buttons available in the (blank) depend on the logged in user's membership in a cyberark built in group

members of the vault admins have access to the (blank) tab

A

PVWA

administration

21
Q

PVWA permissions

what tab do members of auditors have?

A

privileged sessions - monitoring and monitor (classic UI)

22
Q

PVWA Permissions

what tab do members of security admins and security operators have access to?

A

security pane - security events and security configuration

23
Q

a directory map determines whether a user account or group will be created in a vault and the roles they will have, what are the 2 kinds of directory maps?

A

user mapping - allows for authentication and defines user attributes, such as vault authorizations and location

group mapping - makes LDAP groups searchable from within cyberark, allowing mapped groups to be granted safe authorizations and to be nested within built in cyberark groups

24
Q

what groups need to be created in LDAP for cyberark to work?

A

cyberark auditors
cyberark safe managers
cyberark users
cyberark vault admins

25
Q

the LDAP integration wizard is used to map what four AD groups to the four predefined cyberark roles?

A

vault admins
safe managers
auditors
users

26
Q

the (group) mapping is applied to any user who is a member of the LDAP group cyberark vault admins

LDAP users are provisioned in the vault with the appropriate authorizations the first time the users log in

A

vault admins

27
Q

in addition to the predefined mappings, you can create (type) directory mappings via a simplified wizard on the (system)

A

custom

PVWA

28
Q

PVWA permissions

the tabs and buttons available in the pvwa depend on the logged in user's membership in a cyberark built in group

members of the (group) have access to the administration tab

A

vault admins