Full Transcript

PAM Administration User Management © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: 1. Describe the difference be...

PAM Administration User Management © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to: 1. Describe the difference between Users and Accounts Agenda 2. Describe the difference between Internal users and groups and Transparent users and groups 3. Describe the roles of predefined users and groups 4. Manage internal users and groups in PrivateArk Client and PVWA 5. Manage Transparent users 6. Describe the difference between Vault authorizations, Safe authorizations, and PVWA permissions 7. Describe how directory mapping works 8. Create custom directory mapping © 2023 CyberArk Software Ltd. All rights reserved User Management Overview Users vs. Accounts Internal Users and Groups vs. Transparent Users and Groups © 2023 CyberArk Software Ltd. All rights reserved Users vs. Accounts Throughout this course we will be using the terms Users and Accounts. It is very important to understand the differences between the two. Users To access passwords People* who have been To manage policies granted access to the system Typically defined by their Domain credentials Accounts Stored in Safes The actual privileged account Examples include domain administrators, local administrators, IDs and passwords root accounts, service accounts and more * Applications and CyberArk components are also users who access accounts © 2023 CyberArk Software Ltd. All rights reserved Users vs. Accounts User Account © 2023 CyberArk Software Ltd. All rights reserved Internal vs. Transparent Users and Groups There are two main categories of users and groups in the system: Users and Groups that are created automatically in the Vault Internal Users and Groups (Built-in). (CyberArk) Users and Groups that are added manually to the Vault. Transparent Users and Users and Groups that are automatically provisioned from an external Groups (LDAP) directory. © 2023 CyberArk Software Ltd. All rights reserved Internal vs. Transparent Transparent users are provisioned automatically in the Vault when they Internal User authenticate via LDAP for the first time. These Users and Groups are marked Internal Group with a white LDAP User or Groups icon. Transparent User If you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists Transparent Group within AD and answers the mapping criteria © 2023 CyberArk Software Ltd. All rights reserved Predefined Users & Groups Predefined users and groups The Master user ⎼ Permissions ⎼ Logging in with Master ⎼ Changing the Master user password © 2023 CyberArk Software Ltd. All rights reserved Predefined Users and Groups The CyberArk Vault automatically creates several users and groups during the installation process. These users are created for administrative tasks and eliminate the need for specific users to be constantly available to carry out administrative chores. Most of these users and groups become owners of every Safe in the Vault, both existing and new, with their authorizations corresponding to the tasks they need to perform. The most important user is the Master user © 2023 CyberArk Software Ltd. All rights reserved Master User The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed. © 2023 CyberArk Software Ltd. All rights reserved Logging in with Master Access only through the PrivateArk Client 3-Factor Authentication: 1. Master user password (defined during installation) 2. Access to the RecPrvKey 3. Access only from the Vault console and one additional IP address (EmergencyStationIP) © 2023 CyberArk Software Ltd. All rights reserved Changing the Master Password To change the Master user password, log in with the Master user and click on User →Set Password © 2023 CyberArk Software Ltd. All rights reserved User Management in PrivateArk Client Managing Users and Groups via PrivateArk Client Adding Users ⎼ Authorized Interfaces ⎼ Authentication ⎼ Vault Authorizations ⎼ Group Membership ⎼ General Tabs © 2023 CyberArk Software Ltd. All rights reserved Managing Users and Groups Using Private Ark Client Users are stored in the Vault database It is recommended that you manage your users with an external LDAP directory, such as Active Directory Users can also be manually created via the PrivateArk Client © 2023 CyberArk Software Ltd. All rights reserved General Tab – Manually Adding a User You can manually add new users through the Private Ark Client interface. © 2023 CyberArk Software Ltd. All rights reserved Authorized Interfaces Select which interfaces this user can log in from. © 2023 CyberArk Software Ltd. All rights reserved Authentication Select the Authentication method for this user. © 2023 CyberArk Software Ltd. All rights reserved Vault Authorizations Configure the Vault authorizations for this user. © 2023 CyberArk Software Ltd. All rights reserved Group Membership Select which Groups you want this user to be a member of. © 2023 CyberArk Software Ltd. All rights reserved Other User Tabs Configure the Business e-mail field for this user to receive e-mail notifications. User Management in PVWA Managing Users and Groups via PVWA ⎼ Create and edit CyberArk Users ⎼ Create groups and assign users ⎼ View all users ( both LDAP and CyberArk ) ⎼ Disable a user or activate a suspended user ⎼ Reset a user’s password © 2023 CyberArk Software Ltd. All rights reserved Managing Users Using PVWA Starting on PAM version 13, we introduced our User Management module in the web portal administration view (PVWA). This view enables you to: Create and Edit CyberArk Users Create Groups and Assign users to them Disable a user or Activate a suspended user Reset a user’s password © 2023 CyberArk Software Ltd. All rights reserved Create New CyberArk Users You can manually add new users through the PVWA interface. © 2023 CyberArk Software Ltd. All rights reserved Edit CyberArk Users You can edit CyberArk users through the PVWA interface. © 2023 CyberArk Software Ltd. All rights reserved Create Groups You can manually create new groups through the PVWA interface. © 2023 CyberArk Software Ltd. All rights reserved Disable and Activate Users You can disable a user or activate a suspended one through the PVWA interface. © 2023 CyberArk Software Ltd. All rights reserved Reset A User’s Password You can reset a user’s password through the PVWA interface. © 2023 CyberArk Software Ltd. All rights reserved Transparent User Management LDAP integration Define Directory Mapping Manage Transparent Users and Groups © 2023 CyberArk Software Ltd. All rights reserved Transparent User Management The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information This enables automatic provisioning and creation of unique users based upon the external group membership and attributes © 2023 CyberArk Software Ltd. All rights reserved LDAP Integration A new Wizard will guide your through this process. The first step is to connect the Vault with an LDAP server (usually Microsoft Active Directory). You will be required to provide the credentials of a bind account to authenticate to LDAP. © 2023 CyberArk Software Ltd. All rights reserved Directory Mapping The second step allows you to define default directory mappings. A Directory Map links an LDAP group with one of the built-in CyberArk groups and determines how user accounts are created in the Vault and the roles they will have. You can edit these directory mappings later or create custom mappings according to your needs. © 2023 CyberArk Software Ltd. All rights reserved User Provisioning Users are provisioned automatically in the Vault the first time they authenticate via LDAP, receiving roles and attributes based on the Directory Mapping that applies to them. LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon. © 2023 CyberArk Software Ltd. All rights reserved User Removal If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD. To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory. A daily process checks which users map to the various queries. © 2023 CyberArk Software Ltd. All rights reserved LDAP Synchronization The parameter AutoSyncExternalObjects in the dbparm.ini file determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory. AutoSyncExternalObjects = Yes, 24, 1,5 Whether or not The hours The number of to sync with the during which the hours in one External sync will take period cycle Directory place © 2023 CyberArk Software Ltd. All rights reserved Authorizations Vault authorizations Safe authorizations PVWA permissions © 2023 CyberArk Software Ltd. All rights reserved Authorizations There are two categories of authorizations in the system: Can be assigned only to users (not groups). Vault Authorizations Cannot be inherited via group membership. Can be defined via the Private Ark Client or PVWA. Assigned to users and/or groups. Safe Authorizations Can be inherited via group membership. Can be defined in the PrivateArk Client or PVWA © 2023 CyberArk Software Ltd. All rights reserved Authorizations Safe Authorizations Vault Authorizations © 2023 CyberArk Software Ltd. All rights reserved Vault Authorizations – Administrator Predefined users are assigned different Vault authorizations based on their role and function. The built-in Administrator user has full Vault authorizations by default. © 2023 CyberArk Software Ltd. All rights reserved Vault Authorizations – Auditor User The built-in Auditor user only has the “Audit Users” Vault authorization by default. © 2023 CyberArk Software Ltd. All rights reserved Vault Authorizations – Backup User The built-in Backup user only has the “Backup all safes” Vault authorization by default. Starting in version 13.x Vault Authorizations can also be configured and viewed from PVWA © 2023 CyberArk Software Ltd. All rights reserved Safe Authorizations Most predefined users and groups are added to all newly created Safes based on their role and function. Users in the Auditors group are automatically added to all Safes with permissions to: ⎼ List accounts ⎼ View Safe members ⎼ View audit log © 2023 CyberArk Software Ltd. All rights reserved Safe Authorizations The list of groups that are added automatically to newly created Safes is controlled by a parameter in the dbparm.ini file. © 2023 CyberArk Software Ltd. All rights reserved PVWA Permissions The tabs and buttons available in the PVWA depend on the logged-in user’s membership in a CyberArk built-in group. Members of Vault Admins have access to the Administration tab. © 2023 CyberArk Software Ltd. All rights reserved PVWA Permissions Members of Auditors have access to the Privileged Sessions tab. © 2023 CyberArk Software Ltd. All rights reserved PVWA Permissions Members of Security Admins and Security Operators have access to the Security pane. © 2023 CyberArk Software Ltd. All rights reserved Directory Mapping What it does Preparing LDAP Pre-defined mappings © 2023 CyberArk Software Ltd. All rights reserved Directory Mapping A Directory Map determines whether a User Account or Group will be created in the Vault and the roles they will have. Active Directory Vault There are two kinds of Directory Map: User Mapping – Vault Authorizations allows for authentication and defines user User Mapping Add user Authorization Add Safe attributes, such as Vault Authorizations Etc… and Location. Group Mapping – Safe Authorizations makes LDAP groups searchable from Group Mapping within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk CyberArk Groups groups. Vault Admins Auditors © 2023 CyberArk Software Ltd. All rights reserved Prepare the Active Directory Environment Request creation of 4 groups in LDAP: CyberArk Auditors CyberArk Safe Managers CyberArk Users CyberArk Vault Admins © 2023 CyberArk Software Ltd. All rights reserved Predefined Directory Mappings The LDAP Integration Wizard is used to map AD groups to the four predefined CyberArk roles: Vault Admins Safe Managers Auditors Users © 2023 CyberArk Software Ltd. All rights reserved Vault Admins Mapping – Vault Authorizations The Vault Admins mapping is applied to any user who is a member of the LDAP group CyberArk Vault Admins LDAP users are provisioned in the Vault with the appropriate authorizations the first time the users log in © 2023 CyberArk Software Ltd. All rights reserved Custom Directory Mapping In addition to the predefined mappings, you can create custom directory mappings via a simplified wizard in the PVWA © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved In this session we covered: The difference between Users and Accounts Summary The difference between Internal users and groups and Transparent users and groups The roles of predefined users and groups How to manage internal users and groups in the PrivateArk Client and PVWA How to manage Transparent users The difference between Vault authorizations, Safe authorizations, and PVWA permissions How directory mapping works How to create custom directory mappings © 2023 CyberArk Software Ltd. All rights reserved Utilities Sample RestAPI Scripts Documentation PAM Documentation Additional Resources You may now complete the following exercise: User Management Know the Players LDAP Integration and Directory Mapping ̶ Review LDAP Integration and pre-defined Directory Mappings ̶ Test the LDAP Integration and Pre-defined Mappings ̶ Configure Custom Directory Mapping ̶ Test Custom Directory Mapping Unsuspend a Suspended User Log In With Master

Use Quizgecko on...
Browser
Browser