02-PAM-ADMIN-User-Management.pdf


Full Transcript

PAM Administration: User Management
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to:
1. Describe the difference between Users and Accounts
2. Describe the difference between Internal users and groups and Transparent users and groups
3. Describe the roles of predefined users and groups
4. Manage internal users and groups in PrivateArk Client and PVWA
5. Manage Transparent users
6. Describe the difference between Vault authorizations, Safe authorizations, and PVWA permissions
7. Describe how directory mapping works
8. Create custom directory mapping

User Management Overview
⎼ Users vs. Accounts
⎼ Internal Users and Groups vs. Transparent Users and Groups

Users vs. Accounts
Throughout this course we will be using the terms Users and Accounts. It is very important to understand the differences between the two.

Users
⎼ People* who have been granted access to the system
⎼ Typically defined by their Domain credentials
⎼ Use the system to access passwords and to manage policies

Accounts
⎼ The actual privileged account IDs and passwords
⎼ Stored in Safes
⎼ Examples include domain administrators, local administrators, root accounts, service accounts and more

* Applications and CyberArk components are also users who access accounts.

Internal vs. Transparent Users and Groups
There are two main categories of users and groups in the system:
⎼ Internal Users and Groups (CyberArk): Users and Groups that are created automatically in the Vault (Built-in), and Users and Groups that are added manually to the Vault.
⎼ Transparent Users and Groups (LDAP): Users and Groups that are automatically provisioned from an external directory.

Internal vs. Transparent Users and Groups (continued)
Transparent users are provisioned automatically in the Vault when they authenticate via LDAP for the first time. These Users and Groups are marked with a white LDAP User or Groups icon.
Icons shown: Internal User, Internal Group, Transparent User, Transparent Group.
If you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists within AD and answers the mapping criteria.

Predefined Users & Groups
⎼ Predefined users and groups
⎼ The Master user
  ⎼ Permissions
  ⎼ Logging in with Master
  ⎼ Changing the Master user password

Predefined Users and Groups
The CyberArk Vault automatically creates several users and groups during the installation process. These users are created for administrative tasks and eliminate the need for specific users to be constantly available to carry out administrative chores. Most of these users and groups become owners of every Safe in the Vault, both existing and new, with their authorizations corresponding to the tasks they need to perform. The most important user is the Master user.

Master User
The Master user is the most powerful user in the system, with full Safe and Vault authorizations that cannot be removed.

Logging in with Master
Access only through the PrivateArk Client.
3-Factor Authentication:
1. Master user password (defined during installation)
2. Access to the RecPrvKey
3. Access only from the Vault console and one additional IP address (EmergencyStationIP)

Changing the Master Password
To change the Master user password, log in with the Master user and click on User → Set Password.
User Management in PrivateArk Client
⎼ Managing Users and Groups via PrivateArk Client
⎼ Adding Users
  ⎼ Authorized Interfaces
  ⎼ Authentication
  ⎼ Vault Authorizations
  ⎼ Group Membership
  ⎼ General Tabs

Managing Users and Groups Using PrivateArk Client
⎼ Users are stored in the Vault database.
⎼ It is recommended that you manage your users with an external LDAP directory, such as Active Directory.
⎼ Users can also be manually created via the PrivateArk Client.

General Tab – Manually Adding a User
You can manually add new users through the PrivateArk Client interface.

Authorized Interfaces
Select which interfaces this user can log in from.

Authentication
Select the Authentication method for this user.

Vault Authorizations
Configure the Vault authorizations for this user.

Group Membership
Select which Groups you want this user to be a member of.

Other User Tabs
Configure the Business e-mail field for this user to receive e-mail notifications.

User Management in PVWA
Managing Users and Groups via PVWA:
⎼ Create and edit CyberArk Users
⎼ Create groups and assign users
⎼ View all users (both LDAP and CyberArk)
⎼ Disable a user or activate a suspended user
⎼ Reset a user’s password

Managing Users Using PVWA
Starting on PAM version 13, we introduced our User Management module in the web portal administration view (PVWA). This view enables you to:
⎼ Create and Edit CyberArk Users
⎼ Create Groups and Assign users to them
⎼ Disable a user or Activate a suspended user
⎼ Reset a user’s password
Create New CyberArk Users
You can manually add new users through the PVWA interface.

Edit CyberArk Users
You can edit CyberArk users through the PVWA interface.

Create Groups
You can manually create new groups through the PVWA interface.

Disable and Activate Users
You can disable a user or activate a suspended one through the PVWA interface.

Reset a User’s Password
You can reset a user’s password through the PVWA interface.

Transparent User Management
⎼ LDAP integration
⎼ Define Directory Mapping
⎼ Manage Transparent Users and Groups

Transparent User Management
The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information. This enables automatic provisioning and creation of unique users based upon the external group membership and attributes.

LDAP Integration
A new Wizard will guide you through this process. The first step is to connect the Vault with an LDAP server (usually Microsoft Active Directory). You will be required to provide the credentials of a bind account to authenticate to LDAP.

Directory Mapping
The second step allows you to define default directory mappings. A Directory Map links an LDAP group with one of the built-in CyberArk groups and determines how user accounts are created in the Vault and the roles they will have. You can edit these directory mappings later or create custom mappings according to your needs.
User Provisioning
Users are provisioned automatically in the Vault the first time they authenticate via LDAP, receiving roles and attributes based on the Directory Mapping that applies to them. LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Groups icon.

User Removal
If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD. To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory. A daily process checks which users map to the various queries.

LDAP Synchronization
The parameter AutoSyncExternalObjects in the dbparm.ini file determines if, how often, and when the Vault’s External users and groups will be synchronized with the External Directory.

AutoSyncExternalObjects = Yes, 24, 1,5
⎼ Yes: whether or not to sync with the External Directory
⎼ 24: the number of hours in one period cycle
⎼ 1,5: the hours during which the sync will take place

Authorizations
⎼ Vault authorizations
⎼ Safe authorizations
⎼ PVWA permissions

Authorizations
There are two categories of authorizations in the system:
⎼ Vault Authorizations: can be assigned only to users (not groups); cannot be inherited via group membership; can be defined via the PrivateArk Client or PVWA.
⎼ Safe Authorizations: assigned to users and/or groups; can be inherited via group membership; can be defined in the PrivateArk Client or PVWA.

Vault Authorizations – Administrator
Predefined users are assigned different Vault authorizations based on their role and function.
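As an added example (not CyberArk's code), the following Python checker parses the AutoSyncExternalObjects line shown on the LDAP Synchronization slide above and points out the settings a reviewer would question. It assumes the field order the slide gives (enable flag, hours per cycle, first and last hour of the sync window), treats the window as an inclusive hour range, and works on a constructed dbparm.ini fragment; the review thresholds are this example's own.

```python
"""Parse and sanity-check the AutoSyncExternalObjects parameter from dbparm.ini."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AutoSyncSettings:
    enabled: bool        # Yes/No: whether to sync with the External Directory at all
    period_hours: int    # number of hours in one period cycle (24 = once a day)
    window_start: int    # first hour (0-23) of the window in which the sync may run
    window_end: int      # last hour (0-23) of that window (inclusive: an assumption)


_LINE = re.compile(r"^\s*AutoSyncExternalObjects\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)


def parse_auto_sync(line: str) -> AutoSyncSettings:
    """Parse one 'AutoSyncExternalObjects = Yes, 24, 1,5' line into its four fields."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an AutoSyncExternalObjects line: {line!r}")
    fields = [f.strip() for f in m.group("value").split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}: {fields}")
    flag, period, start, end = fields
    if flag.lower() not in ("yes", "no"):
        raise ValueError(f"first field must be Yes or No, got {flag!r}")
    period_h, start_h, end_h = int(period), int(start), int(end)
    if period_h <= 0:
        raise ValueError("period must be a positive number of hours")
    if not (0 <= start_h <= 23 and 0 <= end_h <= 23):
        raise ValueError("window hours must be in 0..23")
    if start_h > end_h:
        raise ValueError("window start hour must not be later than window end hour")
    return AutoSyncSettings(flag.lower() == "yes", period_h, start_h, end_h)


def find_auto_sync(dbparm_text: str) -> Optional[AutoSyncSettings]:
    """Locate the parameter in a dbparm.ini body; ';' and '#' lines are treated as comments."""
    for raw in dbparm_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in ";#":
            continue
        if stripped.lower().startswith("autosyncexternalobjects"):
            return parse_auto_sync(stripped)
    return None


def sync_allowed_at(settings: AutoSyncSettings, hour: int) -> bool:
    """True if a sync cycle may start at the given hour of day."""
    return settings.enabled and settings.window_start <= hour <= settings.window_end


def review(settings: Optional[AutoSyncSettings]) -> List[str]:
    """Findings a reviewer would raise about the setting (thresholds are this example's own)."""
    findings: List[str] = []
    if settings is None or not settings.enabled:
        findings.append("LDAP sync disabled: directory changes (removed group members, "
                        "disabled accounts) are not reflected in the Vault automatically")
        return findings
    if settings.period_hours > 24:
        findings.append(f"sync period of {settings.period_hours}h is longer than the daily "
                        "check described in the course; stale memberships persist longer")
    return findings


# Constructed sample dbparm.ini fragment (not a real Vault configuration).
SAMPLE_DBPARM = """\
[MAIN]
; Synchronize external users and groups once a day between 01:00 and 05:00
AutoSyncExternalObjects = Yes, 24, 1,5
"""

if __name__ == "__main__":
    s = find_auto_sync(SAMPLE_DBPARM)
    print(s, "| sync allowed at 03:00:", sync_allowed_at(s, 3), "| findings:", review(s))
```

Run it against a copy of your own dbparm.ini to confirm the parameter is present, enabled and scheduled inside a maintenance window; a disabled or missing value is the setting that lets group removals in AD go unnoticed by the Vault.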
Vault Authorizations – Administrator (continued)
The built-in Administrator user has full Vault authorizations by default.

Vault Authorizations – Auditor User
The built-in Auditor user only has the “Audit Users” Vault authorization by default.

Vault Authorizations – Backup User
The built-in Backup user only has the “Backup all safes” Vault authorization by default.
Starting in version 13.x, Vault Authorizations can also be configured and viewed from PVWA.

Safe Authorizations
Most predefined users and groups are added to all newly created Safes based on their role and function. Users in the Auditors group are automatically added to all Safes with permissions to:
⎼ List accounts
⎼ View Safe members
⎼ View audit log

Safe Authorizations
The list of groups that are added automatically to newly created Safes is controlled by a parameter in the dbparm.ini file.

PVWA Permissions
The tabs and buttons available in the PVWA depend on the logged-in user’s membership in a CyberArk built-in group.
⎼ Members of Vault Admins have access to the Administration tab.
⎼ Members of Auditors have access to the Privileged Sessions tab.
⎼ Members of Security Admins and Security Operators have access to the Security pane.

Directory Mapping
⎼ What it does
⎼ Preparing LDAP
⎼ Pre-defined mappings

Directory Mapping
A Directory Map determines whether a User Account or Group will be created in the Vault and the roles they will have.
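To make the distinction on the Authorizations and PVWA Permissions slides above concrete, here is an added Python model (not CyberArk's code or data) that resolves a user's effective permissions from constructed sample data: Vault authorizations are read only from the user's own entry, Safe authorizations are unioned across nested group membership, and PVWA areas follow built-in group membership. The users, the Safe name and the group nesting are hypothetical; the authorization and tab names are the ones the slides use.

```python
"""Resolve what a user can actually do under the three kinds of permission described
in the course: Vault authorizations (assigned to users only, never inherited), Safe
authorizations (users or groups, inherited through nested groups) and PVWA access
(built-in group membership). All principals and the Safe are constructed sample data."""
from typing import Dict, FrozenSet, List, Set

# principal -> groups it is a direct member of; a group may itself be nested in a group
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"Vault Admins"},
    "bob": {"CyberArk Auditors"},        # transparent (LDAP) group ...
    "CyberArk Auditors": {"Auditors"},   # ... nested in the built-in Auditors group by a group mapping
    "carol": {"Security Operators"},
}

# Vault authorizations are keyed by user. The "Auditors" entry is deliberately wrong
# (it is a group) so that validate_vault_assignments() has something to report.
VAULT_AUTHORIZATIONS: Dict[str, Set[str]] = {
    "alice": {"Audit Users", "Backup all safes"},   # sample subset, not the full Administrator set
    "Auditor": {"Audit Users"},                     # the built-in Auditor user
    "Auditors": {"Audit Users"},                    # invalid: groups cannot hold Vault authorizations
}

# Safe -> member (user or group) -> Safe authorizations on that Safe
SAFE_MEMBERS: Dict[str, Dict[str, Set[str]]] = {
    "Finance-Root": {
        "Auditors": {"List accounts", "View Safe members", "View audit log"},
        "alice": {"List accounts"},
    },
}

# built-in group -> PVWA area it unlocks, as listed on the PVWA Permissions slides
PVWA_ACCESS: Dict[str, str] = {
    "Vault Admins": "Administration tab",
    "Auditors": "Privileged Sessions tab",
    "Security Admins": "Security pane",
    "Security Operators": "Security pane",
}


def expand_groups(principal: str) -> FrozenSet[str]:
    """Every group the principal belongs to, directly or via nesting (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(MEMBERSHIPS.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBERSHIPS.get(group, ()))
    return frozenset(seen)


def vault_authorizations(user: str) -> FrozenSet[str]:
    """Direct assignments only: group membership contributes nothing here."""
    return frozenset(VAULT_AUTHORIZATIONS.get(user, set()))


def validate_vault_assignments() -> List[str]:
    """Names of groups that wrongly appear as Vault-authorization holders."""
    all_groups = {g for members in MEMBERSHIPS.values() for g in members}
    return sorted(p for p in VAULT_AUTHORIZATIONS if p in all_groups)


def safe_authorizations(user: str, safe: str) -> FrozenSet[str]:
    """Union of the user's own Safe membership and that of every group they belong to."""
    members = SAFE_MEMBERS.get(safe, {})
    effective: Set[str] = set(members.get(user, set()))
    for group in expand_groups(user):
        effective |= members.get(group, set())
    return frozenset(effective)


def pvwa_areas(user: str) -> FrozenSet[str]:
    """PVWA tabs and panes the user sees, derived from built-in group membership."""
    return frozenset(PVWA_ACCESS[g] for g in expand_groups(user) if g in PVWA_ACCESS)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, sorted(vault_authorizations(u)),
              sorted(safe_authorizations(u, "Finance-Root")), sorted(pvwa_areas(u)))
    print("invalid Vault-authorization holders:", validate_vault_assignments())
```

The point the model makes is that bob reaches the Finance-Root Safe and the Privileged Sessions tab purely through the mapped LDAP group nested in Auditors, yet holds no Vault authorization at all, because that category never flows through groups.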
Directory Mapping (continued)
There are two kinds of Directory Map:
⎼ User Mapping – Vault Authorizations: allows for authentication and defines user attributes, such as Vault Authorizations and Location.
⎼ Group Mapping – Safe Authorizations: makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted Safe authorizations and to be nested within built-in CyberArk groups.
[Diagram: Active Directory → Vault. User Mapping: add user, add Safe authorization, etc. Group Mapping: CyberArk groups such as Vault Admins and Auditors.]

Prepare the Active Directory Environment
Request creation of 4 groups in LDAP:
⎼ CyberArk Auditors
⎼ CyberArk Safe Managers
⎼ CyberArk Users
⎼ CyberArk Vault Admins

Predefined Directory Mappings
The LDAP Integration Wizard is used to map AD groups to the four predefined CyberArk roles:
⎼ Vault Admins
⎼ Safe Managers
⎼ Auditors
⎼ Users

Vault Admins Mapping – Vault Authorizations
The Vault Admins mapping is applied to any user who is a member of the LDAP group CyberArk Vault Admins. LDAP users are provisioned in the Vault with the appropriate authorizations the first time the users log in.

Custom Directory Mapping
In addition to the predefined mappings, you can create custom directory mappings via a simplified wizard in the PVWA.
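The provisioning and removal behaviour described on the Directory Mapping, User Provisioning and User Removal slides, as an added Python simulation (not CyberArk's implementation): first-login provisioning through a mapping, re-creation after the user is deleted in the Vault, refusal when no mapping applies, and a daily re-check that blocks users dropped from mapped groups or disabled in AD. The "first mapping in list order wins" rule, the sample authorization sets, the blocked flag and the directory contents are assumptions of this example.

```python
"""Simulate how a Directory Map provisions a transparent user on first LDAP login,
how a deleted user is re-created on the next login, and how the daily re-check
handles users that no longer match any mapping. Mapping order ("first match wins"),
the sample authorization sets and the blocked flag are this example's assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class DirectoryMapping:
    name: str
    ldap_group: str                       # LDAP group the mapping matches on
    vault_group: str                      # built-in CyberArk group the user is added to
    vault_authorizations: FrozenSet[str]  # user-mapping attributes granted on provisioning
    location: str = "\\"                  # Vault location the user is created in


@dataclass
class TransparentUser:
    username: str
    mapping: str
    groups: Set[str]
    vault_authorizations: FrozenSet[str]
    location: str
    blocked: bool = False


# The four predefined mappings the LDAP Integration Wizard creates for the AD groups
# requested above; the authorization sets are sample subsets, not the real defaults.
PREDEFINED_MAPPINGS: List[DirectoryMapping] = [
    DirectoryMapping("Vault Admins", "CyberArk Vault Admins", "Vault Admins",
                     frozenset({"Audit Users", "Backup all safes"})),
    DirectoryMapping("Safe Managers", "CyberArk Safe Managers", "Safe Managers", frozenset()),
    DirectoryMapping("Auditors", "CyberArk Auditors", "Auditors", frozenset({"Audit Users"})),
    DirectoryMapping("Users", "CyberArk Users", "Users", frozenset()),
]


def applicable_mapping(ldap_groups: Set[str],
                       mappings: List[DirectoryMapping] = PREDEFINED_MAPPINGS) -> Optional[DirectoryMapping]:
    """First mapping, in list order, whose LDAP group the user is a member of."""
    for mapping in mappings:
        if mapping.ldap_group in ldap_groups:
            return mapping
    return None


class Vault:
    def __init__(self, mappings: List[DirectoryMapping] = PREDEFINED_MAPPINGS):
        self.mappings = mappings
        self.users: Dict[str, TransparentUser] = {}

    def _maps(self, entry: Optional[dict]) -> Optional[DirectoryMapping]:
        if entry is None or entry.get("disabled"):      # deleted or disabled in the directory
            return None
        return applicable_mapping(entry["groups"], self.mappings)

    def ldap_login(self, username: str, directory: Dict[str, dict]) -> Optional[TransparentUser]:
        """LDAP authentication: provision on first login (or after deletion in the Vault)
        when a mapping applies; refuse users that match no mapping."""
        mapping = self._maps(directory.get(username))
        if mapping is None:
            return None
        user = self.users.get(username)
        if user is None:
            user = TransparentUser(username, mapping.name, {mapping.vault_group},
                                   mapping.vault_authorizations, mapping.location)
            self.users[username] = user
        user.blocked = False    # a mapping applies now, so access is (re)granted
        return user

    def delete_user(self, username: str) -> None:
        """Deleting in CyberArk does not block the user: ldap_login re-creates them."""
        self.users.pop(username, None)

    def daily_sync(self, directory: Dict[str, dict]) -> List[str]:
        """Re-check every transparent user against the directory; those that no longer
        map (removed from mapped groups, disabled or deleted in AD) are blocked."""
        blocked: List[str] = []
        for name, user in self.users.items():
            user.blocked = self._maps(directory.get(name)) is None
            if user.blocked:
                blocked.append(name)
        return sorted(blocked)


def sample_directory() -> Dict[str, dict]:
    """Constructed AD contents (hypothetical users); a fresh copy each call so callers can mutate it."""
    return {
        "alice": {"groups": {"CyberArk Vault Admins", "Domain Users"}, "disabled": False},
        "bob": {"groups": {"CyberArk Users"}, "disabled": False},
        "eve": {"groups": {"Domain Users"}, "disabled": False},
    }


if __name__ == "__main__":
    vault, ad = Vault(), sample_directory()
    print(vault.ldap_login("alice", ad))
    ad["alice"]["groups"].discard("CyberArk Vault Admins")
    print("blocked by daily sync:", vault.daily_sync(ad))
```

The simulation shows why the User Removal slide says to remove the person from the mapped LDAP groups or disable them in AD rather than deleting them in CyberArk: deletion in the Vault is undone by the next successful LDAP login, while the mapping check is what actually gates access.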
Summary
In this session we covered:
⎼ The difference between Users and Accounts
⎼ The difference between Internal users and groups and Transparent users and groups
⎼ The roles of predefined users and groups
⎼ How to manage internal users and groups in the PrivateArk Client and PVWA
⎼ How to manage Transparent users
⎼ The difference between Vault authorizations, Safe authorizations, and PVWA permissions
⎼ How directory mapping works
⎼ How to create custom directory mappings

Additional Resources
⎼ Utilities: Sample RestAPI Scripts
⎼ Documentation: PAM Documentation

You may now complete the following exercise: User Management
⎼ Know the Players
⎼ LDAP Integration and Directory Mapping
  ⎼ Review LDAP Integration and pre-defined Directory Mappings
  ⎼ Test the LDAP Integration and Pre-defined Mappings
  ⎼ Configure Custom Directory Mapping
  ⎼ Test Custom Directory Mapping
⎼ Unsuspend a Suspended User
⎼ Log In With Master
