chapter 2 Flashcards
what is a user?
people or applications that have been granted access to the system in order to access passwords or manage policies. They are defined by their domain credentials.
what are accounts? Where are they stored?
what are some examples?
the actual privileged accounts and their passwords; they are stored in safes. Examples: domain admins, local admins, root accounts, service accounts, etc.
What are internal users and groups in cyberark?
How are they added?
users and groups that are created automatically in the vault, plus users and groups that are added manually to the vault
what are transparent users and groups in LDAP?
- How are they provisioned?
- What color is their icon?
What happens if you delete a transparent user?
users and groups that are automatically provisioned from an external directory.
1. provisioned automatically in the vault when they authenticate via LDAP for the first time
2. these users and groups are marked with a white LDAP user or group icon
3. if you delete a transparent user within CyberArk, it will be automatically re-created upon login if it still exists within AD and matches the mapping criteria
What is the master user?
How is it accessed?
How many factors of authentication?
What are they?
most powerful user, with full safe and vault authorizations that cannot be removed
1. accessed only through the PrivateArk client
2. has three-factor authentication:
a. the Master user password, defined during installation
b. access to the recovery private key (RecPrv.key)
c. access only from the vault console and one additional IP address (the emergency station IP)
How do you change the master password?
log in with the Master user and click User > Set Password
How do you manually add a user?
via the PrivateArk client interface
what are the authorized interfaces available when manually adding a user?
EVD
GUI
HTTPGW
NAPI
PACLI
PIMSU
PVWA
WINCLIENT
XAPI
what can you do in the user management module in the web portal administration view (pvwa)
create and edit cyberark users
create groups and assign users to them
disable a user or activate a suspended user
reset a user’s password
the (blank) communicates with LDAP compliant directory servers to obtain user identification and security information.
What does this enable?
vault
This enables automatic provisioning and creation of unique users based upon the external group membership and attributes
what are the first steps to LDAP integration?
What do you enter in order to connect to an LDAP server?
What kind of account do you need?
1. define the domain using the wizard
2. enter the domain name in order to connect to an LDAP server
3. provide the credentials of a bind account to authenticate to LDAP
what are the second steps to LDAP integration?
What links a LDAP group with one of the built in cyberark groups?
define default directory mappings
a directory map links an LDAP group with one of the built in cyberark groups and determines how user accounts are created in the vault and the roles they will have
you can edit these directory mappings later or create custom mappings according to your needs
users are provisioned (blank) in the vault the first time they authenticate via LDAP, receiving roles and attributes based on the directory mapping that applies to them.
LDAP users and groups that have been created in the vault are with a (blank) LDAP user or groups icon
automatically
white
if you delete a user within cyberark, it will be automatically (blank) upon login if it still exists in AD
to block an LDAP user or group from cyberark, (blank) them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory
a (blank) process checks which users map to the various queries
re-created
remove
daily
the parameter AutoSyncExternalObjects in the (blank) file determines if, how often and when the vault's external users and groups will be synchronized with the external directory
What does the parameter look like?
AutoSyncExternalObjects=yes,24,1,5
Which means:
yes - determines whether or not to sync with the external directory
24 - the number of hours in one sync cycle
1,5 - the hours between which the sync will take place
dbparm.ini
what are the 2 categories of authorizations in the system?
vault and safe
what are vault authorizations?
can be assigned only to users, not groups
cannot be inherited via group membership
can be defined via the private ark client or pvwa
what are safe authorizations?
assigned to users and or groups
can be inherited via group membership
can be defined in the privateark client or pvwa
predefined users are assigned different (blank) authorizations based on their role and functions
the built in (blank) user has full vault authorizations by default
vault
administrator
what authorizations does the built in auditor user have by default?
audit users
what authorizations does the built in backup user have by default?
backup all safes
most predefined users and groups are added to all newly created (blank) based on their role and function
users in the auditors’ group are automatically added to all (blank) with permission to
(blank)
(blank)
(blank)
safes
safes
list accounts
view safe members
view audit log
the list of groups that are added automatically to newly created safes is controlled by a parameter in the (blank)
dbparm.ini file
the tabs and buttons available in the (blank) depend on the logged-in user's membership in a CyberArk built-in group
members of the vault admins have access to the (blank) tab
PVWA
administration