test questions Flashcards by lindy chaffee

What do you need on the Vault to support LDAP over SSL?

A. CA Certificate(s) used to sign the External Directory certificate
B. RECPRV.key
C. a private key for the external directory
D. self-signed Certificate(s) for the Vault

How well did you know this?

Not at all

Perfectly

You are troubleshooting a PVWA slow response.
Which log files should you analyze first? (Choose two.)

A. ITALog.log
B. web.config
C. CyberArk.WebApplication.log
D. CyberArk.WebConsole.log

C D

How well did you know this?

Not at all

Perfectly

What is the easiest way to duplicate an existing platform?

A. From PrivateArk, copy/paste the appropriate Policy.ini file; then rename it.
B. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.
C. From PrivateArk, copy/paste the appropriate settings in PVConfiguration.xml; then update the policyName variable.
D. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform, manually update the platform settings and click “Save as” INSTEAD of save to duplicate and rename the platform.

How well did you know this?

Not at all

Perfectly

Match each key to its recommended storage location.

Recovery private key
Recovery public key
server key
SSH keys

a. Store in physical safe
b. Store in hardware security module
c. Store on the vault server disk drive
d. store in the vault

Recovery Private Key: Store in a Physical Safe

Recovery Public Key: Store on the Vault Server Disk Drive

Server Key: Store in a Hardware Security Module

SSH Keys: Store in the Vault.

How well did you know this?

Not at all

Perfectly

If a user is a member of more than one group that has authorizations on a safe, by default that user is granted____________________.

A. the vault will not allow this situation to occur.
B. only those permissions that exist on the group added to the safe first.
C. only those permissions that exist in all groups to which the user belongs.
D. the cumulative permissions of all the groups to which that user belongs.

B. only those permissions that exist on the group added to the safe first.

How well did you know this?

Not at all

Perfectly

It is possible to control the hours of the day during which a user may log into the vault.

A. TRUE
B. FALSE

True

How well did you know this?

Not at all

Perfectly

VAULT authorizations may be granted to ____________________. (Choose all that apply.)

A. Vault Users
B. Vault Groups
C. LDAP Users
D. LDAP Groups

C. LDAP Users

How well did you know this?

Not at all

Perfectly

What is the purpose of the Interval setting in a CPM policy?

A. To control how often the CPM looks for System Initiated CPM work.
B. To control how often the CPM looks for User Initiated CPM work.
C. To control how long the CPM rests between password changes.
D. To control the maximum amount of time the CPM will wait for a password change to complete.

A. To control how often the CPM looks for System Initiated CPM work.

How well did you know this?

Not at all

Perfectly

All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group
UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group
OperationsStaff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of OperationsManagers. The members of OperationsManagers never need to be able to use the show, copy or connect buttons themselves.
Which safe permissions do you need to grant to OperationsStaff? (Choose all that apply.)

A. Use Accounts
B. Retrieve Accounts
C. List Accounts
D. Authorize Password Requests
E. Access Safe without Authorization

A. Use Accounts

How well did you know this?

Not at all

Perfectly

What is the purpose of the Immediate Interval setting in a CPM policy?

C. To control how long the CPM rests between password changes.

How well did you know this?

Not at all

Perfectly

Which utilities could you use to change debugging levels on the vault without having to restart the vault? (Choose all that apply.)

A. PAR Agent
B. PrivateArk Server Central Administration
C. Edit DBParm.ini in a text editor.
D. Setup.exe

A. PAR Agent

How well did you know this?

Not at all

Perfectly

A Logon Account can be specified in the Master Policy.

A. TRUE
B. FALSE

B. FALSE

How well did you know this?

Not at all

Perfectly

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval?

A. Create an exception to the Master Policy to exclude the group from the workflow process.
B. Edit the master policy rule and modify the advanced ‘Access safe without approval’ rule to include the group.
C. On the safe in which the account is stored grant the group the ‘Access safe without audit’ authorization.
D. On the safe in which the account is stored grant the group the ‘Access safe without confirmation’ authorization.

A. Create an exception to the Master Policy to exclude the group from the workflow process.

How well did you know this?

Not at all

Perfectly

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

A. TRUE
B. FALSE

B. FALSE

How well did you know this?

Not at all

Perfectly

Which report provides a list of accounts stored in the vault?

A. Privileged Accounts Inventory
B. Privileged Accounts Compliance Status
C. Entitlement Report
D. Activity Log

A. Privileged Accounts Inventory

How well did you know this?

Not at all

Perfectly

When on-boarding account using Accounts Feed, which of the following is true?

A. You must specify an existing Safe where the account will be stored when it is on-boarded to the Vault.
B. You can specify the name of a new safe that will be created where the account will be stored when it is on-boarded to the Vault.
C. You can specify the name of a new Platform that will be created and associated with the account.
D. Any account that is on-boarded can be automatically reconciled regardless of the platform it is associated with.

C. You can specify the name of a new Platform that will be created and associated with the account.

How well did you know this?

Not at all

Perfectly

Target account platforms can be restricted to accounts that are stored in specific Safes using the AllowedSafes property.

A. TRUE
B. FALSE

B. FALSE

How well did you know this?

Not at all

Perfectly

Which one of the following reports is NOT generated by using the PVWA?

A. Account Inventory
B. Application Inventory
C. Safes List
D. Compliance Status

C. Safes List

How well did you know this?

Not at all

Perfectly

PSM captures a record of each command that was executed in Unix.

A. TRUE
B. FALSE

A. TRUE

How well did you know this?

Not at all

Perfectly

Platform settings are applied to______________.

A. The entire vault.
B. Network Areas
C. Safes
D. Individual Accounts

C. Safes

How well did you know this?

Not at all

Perfectly

Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.

A. TRUE
B. FALSE

B. FALSE

How well did you know this?

Not at all

Perfectly

What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?

A. MinValidityPeriod
B. Interval
C. ImmediateInterval
D. Timeout

D. Timeout

How well did you know this?

Not at all

Perfectly

It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

A. TRUE
B. FALSE

A. TRUE

How well did you know this?

Not at all

Perfectly

Which of the following files must be created or configured in order to run Password Upload Utility? (Choose all that apply.)

A. PACli.ini
B. Vault.ini
C. conf.ini
D. A comma delimited upload file

C. conf.ini

How well did you know this?

Not at all

Perfectly

Users can be restricted through certain CyberArk interfaces (e.g. PVWA or PACLI). A. TRUE B. FALSE

A. TRUE

What is the purpose of the HeadStartInterval setting in a platform? A. It determines how far in advance audit data is collected for reports. B. It instructs the CPM to initiate the password change process X number of days before expiration. C. It instructs the AIM Provider to 'skip the cache' during the defined time period. D. It alerts users of upcoming password changes x number of days before expiration.

B. It instructs the CPM to initiate the password change process X number of days before expiration.

It is possible to restrict the time of day, or day of week that a reconcile process can occur. A. TRUE B. FALSE

B. FALSE

Which of the following options is not set in the Master Policy? A. Password Expiration Time B. Enabling and Disabling of the Connection Through the PSM C. Password Complexity D. The use of 'One-Time-Passwords'

C. Password Complexity

The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability). A. TRUE B. FALSE

A. TRUE

The System safe allows access to the Vault configuration files. A. TRUE B. FALSE

B. FALSE

You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root account's password the CPM will A. Log in to the system as root, then change root's password. B. Log in to the system as the logon account, then change root's password C. Log in to the system as the logon account, run the su command to log in as root, and then change root's password. D. None of these.

A. Log in to the system as root, then change root's password.

It is possible to restrict the time of day, or day of week that a verify process can occur. A. TRUE B. FALSE

B. FALSE

Which of the Following can be configured in the Master Policy? (Choose all that apply.) A. Dual Control B. One Time Passwords C. Exclusive Passwords D. Password Reconciliation E. Ticketing Integration F. Required Properties G. Custom Connection Components H. Password Aging Rules

A. Dual Control B. One Time Passwords D. Password Reconciliation H. Password Aging Rules

If a password is changed manually on a server, bypassing the CPM, how would you configure the account so that the CPM could resume management automatically? A. Configure the Provider to change the password to match the Vault's Password B. Associate a reconcile account and configure the platform to reconcile automatically. C. Associate a logon account and configure the platform to reconcile automatically. D. Run the correct auto detection process to rediscover the password.

B. Associate a reconcile account and configure the platform to reconcile automatically.

What is the maximum number of levels of authorizations you can set up in Dual Control? A. 1 B. 2 C. 3 D. 4

B. 2

As long as you are a member of the Vault Admins group you can grant any permission on any safe. A. TRUE B. FALSE

B. FALSE

In accordance with best practice, SSH access is denied for root accounts on UNIXLINUX system. What is the BEST way to allow CPM to manage root accounts? A. Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account of the target server's root account. B. Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server's root account. C. Configure the Unix system to allow SSH logins. D. Configure the CPM to allow SSH logins.

B. Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server's root account.

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply.) A. The PSM software must be installed on the target server. B. PSM must be enabled in the Master Policy (either directly, or through exception). C. PSMConnect must be added as a local user on the target server. D. RDP must be enabled on the target server.

C. PSMConnect must be added as a local user on the target server.

The Password upload utility can be used to create safes. A. TRUE B. FALSE

A. TRUE

Which CyberArk components products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? (Choose all that apply.) A. Discovery and Audit (DNA) B. Auto Detection (AD) C. Export Vault Data (EVD) D. On Demand Privileges manager (OPM) E. Accounts Discovery

A. Discovery and Audit (DNA) E. Accounts Discovery

A Reconcile Account can be specified in the Master Policy. A. TRUE B. FALSE

B. FALSE

In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault? A. True. B. False. Because the user can also enter credentials manually using Secure Connect. C. False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSMConnect. D. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

B. False. Because the user can also enter credentials manually using Secure Connect.

SAFE Authorizations may be granted to _________________. (Choose all that apply.) A. Vault Users B. Vault Groups C. LDAP Users D. LDAP Groups

A. Vault Users

Secure Connect provides the following features. (Choose all that apply.) A. PSM connections to target devices that are not managed by CyberArk. B. Session Recording. C. real-time live session monitoring. D. PSM connections from a terminal without the need to login to the PVWA.

A. PSM connections to target devices that are not managed by CyberArk. B. Session Recording. C. real-time live session monitoring.

Which onboarding method would you use to integrate CyberArk with your accounts provisioning process? A. Accounts Discovery B. Auto Detection C. Onboarding RestAPI functions D. PTA Rules

B. Auto Detection

What is the purpose of a linked account? A. To ensure that a particular collection of accounts all have the same password. B. To ensure a particular set of accounts all change at the same time. C. To connect the CPNI to a target system. D. To allow more than one account to work together as part of a password management process.

D. To allow more than one account to work together as part of a password management process.

Which of the following PTA detections are included in the Core PAS offering? A. Suspected Credential Theft B. Over-Pass-The Hash C. Golden Ticket D. Unmanaged Privileged Access

D. Unmanaged Privileged Access

One can create exceptions to the Master Policy based on ____________________. A. Safes B. Platforms C. Policies D. Accounts

D. Accounts

The vault supports Role Based Access Control. A. TRUE B. FALSE

B. FALSE

Due to corporate storage constraints, you have been asked to disable session monitoring and recording for 500 testing accounts used for your lab environment. How do you accomplish this? A. Master Policy>select Session Management>add Exceptions to the platform(s)>disable Session Monitoring and Recording policies B. Administration>Platform Management>select the platform(s)>disable Session Monitoring and Recording C. Polices>Access Control (Safes)>select the safe(s)>disable Session Monitoring and Recording policies D. Administration>Configuration Options>Options>select Privilege Session Management>disable Session Monitoring and Recording policies

B. Administration>Platform Management>select the platform(s)>disable Session Monitoring and Recording

A user requested access to view a password secured by dual-control and is unsure who to contact to expedite the approval process. The Vault Admin has been asked to look at the account and identify who can approve their request. What is the correct location to identify users or groups who can approve? A. PVWA > Administration > Platform Configuration > Edit Platform > UI & Workflow > Dual Control > Approvers B. PVWA > Policies > Access Control (Safes) > Select the safe > Safe Members > Workflow > Authorize Password Requests C. PVWA > Account List > Edit > Show Advanced Settings > Dual Control > Direct Managers D. PrivateArk > Admin Tools > Users and Groups > Auditors (Group Membership)

B. PVWA > Policies > Access Control (Safes) > Select the safe > Safe Members > Workflow > Authorize Password Requests

What must you specify when configuring a discovery scan for UNIX? (Choose two.) A. Vault Administrator B. CPM Scanner C. root password for each machine D. list of machines to scan E. safe for discovered accounts

C. root password for each machine D. list of machines to scan

To change the safe where recordings are kept for a specific platform, which setting must you update in the platform configuration? A. SessionRecorderSafe B. SessionSafe C. RecordingsPath D. RecordingLocation

C. RecordingsPath

Which processes reduce the risk of credential theft? (Choose two.) A. require dual control password access approval B. require password change every X days C. enforce check-in/check-out exclusive access D. enforce one-time password access

A. require dual control password access approval B. require password change every X days

You are onboarding 5,000 UNIX root accounts for rotation by the CPM. You discover that the CPM is unable to log in directly with the root account and will need to use a secondary account. How can this be configured to allow for password management using least privilege? A. Configure each CPM to use the correct logon account. B. Configure each CPM to use the correct reconcile account. C. Configure the UNIX platform to use the correct logon account. D. Configure the UNIX platform to use the correct reconcile account.

D. Configure the UNIX platform to use the correct reconcile account.

ADR Vault became active due to a failure of the primary Vault. Service on the primary Vault has now been restored. Arrange the steps to return the DR vault to its normal standby mode in the correct sequence. start the privateark disaster recover service In the PADR.ini file, set failover mode = no and remove the last two lines Shutdown the privateark server service on the DR vault

1. Shut down the PrivateArk Server Service on the DR Vault. 2. In the PADR.ini file, set Failover Mode = No and remove the last two lines. 3. Start the PrivateArk Disaster Recovery Service.

Which methods can you use to add a user directly to the Vault Admin Group? (Choose three.) A. REST API B. PrivateArk Client C. PACLI D. PVWA E. Active Directory F. Sailpoint

A. REST API B. PrivateArk Client E. Active Directory

Which Automatic Remediation is configurable for a PTA detection of a "Suspected Credential Theft"? A. Add to Pending B. Rotate Credentials C. Reconcile Credentials D. Disable Account

B. Rotate Credentials

Which item is an option for PSM recording customization? A. Windows events text recorder with automatic play-back B. Windows events text recorder and universal keystrokes recording simultaneously C. Universal keystrokes text recorder with windows events text recorder disabled D. Custom audio recording for windows events

B. Windows events text recorder and universal keystrokes recording simultaneously

match the built-in vault user with the correct definition this user appears on the highest level of the user hierarchy and has all the possible permissions. as such, it can create and manage other users on any level on the users' hierarchy this user appears at the top of the user hierarchy, enabling it to view all the users and accounts in the safes. the user can produce reports of safe activities and user activities, which enables it to keep track of activity in the safe and user requirements this user is an internal user that cannot be logged onto and carries out internal tasks, such as automatically clearing expired user and safe history this user has all available safe member authorizations except for authorize password requests. this user has complete system control, manages a full recover when necessary and cannot be removed from any safe auditor administrator batch master

administrator = this user appears on the highest level of the user hierarchy and has all the possible permissions. as such, it can create and manage others on any level on the users' hierarchy auditor = this user has all available safe member authorizations except for authorize password requests. this user has complete system control, manages a full recover when necessary and cannot be removed from any safe batch = this user appears on the highest level of the user hierarchy and has all the possible permissions. as such, it can create and manage other users on any level on the users' hierarchy master = this user is an internal user that cannot be logged onto and carries out internal tasks, such as automatically clearing expired user and safe history

You want to create a new onboarding rule. Where do you accomplish this? A. In PVWA, click Reports > Unmanaged Accounts > Rules B. In PVWA, click Options > Platform Management > Onboarding Rules C. In PrivateArk, click Tools > Onboarding Rules D. In PVWA, click Accounts > Onboarding Rules

B. In PVWA, click Options > Platform Management > Onboarding Rules

What does the Export Vault Data (EVD) utility do? A. exports data from the Vault to TXT or CSV files, or to MSSQL databases B. generates a backup file that can be used as a cold backup C. exports all passwords and imports them into another instance of CyberArk D. keeps two active vaults in sync

A. exports data from the Vault to TXT or CSV files, or to MSSQL databases

When are external vault users and groups synchronized by default? A. They are synchronized once every 24 hours between 1 AM and 5 AM. B. They are synchronized once every 24 hours between 7 PM and 12 AM. C. They are synchronized every 2 hours. D. They are not synchronized according to a specific schedule.

D. They are not synchronized according to a specific schedule.

You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM. Which safe permissions must you grant to the group? (Choose two.) A. List Accounts B. Use Accounts C. Access Safe without Confirmation D. Retrieve Files E. Confirm Request

B. Use Accounts D. Retrieve Files

During a High Availability node switch you notice an error and the Cluster Vault Manager Utility fails back to the original node. Which log files should you check to investigate the cause of the issue? (Choose three.) A. CyberArk Webconsole.log B. VaultDB.log C. PM_Error.log D. ITALog.log E. ClusterVault.console.log F. logiccontainer.log

B. VaultDB.log C. PM_Error.log E. ClusterVault.console.log

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.) A. OS Username B. Current machine IP C. Current machine hostname D. Operating System Type (Linux/Windows/HP-UX) E. Vault IP Address F. Time Frame

A. OS Username D. Operating System Type (Linux/Windows/HP-UX) E. Vault IP Address

Where can a user with the appropriate permissions generate a report? (Choose two.) A. PVWA > Reports B. PrivateArk Client C. Cluster Vault Manager D. PrivateArk Server Monitor E. PARClient

A. PVWA > Reports E. PARClient

Users are unable to launch Web Type Connection components from the PSM server. Your manager asked you to open the case with CyberArk Support. Which logs will be most useful for the CyberArk Support Team to debug the issue? (Choose three.) A. PSMConsole.log B. PSMDebug.log C. PSMTrace.log D. .Component.log E. PMconsole.log F. ITALog.log

A. PSMConsole.log B. PSMDebug.log D. .Component.log

You have been asked to identify the up or down status of Vault Services. Which CyberArk utility can you use to accomplish this task? A. PrivateArk Central Administration Console B. PAS Reporter C. PrivateArk Remote Control Agent D. Syslog

B. PAS Reporter

A new colleague created a directory mapping between the Active Directory groups and the Vault. Where can the newly Configured directory mapping be tested? A. Connect to the Active Directory and ensure the organizational unit exists. B. Connect to Sailpoint (or similar tool) to ensure the organizational unit is correctly named; log in to the PVWA with "Administrator" and confirm authentication succeeds. C. Search for members that exist only in the mapping group to grant them safe permissions through the PVWA. D. Connect to the PrivateArk Client with the Administrator Account to see if there is a user in the Vault Admin Group.

C. Search for members that exist only in the mapping group to grant them safe permissions through the PVWA.

A user needs to view recorded sessions through the PVWA. Without giving auditor access, which safes does a user need access to view PSM recordings? (Choose two.) A. Recordings safe B. Safe the account is in C. System safe D. PVWAConfiguration safe E. VaultInternal safe

A. Recordings safe B. Safe the account is in

Which file must be edited on the Vault to configure it to send data to PTA? A. dbparm.ini B. PARAgent.ini C. my.ini D. padr.ini

B. PARAgent.ini

You want to build a connector that connects to a website through the Web applications for PSM framework. Which default connector do you duplicate and modify? A. PSM-ChromeSample B. PSM-WebForm C. PSM-WebApp D. PSM-WebAppSample

C. PSM-WebApp

A new HTML5 Gateway has been deployed in your organization. From the PVWA, arrange the steps to configure a PSM host to use the HTML5 Gateway in the correct sequence. administration> options privileged session management configured PSM servers and select existing PSM host connection details add PSM gateway

Privileged Session Management -> Configured PSM Servers and select existing PSM host -> Connection Details -> Add PSM gateway -> Administration>Options

When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change? A. Set the parameter RCAllowManualReconciliation to Yes. B. Set the parameter ChangePasswordinResetMade to Yes. C. Set the parameter IgnoreReconcileOnMissingAccount to No. D. Set the UnlockUserOnReconcile to Yes.

D. Set the UnlockUserOnReconcile to Yes.

In a default CyberArk installation, which group must a user be a member of to view the "reports" page in PVWA? A. PVWAMonitor B. ReportUsers C. PVWAReports D. Operators

C. PVWAReports

Your organization requires all passwords be rotated every 90 days. Where can you set this requirement? A. Master Policy B. Safe Templates C. PVWAConfig.xml D. Platform Configuration

A. Master Policy

According to CyberArk, which issues most commonly cause installed components to display as disconnected in the System Health Dashboard? (Choose two.) A. network instabilities/outages B. vault license expiry C. credential de-sync D. browser compatibility issues E. installed location file corruption

A. network instabilities/outages B. vault license expiry

Where can reconcile and/or logon accounts be linked to an account? (Choose two.) A. account settings B. platform settings C. master policy D. safe settings E. service account settings

A. account settings E. service account settings

You are running a "Privileged Accounts Inventory" Report through the Reports page in PVWA on a specific safe. To show complete account inventory information, which permission/s are needed on that safe? A. List Accounts, View Safe Members B. Manage Safe Owners C. List Accounts, Access Safe without confirmation D. Manage Safe, View Audit

A. List Accounts, View Safe Members

Which dependent accounts does the CPM support out-of-the-box? (Choose three.) A. Solaris Configuration file B. Windows Services C. Windows Scheduled Tasks D. Windows DCOM Applications E. Windows Registry F. Key Tab file

C. Windows Scheduled Tasks E. Windows Registry F. Key Tab file

A password compliance audit found: 1) One-time password access of 20 domain accounts that are members of Domain Admins group in Active Directory are not being enforced. 2) All the sessions of connecting to domain controllers are not being recorded by CyberArk PSM. What should you do to address these findings? A. Edit the Master Policy and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". B. Edit safe properties and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". C. Edit CPM Settings and add two policy exceptions: enable "Enforce one-time password access", enable "Record and save session activity". D. Contact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable "Enforce one-time password access", enable "Record and save session activity".

D. Contact the Windows Administrators and request them to add two policy exceptions at Active Directory Level: enable "Enforce one-time password access", enable "Record and save session activity".

If PTA is integrated with a supported SIEM solution, which detection becomes available? A. unmanaged privileged account B. privileged access to the Vault during irregular days C. riskySPN D. exposed credentials

C. riskySPN

Which change could CyberArk make to the REST API that could cause existing scripts to fail? A. adding optional parameters in the request B. adding additional REST methods C. removing parameters D. returning additional values in the response

C. removing parameters

You created a new platform by duplicating the out-of-box Linux through the SSH platform. Without any change, which Text Recorder Type(s) will the new platform support? (Choose two.) A. SSH Text Recorder B. Universal Keystrokes Text Recorder C. Events Text Recorder D. SQL Text Recorder E. Telnet Commands Text Recorder

A. SSH Text Recorder B. Universal Keystrokes Text Recorder

You are creating a Dual Control workflow for a team's safe. Which safe permissions must you grant to the Approvers group? A. List accounts, Authorize account request B. Retrieve accounts, Access Safe without confirmation C. Retrieve accounts, Authorize account request D. List accounts, Unlock accounts

C. Retrieve accounts, Authorize account request

In addition to add accounts and update account contents, which additional permission on the safe is required to add a single account? A. Upload Accounts Properties B. Rename Accounts C. Update Account Properties D. Manage Safe

C. Update Account Properties

You want to give a newly-created group rights to review security events under the Security pane. You also want to be able to update the status of these events. Where must you update the group to allow this? A. in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA B. in the PTAAuthorizationGroups parameter, found in Administration > Options > General C. in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options D. in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General

C. in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options

What is required to manage loosely connected devices? A. PSM for SSH B. EPM C. PSM D. PTA

B. EPM

Your organization has a requirement to allow only one user to "check out passwords" and connect through the PSM securely. What needs to be configured in the Master policy to ensure this will happen? A. Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active B. Enforce check-in/check-out exclusive access = inactive; Require privileged session monitoring and isolation = inactive C. Enforce check-in/check-out exclusive access = inactive; Record and save session activity = active D. Enforce check-in/check-out exclusive access = active; Record and save session activity = inactive

A. Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active

When should vault keys be rotated? A. when it is copied to file systems outside the vault B. annually C. whenever a CyberArk user leaves the organization D. when migrating to a new data center

B. annually

Where can PTA be configured to send alerts? (Choose two.) A. SIEM B. Email C. Google Analytics D. EVD E. PAReplicate

A. SIEM B. Email

In your organization the "click to connect" button is not active by default. How can this feature be activated? A. Policies > Master Policy > Allow EPV transparent connections > Inactive B. Policies > Master Policy > Session Management > Require privileged session monitoring and isolation > Add Exception C. Policies > Master Policy > Allow EPV transparent connections > Active D. Policies > Master Policy > Password Management

C. Policies > Master Policy > Allow EPV transparent connections > Active

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.) A. Address B. Safe C. Account Description D. Platform E. CPM

A. Address D. Platform

Match each permission to where it can be found. add accounts initiate CPM account management operations add/update users add safes --------------------------------------- vault safe

add accounts = vault initiate CPM account management operations = vault add/update users = safe add safes = safe

Which accounts can be selected for use in the Windows discovery process? (Choose two.) A. an account stored in the Vault B. an account specified by the user C. the Vault Administrator D. any user with Auditor membership E. the PasswordManager user

B. an account specified by the user D. any user with Auditor membership

You are concerned about the Windows Domain password changes occurring during business hours. Which settings must be updated to ensure passwords are only rotated outside of business hours? A. In the platform policy Automatic Password Management > Password Change > ToHour & FromHour B. in the Master Policy Account Change Window > ToHour & From Hour C. Administration Settings CPM Settings > ToHour & FromHour D. On each individual account Edit > Advanced > ToHour & FromHour

A. In the platform policy Automatic Password Management > Password Change > ToHour & FromHour

The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys. How are these keys managed? A. CyberArk stores Private keys in the Vault and updates Public keys on target systems. B. CyberArk stores Public keys in the Vault and updates Private keys on target systems. C. CyberArk does not store Public or Private keys and instead uses a reconcile account to create keys on demand. D. CyberArk stores both Private and Public keys and can update target systems with either key.

D. CyberArk stores both Private and Public keys and can update target systems with either key.

The Active Directory User configured for Windows Discovery needs which permission(s) or membership? A. Member of Domain Admin Group B. Member of LDAP Admin Group C. Read and Write Permissions D. Read Only Permissions

C. Read and Write Permissions

Which command generates a full backup of the Vault? A. PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup B. PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full C. PARestore.exe PADR ini /LogonFromFile vault.ini /FullBackup D. CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1

A. PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup

You have been asked to create an account group and assign three accounts which belong to a cluster. When you try to create a new group, you receive an unauthorized error; however, you are able to edit other aspects of the account properties. Which safe permission do you need to manage account groups? A. create folders B. specify next account content C. rename accounts D. manage safe

D. manage safe

You receive this error: "Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied." Which could be the cause? A. The account does not have sufficient permissions to change its own password. B. The domain controller is unreachable. C. The password has been changed recently and minimum password age is preventing the change. D. The CPM service is disabled and will need to be restarted.

C. The password has been changed recently and minimum password age is preventing the change.

How do you create a cold storage backup? A. On the DR Vault, install PAReplicate according to the Installation guide, configure the logon ini file, and define the Schedule tasks for full and incremental backups. B. Install the Vault Backup utility on a different machine from the Enterprise Password Vault server and trigger the full backup. C. Configure the backup options in the PVWA. D. On the DR Vault, configure the cold storage backup path in TSParm.ini file.

D. On the DR Vault, configure the cold storage backup path in TSParm.ini file.

Where can you assign a Reconcile account? (Choose two.) A. in PVWA at the account level B. in PVWA in the platform configuration C. in the Master policy of the PVWA D. at the Safe level E. in the CPM settings

A. in PVWA at the account level D. at the Safe level

You notice an authentication failure entry for the DR user in the ITALog. What is the correct process to fix this error? (Choose two.) A. PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password. B. Create a new credential file, on the DR Vault, using the CreateCredFile utility and the newly set password. С. Create a new credential file, on the Primary Vault, using the CreateCredFile utility and the newly set password. D. PVWA > User Provisioning > Users and Groups > DR User > Update Password. E. PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update > Authentication > Update Password.

A. PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update > Authentication > Update Password. D. PVWA > User Provisioning > Users and Groups > DR User > Update Password.

Match each component to its respective Log File location. PTA system PSM for SSH (PSMP) Disaster recovery /var/opt/CARKpsmp/logs/ /opt/tomcat/logs c:\program files (x86)\privateark\server\PADR

PTA system = /opt/tomcat/logs PSM for SSH (PSMP) = /var/opt/CARKpsmp/logs/ Disaster recovery = c:\program files (x86)\privateark\server\PADR

What is required to enable access over SSH to a Unix account through both PSM and PSMP? A. The platform must contain connection components for PSM-SSH and PSMP-SSH. B. PSM and PSMP must already have stored the SSH Fingerprint for the Unix host. C. The 'Enable PSMP' setting in the Unix platform must be set to Yes. D. A duplicate platform (Called ) with the PSMP settings must be created.

A. The platform must contain connection components for PSM-SSH and PSMP-SSH.

In the Private Ark client, how do you add an LDAP group to a CyberArk group? A. Select Update on the CyberArk group, and then click Add > LDAP Group. B. Select Update on the LDAP Group, and then click Add > LDAP Group. C. Select Member Of on the CyberArk group, and then click Add > LDAP Group. D. Select Member Of on the LDAP group, and then click Add > LDAP Group.

C. Select Member Of on the CyberArk group, and then click Add > LDAP Group.

What are the minimum permissions to add multiple accounts from a file when using PVWA bulk-upload? (Choose three.) A. add accounts B. rename accounts C. update account content D. update account properties E. view safe members F. add safes

A. add accounts C. update account content F. add safes

What is the correct process to install a custom platform from the CyberArk Marketplace? A. Locate the custom platform in the Marketplace and click Import. B. Download the platform from the Marketplace and import it using the PVWA. C. Contact CyberArk Support for guidance on how to import the platform. D. Duplicate an existing platform and align the setting to match the platform from the Marketplace.

B. Download the platform from the Marketplace and import it using the PVWA.

In a rule using "Privileged Session Analysis and Response" in PTA, which session options are available to configure as responses to activities? A. Suspend, Terminate, None B. Suspend, Terminate, Lock Account C. Pause, Terminate, None D. Suspend, Terminate

B. Suspend, Terminate, Lock Account

You are configuring a Vault HA cluster. Which file should you check to confirm the correct drives have been assigned for the location of the Quorum and Safes data disks? A. ClusterVault.ini B. my.ini C. vault.ini D. DBParm.ini

C. vault.ini

In the Private Ark client under the Tools menu > Administrative Tools > Users and Groups, which option do you use to update users’ Vault group memberships? A. Update > General tab B. Update > Authorizations tab C. Update > Member Of tab D. Update > Group tab

C. Update > Member Of tab

Where can you check that the LDAP binding is using TCP/636? A. in Active Directory under "Users OU" => "User Properties" => "External Bindings" => "Port" B. in PVWA, under "LDAP Integration" => "LDAP" => "Directories" => "" => "Hosts" => "Host" C. in PrivateArk Client, under "Tools" => "Administrative Tools" => "Directory Mapping" => "" D. From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.

D. From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.