Topics Map > Office of Cybersecurity > Tools and Software > CyberArk

CyberArk - Safe Members

Users who have access to Safes are called Safe members. Each Safe member is given permissions in the Safe that enable them to perform tasks on accounts and files in the Safe. These permissions are given to each Safe member individually and give you flexibility to grant different permissions to different Users. Each Safe member can be given a unique set of permissions that is explicitly for their tasks and is not relevant for any other Safe member.

Permissions

Access

These permissions enable users to access accounts in the Safe, including the following tasks:

Permission

Enables Safe Members to …

Use Accounts

Use accounts in the Safe. Users who have this authorization and the List accounts authorization can do the following:

■

Log on to a remote machine through a PSM connection from the Accounts List by clicking the Connect with account icon.

■

Log on to a remote machine through a PSM connection from the Account Details page or from the Versions tab by clicking the Connect button.

To log onto remote machines through a non-PSM connection, users require the ‘Retrieve accounts authorization as well.

Retrieve accounts

Retrieve and view accounts in the Safe. Users who have this authorization can do the following:

■

View the account in the Account Details page and the Versions tab by clicking the Show button in the account content panel. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.

■

Copy the account in the Account Details page by clicking the Copy button. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.

■

Display the account in the Accounts list by clicking the Show/Copy password icons. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.

■

Log on to a remote machine through the PVWA. Platforms can be configured not to display the account value to end users, but only allow the connection.

■

Save files by clicking the Save As button in the Files List, File Details and File Versions pages.

■

Open files that are stored in the Vault through the Files List, File Details and File Versions pages.

List accounts

View Account lists. Users who have this authorization can do the following:

■

View the Accounts or Files list.

Account Management

These permissions enable users to perform account management tasks, including the following tasks:

Permission

Enables Safe Members to …

Add accounts

Add accounts in the Safe.
Users who are given this authorization in PVWA automatically receive Update account properties as well.

■

Add accounts in the Accounts List and Account Details page by clicking Add Account.

■

Manage account groups and platforms in the CPM tab of the Account Details page by clicking Add, New or Change.

Update account content

Change account values as well as the contents of files. Users who have this authorization can do the following:

■

Change account values manually in the Account Details page by clicking the Edit button.

■

Undelete accounts in the Account Details page of the deleted account by clicking the Undelete button. This is only relevant during the file retention period.

■

Manage account copies that are linked to accounts and are stored in the same Safe by clicking Add or Edit in the account usage tab.

■

Upload files to the Vault by clicking the Upload button in the Files Details page.

Update account properties

Update existing account properties. This does not include adding new accounts or updating account values. Users who have this authorization can do the following:

■

Update a selected account’s properties in the Account Details page by clicking the Edit button.

■

Manage logon and reconcile accounts in the CPM tab of the Account Details page with the Associate, Add New, and Clear buttons.

■

Manage account groups and platforms in the CPM tab of the Account Details page.

■

Save any account property values that are specified in the Remote connection details window for connections when the user connects to a remote machine from the Accounts List, Account Details page, or the Versions tab.

Initiate CPM account management operations

Initiate account management operations through the CPM, such as changing, verifying, and reconciling account values. Users who have this authorization can initiate CPM account management operations in the Accounts List and the Search results page, as well as the Account Details page by clicking Change, Verify, or Reconcile on the toolbar. In the Change Password window, the ‘Manually selected password’ option will be enabled if the user has the ‘Specify next account content’ authorization.

Specify next account content

Specify the content that will be used when the CPM changes the account value. Users who have this authorization can do the following:

■

Specify the next content that will be used as the account value in the Change Password and Immediate Password Change pages.

If the user does not have this authorization, the ‘Manually selected password’ option will be disabled and the CPM will set a new randomly generated account value.

This authorization can only be given to users to have the Initiate CPM account management operations authorization.

Rename accounts

Rename existing accounts in the Safe in the Advanced section of the Edit Account page.

Delete accounts

Delete existing accounts in the Safe. Users who have this authorization can do the following:

■

Delete the account in the Account Details page by clicking the Delete button.

■

Delete account copies that are linked to Windows accounts and are stored in the same Safe by clicking Delete in the account usage tab.

Unlock accounts

Unlock accounts that are locked by other users. Users who have this authorization can do the following:

Unlock accounts that are locked by other users in the Account Details page by clicking Release on the toolbar, This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
Unlock accounts that are locked by other users in the Advanced section of the Edit Account page by clicking Release. This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
Unlock files that are locked by other users in the File Details page by clicking Unlock on the toolbar.

Workflow

These permissions enable users to control account workflows in the Safe.

Permission	Enables Safe Members to …
Authorize account request	Give “confirmation” to a Safe members requesting permission to enter a Safe. Users also require the ‘List accounts’ authorization to see the Request details of the account requests waiting for their confirmation.
Access Safe without confirmation	Access the Safe without confirmation from authorized users. This overrides the Safe properties that specify that Safe members require confirmation to access the Safe.

Advanced

These permissions enable users to perform folder related activities in the Safe, including the following tasks:

Permission	Enables Safe Members to …
Create folders	Create folders in the Safe.
Delete folders	Delete folders from the Safe.
Move accounts/ folders	Move accounts and folders in the Safe to different folders and subfolders.

Add Safe members

Users who are authorized to Manage Safe Members in a Safe can add existing Vault users and groups, as well as users in external LDAP directories, as Safe members in the PVWA and specify Safe authorizations.

Add Safe members

In the Policies page, select the Safe where you will add a Safe member, then click Members; the Safe Details page appears.
In the Members tab, click Add Member; the Add Safe Member window appears.
The default authorizations that will be given to the new Safe Member are selected. These authorizations can be configured in the Default Safe Authorizations in the Web Access Options in the System Configuration page. For more information, refer to Configure the system through PVWA.
In the Search edit box, enter either part of the name of the user or group to add as a Safe member or the whole name. You can also leave the Search edit box empty to search for all users.
In the Search In drop-down box, select Vault, then click Search; a list of users and groups in the Vault whose names match the specified keyword is displayed.
Select the user or group to add as a Safe member, then select the authorizations that they will have in the Safe. Select the checkbox next to the title of the authorizations group to select all the authorizations in that group.
Click Add; the selected user or group is added and confirmation appears at the bottom of the screen.
Click Close; the Safe Details page appears and displays the new Safe member in the Members list.

Add Safe members from LDAP

If the Vault is configured to support transparent user management, users that are configured in an LDAP directory can be added through the PVWA.

For more information about managing users in external directories, refer to External user accounts.

Manage Safe members

Keywords:

CyberArk, PAM, vault, safe, members

Doc ID:

110939

Owned by:

Peter V. in Cybersecurity

Created:

2021-05-20

Updated:

2021-05-20

Sites:

Office of Cybersecurity

2 0 Comment Suggest new doc