PAS ADMINISTRATION User Management
CyberArk Training 1
OBJECTIVES
By the end of this lesson you will be able to:
• Describe the difference between users and accounts
• Describe the difference between different types of users and groups
• Manage internal users and groups in CyberArk
• Manage externally provisioned users and groups
OVERVIEW
USERS VS. ACCOUNTS (1)
• Throughout this course we will be using the terms Users and Accounts.
• It is very important to understand the difference between the two.

Users: People* who have been granted access to the system
• Access passwords
• Manage policies
• Typically defined by their Domain credentials

Accounts: The actual privileged account IDs and passwords
• Stored in Safes
• Examples include domain administrators, local administrators, root accounts, service accounts and more

* Applications and CyberArk components are also users who access accounts
USERS VS. ACCOUNTS (2)
[Figure: a User (person) accessing an Account (privileged credential stored in a Safe)]
USERS AND GROUPS
• There are two main categories of users and groups in the system:
Locally Managed (CyberArk)
• Users that are created automatically in the Vault (Built-in).
• Users that are added manually to the Vault.
Transparently Managed (LDAP)
• Users that are automatically provisioned from an external directory.
VAULT AUTHORIZATIONS
• Can be assigned only at the user level.
• Cannot be inherited via group membership.
• Defined only via the PrivateArk Client.
PRIVATEARK CLIENT/PVWA SAFE PERMISSIONS
• There are some differences in terminology between the PrivateArk Client and the PVWA.
• Key differences:
  PrivateArk Client: Owners List, Files
  PVWA: Members List, Accounts
SAFE AUTHORIZATIONS
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or PVWA (typically defined via PVWA).
LOCAL USER MANAGEMENT (BUILT-IN)
BUILT-IN USERS AND GROUPS (VAULT)
• After the Vault has been installed, a set of predefined users and groups is created in the system.
BUILT-IN USERS AND GROUPS (COMPONENTS) • When a new component is installed, dedicated users and groups are created automatically with relevant permissions.
BUILT-IN VAULT AUTHORIZATIONS
Built-in users are assigned different Vault Authorizations based on their role and function.
• Administrator
• Auditor
• Backup
• Batch
• DR
• NotificationEngine
• Operator
• Master
BUILT-IN VAULT AUTHORIZATIONS: EXAMPLES
The built-in Administrator user has full vault authorizations (by default).
The built-in Auditor user has “Audit Users” vault authorization (by default).
BUILT-IN SAFE AUTHORIZATIONS
• Built-in users and groups are added to all newly created safes based on their role and function.
Added by default to all safes with relevant permissions:
• Auditor (Auditors)
• Backup (Backup Users)
• Batch
• DR (DR Users)
• NotificationEngine (Notification Engines)
• Operator (Operators)
• Master
PVWA PERMISSIONS
The tabs and buttons available in the PVWA depend on the logged-in user’s group membership.
• Administration (Vault Admins)
• Monitoring (Auditors)
• Accounts (Users)
• Reporting (PVWAMonitor)
PVWA PERMISSIONS: EXAMPLES
• Members of Vault Admins have access to the ADMINISTRATION tab.
• Members of Auditors have access to the MONITORING tab.
LOCAL USER MANAGEMENT (MASTER USER)
MASTER USER The Master User is the most powerful user in the system, with full Vault and Safe authorizations (which cannot be removed).
LOGIN WITH MASTER
• Access to the Master CD (RecPrvKey)
• Master user Password (defined during installation)
• Access only through the PrivateArk Client
• Access only from the Vault console and one additional IP address (EmergencyStationIP)
CHANGE MASTER PASSWORD
To change the Master user password, log in with the Master user and click on “User > Set Password”.
LOCAL USER MANAGEMENT (MANUALLY ADDED)
MANAGING USERS AND GROUPS USING PRIVATEARK
• Users of the system are configured in the PrivateArk Client.
• No user configuration is available in the PVWA.
GENERAL TAB – MANUALLY ADDING A USER You can manually add new users through the PrivateArk Client interface.
AUTHORIZED INTERFACES Select which interfaces this user can log in from.
AUTHENTICATION • Select the Authentication method for this user.
VAULT AUTHORIZATIONS • Configure the vault Authorizations for this user.
GROUP MEMBERSHIP • Select which Groups you want this user to be a member of.
OTHER USER TABS Configure the Business e-mail field for this user to receive e-mail notifications.
TRANSPARENT USER MANAGEMENT
DIRECTORY MAPPING
A Directory Map determines whether a User Account or Group will be created in the Vault, and the roles they will have.
• User Mapping – allows for authentication and defines the user’s attributes, such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk, allowing mapped groups to be granted safe authorizations and to be nested within built-in CyberArk groups.
[Figure: Active Directory to Vault mapping. User Mapping grants Vault Authorizations (e.g. Add User, Add Safe, etc.); Group Mapping places users in CyberArk groups (e.g. Vault Admins, Auditors), which carry Safe Authorizations.]
LDAP SETUP WIZARD
• The LDAP Wizard is used to map Active Directory Groups to three predefined CyberArk role-based groups:
  • Vault Admin Group
  • Auditors Group
  • Users Group
• Each predefined group has permissions associated with that role.
VAULT ADMIN GROUP – MAPPED TO AD GROUP
• You can use these directory maps immediately, modify the relevant mapping rules, or create new directory maps using the PrivateArk Client.
VAULT ADMINS – USER MAPPING, DEFAULT VAULT AUTHORIZATIONS
• The Default Authorizations can be viewed using the PrivateArk Client.
VAULT ADMINS – USER MAPPING, AUTOMATIC NESTING
• The AD group CyberArk Vault Admins is now nested under the internal Vault Admins group.
TRANSPARENT USER MANAGEMENT
• When users authenticate via LDAP for the first time, they are provisioned automatically in the Vault based on Directory Mapping.
• LDAP Users and Groups that have been created in the Vault are marked with a white LDAP User or Group icon.
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still exists within AD.
• A daily process checks which users map to the various queries.
• To block an LDAP User or Group from CyberArk, remove them from all LDAP groups with an associated directory mapping, or disable/delete them in the external directory.
LDAP SYNCHRONIZATION
The following parameter determines if and when the Vault’s External users and groups will be synchronized with the External Directory. In the DBParm.ini file:
AutoSyncExternalObjects=Yes,24,1,5
• Yes – whether or not to sync with the External Directory
• 24 – the number of hours in one period cycle
• 1,5 – the hours during which the sync will take place
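As an added example (not CyberArk's own code), the following Python reads this parameter out of DBParm.ini contents and validates its four fields. It interprets the fields as annotated above: an enable flag, the period length in hours, and a start/end hour window; the sample file content is constructed, and treating lines starting with ";" as comments is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AutoSyncSetting:
    enabled: bool        # Yes/No: sync with the External Directory at all
    period_hours: int    # number of hours in one period cycle
    window_start: int    # first hour of the day in which sync may run
    window_end: int      # last hour of the day in which sync may run


def parse_autosync(line: str) -> AutoSyncSetting:
    """Parse one line of the form AutoSyncExternalObjects=Yes,24,1,5."""
    key, sep, value = line.strip().partition("=")
    if sep != "=" or key.strip().lower() != "autosyncexternalobjects":
        raise ValueError(f"not an AutoSyncExternalObjects line: {line!r}")
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    flag = fields[0].lower()
    if flag not in ("yes", "no"):
        raise ValueError(f"first field must be Yes or No, got {fields[0]!r}")
    try:
        period, start, end = [int(f) for f in fields[1:]]
    except ValueError as exc:
        raise ValueError("period and window hours must be integers") from exc
    if period < 1:
        raise ValueError("period must be at least one hour")
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError("window hours must be between 0 and 23")
    if start > end:
        raise ValueError("window start must not be after window end")
    return AutoSyncSetting(flag == "yes", period, start, end)


def find_autosync(dbparm_text: str) -> Optional[AutoSyncSetting]:
    """Locate the parameter in DBParm.ini text; None if it is not set."""
    for raw in dbparm_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment
            continue
        if line.lower().startswith("autosyncexternalobjects="):
            return parse_autosync(line)
    return None


SAMPLE_DBPARM = """\
[MAIN]
; constructed sample, not a real DBParm.ini
AutoSyncExternalObjects=Yes,24,1,5
"""
```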
CUSTOM DIRECTORY MAPS
• Requirement: A subset of Vault Admins (CyberArk PVWA Admins) should only have the ‘Manage Server File Categories’ Vault authorization.
CUSTOM DIRECTORY MAPS CONFIGURATION STEPS
There are a number of steps that must be completed in order to create a custom user map.
1. Create a New Directory Map for CyberArk PVWA Admin Users.
2. Update the user template so that CyberArk PVWA Admin Users will be granted only the “Manage Server File Categories” authorization.
3. Add an LDAP query to identify which LDAP users will receive the attributes defined in the User Template.
4. Manually nest CyberArk PVWA Admins under the built-in Vault Admins group.
CUSTOM DIRECTORY MAPS (1) • Create a New Directory Map for CyberArk PVWA Admin Users.
CUSTOM DIRECTORY MAPS (2) Update the user template so that CyberArk PVWA Admin Users will be granted only the “Manage Server File Categories” authorization.
CUSTOM DIRECTORY MAPS (3) Add an LDAP query to identify which LDAP users will receive the attributes defined in the User Template.
CUSTOM DIRECTORY MAPS (4) • Manually nest CyberArk PVWA Admins under the built-in Vault Admins group.
CUSTOM DIRECTORY MAPS - RESULT As a member of the Vault Admins group in CyberArk, the pvwaadmin01 user can see the ADMINISTRATION Tab, but does not have the full set of vault permissions.
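The result above rests on two rules from this lesson: PVWA tabs and safe permissions follow (nested) group membership, while vault authorizations come only from the user's own mapping and are never inherited. The Python below is an added model of those rules, not CyberArk code; pvwaadmin01 and the CyberArk PVWA Admins / CyberArk Vault Admins groups come from the slides, while the other users, the CyberArk Auditors group and the authorization sets are constructed samples.

```python
from typing import Dict, Set

# Constructed model: group -> direct members (a member may itself be a mapped
# LDAP group nested under a built-in group). Not a real Vault.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Vault Admins": {"CyberArk Vault Admins", "CyberArk PVWA Admins"},
    "Auditors": {"CyberArk Auditors"},
    "CyberArk Vault Admins": {"vaultadmin01"},
    "CyberArk PVWA Admins": {"pvwaadmin01"},
    "CyberArk Auditors": {"auditor01"},
}

# Vault authorizations granted by each user's mapping template (sample subsets).
USER_MAPPING_AUTHS: Dict[str, Set[str]] = {
    "vaultadmin01": {"Add User", "Add Safe", "Audit Users", "Manage Server File Categories"},
    "pvwaadmin01": {"Manage Server File Categories"},
    "auditor01": {"Audit Users"},
}

# PVWA tab unlocked by membership in each built-in group.
TAB_BY_GROUP = {"Vault Admins": "ADMINISTRATION", "Auditors": "MONITORING"}


def effective_groups(user: str) -> Set[str]:
    """All groups containing the user directly or through nested groups."""
    found: Set[str] = set()
    pending = [user]
    while pending:
        member = pending.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                pending.append(group)  # the group may itself be nested
    return found


def vault_authorizations(user: str) -> Set[str]:
    """Vault authorizations are per-user: group membership adds none."""
    return set(USER_MAPPING_AUTHS.get(user, set()))


def pvwa_tabs(user: str) -> Set[str]:
    """Tabs shown in the PVWA depend only on (nested) group membership."""
    return {TAB_BY_GROUP[g] for g in effective_groups(user) if g in TAB_BY_GROUP}


def safe_permissions(safe_members: Dict[str, Set[str]], user: str) -> Set[str]:
    """Safe permissions are inherited: union over the user and every group holding them."""
    holders = {user} | effective_groups(user)
    return set().union(*(safe_members.get(h, set()) for h in holders))
```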
SUMMARY
SUMMARY
In this session we covered:
• The difference between users and accounts
• The difference between different types of users and groups
• Managing internal users and groups in CyberArk
• Managing externally provisioned users and groups
THANK YOU
CyberArk Training