If a user is a member of more than one group that has authorizations on a safe, by default that user is
granted________.
D
Explanation:
When a user is a member of more than one group that has authorizations on a safe, by default that
user is granted the cumulative permissions of all groups to which that user belongs. This means that
the user will have the highest level of access that any of the groups have on the safe. For example, if
one group has View and Retrieve permissions, and another group has Add and Delete permissions,
the user will have View, Retrieve, Add, and Delete permissions on the safe. This is the default
behavior of the vault, unless the Exclusive option is enabled on the safe. The Exclusive option
restricts the user’s permissions to only those of the group added to the safe first. Reference:
[Defender PAM eLearning Course], Module 3: Safes and Permissions, Lesson 3.2: Safe Permissions,
Slide 8: Cumulative Permissions
[Defender PAM Sample Items Study Guide], Question 1: Safe Permissions
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 3: Managing Safes, Section: Safe Properties, Subsection: Exclusive
It is possible to control the hours of the day during which a user may log into the vault.
A
Explanation:
It is possible to control the hours of the day during which a user may log into the vault by using
the Time Restrictions feature. This feature allows administrators to define the days and times that
users can access the vault. Users who try to log in outside the permitted hours will be denied access
and receive a message informing them of the restriction. Time restrictions can be applied to
individual users or groups of users. Reference:
[Defender PAM eLearning Course], Module 3: Safes and Permissions, Lesson 3.3: User Management,
Slide 7: Time Restrictions
[Defender PAM Sample Items Study Guide], Question 2: Time Restrictions
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 4: Managing Users and Groups, Section: Time Restrictions
VAULT authorizations may be granted to_____.
AC
Explanation:
Vault Authorizations
• Can be assigned only to users (not groups).
• Cannot be inherited via group membership.
• Defined only via the PrivateArk Client.
Safe Authorizations
• Assigned to users and/or groups.
• Can be inherited via group membership.
• Can be defined in the PrivateArk Client or the PVWA.
What is the purpose of the Interval setting in a CPM policy?
A
Explanation:
The Interval setting in a CPM policy is used to control how often the CPM looks for System Initiated
CPM work, such as password changes, verifications, and reconciliations. The Interval setting defines
the frequency, in minutes, that the CPM will check the accounts that are associated with the policy
and perform the required actions. For example, if the Interval is set to 60, the CPM will check the
accounts every hour and change, verify, or reconcile the passwords according to the policy settings.
The Interval setting does not affect User Initiated CPM work, such as manual password changes or
retrievals, which are performed immediately upon request. The Interval setting also does not control
how long the CPM rests between password changes or the maximum amount of time the CPM will
wait for a password change to complete. These parameters are configured in the CPM.ini file, which
is stored in the root folder of the <CPM username> Safe. Reference:
[Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM Policies, Slide
9: CPM Policy Settings
[Defender PAM Sample Items Study Guide], Question 4: CPM Policy Settings
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Interval
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of
the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the
show, copy, and connect buttons on those passwords at any time without confirmation. The
members of the AD group Operations Staff need to be able to use the show, copy and connect
buttons on those passwords on an emergency basis, but only with the approval of a member of
Operations Managers. Operations Managers never need to be able to use the show, copy or connect buttons themselves.
Which safe permission do you need to grant Operations Staff? Check all that apply.
A, B
Explanation:
To use the show, copy, and connect buttons on the accounts in the safe UnixRoot, the Operations
Staff need to have the Use Accounts permission, which allows them to request access to the
accounts and perform actions on them. However, since dual control is enabled for some of the
accounts, they also need to have the Retrieve Accounts permission, which allows them to view the
password of the account after it is authorized by another user. The Authorize Password
Requests permission is not needed, as it is only required for the users who can approve the requests,
not the ones who make them. The Access Safe without Authorization permission is not needed, as it
would bypass the dual control mechanism and allow the Operations Staff to access the accounts
without approval. Reference:
[Defender PAM Sample Items Study Guide], page 10, question 5
[CyberArk Privileged Access Security Implementation Guide], page 30, table 2-1
[CyberArk Privileged Access Security Administration Guide], page 43, section 3.2.2.1
What is the purpose of the Immediate Interval setting in a CPM policy?
B
Explanation:
The Immediate Interval setting in a CPM policy is used to control how often the CPM looks for User
Initiated CPM work, such as manual password changes, retrievals, or requests. The Immediate
Interval setting defines the frequency, in minutes, that the CPM will check the accounts that are
associated with the policy and perform the actions that were initiated by the users. For example, if
the Immediate Interval is set to 2, the CPM will check the accounts every 2 minutes and change,
retrieve, or authorize the passwords according to the user requests. The Immediate Interval setting
does not affect System Initiated CPM work, such as password changes, verifications, or
reconciliations that are triggered by the policy settings, such as Expiration Period or One Time
Password. These actions are controlled by the Interval setting in the CPM policy. The Immediate
Interval setting also does not control how often the CPM rests between password changes or the
maximum amount of time the CPM will wait for a password change to complete. These parameters
are configured in the CPM.ini file, which is stored in the root folder of the <CPM username>
Safe. Reference:
[Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM Policies, Slide
9: CPM Policy Settings
[Defender PAM Sample Items Study Guide], Question 6: CPM Policy Settings
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Immediate Interval
Which utilities could you use to change debugging levels on the vault without having to restart the
vault? Select all that apply.
A, B
Explanation:
To change debugging levels on the vault without having to restart the vault, you can use the following
utilities:
PAR Agent: This is a utility that runs on the vault server and allows you to change the debug level of
the vault by editing the PARAgent.ini file. You can set the EnableTrace parameter to yes and specify
the debug level in the DebugLevel parameter. The changes will take effect immediately without
restarting the vault. The log is written to the PARAgent.log file.
PrivateArk Server Central Administration: This is a graphical user interface that runs on the vault
server and allows you to change the debug level of the vault by selecting the vault server and clicking
the Debug button. You can choose the debug level from a list of predefined options or enter a custom
value. The changes will take effect immediately without restarting the vault. The log files are the
Trace.dX files, where X is a number from 0 to 4.
You cannot use the following utilities to change debugging levels on the vault without having to
restart the vault:
Edit DBParm.ini in a text editor: This is a configuration file that stores the vault parameters, such as
the database name, port, and password. Editing this file does not affect the debug level of the vault,
and requires restarting the vault for the changes to take effect.
Setup.exe: This is an installation program that runs on the vault server and allows you to install,
upgrade, or uninstall the vault. It does not allow you to change the debug level of the vault, and
requires restarting the vault for any changes to take effect. Reference:
Configure Debug Levels, Vault section, PARAgent subsection
Configure Debug Levels, Vault section, PrivateArk Server Central Administration subsection
[CyberArk Privileged Access Security Implementation Guide], Chapter 2: Installing the Vault, Section: Configuring the Vault, Subsection: DBParm.ini
[CyberArk Privileged Access Security Implementation Guide], Chapter 2: Installing the Vault, Section: Installing the Vault
A Logon Account can be specified in the Master Policy.
B
Explanation:
A Logon Account cannot be specified in the Master Policy. The Master Policy is a set of rules that
define the security and compliance policy of privileged accounts in the organization, such as access
workflows, password management, session monitoring, and auditing. The Master Policy does not
include any technical settings that determine how the system manages accounts on various
platforms. A Logon Account is a technical setting that defines the account that the CPM uses to log
on to a target system and perform password management tasks, such as changing, verifying, or
reconciling passwords. A Logon Account can be specified in the Platform Management settings,
which are configured by the IT administrator for each platform. The Platform Management settings
are independent of the Master Policy and can be customized according to the organization’s
environment and security policies. Reference:
[The Master Policy]
[Platform Management]
For an account attached to a platform that requires Dual Control based on a Master Policy exception,
how would you configure a group of users to access a password without approval?
D
Explanation:
Dual Control is a feature that requires the approval of another user before accessing a password. It is
based on a Master Policy rule that applies to all accounts attached to platforms that have this rule
enabled. However, there may be situations where a group of users needs to access a password
without approval, such as in an emergency or for troubleshooting purposes. In this case, an
exception can be made by granting the group the ‘Access safe without confirmation’ authorization on
the safe in which the account is stored. This authorization bypasses the Dual Control workflow and
allows the group to retrieve the password without waiting for approval. However, the password
retrieval will still be audited and recorded in the Vault.
As long as you are a member of the Vault Admins group, you can grant any permission on any safe
that you have access to.
B
Explanation:
Being a member of the Vault Admins group does not automatically grant you any permission on any
safe that you have access to. The Vault Admins group is a predefined group that is created during the
installation or upgrade of the vault. This group has the Vault Admin authorization, which allows its
members to perform administrative tasks on the vault, such as managing users, groups, platforms,
policies, and safes. However, this authorization does not include any safe member authorizations,
such as View, Retrieve, Use, or Manage Safe. Therefore, to grant any permission on a safe, you need
to be added as a safe member with the appropriate authorizations, either directly or through
another group. The Vault Admins group can be added to safes with all safe member authorizations,
but this is not done automatically for all safes. By default, this group is only added to a number of
system safes, such as the Password Manager Safe, the PVWAConfig Safe, and the Notification
Methods Safe. For other safes, the Vault Admins group can be added manually by the safe owner or
another user with the Manage Safe authorization. Reference:
[Predefined users and groups], Predefined groups subsection
[CyberArk Privileged Access Security Implementation Guide], Chapter 3: Managing Safes, Section: Safe Authorizations, Table 2-1: Safe Authorizations
[What default groups can be automatically added to Safes when they are created?]
[CyberArk Privileged Access Security Administration Guide], Chapter 3: Managing Safes, Section: Adding Safe Members
Which report provides a list of accounts stored in the vault?
A
Explanation:
The report that provides a list of accounts stored in the vault is the Privileged Accounts Inventory
report. This report can be generated in the Reports page in the PVWA by users who belong to the
group that is specified in the ManageReportsGroup parameter in the Reports section of the Web
Access Options in the System Configuration page. The Privileged Accounts Inventory report contains
information such as the safe, folder, name, platform ID, username, address, group, last accessed
date, last accessed by, last modified date, last modified by, verification date, checkout date, checked
out by, age, change failure, verification failure, master pass folder, master pass name, disabled by,
and disabled reason of each account stored in the vault. Reference:
[Reports in PVWA]
[Users List Report]
When on-boarding accounts using Accounts Feed, which of the following is true?
B
Explanation:
When on-boarding accounts using Accounts Feed, you can either select an existing safe or create a
new one to store the accounts. You can also specify the platform, policy, and owner for each account.
However, you cannot create a new platform using Accounts Feed, and not all platforms support
automatic reconciliation. Reference:
Accounts Feed - CyberArk
CyberArk University
[Defender-PAM Sample Items Study Guide]
Target account platforms can be restricted to accounts that are stored in specific Safes using the
Allowed Safes property.
A
Explanation:
Target account platforms can be restricted to accounts that are stored in specific Safes using the
Allowed Safes property. This property is a parameter that can be configured in the Platform
Management settings for each platform. The Allowed Safes property specifies the name or names of
the Safes where the platform can be applied. The default value is .*, which means that the platform
can be used in any Safe. However, if you want to limit the platform to certain Safes, you can enter the
name or names of the Safes, separated by a pipe (|) character. For example, if you want to restrict
the platform to Safes called WindowsPasswords and LinuxPasswords, you can
enter AllowedSafes=(WindowsPasswords)|(LinuxPasswords). This feature is useful for preventing
unauthorized users from accessing passwords, especially if you implement the reconciliation
functionality.
It also helps the CPM to focus its search operations on specific Safes, instead of
scanning all Safes it can see in the Vault. Reference:
[Limit Platforms to Specific Safes]
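An added illustration (not part of the study guide or CyberArk's code) of how the AllowedSafes value above behaves when read as a regular expression: the default .* admits every Safe, while the pipe-separated form admits only the listed Safes. It assumes the pattern must match the whole Safe name, and the Safe inventory it checks is constructed.

```python
import re

# AllowedSafes values as shown in the explanation above: the default and the restricted form.
DEFAULT_ALLOWED_SAFES = ".*"
RESTRICTED_ALLOWED_SAFES = "(WindowsPasswords)|(LinuxPasswords)"

# Constructed Safe inventory for the check; these names are not from the page.
SAFE_NAMES = ["WindowsPasswords", "LinuxPasswords", "UnixRoot", "WindowsPasswordsOld"]


def safe_allowed(allowed_safes: str, safe_name: str) -> bool:
    """Return True if a platform with this AllowedSafes value may be applied in safe_name.

    Assumption (not stated on the page): the value is a regular expression that has to
    match the whole Safe name, so listing a Safe does not also admit Safes that merely
    start with the same name.
    """
    return re.fullmatch(allowed_safes, safe_name) is not None


def safes_for_platform(allowed_safes: str, safe_names):
    """List the Safes a platform is permitted in, i.e. the CPM's search scope for it."""
    return [s for s in safe_names if safe_allowed(allowed_safes, s)]


def allowed_safes_pattern(*safe_names: str) -> str:
    """Build the pipe-separated AllowedSafes form from exact Safe names.

    re.escape keeps a Safe name containing regex metacharacters from widening the match.
    """
    return "|".join(f"({re.escape(s)})" for s in safe_names)


if __name__ == "__main__":
    print("default:", safes_for_platform(DEFAULT_ALLOWED_SAFES, SAFE_NAMES))
    print("restricted:", safes_for_platform(RESTRICTED_ALLOWED_SAFES, SAFE_NAMES))
    print("pattern:", allowed_safes_pattern("WindowsPasswords", "LinuxPasswords"))
```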
Which one of the following reports is NOT generated by using the PVWA?
C
Explanation:
The PVWA can generate various reports on the privileged accounts and applications in the system,
based on different filters and criteria. However, the Safes List report is not one of them. The Safes List
report is generated by using the PrivateArk Client, and it provides a list of Safes and their properties
according to location. Reference:
[Defender-PAM Study Guide], Reports and Audits
PSM captures a record of each command that was executed in Unix.
A
Explanation:
PSM captures a record of each command that was executed in Unix by using the SSH text recorder.
This is a feature that enables PSM to record all the keystrokes that are typed during privileged
sessions on SSH connections, including Unix systems. The SSH text recorder can be configured in the
Platform Management settings for each platform that uses the SSH protocol. The text recordings are
stored and protected in the Vault server and are accessible to authorized auditors.
The text recordings can also be used for auditing and compliance purposes, as they provide a detailed trace of
the actions performed by the users on the target systems. Reference:
[Introduction to PSM for SSH], How it works subsection, Text recordings paragraph