https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.htm#HardenInDomaindeployments

4- > 1- > 2- > 3

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-standard.htm

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members , enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

CyberArk defines MaxConcurrentConnections as: “The maximum number of connections that can be opened between the Central Policy Manager and the remote machine where the passwords are replaced.”

That is exactly option A .

CyberArk states that LDAP users are provisioned using directory maps , and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A .

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C .

Why the others are incorrect:

B : No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D : A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E : The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

In Privilege Cloud, each Safe controls its own retention policy for account/password objects. CyberArk documentation states that when retention is set by Number of days , the default retention is 7 days .

The default authentication profile to access CyberArk Identity is typically the Default New Device Login Profile . This profile is used to manage the authentication settings and security measures for devices accessing CyberArk services for the first time. It includes configurations such as authentication methods, security checks, and compliance requirements, ensuring that new devices meet the organization’s security standards before gaining access.

In the Privilege Cloud Installer (Standard) procedure, the Connector installer explicitly prompts you to select which components you want to install: “CPM/PSM/Both.”

That means the installation package supports installing:

PSM (Windows connector)

CPM

Why the other options are not correct for this installer package :

C (Secure Tunnel) is treated as a separate component (downloaded as a Secure Tunnel Client Installer package), not one of the “CPM/PSM/Both” choices in the Connector installer step.

D (CCP) is not listed as an installable component in the Privilege Cloud Connector installer flow shown in the official procedure.

E (PSM for SSH) is selected/downloaded as a separate component to support UNIX/Linux, not installed via the Connector installer’s “CPM/PSM/Both” selection.

For large implementations of CyberArk Privilege Cloud Connectors in AWS and Azure environments, each connector can handle between 31-60 concurrent RDP/SSH sessions. This capacity is specified in the CyberArk documentation concerning Privilege Cloud Connectors and their scalability options. It is designed to support a higher volume of concurrent sessions to meet the needs of larger enterprise environments, ensuring that multiple users can securely access resources without significant performance degradation.

CyberArk’s Privilege Cloud network requirements state that, to secure the service, CyberArk permits inbound traffic only from specific IP addresses and you must provide CyberArk Support with the public-facing IP addresses for communication between the Privilege Cloud service and the Connectors, including Secrets Manager —so they can add them to the CyberArk allowlist.

That statement maps directly to A .