https://docs.cyberark.com/privilege-cloud-shared-services/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

The  sshd_config  file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the  AllowGroups  parameter within the  sshd_config  file to grant them the necessary permissions.

1-Run the Connector Management Connector installer

2-Install the CPM and PSM

3-When you are prompted to select the components to install, select CPM.

4-When you are prompted to select the CPM mode, select Passive.

https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-config.htm

Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy. If the user account is removed, sign-in is blocked and the end-user experience is the standard “unable to sign in / contact administrator” style message, consistent with CyberArk’s end-user troubleshooting guidance when sign-in is blocked by policy/account state.

(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)

For PSM Web Connectors developed using the CyberArk Plugin Generator Utility (PGU), the supported browser is Google Chrome. This is because the PGU is designed to create plugins that are most compatible with Chrome ' s web technologies and security frameworks. Chrome is generally recommended by CyberArk for its up-to-date security features and extensive support for web applications. This is further supported by the CyberArk documentation on the Plugin Generator Utility, which specifies browser compatibility and the optimal environment for deploying web connectors.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task-descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings

CyberArk’s Safe permission definitions state:

List accounts allows the user to view the Accounts/Files list (so they can see the account to connect to).

Use Accounts explicitly enables the user to log on through PSM by clicking the “Connect” / “Connect with account” button from the Accounts List or Account Details.

Therefore, the minimum Safe rights to allow “Connect only” are List accounts (C) + Use Accounts (A) .

To allow a PSM Universal Connector executable to run on the PSM after the hardening process, you should update the PSMConfigureAppLocker.xml file. This file configures AppLocker, which is a feature that controls which apps and files users can run on a system. Including the necessary executable in the PSMConfigureAppLocker.xml ensures it is whitelisted by AppLocker policies, thus permitted to execute even under the hardened security settings of the PSM environment. References to this configuration can be found in the CyberArk Privilege Session Manager implementation documentation, specifically in sections detailing customization and security hardening of environment configurations.