Dual control is a feature of CyberArk Defender PAM that enables authorized Safe owners to either grant or deny requests to access accounts. This feature adds an additional measure of protection, in that it enables you to see who wants to access the information in the Safe, when, and for what purpose. The Master Policy enables organizations to ensure that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner (s). This is known as Dual Control. The primary purpose of dual control is to prevent a single user from accessing a sensitive account without authorization, which could lead to fraud or misuse of privileges. By requiring confirmation from another authorized user, dual control ensures that there is a ‘collusion to commit’ fraud, meaning that at least two users are involved in the malicious activity and are accountable for it.  References :

Dual Control - CyberArk

Dual Control - CyberArk

Dual control in V10 Interface - docs.cyberark.com

Security Admins are the built-in group that can view and configure Automatic Remediation and Session Analysis and Response in the PVWA. These features are part of the Privileged Threat Analytics (PTA) module, which is designed to detect and respond to anomalous activities and risky behaviors in the privileged environment. Security Admins have the permissions to access the PTA settings and configure the policies and actions for Automatic Remediation and Session Analysis and Response.  References:

Defender PAM Sample Items Study Guide, page 18, question 49

Privileged Threat Analytics Implementation Guide, page 9, section “Security Admins”

dbparm.ini is  not  the main configuration file for the Vault. It is one of the several configuration files that control the initial settings and method of operation of the Server.  The main configuration file for the Vault is DBParm.ini, which contains the general parameters of the database, such as the Vault name, the Vault IP address, the Vault port, the encryption algorithm, the log retention, and the debug mode 1 .  References :

DBParm.ini - CyberArk , section “Main parameters”

The user that is automatically added to all Safes and cannot be removed is the Master user. The Master user is a predefined user that is created during the Vault installation and has full permissions on all Safes and accounts. The Master user is the only user that can perform certain tasks, such as creating other predefined users, managing the Vault configuration, and restoring the Vault from a backup.  The Master user cannot be deleted or modified by any other user, and is always a member of every Safe 1 2 .  References :

Predefined users and groups - CyberArk , section “Master”

Safes and Safe members - CyberArk , section “Safe members overview”

 When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online, if the AllowFailback setting is set to “yes” in the padr.ini file. The padr.ini file is the configuration file for the Disaster Recovery application, which enables the DR Vault to replicate data from the Primary Vault and take over its role in case of a failure. The AllowFailback setting determines whether the DR Vault will automatically switch back to the passive mode when the Primary Vault is restored.  The default value of this setting is “no”, which means that the DR Vault will remain active until a manual failback is performed 1 .  To enable the automatic failback, the setting must be changed to “yes” and the padr service must be restarted 1 .  The dbparm.ini file is not relevant to this setting, as it is the main configuration file for the Vault database 2 .  References :

Configure the DR Vault - CyberArk , section “AllowFailback”

DBParm.ini - CyberArk , section “Main parameters”

CyberArk does not recommend implementing object level access control on all Safes.  According to the CyberArk documentation 1 , enabling object level access control impacts Vault performance. Therefore, it should be used only when necessary and with caution. Object level access control is useful when you need to give granular permissions to specific passwords or files in a Safe, regardless of the Safe level member authorizations. For example, you can use it to grant access to an external vendor or technician for a specific password only, without exposing any other passwords or files in the Safe. However, if you do not need this level of granularity, you can use the regular Safe member authorizations to control user access to the Safe and its contents.

When troubleshooting a slow response in the Privileged Vault Web Access (PVWA), the first log files to analyze are the  CyberArk.WebApplication.log  and  CyberArk.WebConsole.log . These logs contain detailed information about the activities carried out by the PVWA and can help identify any problems that may occur.  The log files are created by the PVWA and stored on the Web server in the location specified in the LogFolder parameter in the web.config file 1 . By examining these logs, you can track business flows and troubleshoot failures without having to enable debug mode.

References :

CyberArk Docs - PVWA Logging 1

The CyberArk marketplace is a platform that simplifies delivery of privileged access security solutions, such as CyberArk Privileged Account Security Solution. It features the industry’s broadest and deepest portfolio of technology integrations, including platforms for various types of accounts. Customers can find and deploy integrations with CyberArk Marketplace in as little as four clicks. If there is no platform that meets the customer’s needs, they can request a custom platform from CyberArk or create their own using the Platform Development Kit (PDK).  References :  CyberArk Marketplace ,  Platform Development Kit

According to the web search results, within the Vault each password is encrypted by its own unique key. This key is generated by the Vault when the password is added to the Vault and is stored in the Vault’s database. The password key is encrypted by the safe key, which is the key of the safe that contains the password. The safe key is encrypted by the server key, which is the key that opens the Vault. The server key is encrypted by the public recovery key, which is part of the asymmetric recovery key that enables the Master User to log on to the Vault in case of a disaster.  This layered encryption scheme ensures that each password is protected by multiple keys and that no single key can compromise the security of the Vault