According to the web search results, a Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control. SMTP is a protocol that enables the sending and receiving of email messages.  By integrating SMTP with CyberArk Defender PAM, the Event Notification Engine (ENE) can automatically send email notifications about PAM activities to predefined users 1 .  For example, the ENE can notify users about password requests, password confirmations, password changes, password verifications, password reconciliations, password access, password usage, password expiration, and password violations 1 .  The ENE can also notify users about system events, such as Vault backup, Vault restore, Vault shutdown, Vault startup, and Vault license expiration 1 . These notifications help to monitor the Vault activity and ensure compliance with the security policies.

SMTP integration is also essential for facilitating workflow processes, such as Dual Control. Dual Control is a feature that enables authorized Safe owners to either grant or deny requests to access accounts. This feature adds an additional measure of protection, in that it enables you to see who wants to access the information in the Safe, when, and for what purpose. The Master Policy enables organizations to ensure that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner(s).  This is known as Dual Control 2 . SMTP integration enables the ENE to send email notifications to the requesters and the confirmers about the status of the password requests.  The ENE can also send reminders to the confirmers if they have not responded to the requests within a specified time period 2 . These notifications help to streamline the workflow process and ensure timely and secure access to the accounts.

References :

Email notifications - CyberArk

Dual Control - CyberArk

To create a new onboarding rule, you accomplish this in the Privileged Vault Web Access (PVWA) by navigating to  Accounts > Onboarding Rules . Once there, you can click on  Create rule  to start the New onboarding rule wizard and proceed with the configuration of the rule.  This process allows you to set up rules that automatically onboard newly discovered accounts, minimizing manual effort and reducing the chance of human error 1 .

References :

CyberArk Docs - Onboarding rules

 The name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy is Min Validity Period. This parameter defines the number of minutes to wait from the last retrieval of the account until it is replaced. This gives the user a minimum period to be able to use the password before it is changed by the CPM. The Min Validity Period parameter can be configured in the Platform Management settings for each platform that supports One Time Passwords.  The default value is 60 minutes, but it can be modified according to the organization’s security policy 1 .  The Min Validity Period parameter is also used to release exclusive accounts automatically 1 .  References :

1 :  Privileged Account Management , Min Validity Period subsection

 The newly configured directory mapping can be tested by searching for members that exist only in the mapping group to grant them safe permissions through the PVWA (Privileged Vault Web Ac cess).  This process allows you to verify that the directory mapping is functioning correctly by ensuring that only the intended users, who are part of the specific Active Directory group, are granted access to the safes in the CyberArk Vault 1 2 .

References :

CyberArk Docs - Create directory mapping 1

CyberArk Docs - Edit directory mapping 3

CyberArk Docs - LDAP Integration in PVWA

 One Time Passwords (OTPs) are passwords that are valid for only one use or a limited time period. The primary purpose of OTPs is to reduce the risk of credential theft, which is a common attack vector for hackers and malicious insiders. By using OTPs, the exposure of the credentials is minimized, and the attacker cannot reuse the stolen password to access the target system. OTPs also enhance the security of the authentication process, as they add an extra layer of verification to the user’s identity.  OTPs can be generated by various methods, such as SMS, email, hardware tokens, software tokens, etc 1 .

The other options are not the primary purpose of OTPs, because:

B. More frequent password changes. This is not the primary purpose of OTPs, but a consequence of using them. OTPs require more frequent password changes, as they expire after one use or a limited time period. However, this is not the main goal of using OTPs, but rather a means to achieve the goal of reducing the risk of credential theft.

C. Non-repudiation (individual accountability). This is not the primary purpose of OTPs, but a benefit of using them. Non-repudiation means that the user cannot deny performing an action or accessing a resource, as there is sufficient evidence to prove their identity and activity. OTPs can help achieve non-repudiation, as they are unique and personal to each user, and can be traced back to the user’s device or account. However, this is not the main goal of using OTPs, but rather an advantage of using them.

D. To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization. This is not the primary purpose of OTPs, but a feature of using them. OTPs can help prevent unauthorized access to privileged accounts, as they require the user to have both the OTP and the regular password to access the target system. This means that no single actor can use the password without authorization, as they would need the cooperation of another actor who has the OTP. However, this is not the main goal of using OTPs, but rather a capability of using them.

References :

1 :  One-time password

 A user with administrative privileges to the vault can grant other users privileges that he himself does not have, as long as he has the Authorize Users authorization on the Vault. The Authorize Users authorization enables a user to add or remove other users or groups as Vault members, and assign or revoke their authorizations. A user with this authorization can grant any privilege to any other user or group, regardless of his own privileges.  However, this authorization does not allow a user to change his own privileges or the privileges of other users who have the same authorization 1 .

References :

1 :  Vault Member Authorizations

 To change the safe where recordings are kept for a specific platform, you must update the  SessionRecorderSafe  setting in the platform configuration. This setting specifies the name of the safe where the Privileged Session Manager (PSM) recordings will be stored. After updating the SessionRecorderSafe setting, you need to restart the PSM service or wait for the new settings to be applied, which typically takes about 10 minutes.  Once the new settings are in effect, any new PSM sessions initiated will have their recordings stored in the newly specified safe 1 .

References :

CyberArk Docs - How to Create/Change/Configure PSM Recording Safes

The Master Policy is a set of rules that apply to all accounts in the Vault. However, one can create exceptions to the Master Policy based on platforms, which are logical groupings of accounts that share common characteristics, such as operating system, device type, or application. By creating platform-specific policies, one can override the Master Policy settings for certain accounts and customize the security and management options for different platforms.  References :

Defender PAM Sample Items Study Guide, page 9

CyberArk Core Privileged Access Security Documentation, Master Policy Overview and Platform-Specific Policies

 When onboarding a large number of UNIX root accounts for password rotation by the Central Policy Manager (CPM), and the CPM cannot log in directly with the root account, it is necessary to configure the UNIX platform to use a secondary logon account that has the appropriate privileges.  This secondary account should have the minimum necessary permissions to perform password management tasks, adhering to the principle of least privilege 1 . By configuring the UNIX platform with the correct logon account, the CPM can use this account to manage the root accounts securely and efficiently.

References :

CyberArk’s official documentation on Least Privileges and Privileged Access Manager provides guidance on configuring on-demand privileges for UNIX environments, which includes setting up the correct logon account for tasks that require elevated privileges 1 .

Additional information on managing UNIX and Linux accounts, including the configuration of logon and reconcile accounts, can be found in the Unix plugin documentation for CyberArk

 In the PrivateArk client, to update users’ Vault group memberships, you use the  Member Of  tab. After logging in as an administrative user and navigating to the Users and Groups window, you select a user and click  Update .  In the  Member Of  tab, you can manage the user’s group memberships by adding or removing them from groups within the Vault 1 .

References :

CyberArk Docs - Manage users in PrivateArk client 1