CyberArk CCP Reference Guide

Provisioning Accounts in CyberArk Safes

This section describes how to add applications and provider users as Safe Members of a Safe.

CyberArk grants permissions to applications (such as Policy Manager, Event Broker, Teams in Policy Manager) to access Accounts that are stored in Safes by making the application a Safe Member of that Safe.

For each Safe you have created, you need to provision the privileged accounts that will be required to access that Safe. You can do this in either of the following ways:

  • Manually – Add accounts manually one at a time, and specify all the account details.

  • Automatically – Add multiple accounts automatically using the Password Upload feature. (For this step, you require the Add accounts authorization in the Password Safe.)

Once the accounts are managed by CyberArk, you need to set up access to the accounts for:

  • Each of the Privitar Applications.

  • CyberArk Application Password Provider users serving the platform applications.

Add the provider user (where the CyberArk CCP is installed) and application users as members of the Safes where the application passwords are stored. This can either be done manually in the Safes tab, or by specifying the Safe names in a CSV file for adding multiple applications.

If the Safe is configured for object level access, make sure that both the provider user and the application have access to each password that needs to be retrieved.

Adding the application

Each platform application needs to be added as a member to the Safe it uses, with the following authorization:

  • Retrieve accounts

The name to be added as the Safe Member for each application is as follows:

  • Policy Manager – The Application ID that is defined in the application properties file for Policy Manager:

    agrotera.cyberark.application_id

    For example, POLICY_MANAGER

  • Event Broker – The Application ID that is defined in the application properties file for the Event Broker:

    agrotera.cyberark.application_id

    For example, EVENT_BROKER

  • JDBC Token Vault – The descriptor that is defined in the application properties file for each Team in Policy Manager that uses a JDBC Token Vault:

    agrotera.cyberark.application_id.team_format

    For example, POLICY_MANAGER_Team_12345

For more information, see Defining Policy Manager Teams in the Vault.

For more information, refer to CyberArk Application Properties.

For example, the following Add Safe Member dialog box shows the authorization settings that need to be applied for a Policy Manager with the Application ID set to PRIVITAR_POLICY_MANAGER:

[Figure: Add Safe Member dialog box for the Policy Manager application (add-safe-member2.png)]

Adding Provider users

Provider users need to be added as Safe Members with the following authorizations:

  • List accounts

  • Retrieve accounts

  • View Safe Members

If you are installing multiple providers, it is recommended that the users are created as a group. The users can then be added to the Safe as a single group, rather than creating separate entries for each user.

The following Add Safe Member dialog box shows the authorization settings that need to be applied for Provider users:

[Figure: Add Safe Member dialog box for Provider users (add-safe-member.png)]
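The two authorization sets above (Retrieve accounts for applications; List accounts, Retrieve accounts and View Safe Members for provider users) are the minimum the platform needs, so a practitioner will want to confirm that nothing broader was granted when the Safe Members were added. The following script is an added example, not part of this guide or of CyberArk's own tooling: it audits a list of Safe members against those two authorization sets and reports any member that is missing a required authorization or holds an extra one. The member records are shaped like the permissions object used by the CyberArk PVWA REST API for Safe Members (an assumption made here; the permission key names such as retrieveAccounts are the ones that API uses), and the sample members are constructed for the example.

```python
"""Least-privilege audit of CyberArk Safe memberships used by CCP consumers.

Added example, not part of the reference guide. Members are classified as an
application if their name is one of the Application IDs from the properties
files; every other member is treated as a provider user or provider group.
"""

# Minimum authorizations prescribed by the guide, keyed by member role.
# Key names follow the PVWA REST API permissions object (assumption).
REQUIRED = {
    "application": {"retrieveAccounts"},
    "provider": {"listAccounts", "retrieveAccounts", "viewSafeMembers"},
}

# Application IDs taken from the application properties files
# (agrotera.cyberark.application_id and the team_format descriptor).
APPLICATION_IDS = {"POLICY_MANAGER", "EVENT_BROKER", "POLICY_MANAGER_Team_12345"}

# Constructed sample, not real vault data: two correct entries, two drifted ones.
SAMPLE_MEMBERS = [
    {"memberName": "POLICY_MANAGER", "memberType": "User",
     "permissions": {"retrieveAccounts": True, "listAccounts": False}},
    {"memberName": "EVENT_BROKER", "memberType": "User",
     "permissions": {"retrieveAccounts": True, "useAccounts": True}},
    {"memberName": "CCP_Providers", "memberType": "Group",
     "permissions": {"listAccounts": True, "retrieveAccounts": True,
                     "viewSafeMembers": True}},
    {"memberName": "ccp-provider-02", "memberType": "User",
     "permissions": {"listAccounts": True, "retrieveAccounts": True,
                     "viewSafeMembers": False, "updateAccountContent": True}},
]


def classify(member_name, application_ids):
    """Return 'application' for a known Application ID, otherwise 'provider'."""
    return "application" if member_name in application_ids else "provider"


def audit_safe_members(members, application_ids):
    """Compare each member's granted authorizations with the guide's minimum set.

    Returns a list of findings; an empty list means every member holds exactly
    the authorizations the guide prescribes for its role.
    """
    findings = []
    for member in members:
        name = member["memberName"]
        role = classify(name, application_ids)
        # Only authorizations explicitly switched on count as granted.
        granted = {perm for perm, on in member["permissions"].items() if on}
        required = REQUIRED[role]
        missing = required - granted   # under-provisioned: the app/provider will fail
        excess = granted - required    # over-provisioned: violates least privilege
        if missing or excess:
            findings.append({
                "member": name,
                "role": role,
                "missing": sorted(missing),
                "excess": sorted(excess),
            })
    return findings


def minimum_permissions(role):
    """Build the permissions object to submit when adding a member for `role`,
    with every required authorization on and nothing else granted."""
    return {perm: True for perm in sorted(REQUIRED[role])}


def format_report(findings):
    """Render findings as one line per member for a review log."""
    lines = []
    for f in findings:
        lines.append(f"{f['member']} ({f['role']}): "
                     f"missing={f['missing'] or '-'} excess={f['excess'] or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = format_report(audit_safe_members(SAMPLE_MEMBERS, APPLICATION_IDS))
    print(report or "all Safe members hold exactly the prescribed authorizations")
```

Run it as-is to see the two drifted sample entries reported: EVENT_BROKER holds Use accounts on top of Retrieve accounts, and ccp-provider-02 lacks View Safe Members while holding Update account content. To audit a real Safe, replace SAMPLE_MEMBERS with the member list exported from your vault and APPLICATION_IDS with the IDs from your properties files; minimum_permissions() gives the exact permission set to submit when a member has to be re-created.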

For more information about adding and managing privileged accounts, refer to the CyberArk Privileged Access Security Implementation Guide.