
CyberArk First Steps & Configuration


Your CyberArk lab is deployed. Now it is time to bring it to life. This guide walks through your first configuration session — from the initial PVWA login to a fully configured PAM platform ready to manage privileged accounts.

Prerequisites

You must have completed the CyberArk Lab Deployment guide and have all four VMs running. If you are using an existing CyberArk environment, the concepts still apply but some steps may differ.

What You Will Accomplish

By the end of this guide, you will have:

  1. Logged into PVWA as the Vault Administrator
  2. Created your first Safe for credential storage
  3. Created administrative users with appropriate roles
  4. Created a CPM policy for automated password management
  5. Configured LDAP directory integration
  6. Verified CPM is operational and communicating with the vault
  7. Verified PSM is operational

First PVWA Login

Accessing PVWA

  1. From your host machine (or any machine that can reach 192.168.100.30), open a browser
  2. Navigate to: https://192.168.100.30

HTTPS Certificate Warning

You will see a certificate warning because the lab uses a self-signed certificate. This is normal and safe in a lab environment. Click Advanced → Proceed to 192.168.100.30 (unsafe) to continue.

  3. You should see the CyberArk PVWA login page:

┌──────────────────────────────────────┐
│               CyberArk               │
│       Password Vault Web Access      │
│                                      │
│  Username: ______________________    │
│  Password: ______________________    │
│                                      │
│            [   SIGN IN   ]           │
│                                      │
│  [x] Authentication: CyberArk        │
└──────────────────────────────────────┘

  4. Log in with the Vault Administrator credentials created during Vault installation:
    • Username: Administrator
    • Password: V@ultAdmin!2026 (or whatever you set during vault installation)
    • Authentication: CyberArk

PVWA Interface Overview

After successful login, you will see the PVWA main dashboard:

┌────────────────────────────────────────────────────────────────────────┐
│ CyberArk PVWA │ ☰ Menu │ Administrator │ ⚙ Settings │ 👤 Logout         │
├────────────────────────────────────────────────────────────────────────┤
│ SIDEBAR            │ Main Content Area: Welcome Dashboard              │
│  ◆ Dashboard       │                                                   │
│  ◆ Accounts        │  Welcome to CyberArk Privileged Access Security   │
│  ◆ Safes           │  [Quick Start] [Documentation] [Support]          │
│  ◆ Policies        │                                                   │
│  ◆ Users           │  Summary:                                         │
│  ◆ Platforms       │  0 Safes │ 0 Accounts │ 0 CPM Users │ 0 Platforms │
│  ◆ Audit           │                                                   │
│  ◆ Applications    │                                                   │
│  ◆ Reports         │                                                   │
└────────────────────────────────────────────────────────────────────────┘

Key navigation areas:

Menu Item  │ Purpose                                                  │ First Use
───────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────
Dashboard  │ Overview of vault health, recent activity, alerts        │ Check after each configuration change
Accounts   │ Search, view, and manage privileged accounts             │ After onboarding accounts
Safes      │ Create and manage safes (logical credential containers)  │ Immediately — first task
Policies   │ Define CPM password management policies                  │ After safe creation
Users      │ Create and manage vault users and groups                 │ After safe creation
Platforms  │ Define target system connection profiles                 │ Default platforms are pre-installed
Audit      │ View all vault activity logs                             │ Continuous — check periodically
Reports    │ Generate compliance and operational reports              │ After accounts are onboarded

Creating Your First Safe

A Safe is a logical container within the CyberArk Vault that stores and manages privileged credentials. Every credential in CyberArk belongs to exactly one safe. Safes are the primary mechanism for organising access control — users and groups are granted permissions at the safe level.

Safe Naming Convention

In production, you must establish a consistent safe naming convention before creating safes. Common conventions include:

Pattern: [Environment]-[SystemType]-[AccessLevel]
Examples:
PROD-Win-LocalAdmins # Production Windows local admin accounts
PROD-Linux-Root # Production Linux root accounts
DEV-SQL-ServiceAccounts # Development SQL service accounts
CORP-Domain-Admins # Corporate domain admin accounts
SHARED-BreakGlass # Emergency break-glass accounts
INFRA-Network-Devices # Network device credentials
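A naming convention is only useful if it is enforced before safes are created, because a safe cannot be renamed afterwards without re-onboarding its accounts. The following Python validator is an added example, not part of this guide or of CyberArk's tooling: it parses a proposed name against the [Environment]-[SystemType]-[AccessLevel] pattern above and reports every violation at once. The environment code list and the forbidden-character set are assumptions for the example; the 28-character limit is CyberArk's documented maximum for a safe name.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Environment codes from the examples above plus LAB for this guide (assumed list;
# extend it to match your own convention).
KNOWN_ENVIRONMENTS = {"PROD", "DEV", "CORP", "SHARED", "INFRA", "LAB"}
# CyberArk limits a safe name to 28 characters.
MAX_SAFE_NAME_LENGTH = 28
# Characters to reject in a safe name (assumed conservative set for this example).
FORBIDDEN_CHARS = set('\\/:*?"<>|\t\r\n')
SEGMENT_RE = re.compile(r"^[A-Za-z0-9]+$")


@dataclass
class SafeNameCheck:
    name: str
    valid: bool
    environment: Optional[str] = None
    system_type: Optional[str] = None
    access_level: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def check_safe_name(name: str) -> SafeNameCheck:
    """Parse a proposed safe name against [Environment]-[SystemType]-[AccessLevel]
    and report every violation rather than stopping at the first one."""
    problems: List[str] = []
    if len(name) > MAX_SAFE_NAME_LENGTH:
        problems.append(f"longer than {MAX_SAFE_NAME_LENGTH} characters")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append(f"contains forbidden characters {bad}")
    parts = name.split("-")
    # Two-segment names such as SHARED-BreakGlass are accepted (the system type
    # already implies the access level); anything else is rejected.
    if len(parts) not in (2, 3) or not all(SEGMENT_RE.match(p) for p in parts):
        problems.append("expected ENV-SystemType[-AccessLevel] with alphanumeric segments")
        return SafeNameCheck(name, False, problems=problems)
    env, system_type = parts[0], parts[1]
    access_level = parts[2] if len(parts) == 3 else None
    if env != env.upper():
        problems.append("environment code must be upper case")
    elif env not in KNOWN_ENVIRONMENTS:
        problems.append(f"unknown environment code {env!r}")
    return SafeNameCheck(name, not problems, env, system_type, access_level, problems)


def check_many(names) -> Dict[str, SafeNameCheck]:
    """Check a batch of names, e.g. before creating them in bulk."""
    return {n: check_safe_name(n) for n in names}


if __name__ == "__main__":
    for name, result in check_many(["LAB-Win-LocalAdmins", "SHARED-BreakGlass",
                                    "prod-Win-LocalAdmins", "Windows Admins"]).items():
        print(name, "OK" if result.valid else result.problems)
```

Run it against the list of safes you intend to create; the parsed environment and system type can also drive which CPM policy a safe should receive later in this guide.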

For your lab, you will create four safes covering typical use cases:

Safe Name            │ Purpose                       │ CPM Policy                      │ Access Level
─────────────────────┼───────────────────────────────┼─────────────────────────────────┼───────────────────────
LAB-Win-LocalAdmins  │ Windows local admin passwords │ Rotate every 30 days            │ PAM Admins only
LAB-Linux-Root       │ Linux root passwords          │ Rotate every 30 days            │ PAM Admins only
LAB-Service-Accounts │ Domain service accounts       │ Rotate every 90 days            │ PAM Admins + Operators
LAB-BreakGlass       │ Emergency access accounts     │ Manual rotation, no auto-expire │ Vault Admin only

Create a Safe — Step by Step

In PVWA, click the ☰ Menu → Safes → Add Safe.

Configure Safe Properties

Fill in the safe creation form:

Field       │ Value                                    │ Explanation
────────────┼──────────────────────────────────────────┼──────────────────────────────────────────
Safe Name   │ LAB-Win-LocalAdmins                      │ Follow the naming convention
Description │ Lab Windows local administrator accounts │ Clear documentation of purpose
Location    │ \ (Root)                                 │ Keep all lab safes at root level
Safe Type   │ General                                  │ Default safe type for credential storage

Configure Safe Settings

Setting                                      │ Value            │ Reason
─────────────────────────────────────────────┼──────────────────┼───────────────────────────────────────────────
Allow retrieval of passwords                 │ ✅ Enabled       │ Users must be able to check out passwords
Allow listing of content                     │ ✅ Enabled       │ Users must be able to see accounts in the safe
Allow administrative access                  │ ❌ Disabled      │ Restrict to Vault Admin only
Allow automatic password management          │ ✅ Enabled       │ CPM must manage passwords in this safe
Require dual approval for password retrieval │ ❌ Disabled (lab)│ Enable in production for high-risk safes
Require reason for access                    │ ✅ Enabled       │ Every access must be justified
Enable session isolation                     │ ❌ Disabled (lab)│ Enable in production for sensitive systems
Password complexity                          │ Default          │ Will use CPM policy settings
Lock after days of inactivity                │ 0 (no lock)      │ Lab setting only

Add Members (Safe Permissions)

CyberArk permissions are granular — you grant specific capabilities to users or groups on each safe. For this lab safe, grant yourself full access:

Click Add Member → Select Administrator → Assign these permissions:

Permission Category │ Permission                       │ Description
────────────────────┼──────────────────────────────────┼──────────────────────────────────────
Access              │ List accounts                    │ View accounts in the safe
Access              │ Retrieve accounts                │ Check out passwords
Access              │ Add accounts                     │ Onboard new accounts
Access              │ Update account properties        │ Modify account settings
Access              │ Delete accounts                  │ Remove accounts from safe
Management          │ Initiate CPM password management │ Trigger manual password rotation
Management          │ Specify next password            │ Manually set the next password value
Management          │ Access without confirmation      │ Bypass dual control (if enabled)
Audit               │ View audit log                   │ See all actions on this safe

Click OK to create the safe.

Safe Permissions Best Practice

In production, follow the principle of least privilege — grant only the permissions each role needs:

  • Vault Admins: Full access to all safes (limited number of people)
  • PAM Operators: Retrieve and list accounts in assigned safes
  • Application Identities: Add/update accounts via API only (no retrieve)
  • Auditors: View audit log only

For your lab, granting yourself everything is fine — you are learning.
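Least privilege on safes is easy to state and easy to drift away from once dozens of members exist. The Python script below is an added example, not part of this guide or of any CyberArk product: it encodes the four role templates just listed as permission sets and audits a membership list, flagging any member whose grants exceed their role's template or that use a permission name that does not exist. The role names, the helper signatures and the membership list are constructed for the example; the permission names are the ones from the member table above.

```python
from typing import Dict, List, Set, Tuple

# Safe-level permissions as listed in the member table above.
ALL_PERMISSIONS: Set[str] = {
    "List accounts", "Retrieve accounts", "Add accounts",
    "Update account properties", "Delete accounts",
    "Initiate CPM password management", "Specify next password",
    "Access without confirmation", "View audit log",
}

# Role templates following the least-privilege guidance above (role names assumed).
ROLE_TEMPLATES: Dict[str, Set[str]] = {
    "Vault Admin": set(ALL_PERMISSIONS),
    "PAM Operator": {"List accounts", "Retrieve accounts"},
    "Application Identity": {"Add accounts", "Update account properties"},
    "Auditor": {"View audit log"},
}


def excess_permissions(role: str, granted) -> Tuple[Set[str], Set[str]]:
    """Return (permissions beyond the role template, permission names that do not exist)."""
    granted = set(granted)
    unknown = granted - ALL_PERMISSIONS
    return (granted & ALL_PERMISSIONS) - ROLE_TEMPLATES[role], unknown


def audit_safe_members(members: List[dict]) -> List[dict]:
    """Audit a list of {safe, member, role, permissions} records and return findings."""
    findings: List[dict] = []
    for m in members:
        base = {"safe": m["safe"], "member": m["member"]}
        if m["role"] not in ROLE_TEMPLATES:
            findings.append({**base, "issue": f"unknown role {m['role']!r}", "permissions": []})
            continue
        excess, unknown = excess_permissions(m["role"], m["permissions"])
        if excess:
            findings.append({**base, "issue": "beyond role template", "permissions": sorted(excess)})
        if unknown:
            findings.append({**base, "issue": "unknown permission names", "permissions": sorted(unknown)})
    return findings


# Constructed membership list for the lab safes (not exported from a real vault).
LAB_MEMBERS = [
    {"safe": "LAB-Service-Accounts", "member": "helpdesk_user", "role": "PAM Operator",
     "permissions": ["List accounts", "Retrieve accounts"]},
    {"safe": "LAB-Win-LocalAdmins", "member": "pamauditor", "role": "Auditor",
     "permissions": ["View audit log"]},
    # Deliberate over-grant: an operator given Delete accounts and the dual-control bypass.
    {"safe": "LAB-Win-LocalAdmins", "member": "helpdesk_user", "role": "PAM Operator",
     "permissions": ["List accounts", "Retrieve accounts", "Delete accounts",
                     "Access without confirmation"]},
    {"safe": "LAB-BreakGlass", "member": "Administrator", "role": "Vault Admin",
     "permissions": sorted(ALL_PERMISSIONS)},
]

if __name__ == "__main__":
    for f in audit_safe_members(LAB_MEMBERS):
        print(f"{f['safe']}: {f['member']} {f['issue']} {f['permissions']}")
```

In practice the membership list would come from an export of each safe's members; running the audit periodically turns the best-practice bullets above into a repeatable check rather than a one-time intention.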

Create Remaining Safes

Repeat the process for the remaining three safes:

Safe Name            │ Distinct Settings
─────────────────────┼──────────────────────────────────────────────────────────────────────
LAB-Linux-Root       │ Same as above, add note in description
LAB-Service-Accounts │ Enable “Allow automatic password management”
LAB-BreakGlass       │ Disable “Allow automatic password management” (manual rotation only)

Verify safes are created:

Go to ☰ Menu → Safes. You should see all four safes listed:

Name                 │ Type    │ Accounts │ CPM Policy
─────────────────────┼─────────┼──────────┼────────────
LAB-Win-LocalAdmins  │ General │ 0        │ None
LAB-Linux-Root       │ General │ 0        │ None
LAB-Service-Accounts │ General │ 0        │ None
LAB-BreakGlass       │ General │ 0        │ None

Creating Vault Users and Groups

Now you need to create vault users so that different personas can interact with CyberArk. You will create three user categories:

User          │ Role       │ Purpose
──────────────┼────────────┼─────────────────────────────────────────
pamadmin      │ Safe Admin │ Day-to-day PAM administration
pamauditor    │ Auditor    │ Review access logs and generate reports
helpdesk_user │ Operator   │ Check out passwords for support tasks

Create a Vault User

In PVWA, go to ☰ Menu → Users → Add User.

Configure User Properties

For the pamadmin user:

Field                 │ Value                 │ Explanation
──────────────────────┼───────────────────────┼───────────────────────────────────────────────────────────────
Username              │ pamadmin              │ Matches the AD user created earlier
Full Name             │ PAM Administrator     │ Display name
Email                 │ pamadmin@cyberark.lab │ For notifications
Authentication Method │ CyberArk              │ Vault-native authentication (we will add LDAP later)
Password              │ P@mAdmin!2026         │ Set a strong password
User Type             │ Safe Admin            │ Can manage safes and permissions (but not vault configuration)
Disabled              │ No                    │ Account is active

User Types Explained

  • Vault Admin: Full system configuration — user management, policy creation, system settings. Only 2-3 people should have this role.
  • Safe Admin: Manage safes, onboard accounts, define access permissions. Most PAM team members get this role.
  • Auditor: Read-only access to audit logs and reports. Cannot view passwords.
  • Operator: Retrieve passwords, request access, connect via PSM. No configuration access.
  • User: Request access to specific accounts, no administration.
  • Application Identity: API-based credential retrieval via AIM. No interactive login.

Configure Safe Permissions for pamadmin

Now grant pamadmin appropriate access to the safes:

  1. Go to ☰ Menu → Safes → Select LAB-Win-LocalAdmins
  2. Click Members → Add Member
  3. Select pamadmin
  4. Grant permissions:
    • Access: List accounts, Retrieve accounts, Add accounts, Update account properties, Delete accounts
    • Management: Initiate CPM password management
    • Audit: View audit log
  5. Click OK
  6. Repeat for LAB-Linux-Root and LAB-Service-Accounts
  7. For LAB-BreakGlass, grant pamadmin only List accounts and Retrieve accounts (restrictive access)

Create Auditor User

Create pamauditor with Auditor user type. Grant View audit log only on all safes.

Create Operator User

Create helpdesk_user with Operator user type. Grant List accounts and Retrieve accounts on LAB-Service-Accounts only.

Verify Users and Permissions

Terminal window
# From PVWA01, you can use the CyberArk CLI utilities to verify
cd "C:\CyberArk\Vault"
# List vault users (requires Vault Admin)
.\PACLI.exe VAULTADMIN Listusers
# Check specific user permissions
.\PACLI.exe VAULTADMIN GetUser -user pamadmin

Alternatively, log out of PVWA as Administrator and log back in as pamadmin to verify permissions are working.

Configuring CPM (Password Policy)

The Central Policy Manager automates password management — verification, rotation, and reconciliation. Before CPM can manage any accounts, you must define a CPM Policy.

What is a CPM Policy?

A CPM Policy defines how passwords are managed for accounts assigned to that policy:

Policy Element         │ What It Controls
───────────────────────┼────────────────────────────────────────────────────────────────────────────
Rotation Frequency     │ How often the password is changed (1-365 days)
Password Complexity    │ Character types, length, rules for generated passwords
Verification Frequency │ How often CPM checks that the password in the vault matches the target system
Reconciliation         │ What CPM does if the vault password does not match the target (auto-fix)
Post-Rotation Actions  │ What happens after rotation (verify only, full verification, notify)

Create a CPM Policy

In PVWA, go to ☰ Menu → Policies → Add Policy.

Configure Policy — General Settings

Field       │ Value                                                   │ Explanation
────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────
Policy Name │ LAB-Standard-Rotation-30                                │ Descriptive name reflecting purpose
Description │ Standard 30-day rotation for lab Windows/Linux accounts │
Policy Type │ CPM Password Management                                 │
Enabled     │ ✅                                                      │ Policy is active

Configure Password Complexity

Setting                         │ Value         │ Rationale
────────────────────────────────┼───────────────┼────────────────────────────────────────────────────────
Minimum Password Length         │ 25            │ 25+ characters for privileged accounts
Maximum Password Length         │ 30            │ Keep within manageable range
Uppercase (A-Z)                 │ ✅ Enabled    │ Mandatory character type
Lowercase (a-z)                 │ ✅ Enabled    │ Mandatory character type
Digits (0-9)                    │ ✅ Enabled    │ Mandatory character type
Special Characters (!@#$%…)     │ ✅ Enabled    │ Mandatory character type — essential for complexity
Restrict Consecutive Characters │ 3             │ No more than 3 identical consecutive characters
Exclude Characters              │ (leave empty) │ Optionally exclude ambiguous characters like l, 1, O, 0
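To see what the complexity settings above actually require of a generated password, here is an added Python example (not part of this guide or of CPM's own generator) that models the LAB-Standard-Rotation-30 complexity rules as a policy object, validates any candidate against them, and generates a compliant password from the operating system's CSPRNG. The special-character set and the retry limit are assumptions for the example; CPM's real generator is configured through the platform and policy settings, not through this code.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List


@dataclass
class ComplexityPolicy:
    min_length: int = 25
    max_length: int = 30
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_consecutive: int = 3          # no more than 3 identical consecutive characters
    exclude: str = ""                 # e.g. "l1O0" to drop ambiguous characters
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set for this example


# The policy configured above, expressed as data.
LAB_STANDARD = ComplexityPolicy()


def max_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def violations(password: str, policy: ComplexityPolicy) -> List[str]:
    """Return every rule the candidate breaks (empty list means compliant)."""
    v: List[str] = []
    if not policy.min_length <= len(password) <= policy.max_length:
        v.append(f"length {len(password)} outside {policy.min_length}-{policy.max_length}")
    if policy.require_upper and not any(c in string.ascii_uppercase for c in password):
        v.append("missing uppercase")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in password):
        v.append("missing lowercase")
    if policy.require_digit and not any(c in string.digits for c in password):
        v.append("missing digit")
    if policy.require_special and not any(c in policy.special_chars for c in password):
        v.append("missing special character")
    if max_run(password) > policy.max_consecutive:
        v.append(f"more than {policy.max_consecutive} identical consecutive characters")
    bad = sorted(set(password) & set(policy.exclude))
    if bad:
        v.append(f"contains excluded characters {''.join(bad)!r}")
    return v


def generate_password(policy: ComplexityPolicy) -> str:
    """Generate a password that satisfies the policy, using a CSPRNG."""
    rng = secrets.SystemRandom()
    excluded = set(policy.exclude)
    required = []
    for wanted, pool in ((policy.require_upper, string.ascii_uppercase),
                         (policy.require_lower, string.ascii_lowercase),
                         (policy.require_digit, string.digits),
                         (policy.require_special, policy.special_chars)):
        if wanted:
            allowed_pool = [c for c in pool if c not in excluded]
            if not allowed_pool:
                raise ValueError("exclusion list removed an entire required character class")
            required.append(allowed_pool)
    allowed = [c for c in string.ascii_letters + string.digits + policy.special_chars
               if c not in excluded]
    for _ in range(100):  # retry: a random fill can still produce a run of 4+ identical characters
        length = rng.randint(policy.min_length, policy.max_length)
        chars = [rng.choice(pool) for pool in required]          # one of each required class
        chars += [rng.choice(allowed) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy):
            return candidate
    raise RuntimeError("could not generate a policy-compliant password")


if __name__ == "__main__":
    print(generate_password(LAB_STANDARD))
```

The consecutive-character limit is the rule most often overlooked: a password that satisfies every character-class requirement can still fail it, which is why the generator validates its own output instead of assuming the fill is compliant.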

Configure Rotation Settings

Setting                   │ Value                  │ Rationale
──────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────
Rotation Frequency        │ 30 days                │ Standard for interactive privileged accounts
Rotation Method           │ Automatic              │ CPM rotates without manual intervention
Change Password After     │ Check-in               │ Rotate immediately after each checkout (zero-standing)
Post-Rotation Action      │ Verify Password Change │ CPM confirms the new password works on the target
Verify Password Frequency │ 1 day                  │ Daily verification — detect drift within 24 hours

Rotation Method: Automatic vs. Manual

  • Automatic: CPM rotates the password on the defined schedule without human intervention. Use for most accounts.
  • Manual: CPM generates a new password but does NOT apply it — an administrator must manually apply the change. Use for accounts where automatic rotation would break critical processes (e.g., application service accounts that cannot tolerate password changes during business hours).

Configure Reconcile Settings

Setting                           │ Value        │ Rationale
──────────────────────────────────┼──────────────┼───────────────────────────────────────────────────────────────────────────
Reconcile on Verification Failure │ ✅ Enabled   │ If password mismatch detected, CPM auto-fixes
Reconcile Method                  │ Set Password │ CPM sets the vault password on the target (requires sufficient privileges)
Reconcile Frequency               │ 1 day        │ Check for drift daily
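The rotation, verification and reconcile settings interact: a check-in can trigger a rotation long before the 30-day schedule, a failed verification is what arms a reconcile, and a manual policy only generates a new password for an administrator to apply. The following Python decision function is an added example, not part of this guide or of CPM itself; it expresses those rules from the three tables above against a constructed account state so you can see which CPM actions become due in each situation. The state fields, the action labels and the sample dates are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RotationPolicy:
    rotation_days: int = 30
    automatic: bool = True            # Automatic vs. Manual rotation method
    change_after_checkin: bool = True # "Change Password After: Check-in"
    verify_days: int = 1
    reconcile_on_failure: bool = True
    reconcile_days: int = 1


@dataclass
class AccountState:
    last_changed: datetime
    last_verified: Optional[datetime]   # None = never verified by CPM
    last_verify_ok: Optional[bool]      # result of the last verification
    last_checkin: Optional[datetime]    # most recent check-in after a checkout
    last_reconciled: Optional[datetime] = None


# Action labels (assumed names for this example).
VERIFY, RECONCILE, ROTATE = "verify", "reconcile", "rotate"
GENERATE_ONLY = "generate new password (manual policy: administrator applies it)"

# The two policies configured in this guide, as data.
LAB_STANDARD_ROTATION_30 = RotationPolicy()
LAB_SERVICE_90 = RotationPolicy(rotation_days=90, automatic=False, change_after_checkin=False)


def cpm_actions_due(policy: RotationPolicy, state: AccountState, now: datetime) -> List[str]:
    """Decide which CPM actions are due for one account under one policy."""
    actions: List[str] = []
    # Verification is due when the account was never verified or the verify interval elapsed.
    if state.last_verified is None or now - state.last_verified >= timedelta(days=policy.verify_days):
        actions.append(VERIFY)
    # A reconcile is armed by a failed verification that has not been reconciled since.
    if policy.reconcile_on_failure and state.last_verify_ok is False:
        if state.last_reconciled is None or state.last_reconciled < state.last_verified:
            actions.append(RECONCILE)
    # Rotation is due on schedule, or immediately after a check-in when the policy says so.
    due_by_schedule = now - state.last_changed >= timedelta(days=policy.rotation_days)
    due_by_checkin = (policy.change_after_checkin and state.last_checkin is not None
                      and state.last_checkin > state.last_changed)
    if due_by_schedule or due_by_checkin:
        actions.append(ROTATE if policy.automatic else GENERATE_ONLY)
    return actions


def next_scheduled_rotation(policy: RotationPolicy, state: AccountState) -> datetime:
    return state.last_changed + timedelta(days=policy.rotation_days)


# Constructed scenarios for the lab (sample dates, not real vault data).
NOW = datetime(2026, 3, 1, 9, 0)


def lab_scenarios(now: datetime = NOW) -> Dict[str, List[str]]:
    scenarios = {
        # Verified two hours ago, changed four days ago, never checked out: nothing to do.
        "healthy": (LAB_STANDARD_ROTATION_30, AccountState(
            last_changed=datetime(2026, 2, 25, 9, 0), last_verified=datetime(2026, 3, 1, 7, 0),
            last_verify_ok=True, last_checkin=None)),
        # Last verification failed yesterday and the account was checked in after its last change.
        "drifted_after_checkout": (LAB_STANDARD_ROTATION_30, AccountState(
            last_changed=datetime(2026, 2, 20, 9, 0), last_verified=datetime(2026, 2, 28, 8, 0),
            last_verify_ok=False, last_checkin=datetime(2026, 2, 25, 14, 0))),
        # Service account on the manual 90-day policy, last changed 120 days ago.
        "overdue_service_account": (LAB_SERVICE_90, AccountState(
            last_changed=datetime(2025, 11, 1, 9, 0), last_verified=datetime(2026, 3, 1, 8, 0),
            last_verify_ok=True, last_checkin=None)),
    }
    return {name: cpm_actions_due(policy, state, now) for name, (policy, state) in scenarios.items()}


if __name__ == "__main__":
    for name, actions in lab_scenarios().items():
        print(f"{name}: {actions or 'no action due'}")
```

The same function applied to an export of account states gives a quick picture of how much work CPM has queued and which accounts are sitting on a failed verification, which is exactly what the Dashboard's health view summarises.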

Assign Policy to Safes

Click Assign Safes → Select LAB-Win-LocalAdmins, LAB-Linux-Root, and LAB-Service-Accounts.

Click Create to save the policy.

Create Additional Policies

Policy Name            │ Rotation │ Password Length │ Target Safes              │ Use Case
───────────────────────┼──────────┼─────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────
LAB-Service-90day      │ 90 days  │ 50 chars        │ LAB-Service-Accounts      │ Service accounts (longer intervals reduce disruption risk)
LAB-HighSecurity-7day  │ 7 days   │ 30 chars        │ LAB-BreakGlass (if added) │ High-security accounts rotated frequently
LAB-Domain-Admin-30day │ 30 days  │ 30 chars        │ LAB-Win-LocalAdmins       │ Domain admin accounts

Verify CPM is Operational

Terminal window
# On PVWA01, check CPM service status
Get-Service "CyberArk CPM"
# If Status is not "Running":
Start-Service "CyberArk CPM"
# Check CPM logs for errors
Get-Content "C:\CyberArk\CPM\Logs\CPM.log" -Tail 50

In PVWA, go to ☰ Menu → Dashboard. The CPM status should show as Connected or Operational.

Configuring LDAP Directory Integration

LDAP integration allows users to authenticate to PVWA using their Active Directory credentials instead of separate vault credentials. This is essential for production deployments.

In PVWA, go to ☰ Menu → Administration → Options → Authentications → LDAP.

Add LDAP Directory

Click Add Directory and configure:

Field               │ Value                                                         │ Explanation
────────────────────┼───────────────────────────────────────────────────────────────┼────────────────────────────────────────────
Directory Name      │ CyberArk Lab AD                                               │ Display name for this directory
Domain              │ cyberark.lab                                                  │ Your AD domain
LDAP Server Address │ dc01.cyberark.lab                                             │ Domain Controller hostname
LDAP Port           │ 389                                                           │ Standard LDAP (non-SSL for lab)
Use SSL             │ ❌ Disabled                                                   │ Enable in production with LDAPS (port 636)
Base DN             │ DC=cyberark,DC=lab                                            │ Root of the AD tree
Bind User DN        │ CN=svc-pvwa,OU=ServiceAccounts,OU=CyberArk,DC=cyberark,DC=lab │ Service account for LDAP queries
Bind User Password  │ Svc@ccount!2026                                               │ Password for the bind account
Group Base DN       │ OU=CyberArk,DC=cyberark,DC=lab                                │ Where to search for groups
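The lab directory settings above are deliberately weak in one place (plain LDAP on 389 with SSL disabled) and it is easy to carry that into production unnoticed. The Python review below is an added example, not part of this guide or of PVWA: it holds the lab directory configuration as data, derives a production variant with LDAPS on 636, and runs consistency checks a reviewer would apply by hand (port/SSL agreement, cleartext binding, base DN matching the domain, bind and group DNs sitting under the base DN, and a dedicated bind account). The DN parser is simplified (no escaped commas), the hostname-in-domain check and the built-in-account list are assumptions, and the bind password is intentionally left out of the configuration object.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class LdapDirectory:
    name: str
    domain: str
    server: str
    port: int
    use_ssl: bool
    base_dn: str
    bind_dn: str
    group_base_dn: str
    # The bind password is deliberately not a field: it belongs in the vault, not in config files.


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, case-normalised.
    Simplified: assumes no escaped commas in values (true for the DNs above)."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_within(child: str, base: str) -> bool:
    """True when `child` lies under `base` (base is a suffix of child's RDN list)."""
    c, b = parse_dn(child), parse_dn(base)
    return len(c) >= len(b) and c[-len(b):] == b


def domain_of(base_dn: str) -> str:
    """Derive the DNS domain from the DC components of a base DN."""
    return ".".join(value for attr, value in parse_dn(base_dn) if attr == "dc")


BUILTIN_ADMIN_NAMES = {"administrator", "admin"}   # assumed list for the example


def review_ldap_config(cfg: LdapDirectory) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    if cfg.use_ssl and cfg.port == 389:
        findings.append("SSL enabled on port 389; LDAPS normally uses 636")
    if not cfg.use_ssl and cfg.port == 636:
        findings.append("port 636 without SSL; enable SSL or use 389")
    if not cfg.use_ssl:
        findings.append(f"bind password and queries travel in cleartext on port {cfg.port}; "
                        "use LDAPS (636) in production")
    if domain_of(cfg.base_dn) != cfg.domain.lower():
        findings.append("domain does not match the DC components of the base DN")
    if not cfg.server.lower().endswith("." + cfg.domain.lower()):
        findings.append("LDAP server hostname is outside the directory's domain (assumed convention)")
    for label, dn in (("bind user DN", cfg.bind_dn), ("group base DN", cfg.group_base_dn)):
        if not dn_within(dn, cfg.base_dn):
            findings.append(f"{label} is not under the base DN")
    _, bind_name = parse_dn(cfg.bind_dn)[0]
    if bind_name in BUILTIN_ADMIN_NAMES:
        findings.append("bind account should be a dedicated low-privilege service account")
    return findings


# The lab directory exactly as configured above.
LAB_DIRECTORY = LdapDirectory(
    name="CyberArk Lab AD", domain="cyberark.lab", server="dc01.cyberark.lab",
    port=389, use_ssl=False, base_dn="DC=cyberark,DC=lab",
    bind_dn="CN=svc-pvwa,OU=ServiceAccounts,OU=CyberArk,DC=cyberark,DC=lab",
    group_base_dn="OU=CyberArk,DC=cyberark,DC=lab",
)
# The corrected production variant: same directory, LDAPS on 636.
PRODUCTION_DIRECTORY = replace(LAB_DIRECTORY, port=636, use_ssl=True)
# A constructed mistake: SSL ticked but the port left at 389.
HALF_FIXED_DIRECTORY = replace(LAB_DIRECTORY, use_ssl=True)

if __name__ == "__main__":
    for label, cfg in (("lab", LAB_DIRECTORY), ("production", PRODUCTION_DIRECTORY),
                       ("half-fixed", HALF_FIXED_DIRECTORY)):
        print(label, review_ldap_config(cfg) or "no findings")
```

Keep the review next to whatever stores your directory settings so the "lab only" exception is caught the moment the same values are reused for a production environment.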

Test LDAP Connection

Click Test Connection. You should see a success message.

If the test fails, check:

Terminal window
# From PVWA01, test LDAP connectivity
Test-NetConnection dc01.cyberark.lab -Port 389
# Test an LDAP query using PowerShell (Get-ADUser needs the ActiveDirectory module from RSAT)
Get-ADUser -Filter * -Server dc01.cyberark.lab -SearchBase "DC=cyberark,DC=lab"

Map LDAP Groups to Vault Roles

LDAP Group              │ Vault Role  │ Purpose
────────────────────────┼─────────────┼───────────────────
CYBERARK\Domain Admins  │ Vault Admin │ Full vault access
CYBERARK\CyberArkAdmins │ Safe Admin  │ PAM administration
CYBERARK\Domain Users   │ User        │ Basic access

To configure:

  1. Click Group Mapping
  2. Add each group and assign the corresponding vault role
  3. Click Save

Enable LDAP Authentication

  1. Go to Authentication Methods
  2. Enable LDAP as an authentication source
  3. Set the authentication order (e.g., CyberArk first, then LDAP)
  4. Click Apply

Test LDAP Authentication

  1. Log out of PVWA
  2. On the login page, change the authentication method to LDAP
  3. Log in as CYBERARK\pamadmin with password P@mAdmin!2026
  4. You should successfully authenticate via LDAP

Verifying PSM Installation

PSM (Privileged Session Manager) provides session proxying and recording. Verify it is installed correctly.

Terminal window
# On PVWA01, check the PSM service
Get-Service "CyberArk PSM"
# Check the PSM log
Get-Content "C:\CyberArk\PSM\Logs\PSM.log" -Tail 30

Then confirm the PSM registration in the vault: in PVWA, go to ☰ Menu → Administration → PSM Management. You should see PVWA01 listed as a PSM server.

If PSM is not listed in the vault, register it:

Terminal window
# From the PSM installation directory
cd "C:\CyberArk\PSM"
.\PSMRegistrationTool.exe -Register -VaultIP 192.168.100.20 -VaultPort 1858

Initial Configuration Checklist

Use this checklist to confirm your CyberArk environment is ready:

#  │ Task                                                │ Status │ Verification Method
───┼─────────────────────────────────────────────────────┼────────┼──────────────────────────────────────────────
1  │ PVWA accessible via HTTPS                           │        │ Browse to https://192.168.100.30
2  │ Vault Administrator can log in                      │        │ Login with Administrator / V@ultAdmin!2026
3  │ Safes created (4 minimum)                           │        │ Safes page shows LAB-* safes
4  │ Users created (pamadmin, pamauditor, helpdesk_user) │        │ Users page lists all three
5  │ Safe permissions granted                            │        │ Each user sees correct safes
6  │ CPM policy created and assigned                     │        │ Policies page shows LAB-Standard-Rotation-30
7  │ CPM service running                                 │        │ Dashboard shows CPM connected
8  │ LDAP directory configured                           │        │ LDAP test connection succeeds
9  │ LDAP authentication works                           │        │ Login as CYBERARK\pamadmin via LDAP
10 │ PSM registered and running                          │        │ PSM Management shows PVWA01

Common First-Configuration Issues

Problem                                 │ Symptom                         │ Solution
────────────────────────────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────────────
Cannot log in as Administrator          │ “Invalid credentials”           │ Use the vault Administrator password set during vault installation, NOT the AD Administrator password
LDAP test fails                         │ “Cannot connect to LDAP server” │ Verify DC01 is running. Check Test-NetConnection dc01.cyberark.lab -Port 389
CPM shows “Disconnected” in dashboard   │ CPM service not running         │ Start-Service "CyberArk CPM". Check CPM logs at C:\CyberArk\CPM\Logs\
Cannot create safe                      │ “Insufficient permissions”      │ Only Vault Admin and Safe Admin user types can create safes. Verify your user type
Safe shows “No CPM Policy”              │ Policy not assigned             │ Go to Policies → Edit Policy → Assign Safes
PSM not listed in vault                 │ PSM not registered              │ Run PSMRegistrationTool.exe -Register on PVWA01
Browser shows “This site is not secure” │ Self-signed certificate         │ This is expected in lab. Proceed past the warning

Key Takeaways

  • Safe creation is the first administrative task — safes are the fundamental organisational unit for credentials and permissions in CyberArk
  • User types determine capability scope — Vault Admin (full system), Safe Admin (credential management), Auditor (read-only), Operator (credential retrieval), and User (request-based)
  • CPM policies automate password hygiene — define rotation frequency, complexity, verification, and reconciliation settings per safe or account type
  • LDAP integration enables single sign-on — users authenticate with their existing AD credentials instead of managing separate vault passwords
  • Permission assignment is granular — each safe can have unique permissions for each user, enabling precise access control following least privilege
  • Verification is continuous — CPM verifies passwords daily and reconciles mismatches automatically, ensuring vault accuracy

Next Steps

Your CyberArk environment is now configured and ready for action. Proceed to CyberArk Operations & Account Onboarding to onboard your first privileged account, test password rotation, configure PSM for session management, and learn day-to-day operational tasks.