Skip to main content

Skillber v1.0 is here!

Learn more

CyberArk Operations & Account Onboarding

Checking access...

Your CyberArk environment is deployed and configured. Now it is time to use it. This guide covers the day-to-day operational tasks every CyberArk professional must know — onboarding accounts, managing passwords, monitoring sessions, handling emergencies, and generating audit evidence.

Prerequisites

Complete the CyberArk Lab Deployment and First Steps guides first. You need a running CyberArk environment with safes, a CPM policy, and PSM configured.

What You Will Learn

  1. Onboard a Windows local admin account into the vault
  2. Test CPM password rotation
  3. Configure and test PSM session proxying
  4. Retrieve credentials via AIM (Application Identity Manager)
  5. Use PACLI for command-line vault operations
  6. Generate audit reports and evidence
  7. Handle common operational scenarios
  8. Configure break-glass emergency procedures

Onboarding a Privileged Account

Onboarding — also called platform onboarding — is the process of adding a privileged account to the CyberArk vault so that CPM can manage its password. This is the single most common operational task in CyberArk administration.

Understanding Platforms

Before onboarding, you must understand Platforms. A platform is a template that defines how CyberArk connects to and manages a specific type of target system. Each platform includes:

  • Connection parameters — protocol, port, authentication method
  • Password management commands — how CPM changes the password on that system type
  • Verification commands — how CPM verifies the current password
  • Reconciliation commands — how CPM fixes a password mismatch

CyberArk ships with dozens of pre-configured platforms. For your lab, the relevant ones are:

Platform NameTarget TypeConnection Protocol
Windows Server Local SecurityWindows local accountsWinRM / RPC
Windows Domain UserActive Directory domain accountsLDAP / PowerShell
Unix SSH KeyLinux/Unix SSH key-based authSSH
Unix RootLinux/Unix root accountsSSH password
Oracle DatabaseOracle DB accountsSQL*Net
Microsoft SQL ServerSQL Server accountsTDS

Step 1: Verify Connectivity to Target

Before onboarding, ensure the target server is reachable from the CPM:

Terminal window
# On PVWA01 (where CPM runs), test connectivity to TARGET01
Test-NetConnection 192.168.100.40 -Port 445 # SMB
Test-NetConnection 192.168.100.40 -Port 5985 # WinRM HTTP
Test-NetConnection 192.168.100.40 -Port 5986 # WinRM HTTPS

If WinRM is not enabled on TARGET01, enable it:

Terminal window
# On TARGET01, as Administrator
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "PVWA01" -Force
Restart-Service WinRM

Step 2: Navigate to Account Onboarding

In PVWA, go to ☰ MenuAccountsAdd Account.

Step 3: Select Platform and Configure

Fill in the account details:

FieldValueExplanation
SafeLAB-Win-LocalAdminsTarget safe for this account
PlatformWindows Server Local SecurityPre-configured platform for Windows local accounts
Account NameTARGET01\AdministratorDisplay name in the vault
UsernameAdministratorLocal username on TARGET01
Address192.168.100.40IP or hostname of the target server
PasswordT@rgetL0cal!2026Current password of the target account
CPM PolicyLAB-Standard-Rotation-30The CPM policy to apply

Address Resolution

CyberArk can use either IP addresses or hostnames for target systems. Hostnames require proper DNS resolution. In your lab, using IP addresses is simpler since there is no production DNS. In production, always use FQDNs for consistency.

Step 4: Configure Account Properties (Optional)

The Account Properties tab lets you add metadata that helps with management:

FieldValuePurpose
Ownerpamadmin@cyberark.labContact for this account
DescriptionBuilt-in local admin on TARGET01Documentation of purpose
DepartmentLabOrganisational grouping
LocationDatacenter/LabPhysical or logical location
FunctionInfrastructureBusiness function of the target system
Retain In Days30Keep previous passwords for this many days (rollback capability)

Step 5: Set Access Permissions

By default, the user creating the account gets full permissions. Add additional users:

  1. Click Add Member
  2. Select pamadmin → Grant Retrieve and List permissions
  3. Select helpdesk_user → Grant Retrieve only (operator access)

Step 6: Submit the Account

Click Save & Add Another or Save to complete the onboarding.

After saving, CyberArk will:

  1. Store the account credentials in the vault
  2. Immediately verify the password against TARGET01
  3. Schedule the first password rotation based on the CPM policy
  4. Log the account addition in the audit trail

Step 7: Verify the Onboarded Account

Navigate to ☰ MenuAccounts → Search for TARGET01.

You should see:

Account Name │ Safe │ Platform │ Status │ Last Verified
──────────────────────────┼───────────────────────┼─────────────────────┼─────────────┼──────────────
TARGET01\Administrator │ LAB-Win-LocalAdmins │ Win Server Local │ ✓ Verified │ Just now

The status should show Verified with a green checkmark, confirming CPM successfully validated the password.

Onboarding a Linux Root Account

To onboard a Linux target, repeat the process with:

FieldValue
SafeLAB-Linux-Root
PlatformUnix Root (SSH)
Account NameTARGET01-Linux\root
Usernameroot
Address192.168.100.50 (if you have a Linux target)
PasswordCurrent root password
CPM PolicyLAB-Standard-Rotation-30

Testing CPM Password Rotation

Once an account is onboarded, CPM will manage its password according to the assigned policy. You can trigger an immediate rotation to test the configuration.

Trigger Manual Rotation

In PVWA, go to ☰ MenuAccounts → Click on TARGET01\Administrator.

Initiate Password Change

Click the Change Password button (key icon) in the account toolbar.

Select Rotation Method

OptionDescriptionWhen to Use
Immediately change passwordCPM generates a new password and applies it nowTesting, or if password is suspected compromised
Change password at next scheduled rotationWait for the scheduled intervalRoutine operations
Specify new passwordManually provide the new passwordMigration, or when target requires a specific password

Select Immediately change password.

Monitor the Rotation

The rotation process takes 10-30 seconds. Watch the progress:

1. CPM reads current password from vault ──→ ✓ Done
2. CPM connects to TARGET01 via WinRM ──→ ✓ Connected
3. CPM verifies current password ──→ ✓ Matches
4. CPM generates new password per policy ──→ ✓ Generated (28 chars)
5. CPM changes password on TARGET01 ──→ ✓ Changed
6. CPM verifies new password on TARGET01 ──→ ✓ Works
7. CPM updates password in vault ──→ ✓ Stored
8. CPM logs successful rotation ──→ ✓ Logged

Verify the New Password

After rotation, retrieve the new password to confirm it changed:

  1. On the account page, click Copy Password
  2. The new password is copied to your clipboard
  3. Try logging into TARGET01 with this password to verify:
    Terminal window
    # On TARGET01, switch to a different admin session, or use:
    # From another machine:
    # ssh/powershell into TARGET01 with the new password

Check CPM Logs

Terminal window
# On PVWA01, check the CPM log for the rotation event
Get-Content "C:\CyberArk\CPM\Logs\CPM.log" -Tail 100 | Select-String -Pattern "TARGET01"

You should see entries confirming each step of the rotation process.

What Happens During Automatic Rotation

    sequenceDiagram
    participant Vault as CyberArk Vault
    participant CPM as CPM Service
    participant Target as TARGET01

    Note over CPM: Rotation timer fires (e.g., every 30 days)
    CPM->>Vault: Request account: TARGET01\Administrator
    Vault->>CPM: Return current password
    
    CPM->>Target: Connect via WinRM
    CPM->>Target: Verify current password
    Target->>CPM: Authentication success
    
    CPM->>CPM: Generate new password (25 chars, all types)
    
    CPM->>Target: Change password to new value
    Target->>CPM: Password changed successfully
    
    CPM->>Target: Verify new password
    Target->>CPM: New password works
    
    CPM->>Vault: Store new password
    Vault->>CPM: Stored, old password retained (version history)
    
    CPM->>CPM: Log success
  

Configuring and Testing PSM Sessions

PSM provides proxied, recorded access to target systems. Instead of connecting directly to TARGET01, users connect through PSM, which injects the credential automatically and records the entire session.

Configure PSM for Windows Connections

Verify PSM Platform

In PVWA, go to ☰ MenuPlatforms → Search for PSM_WinRemoteDesktop.

This platform defines how PSM connects to Windows targets via RDP. It is pre-configured but verify the settings:

SettingValueShould Match
PlatformPSM_WinRemoteDesktop
PSM ServerPVWA01The PSM server name
Connection ComponentPSM_RDPRDP connection component
Target ResolutionAddressConnect to account’s address field
Logon AccountPrivilegedUse the account being connected to

Connect via PSM — Web Portal Method

  1. Log into PVWA as pamadmin
  2. Go to ☰ MenuAccounts → Select TARGET01\Administrator
  3. Click the Connect button (monitor icon)
  4. A connection file (.rdp) will be downloaded
  5. Open the RDP file — PSM will:
    • Connect you through the PSM proxy
    • Inject the vault credentials automatically
    • Start session recording
    • Display a “Connected via CyberArk PSM” banner
  6. You are now logged into TARGET01 as Administrator — without ever seeing the password

PSM Connection Requirements

For PSM connections to work:

  • RDP must be enabled on TARGET01
  • TARGET01 must be reachable from PVWA01 on port 3389
  • The PSM service must be running on PVWA01
  • The target server must trust the PSM server’s certificate (in production, use proper certificates; in the lab, accept the warning)

View Session Recording

  1. In PVWA, go to ☰ MenuDashboardActive Sessions
  2. You should see your current PSM session listed
  3. After disconnecting, go to ☰ MenuAccounts → Select the account
  4. Click Session Recordings tab
  5. You will see a list of past sessions with duration, date, and user
  6. Click Play to replay the session recording

PSM SSH Connections

For Linux targets, CyberArk uses PSMP (Privileged Session Manager for SSH):

Terminal window
# From a Linux client that can reach the PSM server
# Install the SSH client if needed
ssh pamadmin@192.168.100.30 -p 2222
# When prompted, select the target:
# Target Address: 192.168.100.50
# Account: root
# PSMP will authenticate to the vault, retrieve the credential,
# and proxy the SSH session with full recording

Using AIM for Application Credentials

AIM (Application Identity Manager) provides programmatic credential retrieval for applications and automation. This is how scripts, CI/CD pipelines, and scheduled tasks get credentials without hardcoding them.

Configure AIM

Enable AIM in PVWA

  1. Log into PVWA as Administrator
  2. Go to ☰ MenuAdministrationOptions
  3. Navigate to Application Identity ManagerGeneral
  4. Enable AIM Web Service
  5. Set the AIM port (default: 8081)
  6. Click Apply

Verify AIM Service

Terminal window
# On PVWA01, check that the AIM web service is running
Get-Service "CyberArk AIM"
# If not running:
Start-Service "CyberArk AIM"
# Verify the AIM endpoint
Invoke-WebRequest -Uri "http://localhost:8081/AIMWebService/api/Accounts" -UseBasicParsing

Create an Application Identity

  1. In PVWA, go to ☰ MenuApplicationsAdd Application
  2. Configure:
FieldValueExplanation
Application IDMyLabAppUnique identifier for this application
DescriptionLab application for testing AIM access
Location\Root level
DisabledNoActive from creation
  1. Configure Authentication Methods:
MethodValueWhen to Use
Allowed Machines192.168.100.0/24Restrict to lab network
Client Certificate RequiredNoLab only — enable in production
OS User(leave empty)Optional, restricts which OS user can call AIM
  1. Click Save

Grant Safe Access to the Application

  1. Go to ☰ MenuSafesLAB-Service-Accounts
  2. Click MembersAdd Member
  3. Search for and select MyLabApp
  4. Grant permissions:
    • Access: List accounts, Retrieve accounts
    • Do NOT grant Add, Update, or Delete (applications should only read)
  5. Click OK

Test AIM Credential Retrieval

Terminal window
# On PVWA01 (or any machine in 192.168.100.0/24), test AIM
# Using PowerShell
$response = Invoke-RestMethod -Uri `
"http://localhost:8081/AIMWebService/api/Accounts?AppID=MyLabApp&Safe=LAB-Service-Accounts&Object=TARGET01%5CAdministrator"
Write-Output "Username: $($response.UserName)"
Write-Output "Password: $($response.Content)"
# Using curl
curl "http://localhost:8081/AIMWebService/api/Accounts?AppID=MyLabApp&Safe=LAB-Service-Accounts&Object=TARGET01%5CAdministrator"

The response includes the credential in JSON:

{
"Content": "G7$k2mN9#pQ4$xR8*vW1!zB6",
"UserName": "TARGET01\\Administrator",
"Address": "192.168.100.40",
"Safe": "LAB-Service-Accounts",
"Folder": "Root",
"Object": "TARGET01\\Administrator",
"PolicyID": "LAB-Standard-Rotation-30",
"PasswordChangeInProcess": "False",
"LastModified": "2026-06-15T10:30:00Z"
}

AIM Security in Production

In production, the AIM endpoint must be locked down:

  • Enable mutual TLS (client certificate authentication)
  • Use IP allow-listing to restrict which machines can call AIM
  • Never expose AIM to the internet
  • Monitor AIM access logs for anomalous retrieval patterns
  • Use short cache TTLs (300 seconds or less)
  • Audit all credential retrievals in your SIEM

Using PACLI — Command-Line Vault Operations

PACLI (Privileged Access Command Line Interface) is a command-line tool for vault operations. It is essential for automation and scripting.

Basic PACLI Commands

Terminal window
# Navigate to PACLI directory (installed with PVWA)
cd "C:\CyberArk\Vault"
# Initialize PACLI environment
.\PACLI.exe INIT
# Define vault definition
.\PACLI.exe DEFINEDVAULT -vault VAULT01 -ip 192.168.100.20 -port 1858
# Log into vault
.\PACLI.exe LOGON -vault VAULT01 -user Administrator -password V@ultAdmin!2026
# List all safes
.\PACLI.exe SAFESLIST -vault VAULT01
# List accounts in a safe
.\PACLI.exe ACCOUNTSLIST -vault VAULT01 -safe "LAB-Win-LocalAdmins"
# Get account details
.\PACLI.exe ACCOUNTDETAILS -vault VAULT01 -safe "LAB-Win-LocalAdmins" `
-account "TARGET01\Administrator"
# Retrieve a password (requires reason)
.\PACLI.exe ACCOUNTPASSWORDGET -vault VAULT01 -safe "LAB-Win-LocalAdmins" `
-account "TARGET01\Administrator" -reason "Operational test"
# Log off
.\PACLI.exe LOGOFF -vault VAULT01
# Terminate PACLI
.\PACLI.exe TERM

PACLI for Automation

PACLI is frequently used in scripts for automated operations:

Terminal window
# Automated password retrieval script
$vault = "VAULT01"
$user = "pamadmin"
$password = "P@mAdmin!2026"
$safe = "LAB-Service-Accounts"
$account = "SQLSvc_Prod"
$reason = "Scheduled backup job"
cd "C:\CyberArk\Vault"
.\PACLI.exe INIT
.\PACLI.exe DEFINEDVAULT -vault $vault -ip 192.168.100.20 -port 1858
.\PACLI.exe LOGON -vault $vault -user $user -password $password
$result = .\PACLI.exe ACCOUNTPASSWORDGET -vault $vault -safe $safe `
-account $account -reason $reason
.\PACLI.exe LOGOFF -vault $vault
.\PACLI.exe TERM
Write-Output $result

Generating Audit Reports

Audit evidence is a primary output of any PAM system. CyberArk provides built-in reports for compliance.

Built-in Reports

In PVWA, go to ☰ MenuReports to access:

ReportCompliance UseDescription
Privileged Account ActivityGeneral auditWho accessed which account, when, and why
Password ChangesSOX, PCI DSSAudit trail of all password rotations
Safe MembershipSOX, ISO 27001Who has access to which safes
Users and GroupsSOX, HIPAAComplete user inventory with roles
CPM ActivityOperationalCPM verification and rotation activity
Sessions ActivityPCI DSS, HIPAAAll PSM session recordings and metadata

Generate an Activity Report

  1. Go to ☰ MenuReportsPrivileged Account Activity
  2. Set date range (e.g., last 7 days)
  3. Select safe (or leave blank for all)
  4. Click Generate
  5. Export as PDF or CSV for audit evidence

View Audit Log

The Audit section shows every action in the vault:

  1. Go to ☰ MenuAudit
  2. Filter by:
    • Date Range: Last 24 hours
    • Action: Password retrieval
    • User: pamadmin
  3. You should see all your test retrievals logged with timestamps and reasons

Emergency Break-Glass Procedures

Despite all automation, there will be scenarios where normal CyberArk access is unavailable. Break-glass procedures ensure you can still access critical systems during emergencies.

Break-Glass Scenarios

ScenarioImpactBreak-Glass Action
Vault unavailableCannot check out credentialsUse pre-stored emergency account envelopes
CPM offlinePasswords not rotatingManual password changes, log all actions
PSM unavailableCannot connect via proxyDirect RDP/SSH (with manual approval)
PVWA unavailableNo web interfacePACLI from vault-accessible machine
Vault completely lostAll credentials inaccessibleRestore from backup, use emergency safe

Configuring a Break-Glass Safe

Break-glass accounts are stored in a safe with no automatic password management (manual rotation only). This ensures the password does not change without explicit human action.

  1. Go to ☰ MenuSafesLAB-BreakGlass
  2. Verify these settings:
    • Allow automatic password management: ❌ Disabled
    • Password rotation: Manual only
    • Members: Vault Admin only (plus maybe 1 emergency contact)
    • Dual control: ❌ Disabled (speed over control in emergencies)

Onboarding Break-Glass Accounts

Terminal window
# Onboard the vault's own Administrator account as a break-glass entry
# This is critical — if you lose the vault admin password, you lose everything

In the LAB-BreakGlass safe, add:

AccountUsernamePasswordNotes
VAULT01-VaultAdminAdministratorV@ultAdmin!2026Vault break-glass
TARGET01-Emergency.\AdministratorT@rgetL0cal!2026Server break-glass
DC01-DomainAdminCYBERARK\AdministratorL@bAdmin!2026Domain break-glass

Store the break-glass credentials in a sealed envelope or encrypted password manager outside of CyberArk.

Break-Glass Procedure

    flowchart TD
    A[Incident detected<br/>requiring privileged<br/>access] --> B[Declare emergency<br/>via ITSM ticket]
    B --> C{Is vault<br/>available?}
    C -->|Yes| D[Request access via<br/>break-glass safe<br/>with post-event approval]
    C -->|No| E[Retrieve credentials<br/>from offline<br/>emergency storage]
    D --> F{Approved?}
    F -->|Yes| G[Access target system<br/> Log everything]
    F -->|No| H[Escalate to<br/>PAM manager]
    E --> G
    G --> I[Complete task]
    I --> J[Rotate ALL <br/>used credentials<br/>immediately]
    J --> K[Document incident<br/> Post-incident review]
  

Common Operational Tasks Reference

How to: Find an Account

Terminal window
# In PVWA: ☰ Menu → Accounts → Search box
# Search by: Account name, username, address, safe, or platform
# Using PACLI:
PACLI.exe ACCOUNTSLIST -vault VAULT01 -safe "LAB-Win-LocalAdmins"

How to: Retrieve a Password

Terminal window
# In PVWA: Accounts → Select account → "Copy Password" or "Show Password"
# Both actions require a reason and are logged in the audit trail
# Using PACLI:
PACLI.exe ACCOUNTPASSWORDGET -vault VAULT01 -safe "LAB-Win-LocalAdmins" -account "TARGET01\Administrator" -reason "Routine maintenance"

How to: Add a New Safe Member

Terminal window
# In PVWA: Safes → Select safe → Members → Add Member
# Select user/group → Grant specific permissions → OK

How to: Modify a CPM Policy

Terminal window
# In PVWA: Policies → Select policy → Edit
# Change rotation frequency, complexity, or assigned safes → Save
# Changes apply at the next scheduled rotation

How to: Manually Trigger Password Verification

Terminal window
# In PVWA: Accounts → Select account → Verify Password
# CPM will immediately check the password against the target

How to: View Session Recording

Terminal window
# In PVWA: Accounts → Select account → Session Recordings tab
# Select a session → Play
# Use the player controls: pause, skip, speed control

How to: Disable an Account (without deleting)

Terminal window
# In PVWA: Accounts → Select account → Disable
# The account remains in the vault but CPM stops managing it
# No one can check out the password while disabled

How to: Delete an Account

Terminal window
# In PVWA: Accounts → Select account → Delete
# WARNING: This permanently removes the account from the vault
# Only delete when the account no longer exists on the target

Troubleshooting Common Operational Issues

CPM Password Change Fails

ErrorLikely CauseSolution
”Cannot connect to target”Network issue, target offlineVerify Test-NetConnection TARGET01 -Port 5985
”Access denied”CPM account lacks permissions on targetEnsure svc-cpm is in target’s Administrators group (or add CPM account explicitly)
“Password complexity not met”Target enforces different rulesEither adjust CPM policy or modify target’s password policy
”Account locked”Too many failed attemptsUnlock the account on the target, then verify in CPM
”Time out”Network latency or target overloadedIncrease CPM connection timeout setting in the platform

PSM Connection Fails

ErrorLikely CauseSolution
”PSM server not available”PSM service not runningStart-Service "CyberArk PSM" on PVWA01
”Cannot connect to target”Target RDP port not reachableEnable RDP on TARGET01: Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
”Authentication failed”PSM cannot retrieve credentialVerify account exists in vault and user has retrieve permission
”PSM not registered”PSM not registered with vaultRun PSMRegistrationTool.exe -Register on PVWA01

AIM Issues

ErrorLikely CauseSolution
”HTTP 401 Unauthorized”Application ID not foundVerify AppID in Applications page matches the request
”No accounts found”Safe access not grantedCheck that the Application has access to the specific safe
”AIM service not responding”AIM service not runningStart-Service "CyberArk AIM"

Operations Checklist

Use this checklist to confirm operational readiness:

#TaskStatusVerification
1Onboard Windows local admin accountAccount shows “Verified” in PVWA
2Trigger and verify manual password rotationPassword changes, CPM logs success
3Connect via PSM (RDP)Session recording available in PVWA
4Retrieve credential via AIMREST API returns valid JSON with password
5Run PACLI command to list safesSafes list returned without errors
6Generate activity reportPDF/CSV export contains expected data
7Check audit log for recent activityAll test actions visible in audit trail
8Onboard second account (different type)Second account verified and managed
9Test break-glass safe accessManual credentials accessible in emergency safe
10Verify CPM daily verification runsCPM log shows daily verification entries

Key Takeaways

  • Account onboarding is the most frequent operational task — select the correct platform, safe, and CPM policy for each account type
  • CPM automates the entire password lifecycle — verification, rotation, reconciliation — but must be tested after each configuration change
  • PSM provides zero-knowledge access — users connect through the proxy without ever seeing the password, and every keystroke is recorded
  • AIM enables secure automation — applications and scripts retrieve credentials programmatically without hardcoding secrets
  • PACLI is essential for automation and recovery — when PVWA is unavailable, PACLI is the command-line backup access method
  • Break-glass procedures must be documented and tested — emergencies will happen, and the plan must be proven before it is needed
  • Audit logs are the compliance deliverable — every action in CyberArk generates an audit record; ensure they are centralised in your SIEM

Next Steps

You have now deployed, configured, and operated CyberArk. The same operational patterns apply to onboarding additional account types — database accounts, cloud IAM users, network devices, and SSH keys. Explore the Platforms section in PVWA to see the full range of supported target systems.