user has successfully conducted a short PSM session and logged off. However, the user cannot access the Monitoring tab to view the recordings.
What is the issue?
- A . The user must login as PSMAdminConnect
- B . The PSM service is not running
- C . The user is not a member of the PVWAMonitor group
- D . The user is not a member of the Auditors group
When creating an onboarding rule, it will be executed upon:
- A . All accounts in the pending accounts list
- B . Any future accounts discovered by a discovery process
- C . Both “All accounts in the pending accounts list” and “Any future accounts discovered by a discovery process”
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers. The members of Operations Managers never need to be able to use the show, copy or connect buttons themselves.
Which safe permission do you need to grant Operations Staff? Check all that apply.
- A . Use Accounts
- B . Retrieve Accounts
- C . Authorize Password Requests
- D . Access Safe without Authorization
A user with administrative privileges to the vault can only grant other users privileges that he himself has.
- A . TRUE
- B . FALSE
As long as you are a member of the Vault Admins group you can grant any permission on any safe.
- A . TRUE
- B . FALSE
B
Explanation:
Being in the Vault Admins group only gives you access to safes that were created during installation. This is clearly stated in the documentation.
The System safe allows access to the Vault configuration files.
- A . TRUE
- B . FALSE
When a group is granted the ‘Authorize Account Requests’ permission on a safe Dual Control requests must be approved by
- A . Any one person from that group
- B . Every person from that group
- C . The number of persons specified by the Master Policy
- D . That access cannot be granted to groups
Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed?
- A . HeadStartInterval
- B . Interval
- C . ImmediateInterval
- D . The CPM does not change the password under this circumstance
Which one of the following reports is NOT generated by using the PVWA?
- A . Accounts Inventory
- B . Application Inventory
- C . Sales List
- D . Convince Status
Users who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.
- A . TRUE
- B . FALSE
It is possible to restrict the time of day, or day of week that a verify process can occur.
- A . TRUE
- B . FALSE
A
Explanation:
Password verification can be restricted to specific days. This means that the CPM will only verify passwords on the days of the week specified in the VFExecutionDays parameter. The days of the week are represented by the first 3 letters of the name of the day. Sunday is represented by Sun, Monday by Mon, etc.
In the Private Ark client, how do you add an LDAP group to a CyberArk group?
- A . Select Update on the CyberArk group, and then click Add > LDAP Group
- B . Select Update on the LDAP Group, and then click Add > LDAP Group
- C . Select Member Of on the CyberArk group, and then click Add > LDAP Group
- D . Select Member Of on the LDAP group, and then click Add > LDAP Group
D
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Landing%20Pages/LPLDAPIntegration.htm?TocPath=Administration%7CUser%20Management%7CTransparent%20user%20management%20using%20LDAP%7C_____2
What is the purpose of a linked account?
- A . To ensure that a particular collection of accounts all have the same password.
- B . To ensure a particular set of accounts all change at the same time.
- C . To connect the CPM to a target system.
- D . To allow more than one account to work together as part of a password management process.
You receive this error: “Error in changepass to user domainuser on domain server(domain. (winRc=5) Access is denied.”
Which root cause should you investigate?
- A . The account does not have sufficient permissions to change its own password.
- B . The domain controller is unreachable.
- C . The password has been changed recently and minimum password age is preventing the change.
- D . The CPM service is disabled and will need to be restarted.
A
Explanation:
Reference: https://cyberark-customers.force.com/s/article/CPM-can-login-and-verify-a-password-but-can-t-change-the-password-winRc-5-Access-is-denied
You are creating a Dual Control workflow for a team’s safe.
Which safe permissions must you grant to the Approvers group?
- A . List accounts, Authorize account request
- B . Retrieve accounts, Access Safe without confirmation
- C . Retrieve accounts, Authorize account request
- D . List accounts, Unlock accounts
C
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PVWA-Dual-Control.htm (expand all and search for retrieve accounts)
DRAG DROP
Match the Status of Service on a DR Vault to what is displayed when it is operating normally in Replication mode.
Which CyberArk components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.
- A . Discovery and Audit (DMA)
- B . Auto Detection (AD)
- C . Export Vault Data (EVD)
- D . On Demand Privileges Manager (OPM)
- E . Accounts Discovery
To ensure all sessions are being recorded, a CyberArk administrator goes to the master policy and makes configuration changes.
Which configuration is correct?
- A . Require privileged session monitoring and isolation = inactive; Record and save session activity = active.
- B . Require privileged session monitoring and isolation = inactive; Record and save session activity = inactive.
- C . Require privileged session monitoring and isolation = active; Record and save session activity = active.
- D . Require privileged session monitoring and isolation = active; Record and save session activity = inactive.
C
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-Recordings-and-Audits-in-PSM.htm
You need to enable the PSM for all platforms.
Where do you perform this task?
- A . Platform Management > (Platform) > UI & Workflows
- B . Master Policy > Session Management
- C . Master Policy > Privileged Access Workflows
- D . Administration > Options > Connection Components
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Customizing-PSM-for-Specific-Platforms.htm?TocPath=Administration%7CComponents%7CPrivileged%20Session%20Manager%7CConfiguration%7C_____8
Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI).
- A . TRUE
- B . FALSE
A Vault administrator has associated a logon account to one of their Unix root accounts in the vault.
When attempting to verify the root account’s password the Central Policy Manager (CPM) will:
- A . ignore the logon account and attempt to log in as root
- B . prompt the end user with a dialog box asking for the login account to use
- C . log in first with the logon account, then run the SU command to log in as root using the password in the Vault
- D . none of these
Which of the following Privileged Session Management solutions provide a detailed audit log of session activities?
- A . PSM (i.e., launching connections by clicking on the "Connect" button in the PVWA)
- B . PSM for Windows (previously known as RDP Proxy)
- C . PSM for SSH (previously known as PSM SSH Proxy)
- D . All of the above
The primary purpose of exclusive accounts is to ensure non-repudiation (Individual accountability).
- A . TRUE
- B . FALSE
Which Master Policy Setting must be active in order to have an account checked-out by one user for a pre-determined amount of time?
- A . Require dual control password access Approval
- B . Enforce check-in/check-out exclusive access
- C . Enforce one-time password access
- D . Enforce check-in/check-out exclusive access & Enforce one-time password access
Which report shows the accounts that are accessible to each user?
- A . Activity report
- B . Entitlement report
- C . Privileged Accounts Compliance Status report
- D . Applications Inventory report
Which Automatic Remediation is configurable for a PTA detection of a “Suspected Credential Theft”?
- A . Add to Pending
- B . Rotate Credentials
- C . Reconcile Credentials
- D . Disable Account
C
Explanation:
Reference: https://cau302.blogspot.com/2021/03/PTA.html
DRAG DROP
Match each PTA alert category with the PTA sensors that collect the data for it.
A Reconcile Account can be specified in the Master Policy.
- A . TRUE
- B . FALSE
Assuming a safe has been configured to be accessible during certain hours of the day, a Vault Admin may still access that safe outside of those hours.
- A . TRUE
- B . FALSE
Which type of automatic remediation can be performed by the PTA in case of a suspected credential theft security event?
- A . Password change
- B . Password reconciliation
- C . Session suspension
- D . Session termination
Which report could show all accounts that are past their expiration dates?
- A . Privileged Account Compliance Status report
- B . Activity log
- C . Privileged Account Inventory report
- D . Application Inventory report
What is the purpose of the PrivateArk Server service?
- A . Executes password changes
- B . Maintains Vault metadata
- C . Makes Vault data accessible to components
- D . Sends email alerts from the Vault
To enable the Automatic response “Add to Pending” within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?
- A . List Accounts, View Safe members, Add accounts (includes update properties), Update Account content, Update Account properties
- B . List Accounts, Add accounts (includes update properties), Delete Accounts, Manage Safe
- C . Add accounts (includes update properties), Update Account content, Update Account properties, View Audit
- D . View Accounts, Update Account content, Update Account properties, Access Safe without confirmation, Manage Safe, View Audit
You have associated a logon account to one of your UNIX root accounts in the vault. When attempting to change the root account’s password the CPM will:
- A . Log in to the system as root, then change root’s password
- B . Log in to the system as the logon account, then change root’s password
- C . Log in to the system as the logon account, run the su command to log in as root, and then change root’s password.
- D . None of these
A newly created platform allows users to access a Linux endpoint. When users click to connect, nothing happens.
Which piece of the platform is missing?
- A . PSM-SSH Connection Component
- B . UnixPrompts.ini
- C . UnixProcess.ini
- D . PSM-RDP Connection Component
For a safe with Object Level Access enabled you can turn off Object Level Access Control when it is no longer needed on the safe.
- A . TRUE
- B . FALSE
To manage automated onboarding rules, a CyberArk user must be a member of which group?
- A . Vault Admins
- B . CPM User
- C . Auditors
- D . Administrators
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.2/en/Content/PASIMP/automatic_onboarding_rules.htm#:~:text=To%20manage%20onboarding%20rules%2C%20users,to%20the%20Vault%20admins%20group
What is the purpose of the Interval setting in a CPM policy?
- A . To control how often the CPM looks for System Initiated CPM work.
- B . To control how often the CPM looks for User Initiated CPM work.
- C . To control how long the CPM rests between password changes.
- D . To control the maximum amount of time the CPM will wait for a password change to complete.
What is the name of the Platform parameter that controls how long a password will stay valid when One Time Passwords are enabled via the Master Policy?
- A . Min Validity Period
- B . Interval
- C . Immediate Interval
- D . Timeout
A
Explanation:
Min Validity Period - The number of minutes to wait from the last retrieval of the password until it is replaced. This gives the user a minimum period to be able to use the password before it is replaced. Use -1 to ignore this property. This parameter is also used to release exclusive accounts automatically.
Interval - The number of minutes that the Central Policy Manager waits between running periodic searches for the platform. Note: It is recommended to leave the default value of 1440. If a change/verify policy has been configured, the Central Policy Manager will automatically align the periodic searches with the start of the defined timeframes.
Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)
- A . The PSM software must be installed on the target server
- B . PSM must be enabled in the Master Policy (either directly, or through exception)
- C . PSMConnect must be added as a local user on the target server
- D . RDP must be enabled on the target server
When managing SSH keys, the CPM stores the Public Key
- A . In the Vault
- B . On the target server
- C . A & B
- D . Nowhere because the public key can always be generated from the private key.
In the screenshot displayed, you just configured the usage in CyberArk and want to update its password.
What is the least intrusive way to accomplish this?
- A . Use the “change” button on the usage’s details page.
- B . Use the “change” button on the parent account’s details page.
- C . Use the “sync” button on the usage’s details page.
- D . Use the “reconcile” button on the parent account’s details page.
What is the maximum number of levels of authorization you can set up in Dual Control?
- A . 1
- B . 2
- C . 3
- D . 4
You have been asked to secure a set of shared accounts in CyberArk whose passwords will need to be used by end users. The account owner wants to be able to track who was using an account at any given moment.
Which security configuration should you recommend?
- A . Configure one-time passwords for the appropriate platform in Master Policy.
- B . Configure shared account mode on the appropriate safe.
- C . Configure both one-time passwords and exclusive access for the appropriate platform in Master Policy.
- D . Configure object level access control on the appropriate safe.
You have been asked to identify the up or down status of Vault services.
Which CyberArk utility can you use to accomplish this task?
- A . Vault Replicator
- B . PAS Reporter
- C . Remote Control Agent
- D . Syslog
C
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Remote-Administration-for-the-Vault-DR-Vault.htm?tocpath=Administrator%7CComponents%7CDigital%20Vault%7COperate%20the%20CyberArk%20Vault%7CMonitor%20the%20Vault%7C_____1
Which utilities could you use to change debugging levels on the vault without having to restart the vault? Select all that apply.
- A . PAR Agent
- B . PrivateArk Server Central Administration
- C . Edit DBParm.ini in a text editor.
- D . Setup.exe
A,B
Explanation:
PAR-Private Ark Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics.
CyberArk recommends implementing object level access control on all Safes.
- A . True
- B . False
Within the Vault each password is encrypted by:
- A . the server key
- B . the recovery public key
- C . the recovery private key
- D . its own unique key
VAULT authorizations may be granted to _____.
- A . Vault Users
- B . Vault Groups
- C . LDAP Users
- D . LDAP Groups
tsparm.ini is the main configuration file for the Vault.
- A . True
- B . False
What is the purpose of the PrivateArk Database service?
- A . Communicates with components
- B . Sends email alerts from the Vault
- C . Executes password changes
- D . Maintains Vault metadata
The password upload utility must run from the CPM server
- A . TRUE
- B . FALSE
A Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control.
- A . True
- B . False
Which option in the Private Ark client is used to update users’ Vault group memberships?
- A . Update > General tab
- B . Update > Authorizations tab
- C . Update > Member Of tab
- D . Update > Group tab
A
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Predefined-Users-and-Groups.htm?TocPath=Administration%7CUser%20Management%7C_____7
A user is receiving the error message “ITATS006E Station is suspended for User jsmith” when attempting to sign into the Password Vault Web Access (PVWA).
Which utility would a Vault administrator use to correct this problem?
- A . createcredfile.exe
- B . cavaultmanager.exe
- C . PrivateArk
- D . PVWA
DRAG DROP
Arrange the steps to restore a Vault using PARestore for a Backup in the correct sequence.
You are logging into CyberArk as the Master user to recover an orphaned safe.
Which items are required to log in as Master?
- A . Master CD, Master Password, console access to the Vault server, Private Ark Client
- B . Operator CD, Master Password, console access to the PVWA server, PVWA access
- C . Operator CD, Master Password, console access to the Vault server, Recover.exe
- D . Master CD, Master Password, console access to the PVWA server, Recover.exe
A
Explanation:
Reference: https://cyberark-customers.force.com/s/article/How-to-log-in-as-the-Master-user
In accordance with best practice, SSH access is denied for root accounts on UNIX/LINUX systems.
What is the BEST way to allow CPM to manage root accounts?
- A . Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target server’s root account.
- B . Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server’s root account.
- C . Configure the Unix system to allow SSH logins.
- D . Configure the CPM to allow SSH logins.
To use PSM connections while in the PVWA, what are the minimum safe permissions a user or group will need?
- A . List Accounts, Use Accounts
- B . List Accounts, Use Accounts, Retrieve Accounts
- C . Use Accounts
- D . List Accounts, Use Accounts, Retrieve Accounts, Access Safe without confirmation
C
Explanation:
Reference: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-PSMConnecPVWA.htm?TocPath=End%20User%7CConnect%20to%20Accounts%7CPrivileged%20Single%20Sign-On%7C_____2
Via Password Vault Web Access (PVWA), a user initiates a PSM connection to the target Linux machine using RemoteApp.
When the client’s machine makes an RDP connection to the PSM server, which user will be utilized?
- A . Credentials stored in the Vault for the target machine
- B . Shadowuser
- C . PSMConnect
- D . PSMAdminConnect