Where can you assign a Reconcile account? (Choose two.)

1. A. in PVWA at the account level
2. B. in PVWA in the platform configuration
3. C. in the Master policy of the PVWA
4. D. at the Safe level
5. E. in the CPM settings

Correct Answer: AB
A Reconcile account can be assigned in the Privileged Vault Web Access (PVWA) at both the account level and within the platform configuration. At the account level, a Reconcile account password can be defined which will override the account specified in the platform1. In the platform configuration, you can navigate to Platform Management, select the platform, edit it, and then expand Automatic Password Management to enter the values in the ‘ReconcileAccountSafe’ and ‘ReconcileAccountName’ fields, which will apply to all accounts attached to that specific platform2.
References:
✑ CyberArk Docs - Reconcile Password1
✑ CyberArk Community - Associate reconcile account with a specific platform

A Vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault Admin rights.
Where can you check to verify that the Vault Admins directory mapping points to the correct AD group?

1. A. PVWA > User Provisioning > LDAP Integration > Mapping Criteria
2. B. PVWA > User Provisioning > LDAP Integration > Map Name
3. C. PVWA > Administration > LDAP Integration > Mappings
4. D. PVWA > Administration > LDAP Integration > AD Groups

Correct Answer: C
The directory mappings are the rules that define how users and groups from an external directory, such as Active Directory (AD), are mapped to roles and authorizations in CyberArk. To verify that the Vault Admins directory mapping points to the correct AD group, you need to check the Mappings page in the PVWA. This page displays the list of existing directory mappings in the Vault and their properties, such as mapping name, LDAP branch, domain groups, and mapping authorizations. You can edit or delete a directory mapping from this page, or create a new one using the Create Directory Mapping
button. References: Directory Maps, Create directory mapping, Get directory mapping list

Which item is an option for PSM recording customization?

1. A. Windows events text recorder with automatic play-back
2. B. Windows events text recorder and universal keystrokes recording simultaneously
3. C. Universal keystrokes text recorder with windows events text recorder disabled
4. D. Custom audio recording for windows events

Correct Answer: C
For PSM recording customization, one of the options is to use the Universal keystrokes text recorder with theWindows events text recorder disabled. This configuration allows for the recording of all keystrokes that are typed during privileged sessions on all supported connections. However, it is important to note that Universal keystroke recording andWindows events recordings cannot be configured for the same PSM-RDP connection. By default, Windows events text recording is enabled for PSM-RDP connections, so to enable universal keystrokes text recording, the Windows events text recording must first be disabled1.
References:
✑ CyberArk’s official documentation on configuring recordings and audits in PSM, which includes details on how to customize text recorders and the limitations of configuring multiple recorders for the same connection1

DRAG DROP
Match each permission to where it can be found.

Solution:
✑ Add Accounts: This permission is associated with the ability to add new accounts to the CyberArk Vault. It is typically found in the Vault’s administrative settings where account management is handled.
✑ Initiate CPM account management operations: This permission allows users to initiate operations related to the Central Policy Manager (CPM) for account management within a Safe. It is found in the Safe’s permissions settings.
✑ Add/Update Users: This permission enables the addition or updating of user information in the Vault. It is found in the Vault’s user management settings.
✑ Add Safes: This permission is related to the creation of new Safes in the Vault. It is found in the Vault’s administrative settings where Safe management is conducted.
References:
✑ The permissions and their locations can be referenced in the CyberArk Defender PAM course materials and official documentation, which provide detailed information on the management of permissions within the CyberArk solution.

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

DRAG DROP
You have been asked to delegate the rights to unlock users to Tier 1 support. The Tier 1 support team already has an LDAP group for its members.
Arrange the steps to do this in the correct sequence.

Solution:
The correct sequence to delegate the rights to unlock users to Tier 1 support with an existing LDAP group is as follows:
✑ Sign into the PWA (V10) as a local user with the “Manage Directory Mapping”
privilege.
✑ Open LDAP Integration view.
✑ Add Mapping to the existing LDAP integration.
✑ Name the new mapping and set the mapping order.
✑ Select required LDAP group and assign authorization “Activate Users”. Comprehensive Explanation: To delegate the rights to unlock users, you must first access the Privileged Web Access (PWA) with the appropriate privileges to manage directory mappings. Then, navigate to the LDAP Integration view to add a new mapping to the existing LDAP integration. This mapping should be named and ordered correctly. Finally, select the LDAP group that represents Tier 1 support and assign the specific authorization needed to unlock users, which is “Activate Users” in this context12. References:
✑ CyberArk Docs: LDAP Integration in V102
✑ CyberArk Knowledge Article: How to delegate permissions to unlock Active Directory accounts1

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A