A Vault administrator have associated a logon account to one of their Unix root accounts in
the vault. When attempting to verify the root account’s password the Central Policy Manager (CPM) will:

1. A. ignore the logon account and attempt to log in as root
2. B. prompt the end user with a dialog box asking for the login account to use
3. C. log in first with the logon account, then run the SU command to log in as root using the password in the Vault
4. D. none of these

Correct Answer: C
According to the web search results, when a Vault administrator has associated a logon account to one of their Unix root accounts in the vault, the CPM will log in first with the logon account, then run the SU command to log in as root using the password in the Vault1. This is a common use case for using a logon account, as the best practice for Unix systems is to disallow the root user from logging in using SSH, which is what the CPM uses to sign in to a system to manage the password2. The logon account can be defined on the target account level or on the platform level, making it available to all
accounts associated with the platform2. The CPM can also use the logon account to initiate PSM sessions to the target machine3.

A recently-hired colleague onboarded five new Local Accounts that are used for five standalone Windows Servers. After attempting to connect to the servers from PVWA, the colleague noticed that the "Connect" button was greyed out for all five new accounts.
What can you do to help your colleague resolve this issue? (Choose two.)

1. A. Verify that the address field is populated with an IP or FQDN of each server.
2. B. Verify that the correct PSM connection component appears within account platform settings.
3. C. Verify that the address field is blank and that the correct PSM connection component appears within account platform settings.
4. D. Notify the Windows Team that created the new accounts that the CyberArk PAM solution is not designed to manage local accounts on Windows Servers.
5. E. Verify that the "Disable automatic management for this account" setting for each account is not enabled.

Correct Answer: ABE
✑ Verify Server Address: Ensure that the address field is populated with the correct IP or FQDN for each server (Option A).
✑ Check PSM Settings: Confirm that the correct PSM connection component is specified within the account platform settings (Option B).
✑ Automatic Management: Check if the “Disable automatic management for this account” setting is not enabled (Option E).
These steps should help in troubleshooting the connection issue in the CyberArk Privileged Access Management (PAM) solution.

Vault admins must manually add the auditors’ group to newly created safes so auditors will have sufficient access to run reports.

1. A. TRUE
2. B. FALSE

Correct Answer: B
Vault admins do not need to manually add the auditors’ group to newly created safes, because the auditors’ group is automatically added to every safe in the vault by default. The auditors’ group has the View Audit authorization, which allows its members to view the safe’s activity and run reports. However, vault admins can remove the auditors’ group from specific safes if they want to restrict the access of the auditors. References: Predefined users and groups - CyberArk

Which Master Policy Setting must be active in order to have an account checked-out by one user for a pre-determined amount of time?

1. A. Require dual control password access Approval
2. B. Enforce check-in/check-out exclusive access
3. C. Enforce one-time password access
4. D. Enforce check-in/check-out exclusive access & enforce one-time password access

Correct Answer: B
According to the CyberArk Defender PAM documentation, the Master Policy setting that must be active in order to have an account checked-out by one user for a pre- determined amount of time is Enforce check-in/check-out exclusive access. This setting enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password. The duration of the check-out period can be configured in the platform settings for each account. References:
✑ Account check-out and check-in - CyberArk
✑ Master Policy - CyberArk

A user needs to view recorded sessions through the PVWA.
Without giving auditor access, which safes does a user need access to view PSM recordings? (Choose two.)

1. A. Recordings safe
2. B. Safe the account is in
3. C. System safe
4. D. PVWAConfiguration safe
5. E. VaultInternal safe

Correct Answer: AB
To view recorded sessions through the PVWA without having auditor access, a user needs access to two specific safes: the Recordings safe and thesafe the account is in. The Recordings safe is where the PSM session recordings are stored, and users need permission to access this safe to view the recordings. Additionally, users need access to the safe where the account associated with the recorded session is stored, as this is where the session details and permissions are managed12.
References:
✑ CyberArk Docs - Configure video and text recordings3
✑ CyberArk Community - Viewing PSM recorded sessions1