Question 1

The Active Directory User configured for Windows Discovery needs which permission(s) or membership?

Accepted Answer

D

Explanation: The user account configured for Windows Discovery in CyberArk performs a scan of the Active Directory environment to identify computer objects. This is a read-only operation that queries the directory service. To adhere to the principle of least privilege, the discovery user only requires permissions to read the directory. Standard "Domain User" accounts in Active Directory possess sufficient read permissions by default to enumerate objects within the domain, making them suitable for this task without granting excessive privileges.

Question 2

What is required to enable access over SSH to a Unix account through both PSM and PSMP?

Accepted Answer

A

Explanation: In CyberArk, platforms define the management policies and connection methods for accounts. To enable a specific connection method, the corresponding Connection Component must be associated with the platform. For SSH connections initiated from the PVWA (web interface), the PSM-SSH component is required. For direct SSH connections from a native client, the PSMP-SSH component is necessary. To allow a user to connect to the same Unix account using either method, the platform managing that account must have both the PSM-SSH and PSMP-SSH connection components configured and active.

Question 3

When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change?

Accepted Answer

B

Explanation: The question asks how to configure the CPM to use a reconcile account for a password change when the target account itself lacks the permissions to change its own password. The parameter ChangePasswordInResetMode (option B contains a common typo, "Made" instead of "Mode") directly addresses this scenario. When ChangePasswordInResetMode is set to Yes, it instructs the CPM to perform the standard 'Change' operation by using the associated reconcile account to log in and reset the password, rather than logging in as the target account. This effectively replaces the 'change' action with a 'reset' action, fulfilling the requirement.

Question 4

DRAG DROP Match each component to its respective Log File location. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CyberArk_PAM-DEF/page_88_img_1.jpg

Accepted Answer

Explanation: The component log file locations are based on their default installation directories and operational frameworks. The PTA (Privileged Threat Analytics) System runs as a web application on an Apache Tomcat server, which stores its primary log files in the /opt/tomcat/logs directory. PSM for SSH (PSMP) is a dedicated Linux component, and its log files are stored in a specific directory created during installation, /var/opt/CARKpsmp/logs/ . The Disaster Recovery component on the Vault server uses the PrivateArk Disaster Recovery (PADR) utility. The logs for this service, such as padr.log , are located by default in its installation folder, C:\Program Files (x86)\PrivateArk\Server\PADR .

Question 5

DRAG DROP Match the built-in Vault User with the correct definition. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CyberArk_PAM-DEF/page_68_img_1.jpg

Accepted Answer

Explanation: The question requires matching predefined CyberArk Vault users to their specific roles and permissions. The Master user is the ultimate superuser with all possible permissions, including the management of all other users, aligning with the first description. The Auditor user has system-wide, non-intrusive monitoring and reporting capabilities, matching the description of a user who views all activities to produce reports. The Batch user is a non-interactive internal account used for automated, background system tasks like clearing history, as described. The Administrator user holds high-level system control and recovery responsibilities and cannot be removed from Safes, fitting the final description. This user has extensive permissions but not the absolute power of the Master user.

Question 6

You are creating a Dual Control workflow for a team’s safe. Which safe permissions must you grant to the Approvers group?

Accepted Answer

A

Explanation: For a user or group to act as an approver in a Dual Control workflow, they require two specific permissions. First, they need the "List accounts" permission to see the accounts within the Safe and view pending requests associated with them. Second, they must have the "Authorize account request" permission, which explicitly grants them the ability to approve or deny those requests. The approver's role is strictly to authorize access for another user; they do not need the ability to retrieve the credentials themselves.

Question 7

Which Vault authorization does a user need to have assigned to able to generate the "Entitlement Report" from the reports page in PVWA? (Choose two.)

Accepted Answer

B, D

Explanation: Generating the "Entitlement Report" in PVWA requires two distinct Vault-level authorizations. First, to access the main "Reports" page, a user needs the View Audit authorization. Second, to specifically generate the "Entitlement Report" from that page, the user requires the Audit Users authorization. Option (B) Audit Users is explicitly required per official documentation. Option (D) View Entitlements, while not an official authorization name, serves as the most logical proxy for the required View Audit permission, which is not listed as an option. The report's purpose is to view entitlements, making this the best-fitting choice for the prerequisite viewing permission.

Question 8

Where can you check that the LDAP binding is using TCP/636?

Accepted Answer

B

Explanation: The configuration for LDAP integration, including the directory hosts and the specific port used for communication, is managed within the PVWA interface. An administrator can verify that the binding is configured to use TCP/636 (LDAPS) by navigating to the LDAP Integration settings, selecting the relevant directory, and inspecting the "Host" details. This section explicitly contains the IP/hostname and the port number for the connection to the domain controller.

Question 9

A newly created platform allows users to access a Linux endpoint. When users click to connect, nothing happens. Which piece of the platform is missing?

Accepted Answer

A

Explanation: A CyberArk platform dictates how the Privileged Session Manager (PSM) connects to a target system. For a Linux endpoint, the standard connection protocol is SSH. The PSM-SSH Connection Component is the specific module that the PSM uses to initiate and manage this type of session. If this component is not associated with the platform, the PSM does not know how to handle the connection request from the PVWA. As a result, when a user clicks the "Connect" button, the action fails without initiating a session, which manifests as "nothing happens."

Question 10

A Logon Account can be specified in the Master Policy.

Accepted Answer

[FALSE]

Explanation: The Master Policy in CyberArk Privileged Access Manager (PAM) is designed to enforce high-level, global security and compliance rules across the entire environment. It governs principles such as session recording, dual control, and exclusive access. It does not manage operational or platform-specific configurations. A Logon Account is an operational component used by the Central Policy Manager (CPM) to connect to a target machine to perform password management tasks (e.g., change, verify). The specification of which Logon Account to use is a configuration detail defined at the Platform level, not within the Master Policy. Each platform is configured with the specific technical details required to manage accounts on that type of target system, including the assignment of Logon and Reconcile accounts.

Question 11

The Accounts Feed contains:

Accepted Answer

B

Explanation: The Accounts Feed, accessible within the PVWA interface, serves as a centralized queue for privileged accounts that have been identified by a discovery scan but have not yet been onboarded into a Safe for management. Its primary purpose is to provide administrators with a clear view of pending accounts that require action, streamlining the process of bringing unmanaged privileged accounts under the control of the CyberArk PAM solution. This feed is not time-restricted; it displays all discovered accounts that remain in a pending state, regardless of when they were found.

Question 12

The password upload utility must run from the CPM server

Accepted Answer

TRUE

Explanation: The Password Upload Utility uses the CPM’s (Central Policy Manager) local encryption keys to encrypt each password in the bulk-upload file before the data are transferred to the Digital Vault. Because those keys exist only on the CPM host, the utility must be launched from that same CPM server; running it from any other workstation would leave the utility without the required keys and the upload would fail. Why the “False” option is wrong: Selecting “False” would imply the utility can be run from any workstation that merely has network access to the Vault. This is incorrect because those machines do not hold the CPM-specific encryption keys, so the Password Upload Utility cannot function there.

Question 13

As long as you are a member of the Vault Admins group you can grant any permission on any safe.

Accepted Answer

TRUE

Explanation: The statement is correct. The Vault Admins group is a built-in, highly privileged administrative group in the CyberArk Vault. By default, members of this group are granted the Manage Safes authorization at the Vault level. This specific authorization empowers them to perform all administrative actions on any safe, which includes adding or removing safe members and modifying their specific permissions within that safe. Therefore, a Vault Admin has the inherent capability to grant any permission on any safe.

Question 14

The primary purpose of exclusive accounts is to ensure non-repudiation (Individual accountability).

Accepted Answer

TRUE

Explanation: The primary security purpose of configuring an account for exclusive use is to enforce individual accountability, which is a cornerstone of non-repudiation. When a shared, highly privileged account (e.g., 'Administrator', 'root') is used, it is critical to be able to trace every action back to a specific individual. By enforcing exclusive access, the CyberArk Vault ensures that only one user can retrieve and use the credential at any given time. This creates a direct, auditable link between the individual Vault user and all activities performed during that privileged session, making it impossible for the user to deny their actions.

Question 15

You want to create a new onboarding rule. Where do you accomplish this?

Accepted Answer

D

Explanation: Onboarding rules are configured within the Password Vault Web Access (PVWA) interface. This feature allows administrators to define criteria for automatically onboarding privileged accounts that have been discovered by a CPM scanner. The correct navigation path in the modern PVWA user interface is to go to the "Accounts" page, where the "Onboarding Rules" option is available. This centralized location is used to create, view, and manage the rules that govern the automated account management lifecycle, from discovery to secure vaulting.

Free CyberArk PAM-DEF Actual Exam Questions