CyberArk License Management Guide 2026: Vault Licensing, Monitoring, User Types & PSM RDS CAL Explained
Complete CyberArk licensing guide covering Vault license management, DBParm.ini monitoring, license usage reports, user types, License.xml deployment, and Microsoft RDS licensing for PSM with enterprise best practices.
CyberArk Privileged Access Management (PAM) is built around a tightly controlled licensing model that governs how organizations secure privileged accounts, sessions, applications, and secrets within the Digital Vault. Unlike traditional software licensing, CyberArk licensing is deeply integrated into Vault architecture, user types, session components, and even external dependencies such as Microsoft Remote Desktop Services (RDS) for Privileged Session Manager (PSM).
In enterprise environments, improper license planning can lead to service disruption, failed user onboarding, or compliance risks. Therefore, understanding how CyberArk licensing works is not optional—it is a core administrative responsibility.
This guide provides a complete, production-grade explanation of CyberArk licensing, including monitoring, configuration, API-based tracking, user types, license installation, and RDS requirements for PSM sessions.
CyberArk Vault licensing defines how many entities can exist and operate inside the Vault environment. These entities include:
▣ Number of privileged users
▣ Number of safes and stored credentials
▣ Number of applications and CPM-managed accounts
▣ Component usage like PSM, CPM, PVWA, and AIM
Each license file (License.xml) is bound to the Vault environment and controls operational limits.
The license is enforced at the Vault level and cannot be bypassed without administrative intervention.
CyberArk licensing is not just about users—it is a multi-dimensional consumption model.
It governs:
▣ User types (EPVUser, PSMUser, CPM, etc.)
▣ Component usage (PSM sessions, CPM rotations)
▣ Application connections (AIM, AppProvider)
▣ Session-based consumption
▣ Safe membership and access roles
Each user type consumes licenses differently depending on activity and interface usage.
CyberArk defines multiple user license categories. Each category corresponds to a functional role within the PAM ecosystem.
EPVUser
Represents end users accessing Vault via PVWA or PrivateArk Client.
PSMUser
Users who initiate privileged sessions through PSM components.
CPM
Used by Central Policy Manager for password rotation and reconciliation.
PVWA User
Web-based interface users accessing CyberArk through a browser.
AppProvider
Used for Application Identity Manager (AIM) integrations.
ENE
Event Notification Engine user type.
OPMProvider
One-Time Password management component users.
License consumption occurs when:
▣ A user logs into PVWA or PrivateArk Client
▣ A session is initiated via PSM
▣ A user is added to a Safe
▣ A component authenticates to Vault
This means licensing is both session-based and identity-based.
CyberArk provides strict limits per license file.
A typical license includes:
▣ Maximum number of users per type
▣ Maximum applications allowed
▣ Maximum concurrent sessions
▣ Component-specific quotas
Once the limit is reached, new user creation or session initiation may fail.
If your license includes:
▣ EPVUser = 50
▣ PSMUser = 30
Then:
▣ Adding the 51st EPV user will trigger alerts or failure
▣ Starting a session beyond the PSM limit may be blocked
CyberArk provides multiple mechanisms to monitor license consumption.
1. DBParm.ini Monitoring
License alert thresholds are defined using:
LicenseUsageAlertLevel=85,90,99
What this means:
▣ 85% → Warning notification
▣ 90% → Critical warning
▣ 99% → Severe alert on every new user
At 99%, every new user addition triggers continuous notifications.
These alerts are logged in ITALog and sent to configured recipients.
2. Vault Notifications
Vault automatically sends:
▣ Email alerts
▣ System notifications
▣ Administrative warnings
Starting one week before license expiry, daily alerts are triggered.
3. License Capacity Report
The License Capacity Report provides a detailed breakdown of:
▣ Used licenses per user type
▣ Total available licenses
▣ Component-wise usage
How to access:
PrivateArk Client → Tools → Reports → License Capacity Report
CyberArk allows license updates without reinstalling the Vault.
Method 1: Via PrivateArk Client
▣ Login as Vault Administrator
▣ Access System Safe
▣ Retrieve existing License.xml
▣ Upload new License.xml into System Safe root
The Vault automatically detects and applies the new license.
Method 2: Manual File Replacement
On Vault server:
▣ Navigate to:
:\Program Files (x86)\PrivateArk\Server\Conf
▣ Replace license.xml
▣ Restart Vault service
DR Vault
▣ Copy license file
▣ No restart required
Cluster Vault
▣ Update passive node first
▣ Then active node
▣ Perform failover if required
CyberArk supports license replacement without service interruption via System Safe update.
CyberArk also provides REST APIs for license monitoring.
Endpoint
GET https://.privilegecloud.cyberark.cloud/PasswordVault/API/licenses/pcloud/
Example Response
{
  "componentName": "Privilege Cloud",
  "optionalSummary": {
    "name": "License consumption",
    "used": "1",
    "total": "170"
  }
}
Required Roles
▣ Privilege Cloud Administrator
▣ Basic Administrator
▣ Lite Administrator
Use Cases
▣ Automating license monitoring dashboards
▣ Integration with SIEM tools
▣ Compliance reporting
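Added example, not CyberArk's code and not part of the original page: it parses a response of the shape shown above (the counters arrive as strings), computes utilisation, and grades it against the LicenseUsageAlertLevel=85,90,99 thresholds from the DBParm.ini section, producing one flat record for a dashboard or SIEM. Reusing the Vault thresholds for API output, the 10% minimum buffer, the function names and the raised "used" value in the sample are assumptions of this example.

```python
import json

# Constructed sample in the response shape shown on this page; "used" is raised
# so that a threshold is crossed. Note the counters are strings, not integers.
SAMPLE_RESPONSE = """{
  "componentName": "Privilege Cloud",
  "optionalSummary": {"name": "License consumption", "used": "156", "total": "170"}
}"""

# The page's DBParm.ini line, reused here as the alerting policy (assumption).
DBPARM_LINE = "LicenseUsageAlertLevel=85,90,99"
LABELS = ("warning", "critical", "severe")  # the page's meaning of the three levels


def parse_alert_levels(line):
    """Return the percentage thresholds from a LicenseUsageAlertLevel line."""
    key, _, value = line.partition("=")
    if key.strip() != "LicenseUsageAlertLevel":
        raise ValueError("not a LicenseUsageAlertLevel line")
    levels = [int(v) for v in value.split(",")]
    # This example expects the three ascending levels shown on the page.
    if len(levels) != len(LABELS) or levels != sorted(levels):
        raise ValueError("expected three ascending percentages")
    if not all(0 < v <= 100 for v in levels):
        raise ValueError("thresholds must be percentages")
    return levels


def evaluate(response_text, levels, min_buffer_pct=10):
    """Turn one license response into a flat record for a SIEM or dashboard."""
    doc = json.loads(response_text)
    summary = doc["optionalSummary"]
    used, total = int(summary["used"]), int(summary["total"])
    if total <= 0 or used < 0:
        raise ValueError("implausible license counters")
    pct = used * 100 / total
    severity = "ok"
    for level, label in zip(levels, LABELS):
        if pct >= level:  # keep the highest threshold that has been reached
            severity = label
    return {"component": doc["componentName"], "used": used, "total": total,
            "used_pct": round(pct, 1), "severity": severity,
            "buffer_ok": (100 - pct) >= min_buffer_pct}


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESPONSE, parse_alert_levels(DBPARM_LINE))))
```

The buffer_ok flag turns false before the first alert level only if min_buffer_pct is set above 15, so choose it together with the thresholds.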
CyberArk assigns internal IDs to system components.
| User Type | ID |
|---|---|
| EPVUser | 34 |
| CPM | 31 |
| PVWA | 32 |
| PSM | 36 |
| AppProvider | 33 |
| ENE | 11 |
| AIMAccount | 35 |
These IDs help in internal license tracking and auditing.
User management directly impacts license consumption.
▣ Users inherit permissions from groups
▣ Safe membership affects visibility
▣ LDAP users can consume licenses dynamically
DBParm.ini: Combines all permissions across groups.
Uses permissions from first assigned group.
Important Rule
If a user belongs to multiple groups, license usage depends on:
▣ Group membership
▣ Safe ownership
▣ Individual permissions
CyberArk PSM uses Microsoft Remote Desktop Services (RDS) for session brokering.
This introduces a critical licensing dependency.
Per User CAL
▣ Assigned to individual users
▣ Best for enterprise identity-based access
▣ Recommended for CyberArk EPV/EXT users
Per Device CAL
▣ Assigned to devices
▣ Better for shared workstation environments
When a user initiates a PSM session:
▣ User connects via mstsc.exe
▣ Session is routed through PSM server
▣ RDS CAL is consumed by initiating user
Example:
User: j.smith
Privileged account: root_admin
License consumed: j.smith (not root_admin)
These accounts may also consume RDS CALs depending on session type.
| Version | Supported CAL |
|---|---|
| 2016 | Yes |
| 2019 | Yes |
| 2022 | Yes |
CyberArk recommends:
▣ 1 Per User RDS CAL per EPV/EXT user
▣ Track licensing via RDS License Server
▣ Ensure domain-based accounts for Windows 2019/2022
Local user-based RDS licensing is restricted.
▣ Use domain accounts for compliance
▣ Avoid local user dependency in PSM deployments
▣ Monitor license usage weekly
▣ Set DBParm.ini thresholds proactively
▣ Automate license API reporting
▣ Maintain buffer capacity (10–20%)
▣ Track RDS CALs separately for PSM
Common Mistakes
▣ Ignoring PSM RDS dependency
▣ Overlooking group-based license consumption
▣ Not monitoring DBParm alerts
▣ Misinterpreting EPV vs PSM licensing
▣ Using outdated License.xml
Troubleshooting Checklist
▣ Check ITALog for alerts
▣ Validate License.xml location
▣ Verify Vault restart after update
▣ Review License Capacity Report
▣ Confirm RDS CAL allocation
Q1: Can a CyberArk license be shared across environments?
No, each Vault requires a unique License.xml.
Q2: Does PSM require separate licensing?
Yes, both CyberArk and Microsoft RDS licensing apply.
Q3: Where is license usage stored?
Inside Vault metadata and ITALog system logs.
Q4: Can the license be updated without downtime?
Yes, via System Safe replacement method.
CyberArk licensing is a multi-layered control system that governs users, sessions, and infrastructure components across the PAM ecosystem. Proper understanding of License.xml management, DBParm.ini monitoring, user type consumption, and RDS dependencies is essential for maintaining a stable and compliant CyberArk deployment.
Organizations that proactively monitor license usage and align RDS licensing with PSM architecture significantly reduce operational risks and avoid unexpected service interruptions.
Copyright 2022 SecApps Learning. All Right Reserved