• April 26 2026

CyberArk Operations Guide (2026): System Health, Safe Management, Platform & Master Policy Explained

Learn CyberArk Operations in detail including System Health checks, Safe Management, Platform configuration, Reports, and Master Policy. Complete guide for PAM engineers.

---

🚀 Introduction to CyberArk Operations

CyberArk CyberArk Operations is the day-to-day activity performed by L1, L2, and L3 engineers to ensure the PAM environment runs smoothly.

👉 It includes:

• Monitoring system health
• Managing safes and access
• Configuring platforms
• Generating reports
• Enforcing security policies etc...

💡 Strong operations knowledge = strong real-time project performance

---

🎯 Why CyberArk Operations is Important

Without proper operations:
❌ Components may go down unnoticed
❌ Password rotation may fail
❌ Users may lose access
❌ Security risks increase

👉 With proper operations:
✔ System stability
✔ Secure access control
✔ Compliance & auditing
✔ Smooth password management

---

🧩 1. System Health (L1 Engineer Task)

---

📌 What is System Health?

Monitoring the status of all CyberArk components.

---

🔍 What You Check Daily

✔ Components status (Connected / Disconnected)
✔ Vault, PVWA, CPM, PSM availability
✔ Installed versions
✔ Number of onboarded accounts
✔ Accounts managed by CPM
✔ Active user sessions in PVWA
✔ Number of PSM connections
✔ Internal users used by components

---

🎯 Why It Matters

👉 Early detection of issues prevents downtime

---

📊 2. CyberArk Reports

---

📌 Key Reports in PVWA

---

1️⃣ Privileged Account Inventory

• Lists all accounts in CyberArk
• Includes:
  • Account Name
  • Address
  • Last Accessed
  • Last Modified

---

2️⃣ Privileged Account Compliance

✔ Compliant:

• CPM successfully rotates password

❌ Non-Compliant:

• CPM fails to rotate password

---

3️⃣ Application Inventory

• Applications onboarded for:
  • Secret Manager

---

4️⃣ Entitlement Report

• The Entitlement Report in the Privileged Identity Management (PIM) suite provides a comprehensive overview of user access and permissions. It details each user’s effective access control, authorization level, and privileges for every account stored within the vault or specific safe. This report ensures complete visibility into which users have access to which accounts, making it a critical tool for access governance, compliance auditing, and security management in CyberArk environments.

---

5️⃣ Activity Logs

• Tracks user actions:
  • Login
  • Account changes
  • Deletion and much more...

---

🆕 New Reports (Version 14+)

✔ License Capacity
✔ User List
✔ Safe Owners
✔ Active vs Non-Active Safes

---

🗂️ 3. Safe Management

---

📌 What is a Safe?

👉 A Safe is a secure container used to store:

• Accounts
• Passwords
• Certificates
• Files

💡 Without Safe → No storage possible

---

🧭 Safe Creation Steps

1. Login to PVWA
2. Navigate to Policies → Safes
3. Create Safe with:

• Safe Name (Max 28 characters)
• Description
• OLAC (Object Level Access Control)
• Password history settings
• Assign CPM

---

⚠️ Important Rule

👉 If CPM is NOT assigned:
❌ Password rotation will NOT work

---

👥 Default Safe Members

When a Safe is created:

✔ Master
✔ DR Users
✔ Backup Users
✔ Operators
✔ Batch
✔ PasswordManager
✔ Notification Engine
✔ Auditors ✔ PSMAppUsers

❗ Administrator is NOT added by default

---

🔐 Safe Permissions

---

👤 End Users

✔ List Account
✔ Use Account

---

👨‍💼 Managers / Leads

✔ List
✔ Use
✔ Retrieve
✔ Authorize Request

---

🔑 Important Permissions

• Retrieve → View password
• Use → Connect via PSM
• Add/Update/Delete → Manage accounts
• Move → Transfer account between safes
• Access Without Confirmation → Bypass approval

---

⚙️ 4. Platform Management

---

📌 What is a Platform?

👉 A Platform defines:

• Password policies
• CPM settings
• PSM connection settings

---

🧱 Platform Types

• Windows
• Unix/Linux
• Database (Oracle, SQL, MySQL)
• Cloud (AWS, Azure, GCP) etc..

---

⚠️ Critical Rule

👉 Wrong Platform =
❌ CPM password rotation fails
❌ PSM session connection fails

---

💡 Best Practice

✔ Always duplicate and customize platform
✔ Use correct platform per account type

---

🔐 5. Master Policy (Vault Settings)

---

📌 What is Master Policy?

👉 Global security rules applied across CyberArk

---

🔑 Important Policies

---

1️⃣ Dual Control (Approval)

• User must request access
• Manager approves

✔ Supports:

• Single approval
• Multi-level approval

---

🔓 Bypass Approval

Permission:
👉 Access Safe Without Confirmation

---

2️⃣ Check-in / Check-out

• Locks account to one user
• Prevents concurrent usage

---

3️⃣ One-Time Password (OTP)

• Password changes after every use

---

4️⃣ Specify Reason

• User must provide reason before access
• Used for auditing

---

5️⃣ Click-to-Connect

• Enable/Disable PSM connection & View Password

---

🔄 CPM Policies (Password Management)

---

✔ Password Change: Default 90 days
✔ Password Verify: Default 7 days

👉 CPM ensures:

• Password rotation
• Password validation

---

🖥️ PSM Policies (Session Management)

---

✔ Session Recording: Enabled
✔ Session Monitoring: Optional

👉 Ensures:

• Secure access
• Full session audit

---

🧾 Audit Retention Policy

---

✔ Default: 90 Days

👉 Stores:

• Logs
• User activities
• Session details

🧠 Key Takeaways

✔ CyberArk Operations is daily activity
✔ System Health ensures uptime
✔ Safes control access
✔ Platforms control behavior
✔ Master Policy enforces security

---

 

🎯 Final Thoughts

CyberArk Operations is where real engineering happens.

👉 Anyone can learn theory…
👉 But operations define your real expertise