TTechclickAll lessons
CYBERARK · PAM MASTERY ACCESS CONTROL Who can REALLYsee your rootpassword? 03 / 10 ai.techclick.in · Techclick Infosec Read lesson
CyberArk · Access Control · Safes, Permissions & Master PolicyInteractive · L1 / L2

CyberArk Safes, Permissions & Master Policy — Access Control Done Right

Your Vault holds the keys to 3,000 servers. But which 40 people can actually retrieve the domain-admin password right now — and who approved each one? If you can't answer that in 30 seconds, your Safe design is the audit finding waiting to happen. UseAccounts vs RetrieveAccounts, the Master Policy nobody draws, dual control + OTP, least-privilege safe layout — pick a path below and master it in 13 minutes.

📅 2026-05-31·⏱ 13 min · 5 SVG infographics + 1 animated dual-control trace·🏷 10-Q Bloom-tiered assessment + AI Tutor

⚡ Quick Answer

CyberArk Safes, permissions and Master Policy done right — UseAccounts vs RetrieveAccounts, the 21 permission flags, Master Policy rule areas, dual control + OTP, least-privilege safe design and AD group mapping. Real audit scenarios, 5 SVGs, AI tutor, 10 Bloom-tiered MCQs in 13 minutes.

Pick where you're weakest — jump straight to it

1

Safe Permissions

The 21 flags. Use vs Retrieve. The one that fails audits.

 2

Master Policy

4 rule areas + per-platform and per-safe exceptions.

 3

Dual Control + OTP

Request → approve → checkout. ServiceNow ticket on root.

 4

Safe Design

Least-privilege layout, naming, AD group mapping.

The interview question that trips up 70% of PAM candidates

Senior interview: "A user needs to RDP into a production Windows server through CyberArk, but must never see the password. Which single permission do you grant?"
Wrong answers: "Retrieve Accounts", "Manage Safe", "all of them". Right answer: UseAccounts only. It lets PSM broker the session so the credential never lands on the user's machine. RetrieveAccounts would additionally expose the plaintext password — a much bigger blast radius. Confusing these two is the single most common reason a CyberArk safe fails its access review. Get this one distinction right and you're already ahead of most "PAM admins" three years into the job.

💡 The SBI bank-locker analogy

Think of the Vault as the SBI locker room. The building holds hundreds of individual lockers — each locker is a Safe. Your access depends on exactly what the manager wrote against your name. Some people can only read the locker register (List Accounts). Some can open the locker and look inside but take nothing (Retrieve). Some can use what's inside without ever touching it themselves — the bank's agent handles it for them (Use, via PSM). And only the locker manager can add or remove other keyholders (Manage Safe Members). The Master Policy is RBI's uniform rulebook that applies to every branch — but one branch can file an exception for a special-purpose locker. Same family, same building, separate keys. That separation is the whole game.

4 things you'll be tested on before we begin

👁
Use vs Retrieve
tap to flip

UseAccounts = PSM-proxied connect, password never shown. RetrieveAccounts = view + copy the plaintext. So what: default to Use; grant Retrieve only for break-glass or programmatic needs.

🧱
Cumulative perms
tap to flip

In two groups on the same safe? You get the most permissive union of both. So what: one over-scoped group silently grants Retrieve to everyone in it.

🚪
Without Confirmation
tap to flip

accessWithoutConfirmation bypasses dual control even when the Master Policy enforces it. So what: a single over-grant nullifies your two-person rule — keep it to named break-glass only.

🔒
OLAC
tap to flip

Object Level Access Control adds per-account permission checks inside one safe. Cannot be disabled once on. So what: use it for mixed-population safes without creating safe sprawl.

① Safe member permissions — the 21 flags and the 2 that matter most

A safe is just a container. What makes it secure is the permission set you grant each Safe Member. CyberArk PAM Self-Hosted exposes 21 discrete permission flags in the Gen2 REST API. You will not memorise all 21 for the job — but you must know which ones are dangerous. The two that decide everything are useAccounts and retrieveAccounts.

Scenario — Ramesh at Bharat Financial Services

Ramesh Kumar, Senior PAM Architect at a large Mumbai NBFC, maps the BFS-OraDBAs AD group onto the Oracle safe with UseAccounts + ListAccounts + ViewAuditLog — and not RetrieveAccounts. DBAs connect to SYS through PSM all day, but nobody can copy the raw password out of PVWA. Retrieve goes to just two named senior DBAs for break-glass. That single design choice is what passed his quarterly access certification.

CyberArk safe member permission matrix — roles by permission A grid mapping four safe-member roles (End User, Account Manager, Approver, Auditor) against six key permissions (List, Use, Retrieve, Manage Safe Members, Authorize requests, Access without confirmation), showing which roles get which permissions under least-privilege design. Least-privilege permission matrix (roles × permissions) Role \ Permission ListAccounts Use(PSM) Retrieve(plaintext) ManageMembers Authorizerequests Access w/oconfirm End User (DBA)e.g. BFS-OraDBAs Account Manageronboards accounts Approverconfirms requests Auditoradded to every safe Pink columns = sensitive. Retrieve, Manage Members and Access-without-confirmation belong to a small, named set — never the whole team.
Figure 1 — Safe member permission matrix. Map roles to the minimum permission set. End users get Use + List; Retrieve, Manage Members and Access-without-confirmation stay rare and named.
Colour keyuntrusted / attackertrusted / vaultedpolicy / decision pointkey insightallowed

Here is the rule that scares auditors: when a user belongs to two AD groups that are both members of the same safe, CyberArk applies the cumulative (most permissive) permission. If Group-A grants Retrieve and Group-B denies it, the user gets Retrieve. One sloppy group nesting silently hands plaintext passwords to people who were never meant to have them.

REST API — add an AD group as a least-privilege safe member (PAM Self-Hosted v14) 
curl -k -X POST \
  https://10.20.40.50/PasswordVault/API/Safes/PROD-DB-ORA-DBA/Members \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${SESSION_TOKEN}" \
  -d '{ "memberName": "BFS-OraDBAs", "searchIn": "techclick.in",
        "permissions": { "useAccounts": true, "listAccounts": true,
          "retrieveAccounts": false, "manageSafeMembers": false,
          "accessWithoutConfirmation": false, "viewAuditLog": true } }'
Expected output 
{ "memberName": "BFS-OraDBAs", "memberType": "Group",
  "isPredefinedUser": false,
  "permissions": { "useAccounts": true, "listAccounts": true,
    "retrieveAccounts": false, "manageSafeMembers": false,
    "accessWithoutConfirmation": false, "viewAuditLog": true } }
Pause & Predict

Before you scroll: a help-desk analyst is added to two AD groups on the domain-admin safe. Group-A = List only. Group-B = List + Retrieve. What can the analyst do?

Predicted right? It's b. Cumulative permissions are additive, not subtractive. This is exactly how a "List only" help-desk role quietly becomes a "Retrieve domain-admin" role through a single nested group. Audit group membership, not just direct membership.

Pause & Predict A DBA team connects to SYS through PSM all day but must never be able to copy the raw password out of PVWA. Of the 21 safe-member flags, which one do you grant for the connection — and which one do you deliberately withhold?

Answer: Grant UseAccounts (PSM brokers the session, the plaintext never reaches the user) and withhold RetrieveAccounts (which exposes the password in plaintext). UseAccounts and RetrieveAccounts are the two flags that decide everything — exactly the design that let Ramesh pass his quarterly access certification.

② The Master Policy — one engine, four rule areas, surgical exceptions

The Master Policy is CyberArk's single-pane policy engine. It sets the organisation-wide baseline across four rule areas, and you carve out deviations as exceptions per platform or per safe — without touching the global default. Know the four areas cold; they map directly to PAM-DEF exam questions.

CyberArk Master Policy rule-area hierarchy with exceptions Master Policy at the top branching into four rule areas — Privileged Access Workflows, Password Management, Session Management, Audit — each listing its key rules, with platform-level and safe-level exception nodes overriding the baseline. Master Policyorg-wide baseline Privileged AccessWorkflows• Dual Control• Exclusive checkout• One-Time Password• Require Reason PasswordManagement• Change freq 90d• Verify freq 7d• Reconcile on mismatch SessionManagement• Record session (ON)• PSM-only connect• Live monitor / suspend Audit• Retain 90 days• Auditors on every safe• Tamper-evident log Platform exceptionWin-SvcAcct: rotate 30d (PCI) Safe exceptionBreak-glass safe: dual control ON Hierarchy: Master Policy > Platform exception > Safe exception. Exceptions deviate without changing the baseline. Defaults: Dual control OFF · Session recording ON · Change 90d · Verify 7d · Audit retain 90d
Figure 2 — Master Policy rule-area hierarchy. Four areas set the baseline; platform and safe exceptions override surgically. Dual control is OFF by default; session recording is ON by default.
Scenario — Priya at Technocraft Manufacturing, Pune

Priya Menon, IT Security Manager, needs one Windows service account to rotate every 30 days for PCI-DSS — but the global rule is 90 days and she will not touch it. She creates a Platform-level exception on that account's platform, sets change frequency to 30 days, and every other platform keeps the 90-day baseline. One surgical override, zero blast radius.

Common mistake — treating Master Policy as the governance document

The Master Policy is the technical how — it enforces rotation, recording and workflows. It is not the why: it captures no business justification, no ownership accountability, no certification schedule. A CISO who points to the Master Policy as "our PAM policy" will fail a SOX or ISO 27001 audit. You need both: a written governance document and the Master Policy as its implementation.

Quick check · Q1 of 10

You're at a Bengaluru fintech. A user must RDP into a production Windows server through PSM and must never see the password. Which single safe-member permission do you grant?

Correct: b. UseAccounts is the PSM-only permission — exactly what "connect but never see the password" means. RetrieveAccounts exposes plaintext (over-privilege here). ManageSafe is administrative. AccessWithoutConfirmation only bypasses dual control and is irrelevant to seeing a password.

Recreated for clarity📜 The exact screen you'll use — PVWA → Administration → Master Policy. Your console matches this layout.

https://pvwa.bank.example/PasswordVault
CyberArk · Password Vault Web Access/ Administration / Master Policy
Accounts
Policies
Reports
Administration
Master Policy — Privileged Access Workflows
RuleStatusExceptions
Require dual control password access approvalInactive2
Enforce check-in/check-out exclusive accessActive0
Enforce one-time password accessActive1
Require users to specify reason for accessActive0
Allow EPV transparent connections ("Click to connect")Active0
One engine, surgical per-Safe exceptions. Dual control here is OFF org-wide but ON via exception for the 2 most sensitive Safes.
Quick check · Master Policy exceptions

On the Master Policy grid above, "Require dual control password access approval" shows status Inactive but an Exceptions count of 2. Two named Safes still require dual-control approval. How did that happen without flipping the global rule on?

Correct: b. The Master Policy is one engine with an org-wide baseline; you carve deviations as per-platform or per-Safe exceptions without touching the global default. Status Inactive + Exceptions 2 reads as "off everywhere except the two most sensitive Safes." It is not a bug (a), exceptions are not audit-log edits (c), and an exception scopes a single rule, not all four areas (d).

③ Dual control, exclusive accounts & one-time passwords — two-person integrity

Dual control is the Master Policy rule that forces a privileged request to be approved by one or more safe owners before the password or session is released. It is OFF by default — you turn it on for your crown-jewel safes. Pair it with Exclusive Check-In/Check-Out (one user at a time) and One-Time Password (CPM rotates the password the instant it's checked back in) and a stolen credential becomes worthless seconds after use.

Scenario — Aditya enforces dual control + ServiceNow on production root

Aditya, lead engineer at a Hyderabad SaaS firm, wires CyberArk's approval workflow to ServiceNow. Now nobody touches the Linux root safe without (1) a valid CHG ticket in the right state and (2) a Level-1 then Level-2 approver sign-off. With two authorisation levels enabled, Level-1 must confirm before Level-2 is even notified — a true sequential, multi-person chain.

Dual-control request to approve to checkout flow with ServiceNow ticket Five-stage left-to-right flow: requester submits a reason and ServiceNow ticket in PVWA, Level-1 approver confirms, Level-2 approver confirms, CPM releases a one-time password for exclusive checkout, then auto-rotates the password on check-in. ① Requestin PVWA: reason +ServiceNow CHGroot@prod-lnx-01 ② Level-1approver confirmsticket state validauthLevel1 = true ③ Level-2approver confirms(only now notified)authLevel2 = true ④ Checkoutexclusive — lockedto this user onlyone-time password ⑤ Check-inCPM rotates pwdimmediatelycredential now dead Dual control → exclusive checkout → one-time password No single person completes the flow. The retrieved password is single-use. ⚠ accessWithoutConfirmation on a member would skip stages ② and ③ entirely — reserve it for break-glass only.
Figure 3 — Dual-control request → approve → checkout flow. Reason + ticket → sequential Level-1 then Level-2 approval → exclusive checkout → OTP rotation on check-in. Two-person integrity, single-use credential.

▶ Watch a dual-control checkout, step by step

Aditya needs root on a production Linux box. Dual control + ServiceNow ticket + OTP are enforced. Press Play.

① 22:04:00Aditya opens PVWA, requests root@prod-lnx-01, enters reason "P1 incident INC0049213" and links ServiceNow CHG0031882.
② 22:04:20CyberArk validates the ticket state via the ServiceNow integration. Ticket = Approved. Request enters the dual-control queue.
③ 22:06:10Level-1 approver (shift lead) confirms in PVWA. requestsAuthorizationLevel1 = true. Only now is the Level-2 approver notified.
④ 22:08:35Level-2 approver (security on-call) confirms. CyberArk releases an exclusive checkout — the account is now locked to Aditya alone.
⑤ 22:41:00Aditya checks the account back in. CPM immediately rotates the password (MinValidityPeriod). The credential he used is now dead. Full chain is in the audit log.
Press Play to watch the full request-to-rotation chain, step by step.
War story — the failsafe bypass code on a sticky note

A mid-sized e-commerce firm enabled dual control + ServiceNow on its Linux root safes — then printed the failsafe bypass code on a note by the PVWA workstation and shared it in a Slack channel. A post-incident review found it had been used 17 times with no change ticket and no approver record. The fix: regenerate the code, store it inside a separate safe that itself requires dual control, and alert via PTA on any bypass-code use. The lesson: a bypass that skips the whole workflow must be guarded harder than the workflow itself.

Pause & Predict

Dual control is enforced on the root safe via the Master Policy. But one service team also has accessWithoutConfirmation granted on that safe. When they request root, what happens?

Predicted right? It's b. This is the classic audit gap. A per-member permission beats the policy-level rule for that member. That's why accessWithoutConfirmation must be a tiny, named, PTA-monitored set — never a whole team.

Pause & Predict An attacker shoulder-surfs a DBA's root password during a legitimate one-time-password checkout, then walks away to reuse it ten minutes later. The safe has Exclusive Check-In/Check-Out and One-Time Password turned on. Why is the stolen password already worthless?

Answer: The moment the DBA checks the account back in, the CPM rotates the password immediately — the credential is single-use, so the captured value is dead. And because checkout was exclusive (locked to one user at a time), the attacker could not even have grabbed it concurrently. Dual control gates the release; OTP + exclusive checkout make the released credential disposable.

④ Least-privilege safe design — segregation, naming & AD mapping

Here is where most CyberArk deployments quietly rot. A safe boundary must line up with a job-function boundary. If your DBA team and your Windows server team share one safe, neither least privilege nor clean auditing is possible — and a single compromised help-desk account can reach credentials it has no business touching.

War story — 40 people with Retrieve on domain-admin

A global bank's quarterly certification found one Windows admin safe with 40 active members, every one holding RetrieveAccounts on domain-admin accounts — added "just in case", never cleaned up, no dual control, no OTP. In a Red Team test, an attacker who phished one help-desk account pulled a domain-admin password from PVWA in under two minutes and owned a domain controller. The remediation: strip Retrieve from 38 of 40 members and put dual control + OTP on the 2 break-glass accounts that kept it. Safe membership had been a one-way door with no attestation — that's the real bug.

Safe-design decision tree — who needs which permission A top-down decision tree starting from a new access requirement, branching on questions: does the user need plaintext or just a session, is the account a crown jewel, is the population mixed, leading to outcomes of UseAccounts only, RetrieveAccounts plus dual control plus OTP, a dedicated platform safe, or OLAC within a shared safe. New access requirement"Sneha needs server access" Need plaintext password, or just a session? session only plaintext UseAccounts onlyPSM connect · default for 90% Crown-jewel account?domain-admin / root / SYS yes no Retrieve + Dual Control + OTPnamed break-glass only · exclusivecheckout · PTA alert Retrieve to 2named seniors,audited quarterly Mixed population in one safe?e.g. Oracle SYS + read-only DBA → enable OLACper-account control, no safe sprawl (cannot undo) Default to Use. Escalate to Retrieve only with dual control + OTP. Split safes by platform; OLAC only for genuinely mixed safes.
Figure 4 — Safe-design decision tree. Start from the requirement, not the permission. Most users need Use; Retrieve is an exception gated by dual control + OTP; OLAC handles mixed-population safes without sprawl.

The fix for the DBA-vs-Windows mess is structural: one safe per platform per environment, with each AD group mapped only onto its own safe. Names are capped at 28 characters and can't contain spaces, periods, asterisks or quotes — which is exactly why the field uses an abbreviated convention: [Env]-[Location]-[AssetType]-[Platform]-[AccountType].

Least-privilege safe layout cheat card A cheat card showing the monolithic anti-pattern PROD-DB-SVR with both Windows admins and Oracle DBAs on one safe, contrasted with four platform-aligned safes each mapped to a single AD group with least-privilege permissions, plus the 28-character naming convention. Least-privilege safe layout — cheat card ✗ Anti-pattern: one monolithic safe PROD-DB-SVR • 12 Windows admins can Retrieve Oracle SYS • DBAs can see Windows local-admin creds → SoD fail ✓ Platform-aligned safes PROD-WIN-SVR-LADM PROD-WIN-DOM-SVC PROD-DB-ORA-DBA PROD-DB-SQL-SA one AD group per safe · Use not Retrieve · clean SoD Naming: [Env]-[Location]-[AssetType]-[Platform]-[AccountType] · max 28 chars · no spaces/periods/*/" P-TOR-SRV-WIN-LADM · D-AWS-DB-ORA-LSVC-HR · PROD-DB-ORA-DBA AD mapping: add the GROUP, not 40 individuals LDAP-authenticated Vault users → AD account disable instantly revokes Vault access. Local Vault accounts do NOT. Keep one local break-glass user.
Figure 5 — Least-privilege safe layout cheat card. Split monolithic safes by platform, name within 28 chars, map AD groups (not individuals), and authenticate Vault users via LDAP so leaver-offboarding propagates.

One more design trap worth naming: map AD groups as safe members, and make Vault users LDAP-authenticated. At Technocraft, an exited junior admin pulled the Azure root password three hours after his AD account was disabled — because his local Vault account still worked. LDAP-backed users would have lost access the instant AD disabled him. Keep exactly one local break-glass user for the day AD itself is down.

REST API — audit a safe: list every member who still holds Retrieve 
curl -k -s \
  https://10.20.40.50/PasswordVault/API/Safes/PROD-WIN-DOM-ADM/Members \
  -H "Authorization: ${SESSION_TOKEN}" | \
jq '.value[] | select(.permissions.retrieveAccounts == true)
     | {member: .memberName, type: .memberType}'
Expected output 
{ "member": "BFS-WinBreakGlass", "type": "Group" }
{ "member": "ramesh.kumar",      "type": "User"  }
# Only 2 entities hold Retrieve — exactly what least-privilege expects.
# 40 entries here would be your audit finding.
Quick check · Q2 of 10

You're designing safes for a Pune NBFC. The Oracle DBA team and the Windows server team currently share one safe. What's the cleanest least-privilege fix?

Correct: a. Platform-aligned safes align the boundary with job function — the core of least privilege. (b) and (c) widen access. (d) is unmanageable safe sprawl; one safe per team+platform is the CyberArk best practice, with OLAC for any genuinely mixed safe.

Recreated for clarity🔐 The exact screen you'll use — PVWA → Safes → Add Safe. Your console matches this layout.

https://pvwa.bank.example/PasswordVault
CyberArk · Password Vault Web Access/ Safes / Add Safe
Add Safe
Safe NamePROD-Linux-DBA1
DescriptionProduction Linux DBA accounts
Assign a CPMPasswordManager2
Number of versions retained7
Enable Object Level Access Control☑ Enabled
SaveCancel
The Safe name is the access boundary — name it by team+environment, never by person. No CPM assigned = no automatic rotation; this is the #1 audit miss.

Pause & Predict A colleague creates a safe called Rajesh-Personal, adds three teammates, and leaves the Assign a CPM field blank. Name the two least-privilege design failures baked into that one dialog.

Answer: (1) The safe is named after a person, not a team+environment — the safe name is the access boundary, so a personal name breaks segregation and clean auditing (it should be platform-aligned, e.g. PROD-Linux-DBA). (2) No CPM assigned means no automatic rotation — the #1 audit miss; passwords in that safe will never change unless someone notices. Fix the name and assign PasswordManager.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer.

Deeper questions → chat.techclick.in.

The 5 findings that fail a CyberArk safe audit

Finding 1 — RetrieveAccounts handed out like ListAccounts

Whole teams with Retrieve on domain-admin. Strip to named break-glass; default everyone to UseAccounts.

Finding 2 — Manage Safe Members on an end user

A junior DBA who can add their own account with full rights, or remove the Auditors group. Restrict to PAM admins / safe owners only.

Finding 3 — accessWithoutConfirmation on a broad group

Silently nullifies dual control. Reduce to a small, named, PTA-monitored set.

Finding 4 — Local Vault accounts not tied to AD

Leavers keep Vault access after AD disable. Migrate users to LDAP authentication; keep one local break-glass user.

Finding 5 — Monolithic mixed-platform safe

DBA and Windows teams in one safe = no SoD. Split by platform per environment; use OLAC only for genuinely mixed safes.

Verify — keep PVWA patched

CVE-2024-54840 (CVSS 6.1, Host Header injection) affects PVWA in PAM Self-Hosted before 14.4. Since every safe-management and dual-control workflow flows through PVWA, upgrade to 14.4+ and align your patch cadence to the CISA KEV list. Open-source tools like HuntCyberArk can scan for permission sprawl and known CVEs as part of your quarterly attestation.

📝 Check your understanding — 10 questions, 70% to pass

Q1–Q2 above already count. Below are Q3 to Q10. One correct answer each; read the reasoning even when you're right.

Q3 of 10 · Remember

What is the maximum number of characters allowed in a CyberArk Safe name?

Correct: a. The hard 28-character limit (no spaces or special characters) is exactly what forces the abbreviated naming convention used in enterprise CyberArk deployments. The structured name itself enforces least-privilege boundaries by environment, platform and account type.
Q4 of 10 · Apply

A platform's Master Policy exception enforces dual control, but the on-call senior admin at a Mumbai bank needs break-glass access without waiting for approval. How do you configure this at the safe-member level?

Correct: c. AccessWithoutConfirmation exempts a specific member from confirmation even under enforced dual control. (a) removes the control for the whole org. (b) ManageSafe is administrative, not a confirmation bypass. (d) the bypass code skips the entire workflow with no record — a known war-story disaster.
Q5 of 10 · Apply

You want production root credentials to be single-use — the password must change every time someone checks it out. Which two Master Policy rules must you enable together?

Correct: c. Exclusive checkout locks the account to one user; OTP triggers CPM to rotate it the moment it's checked back in. Together they make every checkout single-use. (a), (b) and (d) are real features but none of them rotate the password on check-in.
Q6 of 10 · Analyze

A security audit at an NBFC finds a junior DBA has Manage Safe Members on a production Oracle safe. What is the precise attack surface this creates?

Correct: b. Manage Safe Members is full membership control — self-escalation, owner removal, and removing the Auditors group to blind the audit trail. It must never sit with an end user. (a), (c), (d) all understate a permission that effectively lets the DBA take over the safe.
Q7 of 10 · Analyze

A user at a Chennai enterprise is in two AD groups, both members of the same safe. Group-A has RetrieveAccounts = true; Group-B has RetrieveAccounts = false. What effective permission does the user have?

Correct: a. Cumulative permissions are additive — the union of all group grants. This is the trap behind nested AD groups: one over-scoped group silently grants Retrieve. (b), (c), (d) all misread the rule; CyberArk never takes the restrictive setting or the order of addition.
Q8 of 10 · Analyze

A global rule sets password rotation every 90 days. One Windows service account must rotate every 30 days for PCI-DSS, without changing the global rule. How do you achieve this?

Correct: c. Platform-level exceptions are exactly for "this account type must deviate". They override Master Policy for accounts on that platform without touching the global default. (a) changes it for everyone, (b) defeats automation, (d) is absurd over-engineering.
Q9 of 10 · Evaluate

One architect at a 3,000-server NBFC proposes one safe per server (500+ safes); another proposes one safe per team/platform (a handful). Evaluate and recommend.

Correct: c. Per-server safes mean 500+ containers — admin overhead, CPM complexity, unreadable reporting. Team+platform aligns with least privilege and scales via AD groups; OLAC supplements it for mixed populations. (a) ignores operability, (b) overuses an irreversible feature, (d) dodges the engineering judgement the question asks for.
Q10 of 10 · Evaluate

Your CISO asks whether the CyberArk Master Policy can replace a separate written PAM governance document. Evaluate the claim.

Correct: d. Enforcement and governance are different artefacts. The Master Policy implements rules; a governance document defines roles, ownership, review cycles and accountability that SOX, PCI-DSS and ISO 27001 require. (a) and (b) confuse the two; (c) is true but irrelevant to the real reason.
Lesson complete — score saved to your profile.
Score below 70%. Re-read the section you got wrong, then retake.
Before you go — teach it, then test it

Self-explain (say it out loud): in one sentence, why is UseAccounts safer than RetrieveAccounts, and when would you still grant Retrieve?
Teach a friend: "A CyberArk Safe is the wall, the permission is the door, and the Master Policy decides if you also need a second person to open it."
Spaced recall: set a 3-day reminder to re-run the jq Retrieve-audit query mentally against any safe — if you can list the 6 dangerous permissions from memory, it stuck.

Next up — CyberArk CPM: Automatic Credential Rotation

Now your safes know WHO can do WHAT. Next: the Central Policy Manager — how CyberArk changes, verifies and reconciles passwords automatically, why reconcile accounts exist, and what breaks rotation in production.

Next lesson →Practice PAM-DEF MCQs

Sources cited inline

  1. CyberArk PAM Self-Hosted 14.0 — Add and manage Safes and Safe members
  2. CyberArk Privilege Cloud — Assign Safe member permissions
  3. CyberArk — Understand the Master Policy Framework
  4. CyberArk Community — Safe Naming Convention Best Practices
  5. CVE-2024-54840 — CyberArk PVWA Host Header Injection
  6. psPAS — Add-PASSafeMember (21 permission flags reference)
  7. HuntCyberArk — CyberArk security audit tool