Granting access to CyberArk Application Identity Manager (AIM)

NOTE: The steps are different depending on whether the CyberArk Central Credential Provider or the Windows AIM/AAM Agent is used.

Granting access when using AIM/AAM agent to retrieve secrets

NOTE: The credential provider of the Windows AIM/AAM Agent should also be installed on all TPP engines and should be added as a member of the Safe.
  1. Add the credential provider of the AIM/AAM as a Safe Member.

    For example: Prov_<hostname of the machine where AIM/AAM is installed>.

    These provider objects MUST have these permissions to the CyberArk Safe:

    • Service Account: Select View Safe Members permission and access to the PVWA interface

    • End user account: Select Retrieve accounts or Use accounts.

    • TPP Application ID: Select Retrieve accounts

    • Windows AIM/AAM Agent credential provider (Prov_<hostname> one): Select Retrieve accounts, List accounts and View Safe Members

  2. Click Save after setting permissions for each object.

Granting access when using Central Credential Provider to retrieve secrets

  1. Add the credential provider of the AIM/AAM as a Safe Member.

    For example: Prov_<hostname of the machine where AIM/AAM is installed>.

    These provider objects MUST have these permissions to the CyberArk Safe:

    • Service Account: Select View Safe Members permission and access to the PVWA interface

    • End user account: Select Retrieve accounts or Use accounts.

    • TPP Application ID: Select Retrieve accounts

    • CCP credential provider (Prov_<hostname> one): Select Retrieve accounts, List accounts and View Safe Members

  2. Click Save after setting permissions for each object.
If you want to retrieve account secrets in other Safes through the CCP, the same four provider objects must be added as members to the Safes with these same permissions.

  1. Add the IP address or FQDN of the machine where you installed the CCP in the Allowed Machines tab of the AIMWebService application.

  2. The machine where TPP will retrieve CyberArk accounts (secrets) should be allowed to use the TPPApp application in the CyberArk PVWA.

    This can be done by adding the address or hostname of the TPP machine to the Allowed Machines tab of the TPPApp created in step 3.

  3. On the TPP server the following URL can be used in any web browser in order to test the account (secret) retrieval from the CyberArk Vault (the TPP server should be added to the Allowed Machines on the TPPApp application):

https://<CCP Web Service URL>/api/Accounts?AppID=<application id>&Safe=<safe name>&Object=<account name to be retrieved>

For example:

https://webservices.example.com/AIMWebService/api/Accounts?AppID=TPPApp&Safe=TestSafe&Object=test_account

Response:

You should retrieve the account's secret in the response's 'Content' parameter:

{
  "Content": "retrieved_password",
  "CreationMethod": "PVWA",
  "DeviceType": "Network Device",
  "Safe": "TestSafe",
  "Name": "test_account",
  "Folder": "Root",
  "PasswordChangeInProcess": "False"
}
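As an added example, not part of the original page and not Venafi's or CyberArk's own tooling: a small Python script that builds the CCP query URL shown above, performs the GET with TLS certificate verification left on, and reads the secret out of the response's 'Content' field. The function names, the injectable `opener` used for offline testing, and the `ErrorCode`/`ErrorMsg` field names checked when 'Content' is absent are assumptions; the sample response is constructed from the JSON shape shown on this page.

```python
"""Retrieve a secret from the CyberArk CCP REST endpoint (added example).

Assumptions not taken from the page: helper names, the injectable opener,
and the ErrorCode/ErrorMsg fields used to report a failed retrieval.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional


def build_ccp_url(base_url: str, app_id: str, safe: str, object_name: str) -> str:
    """Build <base>/api/Accounts?AppID=..&Safe=..&Object=.. for the CCP.

    Values are URL-encoded so a Safe or account name containing spaces or
    '&' cannot alter the query string. base_url is the CCP web service root,
    e.g. https://webservices.example.com/AIMWebService.
    """
    query = urllib.parse.urlencode(
        {"AppID": app_id, "Safe": safe, "Object": object_name}
    )
    return f"{base_url.rstrip('/')}/api/Accounts?{query}"


def parse_ccp_response(body: str) -> str:
    """Return the 'Content' value from a CCP JSON response.

    Raises ValueError if the body is not JSON or has no 'Content' field,
    which is what you get when the caller is not in the application's
    Allowed Machines list. ErrorCode/ErrorMsg are assumed field names.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"CCP response is not JSON: {exc}") from None
    if "Content" not in data:
        code = data.get("ErrorCode", "?")
        msg = data.get("ErrorMsg", "no Content field in response")
        raise ValueError(f"CCP retrieval failed ({code}): {msg}")
    return data["Content"]


def fetch_secret(base_url: str, app_id: str, safe: str, object_name: str,
                 opener: Optional[Callable[[str], str]] = None,
                 timeout: int = 10) -> str:
    """GET the account secret from the CCP.

    `opener` lets a test inject a fake transport; the default uses urllib
    with the system CA store, so the CCP server certificate is verified.
    """
    url = build_ccp_url(base_url, app_id, safe, object_name)
    if opener is None:
        ctx = ssl.create_default_context()  # verifies the server certificate
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8")
    else:
        body = opener(url)
    return parse_ccp_response(body)


# Constructed sample response mirroring the shape shown on this page.
SAMPLE_RESPONSE = json.dumps({
    "Content": "retrieved_password",
    "CreationMethod": "PVWA",
    "DeviceType": "Network Device",
    "Safe": "TestSafe",
    "Name": "test_account",
    "Folder": "Root",
    "PasswordChangeInProcess": "False",
})

# Constructed failure response; the code value is a placeholder, not a real one.
SAMPLE_ERROR = json.dumps({"ErrorCode": "EXAMPLE001",
                           "ErrorMsg": "client not in Allowed Machines"})


def demo_offline() -> str:
    """Run the retrieval against the constructed sample instead of a real CCP."""
    return fetch_secret("https://webservices.example.com/AIMWebService",
                        "TPPApp", "TestSafe", "test_account",
                        opener=lambda _url: SAMPLE_RESPONSE)


if __name__ == "__main__":
    secret = demo_offline()
    # Never print or log the secret itself; confirm only that one came back.
    print(f"retrieved a secret of length {len(secret)}")
```

A rejected request (for example, a TPP host missing from the TPPApp Allowed Machines tab) comes back without a 'Content' field; `parse_ccp_response` raises instead of handing back an empty string, so a caller cannot silently store a blank password. The secret is never logged, only its length.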