Management Trees in Policy Tree

CyberArk Trust Protection Foundation manages all encryption system objects in a hierarchical tree structure. The management trees provide an intuitive, centralized point of administration for encryption resources.

The Trust Protection Foundation interface contains several management trees. To view one, click the Tree drop-down menu and select the tree you want to work in.

Management Trees

Credentials Tree

Credential objects are created and managed in the Credentials tree. Credential objects store the credentials CyberArk Trust Protection Foundation uses to authenticate with devices, applications, and CAs.

Credentials can also be created and managed in the Policy tree, where a Credential object can be contained by a Policy, Device, or Application object. Because permissions are inherited down the Policy tree, where you place a Credential object determines who can use and manage it. For example, if you assign permissions on a policy and then create the Credential objects under that same policy, next to the applications or certificates that use them, the credentials inherit the same permissions as those objects. Administrators then have rights only to the credentials they need for the applications or certificates they are responsible for, rather than to every credential in the system.

For more information on managing your system credentials, see Working with system credentials.
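The inheritance rule described above, as an added example that is not Trust Protection Foundation code: a small model in which a right granted on an object applies to that object and everything beneath it, so the effective rights on a Credential object depend on where it sits. The backslash DN-style paths, the identity names and the right names ("Read", "Write") are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# Constructed toy model of the Policy-tree permission inheritance described
# above. Not product code: paths, identities and right names are illustrative.
# Rule modelled: a right granted to an identity on an object applies to that
# object and to everything contained beneath it.


@dataclass
class TreeObject:
    dn: str                                   # path, e.g. r"\VED\Policy\Web"
    kind: str                                 # Policy, Device, Application, Credential
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # identity -> rights


class ObjectTree:
    def __init__(self) -> None:
        self.objects: Dict[str, TreeObject] = {}

    def add(self, dn: str, kind: str,
            grants: Optional[Dict[str, Set[str]]] = None) -> TreeObject:
        obj = TreeObject(dn, kind, {k: set(v) for k, v in (grants or {}).items()})
        self.objects[dn] = obj
        return obj

    @staticmethod
    def parent_dn(dn: str) -> Optional[str]:
        head, sep, _ = dn.rpartition("\\")
        return head if sep else None

    def ancestors(self, dn: str) -> Iterator[TreeObject]:
        """Yield the containing objects from the nearest parent up to the root."""
        cur = self.parent_dn(dn)
        while cur:
            if cur in self.objects:
                yield self.objects[cur]
            cur = self.parent_dn(cur)

    def effective_rights(self, dn: str, identity: str) -> Set[str]:
        """Union of the rights granted on the object itself and on every ancestor."""
        rights: Set[str] = set()
        for node in [self.objects[dn], *self.ancestors(dn)]:
            rights |= node.grants.get(identity, set())
        return rights

    def credentials_writable_by(self, identity: str) -> List[str]:
        """Every Credential object on which the identity ends up holding Write."""
        return sorted(dn for dn, o in self.objects.items()
                      if o.kind == "Credential"
                      and "Write" in self.effective_rights(dn, identity))


def build_sample_tree() -> ObjectTree:
    """Two application teams with rights on their own policy folders, plus a
    shared Credentials tree owned by a separate PKI team (all constructed)."""
    t = ObjectTree()
    t.add(r"\VED\Policy", "Policy")
    t.add(r"\VED\Policy\Web", "Policy", {"web-admins": {"Read", "Write"}})
    t.add(r"\VED\Policy\Web\web01", "Device")
    t.add(r"\VED\Policy\Web\web01\nginx", "Application")
    # Credential kept next to the application it serves: inherits web-admins' rights.
    t.add(r"\VED\Policy\Web\nginx-svc-cred", "Credential")
    t.add(r"\VED\Policy\Database", "Policy", {"db-admins": {"Read", "Write"}})
    t.add(r"\VED\Policy\Database\db-svc-cred", "Credential")
    # Separate Credentials tree: only the PKI team holds rights here.
    t.add(r"\VED\Credentials", "Folder", {"pki-team": {"Read", "Write"}})
    t.add(r"\VED\Credentials\shared-ca-cred", "Credential")
    return t


if __name__ == "__main__":
    tree = build_sample_tree()
    for who in ("web-admins", "db-admins", "pki-team"):
        print(who, "->", tree.credentials_writable_by(who))
```

The point the model makes visible: web-admins get Write on the credential placed under their own policy without any grant on the Credential object itself, and get nothing on the shared CA credential, which is exactly the least-privilege outcome the paragraph describes.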

Discoveries Tree

The Discoveries tree lists the configured Discovery and Discovery Exclusion objects for network and agent-based discovery. A discovery allows you to regularly scan a device, a range of IP addresses, a file system, or a local keystore for SSL certificates, client certificates, SSH server keys, and SSH trusted host keys.

Each Discovery object in the tree defines the discovery parameters and lists the discovery results. Each Exclusion object in the tree defines ranges of IP addresses and ports that you do not want the Discovery engine to scan. You can also exclude certificates already being managed in the Policy tree from discovery or exclude certificates from discovery based on the certificate’s Issuer or Subject DN.

For more information on configuring and managing discoveries in the Discovery tree, see Discovering certificates and keys.
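The exclusion rules described above (IP ranges and ports, already-managed certificates, Issuer or Subject DN), as an added example that is not the product's Discovery engine: a constructed filter that applies such rules to a list of discovered TLS listeners. The rule-matching semantics assumed here (a rule matches when every criterion it specifies matches, and any matching rule excludes the listener) and all sample data are illustrative.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed illustration of discovery-exclusion semantics, not product code.
# Assumed rule: an ExclusionRule matches a listener when every criterion the
# rule sets matches (criteria left unset are ignored); a listener matched by
# any rule, or whose certificate is already managed, is dropped from results.


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    subject_dn: str
    issuer_dn: str
    thumbprint: str          # identifier of the leaf certificate (constructed)


@dataclass
class ExclusionRule:
    name: str
    networks: List[str] = field(default_factory=list)   # CIDR blocks or single IPs
    ports: Set[int] = field(default_factory=set)
    issuer_contains: Optional[str] = None
    subject_contains: Optional[str] = None

    def matches(self, l: Listener) -> bool:
        if self.networks:
            addr = ipaddress.ip_address(l.ip)
            if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks):
                return False
        if self.ports and l.port not in self.ports:
            return False
        if self.issuer_contains and self.issuer_contains.lower() not in l.issuer_dn.lower():
            return False
        if self.subject_contains and self.subject_contains.lower() not in l.subject_dn.lower():
            return False
        return True


def apply_exclusions(listeners: List[Listener], rules: List[ExclusionRule],
                     managed: Set[str]) -> Tuple[List[Listener], Dict[str, str]]:
    """Return the listeners to keep and, per dropped thumbprint, why it was dropped."""
    kept: List[Listener] = []
    dropped: Dict[str, str] = {}
    for l in listeners:
        if l.thumbprint in managed:
            dropped[l.thumbprint] = "already managed in Policy tree"
            continue
        rule = next((r for r in rules if r.matches(l)), None)
        if rule is not None:
            dropped[l.thumbprint] = rule.name
        else:
            kept.append(l)
    return kept, dropped


def sample_run() -> Tuple[List[Listener], Dict[str, str]]:
    """Constructed scan results and rules; no network access involved."""
    corp = "CN=Corp Issuing CA, O=Example"
    found = [
        Listener("10.0.1.5", 443, "CN=www.example.test", corp, "A1"),
        Listener("10.0.9.20", 8443, "CN=lab01.example.test", "CN=Lab Test CA", "B2"),
        Listener("10.0.1.7", 3389, "CN=ws-07.example.test", corp, "C3"),
        Listener("10.0.1.5", 8080, "CN=dev.example.test", "CN=Dev Self-Signed", "D4"),
        Listener("10.0.1.9", 443, "CN=api.example.test", corp, "E5"),
        Listener("192.168.50.2", 636, "CN=ldap.example.test", corp, "F6"),
        Listener("10.0.1.44", 443, "CN=honeypot-01.example.test", corp, "G7"),
    ]
    rules = [
        ExclusionRule("lab-range", networks=["10.0.9.0/24"]),            # whole lab subnet
        ExclusionRule("rdp-listeners", networks=["10.0.0.0/8"], ports={3389}),
        ExclusionRule("self-signed", issuer_contains="self-signed"),     # by Issuer DN
        ExclusionRule("honeypots", subject_contains="honeypot"),         # by Subject DN
    ]
    already_managed = {"E5"}     # thumbprints of certificates already in the Policy tree
    return apply_exclusions(found, rules, already_managed)


if __name__ == "__main__":
    kept, dropped = sample_run()
    for l in kept:
        print("keep", l.ip, l.port, l.subject_dn)
    for tp, why in dropped.items():
        print("drop", tp, "because:", why)
```

Note the port criterion is combined with the network criterion rather than applied on its own: the "rdp-listeners" rule drops 10.0.1.7:3389 but leaves the same host's other ports subject to the remaining rules, which is how you avoid silently hiding a real TLS endpoint that happens to share a host with a noisy one.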

Encryption Tree

The Encryption tree contains your system’s Encryption drivers. Encryption drivers provide access to the keys used to secure your system’s encryption assets—that is, certificates, private keys, SSH keys, Credential objects, administrator user names and passwords, and all other information stored in the Secret Store database.

Trust Protection Foundation uses either a software key or a hardware key on a supported HSM device (or both) to secure encryption assets within the Secret Store.

For more information on managing system encryption, see Protecting server platforms and keystores.

Identity Tree

In CyberArk Trust Protection Foundation, all users, groups, and user data stores are managed in the Identity tree.

For more information on managing objects in the Identity tree, see Working with identities, permissions, and teams.

Logging Tree

The Logging tree is the control center for system logging and notifications. It lists every application that can log events to CyberArk Trust Protection Foundation, and each Logging Application object stores the definitions of the events that application can emit, which is a useful reference when you configure notifications.

The Logging tree also provides a view of all configured Notification and Channel objects. Notification objects define which types of events you want to monitor and under what conditions. Channel objects define the event output target.

For more information on managing logging and system notifications, see Understanding system logging and notifications.

Platforms Tree

The Platforms tree displays the CyberArk Trust Protection Foundation servers and modules. For example, if you have your central Director server and a dedicated Discovery Server, this tree displays the two Server objects and their associated modules. From this tree, you can define global module settings like Certificate Renewal and Notification monitoring cycles, the time the Director server runs its daily tasks, and the Discovery schedule.

Policy Tree

The Policy tree provides a hierarchical view of your encryption deployment model. Policy, Jump Server, Device, Application, CA Template, Credential, Certificate, SSH Key, and Workflow objects display in context of other system objects so you can intuitively design your object hierarchy and policy inheritance paths.

For more information on managing policies, see Using policies to manage encryption assets.

Reports Tree

The Reports tree allows you to create and manage system reports. The individual Report objects (Licensing, Entitlement, Expiration, and SSH Key reports) determine the report format, how often the report is generated, and how it is delivered.

For more information, see Managing system reports.

Roots Tree

The Roots tree lists all archived root and intermediate CA certificates in the context of their signing chain. From this tree, you can download root certificates for installation on other servers.

For more information on managing objects in the Roots tree, see Managing root certificates.

Workflow Tree

In the Workflow tree, you create the reason codes you want to associate with Certificate Approval Requests. Reason codes provide customized explanations or instructions for certificate approvers.

In the Policy Tree console, the Workflow tree also lets you view and manage approval requests.

For more information on implementing and managing your corporate workflow procedures, see Implementing certificate workflow management.