Check CyberArk permissions on safe members

Verify all necessary permissions are added to the safe members

  1. Log in CyberArk PVWA and go to Policies > Safes.

  2. Find the safe for which you want to check the permissions and click Members .

  3. Add or check the members from section CyberArk AIM/AAM Agent configuration or CyberArk Central Credential Provider configuration depending on the account (secret) retrieval method you are using.

This example illustrates the correct members and their permissions:

  • bob is the end user provided in the CyberArk Username field on the create/edit CyberArk credential window in Trust Protection Platform

  • TppApp is the application provided in the Application ID field on the create/edit CyberArk credential window in Trust Protection Platform

  • VenafiPVWAUser is the service account provided in the Web Service User field on the CyberArk connector in Venafi Configuration Console

  • Prov_WIN-PVWA is the Central Credential provider (this member is not needed when using the Windows AIM/AAM Agent retrieval method)

  • Prov_PAN-TEST153 is the credential provider of the TPP engine where the AIM/AAM Agent was installed (this member is not needed when using CCP retrieval method)