
# For on-premises deployments, Hydden recommends the following configuration to establish a least-privilege collection model.

## CyberArk Service Account

1. In your on-prem CyberArk instance, navigate to User Provisioning and select Users.
2. Click Create CyberArk User.
3. Enter the account details.
   1. Under User Type, select EPVUser.
   2. From the Authorized interface - EPVUser list, keep only PVWA as an authorized interface and deselect all others.
   3. Click Apply.
   4. Under Role, select Custom Role.
   5. Set checkmarks for Audit users and Manage directory mapping.
4. Under Disable user account, select Never and click Next.
5. Fill out the personal details page with the appropriate details for the service account and click Next.
6. Under Select authentication method, select Internal.
   1. Create a password.
   2. Deselect User must change password at next logon.
   3. For Password expiration, select Never.

      > [!note] Use Never only for testing purposes; for a production system, proper password security with rotation rules must be established.

7. On the Assign to groups page, add the account to the Vault Admins group.
8. Click Create.
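As an added example (not Hydden's or CyberArk's own code), the same settings expressed as a CyberArk PVWA REST "Add user" request body, together with a check that flags a user record whose configuration has drifted from this least-privilege model (an extra authorized interface, an extra vault authorization, a never-expiring password). The JSON field names, the `AuthTypePass` value for Internal authentication and the list of interface names follow the CyberArk REST API as I know it and are assumptions to verify against your PVWA version; the over-privileged record in the usage section is constructed.

```python
"""Least-privilege CyberArk service account for Hydden collection, as code.

Added example, not Hydden's or CyberArk's own code. Field names follow the
CyberArk PVWA REST 'Add user' request body as I know it and are an assumption
to verify against your PVWA version.
"""
from __future__ import annotations

import json

# Interface names CyberArk can authorize for a user. Assumption: verify the list
# against the Authorized interface picker in your PVWA version.
ALL_INTERFACES = [
    "PIMSU", "PSM", "PSMP", "PVWA", "WINCLIENT", "PTA", "PACLI", "NAPI", "XAPI",
    "HTTPGW", "EVD", "PSMApp", "AIMApp", "CPM", "PVWAApp", "PSMPApp", "OPM",
    "PTAApp", "DCA", "GUI",
]

# The model from the steps above: PVWA only; Audit users + Manage directory mapping only.
REQUIRED_INTERFACES = {"PVWA"}
REQUIRED_AUTHORIZATIONS = {"AuditUsers", "ManageDirectoryMapping"}


def build_add_user_body(username: str, initial_password: str,
                        password_never_expires: bool = False) -> dict:
    """Request body for POST /PasswordVault/API/Users mirroring the UI steps.

    password_never_expires defaults to False because 'Never' is for testing only.
    """
    return {
        "username": username,
        "userType": "EPVUser",
        "initialPassword": initial_password,
        "authenticationMethod": ["AuthTypePass"],   # 'Internal' (CyberArk password)
        "location": "\\",
        # Everything except PVWA is explicitly de-authorized.
        "unAuthorizedInterfaces": [i for i in ALL_INTERFACES if i not in REQUIRED_INTERFACES],
        "vaultAuthorization": sorted(REQUIRED_AUTHORIZATIONS),
        "enableUser": True,                         # 'Disable user account: Never'
        "changePassOnNextLogon": False,
        "passwordNeverExpires": password_never_expires,
        "description": "Hydden collection service account",
    }


def check_least_privilege(user: dict) -> list[str]:
    """Return findings for a user record shaped like the body above; [] means compliant."""
    findings: list[str] = []
    if user.get("userType") != "EPVUser":
        findings.append(f"unexpected userType: {user.get('userType')!r}")
    # Interfaces are stored as a deny list, so invert it to see what is actually allowed.
    authorized = set(ALL_INTERFACES) - set(user.get("unAuthorizedInterfaces", []))
    if extra := authorized - REQUIRED_INTERFACES:
        findings.append(f"extra interfaces authorized: {sorted(extra)}")
    if missing := REQUIRED_INTERFACES - authorized:
        findings.append(f"required interfaces not authorized: {sorted(missing)}")
    auths = set(user.get("vaultAuthorization", []))
    if extra := auths - REQUIRED_AUTHORIZATIONS:
        findings.append(f"extra vault authorizations: {sorted(extra)}")
    if missing := REQUIRED_AUTHORIZATIONS - auths:
        findings.append(f"missing vault authorizations: {sorted(missing)}")
    if user.get("changePassOnNextLogon"):
        findings.append("user must change password at next logon is set")
    if user.get("passwordNeverExpires"):
        findings.append("password never expires (acceptable for testing only)")
    if not user.get("enableUser", True):
        findings.append("user account is disabled")
    return findings


if __name__ == "__main__":
    body = build_add_user_body("svc-hydden", "<constructed placeholder password>")
    print(json.dumps(body, indent=2))
    # Constructed over-privileged record: PACLI left authorized and AddSafes granted.
    drifted = dict(
        body,
        vaultAuthorization=["AuditUsers", "ManageDirectoryMapping", "AddSafes"],
        unAuthorizedInterfaces=[i for i in body["unAuthorizedInterfaces"] if i != "PACLI"],
    )
    for finding in check_least_privilege(drifted):
        print("FINDING:", finding)
```

Running `check_least_privilege` periodically against the record returned for the service account is a cheap way to notice when someone later widens the account beyond PVWA, Audit users and Manage directory mapping.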

Refer to Creating the Credential in Hydden to create a credential based on the service account created above. That credential will be used when configuring the data source in Hydden.

## Vaulting and Discovery Requirements

To ensure that the Add to Vault and Add to Discovery functionality works from within the Hydden platform, the following settings should be in place when creating or modifying safe permissions for any safe used to store accounts.