Create locker

Create a locker to group similar credentials to share with other users.

Prerequisites

You must have either the AAE_Locker Admin role or the Manage my credentials and lockers permission, and you must also have the permission to View Users and Roles.
Note:
  • You must have the View Users and Roles basic information permission to view information about other users so that you can add them as locker owners, managers, or participants. Without this permission, an "Access denied" error occurs.

    See RBAC for Credential Vault credentials management

  • Do not use a locker name that starts with oauth_ (case insensitive; for example, OAuth_ or oAuth_) because it is a reserved namespace.

Credentials are divided into logical groups called lockers. There is no limit on the number of credentials that can be stored in a locker, but a credential can belong to only one locker. See Create credential.

Procedure

To create a locker, follow these steps:

  1. Navigate to Manage > Credentials, and then click the Lockers tab.
  2. Click Create locker.
  3. Enter the Name.
  4. Optional: Enter a description.
  5. Select the Credentials to add to the locker or select External key vault.
  6. Enter External key vault credentials.
    If integrating with an external key vault, such as AWS, Azure, CyberArk, or HashiCorp, enter the required credentials for the specified external locker:
    AWS
    Enter the prefix of secrets stored in the locker.
    CyberArk
    Enter the safe name where the credential lockers are stored and, optionally, enter a property set for your CyberArk username. The $attribute$ property is used to retrieve information from the CyberArk object property of that name. You can create a property set by combining multiple CyberArk object properties.

    The following examples show how to create property sets in different scenarios:

    • If you want to use a username in the format domain\username where the domain is stored in the CyberArk property called Address, and the username is stored in the CyberArk property called UserName, then enter the property set in the format $Address$\$UserName$ in the credential attribute and use this attribute in your bot automation.
    • If you want to use a username in the format username@example.com where the username is stored in the CyberArk property called UserName and the address (example.com) is stored in the CyberArk property called Address, then enter the property set in the format $UserName$@$Address$ in the credential attribute and use this attribute in your bot automation.
    Azure
    Enter the prefix stored in the locker.
    HashiCorp
    Enter the prefix of secrets stored in the locker. For example, enter the prefix prfusr1 for a secret that is stored as prfusr1_obj1_usr1.
  7. Click Next.
  8. Add the Owners.
    A locker must have at least one owner. The locker owner can edit, view, and delete a locker and also add or remove other owners.
  9. Click Next.
  10. Optional: Add the Managers and click Next.
    The locker manager can view, edit, and delete the locker and add participants, but cannot add owners or managers to the locker.
  11. Optional: Add the Participants and click Next.
    A locker participant has access to view a locker and add their own credentials to a locker.
    Note: A locker participant does not have access to or visibility of credentials created by other users.
  12. Add the Consumers.
    Select one or more roles. Users with these roles have access to the locker. System-created roles are not shown in the Consumers list.
    Type           Permission
    Standard       Locker consumers can view the locker and all the credentials inside the locker. All consumers see the same credential value set by the credential owner.
    User-provided  Locker consumers can input their information in user-provided credentials with user-provided attributes.
  13. Click Create locker.
If the email notification setting is enabled, users receive an email confirming the locker name and their permissions to that locker.
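The CyberArk property set in step 6 combines $attribute$ tokens into one credential value. The following added example (not part of this page or of the product) resolves such a property set against a constructed set of CyberArk object properties, reproducing the two formats shown above. It assumes that a token naming a property the object does not have is an error rather than an empty string.

```python
import re

# Token syntax described on the page: $PropertyName$ refers to a CyberArk object property.
_TOKEN = re.compile(r"\$([^$]+)\$")

# Constructed sample CyberArk object properties (not real credentials).
SAMPLE_OBJECT = {"Address": "example.com", "UserName": "svc_bot"}


def unresolved_tokens(property_set: str, object_properties: dict) -> list:
    """Return the token names in the property set that the object does not provide."""
    return [name for name in _TOKEN.findall(property_set) if name not in object_properties]


def resolve_property_set(property_set: str, object_properties: dict) -> str:
    """Expand every $attribute$ token using the given CyberArk object properties.

    Assumption (not stated on the page): an unknown property name raises KeyError
    instead of being silently replaced, so a misspelled token cannot produce a
    malformed username that is only noticed when the bot fails to authenticate.
    """
    missing = unresolved_tokens(property_set, object_properties)
    if missing:
        raise KeyError(f"CyberArk object has no property named: {', '.join(missing)}")
    return _TOKEN.sub(lambda m: object_properties[m.group(1)], property_set)


if __name__ == "__main__":
    # domain\username, as in the first example on the page
    print(resolve_property_set(r"$Address$\$UserName$", SAMPLE_OBJECT))
    # username@example.com, as in the second example on the page
    print(resolve_property_set("$UserName$@$Address$", SAMPLE_OBJECT))
```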