Optional safes in the CyberArk Password Vault integration with the Control Room let you segregate credential management for auto-login workflows by Control Room role: each role retrieves its auto-login credentials from the CyberArk safe mapped to it rather than from a single shared safe.

You can integrate CyberArk Password Vault with your Control Room to securely store and retrieve the credentials used in auto-login workflows. Administrators configure one default safe and can additionally configure up to 25 optional safes to support role-based credential segregation.

If no optional safe is configured, the Control Room uses the configured default safe to retrieve auto-login credentials.

How do optional safes work?

An optional safe is an additional CyberArk safe configured in the Control Room to support role-based credential segregation. You can configure more than one optional safe, and each optional safe is mapped to one or more Control Room Roles (CR Roles), such as Bot Developer, AAE_Basic, or any user-defined custom role.

When an auto-login workflow runs under a Bot Runner user, the Control Room determines which CyberArk safe to query for that workflow's credentials. The safe is selected from the list of configured optional safes according to their role mappings, and the credential retrieved from the selected safe is used in the auto-login workflow.

When multiple optional safes are configured, the Control Room uses the following process to select the safe and retrieve credentials from CyberArk.

  1. The Control Room checks whether the Bot Runner user holds any of the Control Room Roles mapped to optional safes:
    • The user's role is mapped to exactly one optional safe: that safe is selected. Whenever an auto-login workflow uses this Bot Runner user, the auto-login credentials are retrieved from the safe mapped to the role.
    • The user's roles are mapped to more than one optional safe:
      1. The first optional safe (in the order the optional safes are configured) whose role mapping includes one of the user's roles is selected.
      2. Once the Control Room finds that first matching optional safe, it stops evaluating the remaining optional safes, even if the same role is also mapped to other safes.
    • None of the user's roles is mapped to any optional safe: the default safe is selected.
  2. The Control Room queries CyberArk for the credentials using the safe selected in the previous step together with the Bot Runner username.

Considerations when using optional safes

  • Optional safes are optional: if you do not configure any optional safe, the Control Room uses the default safe.
  • Only one optional safe is selected: when a Bot Runner user's roles are mapped to multiple optional safes, the Control Room selects only the first optional safe (in configuration order) whose mapping includes one of the user's roles. It does not check the remaining optional safes for the user's roles.
  • The configuration order of optional safes matters: optional safes are evaluated in the order they are configured, so reordering them can change which safe a role resolves to. Review the order to make sure it matches your requirements.
  • Avoid overlapping role mappings: map each role to only one optional safe. If the same role is mapped to multiple safes, only the first matching safe is ever used; the later safes are unreachable for that role, and the workflow may resolve credentials from a safe other than the one you intended. A user who holds several roles that are mapped to different safes likewise resolves to whichever of those safes comes first in configuration order.
  • Applies only to auto-login workflows: optional safes are used only to retrieve auto-login credentials.
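The selection process and the overlapping-mapping consideration above, as an added Python model. This is example code written for this page, not Automation Anywhere's or CyberArk's implementation. The data structures (a safe name plus the set of role names mapped to it, evaluated in list order), the sample safe names, roles and Bot Runner users, and the query parameter names are all assumptions constructed for the illustration; the page does not specify which CyberArk interface the Control Room calls.

```python
"""Model of the Control Room's optional-safe selection for CyberArk auto-login.

Added illustration, not Automation Anywhere or CyberArk code. Assumptions:
an optional safe is a safe name plus the Control Room roles mapped to it, list
position is configuration order, the caller supplies the Bot Runner user's
roles, and the CyberArk query is shown only as the (safe, username) pair.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_OPTIONAL_SAFES = 25  # limit stated in the documentation


@dataclass(frozen=True)
class OptionalSafe:
    name: str              # CyberArk safe name
    roles: frozenset[str]  # Control Room roles mapped to this safe


@dataclass
class SafeConfig:
    default_safe: str
    # List position is the order the Control Room evaluates optional safes in.
    optional_safes: list[OptionalSafe] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.optional_safes) > MAX_OPTIONAL_SAFES:
            raise ValueError(f"at most {MAX_OPTIONAL_SAFES} optional safes are supported")
        names = [s.name for s in self.optional_safes]
        if len(set(names)) != len(names):
            raise ValueError("optional safe names must be unique")


def select_safe(config: SafeConfig, user_roles: set[str]) -> tuple[str, str]:
    """Step 1: first optional safe (in configuration order) whose mapping
    contains any of the user's roles wins and evaluation stops; otherwise the
    default safe. Returns (safe_name, reason) so the decision can be logged."""
    for safe in config.optional_safes:
        matched = sorted(safe.roles & user_roles)
        if matched:
            return safe.name, f"first optional safe mapping role {matched[0]!r}"
    return config.default_safe, "no optional safe maps any of the user's roles"


def lookup_parameters(config: SafeConfig, username: str, user_roles: set[str]) -> dict[str, str]:
    """Step 2: selected safe plus Bot Runner username form the CyberArk query.
    Key names are illustrative assumptions, not a documented API."""
    safe, _reason = select_safe(config, user_roles)
    return {"Safe": safe, "UserName": username}


def overlapping_roles(config: SafeConfig) -> dict[str, list[str]]:
    """Roles mapped to more than one optional safe, with those safes in
    configuration order. Such a role only ever resolves to the first one."""
    seen: dict[str, list[str]] = {}
    for safe in config.optional_safes:
        for role in sorted(safe.roles):
            seen.setdefault(role, []).append(safe.name)
    return {role: safes for role, safes in seen.items() if len(safes) > 1}


def unreachable_safes(config: SafeConfig) -> list[str]:
    """Optional safes whose every mapped role is already claimed by an earlier
    safe: no role can ever select them, so they are dead configuration."""
    claimed: set[str] = set()
    dead: list[str] = []
    for safe in config.optional_safes:
        if safe.roles <= claimed:
            dead.append(safe.name)
        claimed |= safe.roles
    return dead


# Constructed sample configuration; "Bot Developer" is mapped twice on purpose.
SAMPLE_CONFIG = SafeConfig(
    default_safe="AA-Default",
    optional_safes=[
        OptionalSafe("AA-Finance", frozenset({"Finance_Bots", "Bot Developer"})),
        OptionalSafe("AA-HR", frozenset({"HR_Bots"})),
        OptionalSafe("AA-Dev", frozenset({"Bot Developer"})),  # shadowed by AA-Finance
    ],
)

# Constructed Bot Runner users and their Control Room roles.
SAMPLE_USERS = {
    "finance_runner": {"Finance_Bots", "AAE_Basic"},
    "hr_runner": {"HR_Bots", "AAE_Basic"},
    "dev_runner": {"Bot Developer", "AAE_Basic"},
    "basic_runner": {"AAE_Basic"},
}


def resolve_all(config: SafeConfig, users: dict[str, set[str]]) -> dict[str, str]:
    """Safe chosen for each user; useful when auditing a configuration."""
    return {user: select_safe(config, roles)[0] for user, roles in users.items()}


if __name__ == "__main__":
    for user, safe in resolve_all(SAMPLE_CONFIG, SAMPLE_USERS).items():
        print(f"{user:15} -> {safe}")
    print("overlapping roles:", overlapping_roles(SAMPLE_CONFIG))
    print("unreachable safes:", unreachable_safes(SAMPLE_CONFIG))
```

Running it against the constructed sample shows the pitfall in the last consideration: dev_runner resolves to AA-Finance, not AA-Dev, because AA-Finance comes first and also maps "Bot Developer", and the audit helpers flag the duplicated role and the safe that can never be selected. Run the two audit functions against your own safe list before enabling a new optional safe.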