CyberArk
Connect CyberArk Privileged Access Manager to Compass for PAM analysis.
The CyberArk connector integrates with CyberArk Privileged Access Manager to pull privileged access metrics, vault inventory, and session management data.
Prerequisites
- CyberArk PAM with PVWA (Password Vault Web Access) accessible
- A user account with auditor or read-only permissions
Setup
1. Create a Read-Only User
We recommend creating a dedicated service account with the minimum required permissions:
- In CyberArk, create a new user "CompassDiscovery"
- Assign the Auditors group (or a custom group with read-only vault permissions)
- Ensure the user can:
  - List safes and accounts
  - View account properties (but not retrieve passwords)
  - Access audit logs and session recordings metadata
2. Add to Compass
- Go to Settings > Connectors in Compass
- Click Add Connector > CyberArk
- Enter:
  - PVWA URL — Your CyberArk PVWA URL (e.g., https://pvwa.yourcompany.com)
  - Username — The service account username
  - Password — The service account password
- Click Test Connection
- Save
Metrics Collected
| Category | Metrics |
|---|---|
| Vaults & Safes | Total safes, accounts per safe, safe utilisation |
| Privileged Accounts | Total count, account types, accounts without rotation |
| Credential Rotation | Rotation compliance, average rotation age, overdue rotations |
| Sessions | Session recording coverage, average session duration, suspicious sessions |
| Access Control | Users with vault access, permission distribution, break-glass account usage |
Troubleshooting
Connection refused
Ensure your firewall allows connections from Compass to your PVWA endpoint. For on-premises deployments, you may need to set up a secure tunnel or use the Enterprise on-prem deployment option.
Insufficient permissions
The service account needs safe-level read permissions. If metrics are missing for certain safes, check that the CompassDiscovery user has been added to those safes with at least "List" permissions.
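
One way to check both permission points on this page (the service account can list but not retrieve, and it is a member of every safe with at least "List") is to audit an export of safe memberships. This is an added example, not Compass or CyberArk code: the permission key names are assumed to follow CyberArk's Safe Members REST API, the read-only allowlist is this example's own choice, and the membership data is constructed.

```python
# Added example: least-privilege audit of a service account's safe permissions.
# Assumption: permission keys match CyberArk's Safe Members REST API naming.
# Assumption: this allowlist is what "read-only" means for the connector account.
READ_ONLY_ALLOWED = {"listAccounts", "viewAuditLog", "viewSafeMembers"}
REQUIRED = {"listAccounts"}  # without it, metrics for the safe go missing


def audit_account(member_name, safe_members):
    """Return one finding per safe where the account is absent,
    lacks a required permission, or holds more than read-only."""
    findings = []
    for safe, members in safe_members.items():
        entry = next((m for m in members
                      if m["memberName"].lower() == member_name.lower()), None)
        if entry is None:
            findings.append({"safe": safe, "member": False,
                             "excess": [], "missing": sorted(REQUIRED)})
            continue
        # Only permissions explicitly set to True count as granted.
        granted = {k for k, v in entry["permissions"].items() if v is True}
        excess = sorted(granted - READ_ONLY_ALLOWED)
        missing = sorted(REQUIRED - granted)
        if excess or missing:
            findings.append({"safe": safe, "member": True,
                             "excess": excess, "missing": missing})
    return findings


# Constructed sample: safe name -> list of safe members (not real data).
SAMPLE_SAFE_MEMBERS = {
    "Linux-Root": [{"memberName": "CompassDiscovery", "permissions": {
        "listAccounts": True, "viewAuditLog": True, "viewSafeMembers": True,
        "retrieveAccounts": False, "useAccounts": False}}],
    "Win-DomainAdmins": [{"memberName": "compassdiscovery", "permissions": {
        "listAccounts": True, "viewAuditLog": True,
        "retrieveAccounts": True, "useAccounts": True}}],
    "DB-Prod": [{"memberName": "DBAdmins", "permissions": {
        "listAccounts": True, "retrieveAccounts": True}}],
}

if __name__ == "__main__":
    for f in audit_account("CompassDiscovery", SAMPLE_SAFE_MEMBERS):
        print(f)
```

An `excess` entry such as `retrieveAccounts` means the account can read passwords and should be reduced; a `member: False` finding explains missing metrics for that safe.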