ExportVaultData Utility Implementation Guide PDF

ExportVaultData Utility
Implementation Guide
Version 7.1
All rights reserved. This document contains information and ideas, which are
proprietary to Cyber-Ark Software. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any
means, electronic, mechanical, photocopying, recording, scanning, or
otherwise, without the prior written permission of Cyber-Ark Software.
EVD-007-1-0-1
Copyright © 2000-2012 by Cyber-Ark® Software Ltd. All rights reserved.
2 ExportVaultData Utility Implementation Guide
The Cyber-Ark Vault

Table of Contents 3
Table of Contents
What’s New in Version 7.1? ...............................................................5

New Features ................................................................................................ 6
Additional output fields ......................................................................................... 6
New Parameters ..................................................................................................... 6
Support for Vault File Categories .......................................................................... 6
Exporting Data to Files .......................................................................7
Requirements ............................................................................................... 8
Installing the ExportVaultData Utility .......................................................... 8
Upgrading the ExportVaultData Utility......................................................... 9
Using the ExportVaultData Utility .............................................................. 10
Errors and Logs ........................................................................................... 11
Exporting Data to MSSQL Databases .............................................. 13
Requirements ............................................................................................. 14
Installing the ExportVaultData Utility ........................................................ 14
Upgrading the ExportVaultData Utility....................................................... 16
Configuring the ExportVaultData Utility..................................................... 17
Changing the Name of the MSSQL Database ........................................................ 17
Changing the Owner of the MSSQL Tables ........................................................... 17
Using the MSSQL Bulk Copy Utility ....................................................................... 17
Synchronizing Times and Dates ............................................................................ 17
Using the ExportVaultData Utility .............................................................. 18
Utility Logs ................................................................................................. 19
Errors .......................................................................................................... 21
Exporting Vault Data into an MSSQL Database Regularly ........................... 21
Example ...................................................................................................... 22
Output Values .................................................................................... 24
Unique IDs................................................................................................... 25
Text Type Values ........................................................................................ 25
Locations List Report .................................................................................. 28
Users List Report ........................................................................................ 29
Groups List Report ...................................................................................... 32
Group Members List Report ........................................................................ 34
Safes List Report......................................................................................... 35
Owners List Report ..................................................................................... 39
Files List Report.......................................................................................... 42
User and Safe Activities Report .................................................................. 46
System Log Report ...................................................................................... 49
The Cyber-Ark Vault

Requests List Report ................................................................................... 50

Confirmations List Report........................................................................... 53
Events List Report ...................................................................................... 55
Object Properties Report ........................................................................... 57
Appendices ......................................................................................... 58
Appendix A: Creating a User Credential File .............................................. 59
CreateCredFile Utility .......................................................................................... 59
Appendix B: Vault Parameter File .............................................................. 67
Appendix C: ITAlog Messages ...................................................................... 69
Appendix D: Action Codes .......................................................................... 70
The Cyber-Ark Vault

5
What’s New in Version 7.1?
This version of the ExportVaultData utility includes changes made in the Cyber-Ark
Vault version 7.1.
This chapter introduces you to the new features and includes the following
sections:
 New Features
The Cyber-Ark Vault

New Features
This section describes the new features that have been added to the
ExportVaultData utility.
Additional output fields

Additional output fields have been added to the following reports:
 Users List
 Files List
 Safes List
 Owners List
 Group Members List
New Parameters
The ExportVaultData utility contains two new parameters for ease of use and
improved logging:
 Time displayed in reports – The utility can display the times displayed in reports
in either the local time or in GMT.
 Logging – An additional layer of trace information can be written in the utility
log files for more informative logging.
Support for Vault File Categories

The ObjectPropertyValue parameter in the Object Properties Report can now
contain up to 4,000 characters, which enables the entire value of the file category
to be included.
The Cyber-Ark Vault

7
Exporting Data to Files
The ExportVaultData utility exports data from the Vault to TXT or CSV files, from
where they can be imported into third party applications or databases. Each report
is saved in a different file.
This chapter contains the following sections:
 Requirements
 Installing the ExportVaultData Utility
 Upgrading the ExportVaultData Utility
 Using the ExportVaultData Utility
 Errors and Logs
The Cyber-Ark Vault

Requirements
The minimum operating system requirements for running the Cyber-Ark
ExportVaultData utility on Windows are as follows:
Operating System
 Windows 2003R2, Windows 2008R2, Windows 7
 SQL Server 2005, SQL Server 2008
Cyber-Ark Vault
 Cyber-Ark Vault, version 7.1 or higher
Installing the ExportVaultData Utility

The following instructions show you how to prepare your Cyber-Ark Vault
environment so that you can work with the ExportVaultData utility.
The installation package that you will receive from your Cyber-Ark representative
contains the following:
 ExportVaultData.exe – The main utility that retrieves information from the
Vault and generates reports.
 Vault.ini – The Vault parameter file which specifies the Vault where
information will be taken.
 CreateCredFile.exe – The utility that is used to create the user credentials file
that enables the user that will retrieve information to log onto the Vault.
To Create the ExportVaultData Utility Environment

1. Install the Cyber-Ark Vault, version 5.0 or higher. For more information, refer
to the PIM Suite Installation Guide.
Note: This instruction is relevant if you have not yet installed a Cyber-Ark Vault.
2. Create a new folder on the machine where the ExportVaultData utility will run,
and copy the contents of the installation package to this folder.
3. In the Vault, create a Vault user with the following authorizations on the Safes
that he will access to export data:
It is recommended to use either the Auditor user or a Vault user who belongs to
the Auditors group.
The user requires the following Vault authorizations:
 Audit All
The Cyber-Ark Vault

Upgrading the ExportVaultData Utility 9
The user requires the following Safe authorizations:

 View Audit – for the Owners List, Files List, User and Safe Activities, and
Events List
 Retrieve Files – on the System Safe for the System Log List
 Update Files – on the System Safe for the System Log List
 Access Safe without Confirmation
 Confirm Safe Requests – for the Requests List and Confirmations List
4. Use the CreateCredFile utility to create a logon file that will enable the
ExportVaultData utility to log onto the Vault automatically. For more
information, refer to Appendix A: Creating a User Credential File, page 59.
5. Check that Vault parameter file, Vault.ini contains the correct Vault connection
properties. For more information, refer to Appendix B: Vault Parameter File,
page 67.
Note: The amount of information that the utility will be able to export depends on the
user that is used in the credential file to access the Vault. Use a Vault user who can
monitor the Safe and administrate all the users, such as the ‘Auditor’ user.
Upgrading the ExportVaultData Utility

The following instructions describe how to upgrade the ExportVaultData utility
from version 4.1 to version 5.5.
The upgrade package that you will receive from your Cyber-Ark representative
To Upgrade the ExportVaultData Utility

1. Open the ExportVaultData Utility installation folder on your local machine, and
copy the contents of the upgrade package into it. Overwrite existing
executables and DLLs.
DO NOT copy the new Vault.ini file. This file is blank and will overwrite your
current Vault parameter file.
2. From a command line interface, run the ExportVaultData utility, taking into
account the new parameters and reports that have been added. For more
information, refer to New Features, page 6.
The Cyber-Ark Vault

Using the ExportVaultData Utility

The ExportVaultData utility runs from a command line. All its parameters are
optional.
You can export the information to as many reports as you require. Reports that are
not specified in the utility are not generated and exported.
The ExportVaultData utility uses the following syntax:
ExportVaultData \VaultFile=<VaultFileName>
\CredFile=<CredentialFileName>
\LogFile=<LogfileName>
\Target=<File>
\LogNumOfDays=<NumberOfDaysForLogList>
\Separator=<SeparatorCharacter>
\Qualifier=<QualifierCharacter>
\UseQualifier=<All/None/Strings>
\timezone=<GMT/LocalTime>
\enabletrace
\<OutputName>=<FileName> [{\<OutputName>=<FileName>}
...]
/?
Parameter Specifies
\VaultFile Full path of the Vault configuration file (if not set, default value is ‘vault.ini’).
\CredFile Full path of the user credentials file (if not set, default value is ‘user.ini’).
\Logfile Full path of the log file (if not set, default value is ‘log.txt’).
\Target The output of the utility will be saved in a file.
\LogNumOfDays The number of previous days that will be included in the Safe and user log
activities report. The default number is 1.
\Separator The character that will be used as the separator between fields. The default
separator is comma (,).
Note: Some characters are not valid as separators (e.g., | ).
\Qualifier The character that will be used as the text qualifier. The default qualifier is
quotation-marks (“).
Note: Some characters are not valid as qualifiers (e.g., | ).
\UseQualifier Whether to use the text qualifier in all types of fields, none of the fields, or only
with string fields. Valid values are “All”, “None” or “Strings”). The default value is
“Strings”.
\timezone The time zone that will be used in all reports time fields. Specify one of the
following:
 Local time
 GMT – This is the default value.
\enabletrace Whether or not Casos log files will include Casos transaction information. Specify
one of the following:
 Yes - Casos log files will include Casos transaction information. This is
the default value.
 No - Casos log files will not include Casos transaction information.
Note: This affects the size of the log files.
The Cyber-Ark Vault

Errors and Logs 11
Parameter Specifies
\OutputName The type of report and the name of the output file. At least one output file must
be specified.
Note: Specify the output type and file name directly, as shown in the following
example which would generate a Safes List report:
ExportVaultData \VaultFile=Vault.ini \CredFile=user.cred \Target=File
\SafesList=MySafesList.log
This can be any of the following:
FilesList A files list report will be generated.
LogList A log activities report will be generated.
OwnersList An owners list report will be generated.
RequestsList An incoming requests list report. will be generated
SafesList A Safes list report will be generated.
GroupsList A groups list report will be generated.
GroupMembers List A group members list report will be generated.
UsersList A users list report will be generated.
LocationsList A locations list report will be generated.
ConfirmationsList A request confirmations list report will be
generated.
Italogfile A system log (ITAlog) file will be generated.
EventsList An events list report will be generated.
ObjectProperties A file categories list will be generated.
\? Lists the available options.
The following example shows how to use this utility to generate a log list:
ExportVaultData \VaultFile="D:\ExportVaultData\Vault.ini"
\CredFile="D:\ExportVaultData\auditor.cred" \Target=File
\LogList="D:\ExportVaultData\loglist.txt"
The above example will create a log activities report for the Vault defined in the
Vault.ini file in D:\ExportVaultData. The user who will access the Vault to
generate this report is defined in the auditor.cred file in D:\ExportVaultData.The
log activities report will be saved in a file called loglist.txt, also in
D:\ExportVaultData.
Errors and Logs

The ExportVaultData utility terminates automatically every time there is an error
and writes the error to a log file. As described above, by default, this log file is
called Log.txt and is stored in the location specified in the ‘Logfile’ parameter.
The Cyber-Ark Vault

The Cyber-Ark Vault

13
Exporting Data to MSSQL Databases
The ExportVaultData utility exports data from the Vault to MSSQL databases. Each
report (output) is stored in a dedicated table inside the database. Once the reports
are in the database, users can use the information to generate the specific report
that they require.
This chapter contains the following sections:
 Requirements
 Installing the ExportVaultData Utility
 Upgrading the ExportVaultData Utility
 Configuring the ExportVaultData Utility
 ExportVaultData Utility Usage
 Utility Logs
 Errors
 Exporting Vault Data into an MSSQL Database Regularly
 Example
The Cyber-Ark Vault

Requirements
The minimum operating system requirements for running the Cyber-Ark
ExportVaultData utility on MSSQL are as follows:
Operating System
 Windows XP, 2003, 2008
Microsoft SQL Server

 Microsoft SQL Server version 2000, 2003, 2008
Cyber-Ark Vault
 Cyber-Ark Vault, version 5.0 or higher
Installing the ExportVaultData Utility

The following instructions describe how to prepare the ExportVaultData utility
environment so that you can export data into an MSSQL database.
The installation package that you will receive from your Cyber-Ark representative
Vault and imports it into the MSSQL database.
 CreateDB.sql – The script that creates the database and schema.
 CAMSSQLImport.cmd – The utility that imports data into an MSSQL database.
To Create the ExportVaultData Utility Environment

1. Install the Cyber-Ark Vault, version 5.0 or higher. For more information, refer
to the PIM Suite Installation Guide.
Note: This instruction is relevant if you have not yet installed a Cyber-Ark Vault.
2. Create a new folder on the machine where the ExportVaultData utility will run,
and copy the contents of the installation package to this folder.
The Cyber-Ark Vault

Installing the ExportVaultData Utility 15
3. Install the MSSQL database:

i. Open an MSSQL Server client application (for example, Query Analyzer).
ii. Create the database and tables schema:
a. From the client application, execute the CreateDB.sql script.
b. From the confirmations that appear, check that all the commands ended
successfully.
By default, the name of the database is CyberArk.
iii. Assign the NT user that will run the ExportVaultData utility as an owner of
the above database with all the relevant permissions to insert and update
records.
4. Install the MSSQL client, then restart the machine.
5. In the Vault, create a Vault user with the following authorizations on the Safes
that he will access to export data:
It is recommended to use either the Auditor user or a Vault user who belongs to
the Auditors group.
The user requires the following Vault authorizations:
 Audit All
The user requires the following Safe authorizations:
 View Audit – for the Owners List, Files List, User and Safe Activities, and
Events List
 Retrieve Files – on the System Safe for the System Log List
 Update Files – on the System Safe for the System Log List
 Access Safe without Confirmation
 Confirm Safe Requests – for the Requests List and Confirmations List
6. Use the CreateCredFile utility to create a logon file that will enable the
ExportVaultData utility to log onto the Vault automatically. For more
information, refer to Appendix A: Creating a User Credential File, page 59.
7. Check that Vault parameter file, Vault.ini contains the correct Vault connection
properties. For more information, refer to Appendix B: Vault Parameter File,
page 67.
The Cyber-Ark Vault

Upgrading the ExportVaultData Utility

The following instructions describe how to upgrade the ExportVaultData utility
from version 4.1 to version 5.5.
The upgrade package that you will receive from your Cyber-Ark representative
 CreateDB.sql – The script that creates the database and schema.
 CAMSSQLImport.cmd – The utility that imports data into an MSSQL database.
 Vault.ini – The Vault parameter file which specifies the Vault where information
will be taken.
To Upgrade the ExportVaultData Utility

1. Open the ExportVaultData Utility installation folder on your local machine, and
copy the contents of the upgrade package into it. Overwrite existing
executables and DLLs.
DO NOT copy the new Vault.ini file. This file is blank and will overwrite your
current Vault parameter file.
2. Run CreateDB.sql to re-create the database tables.
i. Open an MSSQL Server client application (for example, Query Analyzer).
ii. Create the database and tables schema:
a. From the client application, execute the CreateDB.sql script.
b. From the confirmations that appear, check that all the commands ended
successfully.
By default, the name of the database is CyberArk.
Or,
Clear the existing data from the target database and re-create the tables
according to the sets of columns in reports that have been modified for this
version.
3. In the ExportVaultData utility installation folder, delete the following .dat files:
 Log.dat
 Events.dat
This will ensure that the next time the ExportVaultData utility is run, a
complete report will be generated, not an incremental one.
4. From a command line interface, run the ExportVaultData utility, taking into
account the new parameters and reports that have been added. For more
information, refer to New Features, page 6.
The Cyber-Ark Vault

Configuring the ExportVaultData Utility 17
Configuring the ExportVaultData Utility

The following configurations enable you to change various aspects of the MSSQL
database to which the ExportVaultData utility exports data. These changes are all
made in the CAMSSQLImport.cmd batch file, which is in the ExportVaultData
installation folder.
Changing the Name of the MSSQL Database

By default, the name of the database created by the CreateDB.sql script is
CyberArk. To change the name of the database, do the following:
1. Inside the database, change the default name of the database, CyberArk, to
the name you prefer.
2. Open the CAMSSQLImport.cmd utility and in the Database parameter,
specify the new database name. For example,
Database=CompanyVault
Changing the Owner of the MSSQL Tables

By default, the owner of all the tables is dbo. To change the owner, do the
following:
 Open the CAMSSQLImport.cmd batch file and in the TableOwner parameter,
specify the name of the owner you require. For example,
TableOwner=Administrator
Using the MSSQL Bulk Copy Utility

The CAMSSQLImport.cmd utility is a wrapper for the MSSQL bulk copy utility (BCP).
As such, you can specify specific BCP options, as follows:
 Open the CAMSSQLImport.cmd batch file, and in the BCP activation line,
change the BCP options to suit your needs.
For more information about bulk copy options, refer to the MSSQL Server
documentation.
Synchronizing Times and Dates

1. Make sure that the date formats used on the machine where the MSSQL
database is installed and on the machine where the ExportVaultData utility is
installed are the same.
2. Synchronize the times on the machine where the MSSQL database is installed
and the machine where the ExportVaultData utility is installed, as follows:
 The time that is displayed on both machines must reflect the real local
time.
 The time definitions (timezone and the daylight saving time) must reflect
the real local time.
The Cyber-Ark Vault

Using the ExportVaultData Utility

The ExportVaultData utility runs from a command line. All its parameters are
optional.
You can export the information to as many reports as you require. Reports that are
not specified in the utility are not generated and exported.
The ExportVaultData utility uses the following syntax:
ExportVaultData \VaultFile=<VaultFileName>
\CredFile=<CredentialFileName> \Logfile=<LogfileName>
\Target=<MSSQL>
\DBServerName=<DBServerName>
\Separator=<SeparatorCharacter>
[\<ContinueOnErrors>]
\<OutputName>
[{\<OutputName>=<FileName>} ...]
\ChunkSize=<number>
/?
Parameter Specifies
\VaultFile Full path of the Vault configuration file (if not set, default value is ‘vault.ini’).
\CredFile Full path of the user credentials file (if not set, default value is ‘user.ini’).
\Logfile Full path of the log file (if not set, default value is ‘log.txt’).
\Target The output of the utility will be saved in an MSSQL database.
\DBServerName The name of the MSSQL database where the output of the utility will be
exported. This can be either IP or DNS
\Separator The character that will be used as the separator between fields. The default
separator is comma (,).
Note: Some characters are not valid as separators (eg, | ).
\ContinueOnErrors The utility will continue to import tables into the database after an error
occurs. By default, this parameter is not set.
\OutputName The type of report and the name of the output file. At least one output file
must be specified.
Note: Specify the output type and file name directly, as shown in the following
example which would generate a Safes List report:
ExportVaultData \VaultFile=Vault.ini \CredFile=user.cred \Target=File
\SafesList=MySafesList.log
This can be any of the following:
FilesList A files list report will be generated.
LogList A log activities report will be generated.
OwnersList An owners list report will be generated.
RequestsList An incoming requests list report will be
generated.
SafesList A safes list report will be generated.
GroupsList A groups list report will be generated.
GroupMembers List A group members list report will be generated.
UsersList A users list report will be generated.
LocationsList A locations list report will be generated.
The Cyber-Ark Vault

Utility Logs 19
Parameter Specifies
ConfirmationsList A request confirmations list report will be
generated.
Italogfile A system log (ITAlog) file will be generated.
EventsList An events list report will be generated.
ObjectProperties A file categories list will be generated.
\ChunkSize Determines the size of the chunk of information that will be exported. The
default chunk size is -1, which exports 20,000 records. If this parameter is not
specified or specified with a value other than -1, only the first 20,000 records
will be exported.
\? Lists the available options.
The following example shows how to use this utility to generate a log list:
ExportVaultData \VaultFile="D:\ExportVaultData\Vault.ini"
\CredFile="D:\ExportVaultData\auditor.cred" \Target=File
\LogList="D:\ExportVaultData\loglist.txt"
The above example will create a log activities report for the Vault defined in the
Vault.ini file in D:\ExportVaultData. The user who will access the Vault to
generate this report is defined in the auditor.cred file in D:\ExportVaultData.The
log activities report will be saved in a file called loglist.txt, also in
D:\ExportVaultData.
Utility Logs
The ExportVaultData utility creates a log file which contains information about
operations that took place and errors, if they occurred. This log is created the first
time that the ExportVaultData utility is run, and information is added to it each
subsequent time.
In addition, during the import process into the MSSQL database, a new logs folder is
created for the batch file logs.
This folder is created under the ExportVaultData log folder and uses the following
format for its name:
<current date>_<current EVD execution time>
This folder contains one or more of the following files for each imported database
table:
 <table name>.isql.out – This log file is created during a full import when the
table in the current database is cleared, to be replaced by new data. This file is
temporary and is automatically deleted after the table has been cleared
successfully.
 <table name>.out – This log file is created when a table is imported into the
database.
 <table name>.err – This error log file is created when a table is imported into
the database. If this file contains information, an error occurred during the
import process.
The Cyber-Ark Vault

The ExportVaultData and external MSSQL client log files are not deleted
automatically. They will all be stored until they are deleted manually or by a
scheduled task. For more information, refer to Exporting Vault Data into an MSSQL
Database Regularly, page 21.
The Cyber-Ark Vault

Errors 21
Errors
Errors may occur while tables are being imported into the MSSQL database,
whether the process adds new information to existing tables (incremental) or
clears the existing table and creates a new one (full).
 Errors during a ‘full’ import – When an error occurs during a full import, data
integrity is not affected as the ExportVaultData utility will import the entire
table from the beginning the next time it runs.
 Errors during an ‘incremental’ import – When an error occurs during an
incremental import, the ExportVaultData utility distinguishes between two
types of errors:
 Errors that result in a database rollback – When a database rollback occurs,
for example, when the connection to the target MSSQL database is lost
during an import process, incremental indications are not updated for the
current execution. This means that the next time that the ExportVaultData
utility runs, it will begin importing records from exactly the same point as it
did when it started running the previous time (when an error occurred).
 Errors that do not result in a database rollback – When a database rollback
does not occur, the external MSSQL client utility completes its importing
process successfully and the incremental indication is updated. This error
indicates that certain records were not imported to the MSSQL database due
to “client side” problems.
Records that were not imported must be handled manually. These records are
listed in the external MSSQL client error log, <table name>.err. For more
information, refer to Utility Logs , page 19.
Exporting Vault Data into an MSSQL Database

Regularly
The ExportVaultData utility can either be run manually or by a scheduled task. You
can define scheduled tasks to export data as frequently as you require.
For example, you can schedule a task to run the ExportVaultData utility once a day
or more. As the Activities Log report is incremental, the task should not affect
Vault performance adversely.
Note: Make sure that the user who runs the scheduled task is trusted by the target
database and has the appropriate permissions as described in Installing the
ExportVaultData Utility, page 14.
It is important to remember that log files are not deleted automatically. You can
define another scheduled task to delete old log files regularly.
The Cyber-Ark Vault

Example
The following example shows a query that retrieves all the users who accessed
privileged accounts (passwords) in the last month, with the reason for retrieving
the password:
SELECT CAATime, CAFSafeName, CAAInfo1, CAFModificationDate,
CAFModifiedBy, CAAUserName, CAUFirstName, CAULastName,
CAARequestReason
FROM (CALog LEFT JOIN CAFiles ON (CAAInfo1ID = CAFFileID AND
CAASafeID = CAFSafeID)) LEFT JOIN CAUsers ON (CAAUserID =
CAUUserID)
WHERE CAAtime >= DATEADD(month, -1, GETDATE()) AND
CAAActivityCode = 295 AND
CAAInfo1Type = 3
ORDER BY CAFSafeName, CAAInfo1
The Cyber-Ark Vault

Example 23
The Cyber-Ark Vault

24
Output Values
The following tables list the information for each report that is exported from the
Vault into a text file. All the values that are exported into the text file are
enclosed within quotation marks (“”).
This chapter lists the output values for the following reports:
 Locations List Report
 Users List Report
 Groups List Report
 Group Members List Report
 Safes List Report
 Owners List Report
 Files List Report
 User and Safe Activities Report
 System Log Report
 Requests List Report
 Confirmations List Report
 Events List Report
 Object Properties Report
The Cyber-Ark Vault

Unique IDs 25
Unique IDs
The following unique IDs are used throughout the system:
 LocationID – the ID of a Location in the Vault hierarchy.
 UserID – the unique ID of a user in the Vault.
 GroupID – the unique ID of a group in the Vault.
Note: A user and a group cannot have the same ID.
 SafeID – the unique ID of a Safe.
 Log Activities MasterID – the unique ID that identifies each report.
 System Log Timestamp – a unique timestamp that is attached to the System log,
and which can be configured to a microsecond level. For more information,
refer to the Release Notes for this version.
 EventID – the unique ID of an Event.
Note: This ID is unique per Safe.
 MapID – the unique ID of an external user & group map.
Notes:
 All IDs in the system are non-negative.
 If an ID does not exist for a specified object, the ID in the generated output will be
empty. This may be due to:
 A previous Vault server version ,
 Log records that were created prior to upgrading the Vault server to V3.51,
 There is no relevant information.
 All date values appear in the format that is specified on the local computer. The date
values include the date and the time.
 All date values are converted to UTC (GMT) in order to avoid time zone problems.
 If the value of a ‘Date’ field has not been initialized, an empty string will be exported.
Text Type Values

The following table displays the values of the codes that appear in the reports that
are exported to MSSQL database reports. Refer to the ‘Possible Values’ column in
each report output in this documentation to see the text type assigned to this
column. The unique combination of the text type and the code that you receive in
the column in the database can be used to return the text value for this code.
TTextType TTextID TText
1 1 Password
1 2 PKI
1 4 SECURID
1 8 NTAuth
1 16 RADIUS
2 0 None
2 1 Users Administrators
2 2 Safes Administrators
The Cyber-Ark Vault

2 4 Network Area Administrators
2 8 User Templates Administrators
2 16 File Categories Administrators
2 32 Autdit All
2 64 Backup All
2 128 Restore All
3 0 None
3 1 Full
3 2 Partial
3 4 LogonAs
4 1 Internal
4 2 External
5 1 Internal
5 2 External
5 4 Public (Internet)
6 8 Unsecured
6 16 Secure
6 32 Highly Secured
7 0 None
7 1 Require Full Impersonation
7 2 Require Partial Impersonation
7 4 Require LogonAs Impersonation
7 8 Require Authentication And Open
8 0 None
8 1 Open Safe
8 2 Get File
8 3 Open And Get
9 0 None
9 1 Accessed
9 2 New
9 4 Modified
9 7 All
10 0 User
The Cyber-Ark Vault

Text Type Values 27
10 1 Group
10 2 Gateway account
11 1 Pending
11 2 Valid
11 4 Invalid
12 1 File
12 2 Password
13 2 User log record
13 3 Safe log record
14 0 None
14 1 User
14 2 Location
14 3 File/Password
14 4 Network area
14 5 Category
15 1 Open Safe
15 2 Get File
15 4 Get Password
16 0 One time access
16 1 Multiple access
17 0 None
17 1 Expired
17 2 Already Used
17 4 Damaged - Missing supervisor
17 8 Damaged - Confirmation settings changes
17 16 Damaged – Object deleted
17 32 Damaged – Incompatible version
17 64 ToDate passed
18 1 Waiting
18 2 Confirmed
19 0 None
19 1 Reject
19 2 Confirm
The Cyber-Ark Vault

Locations List Report

The Locations List report contains a list of the Locations in the Vault hierarchy and
their names.
The name and import method of the report depends on the target mode, as
follows:
File
Name: Locations.csv
Database
Name: CALocations
Import mode: Full
The LocationsList parameter generates an output file that contains the following
information:
Field Field Type Description Possible Values Relevant
(File) (Database) (Database) Version
LocationID CALLocation bigint The ID number of the Numeric (empty All

ID* Location. in old servers)
LocationName CALLocation nvarchar The name of the String – up to All

Name (128) Location. 128 characters
- CALVaultID nvarchar The name of the Vault String – up to 28 v4.1 and

(28) where the Location is characters above
created.
* - These fields are used as the index.
The Cyber-Ark Vault

Users List Report 29
Users List Report

The Users List Report contains a list of the users in the Vault, their location in the
Vault hierarchy, and their user properties.
follows:
File
Name: Users.csv
Database
Name: CAUsers
Import mode: Full
The UsersList parameter generates an output file that contains the following
information:
UserID CAUUserID* bigint The ID number of Numeric All

the User. (empty in old
servers)
UserName CAUUsername nvarchar The User’s String – up to 28 All

(28) username in the characters
Vault.
LocationID CAULocationID bigint The ID of the Numeric All

Location that the (empty in old
User belongs to servers)
in the Vault
hierarchy.
LocationName CAULocation nvarchar The name of the String – up to 128 All

Name (128) Location. characters
FirstName CAUFirstName nvarchar The User’s first String – up to 30 All

(30) name. characters
LastName CAULastName nvarchar The User’s last String – up to 30 All

(30) name. characters
BusinessEmail CAUBusiness nvarchar The User’s String – up to 50 All

Email (50) business email. characters
Disabled CAUDisabled nvarchar Whether or not YES/NO All

(5) the user account
is disabled.
FromHour CAUFromHour int The hour from Numeric – 0-24 All

when the user
can access the
Vault.
ToHour CAUToHour int The hour until Numeric – 0-24 All

when the user
can access the
Vault.
The Cyber-Ark Vault


CreationDate CAUCreation datetime The date when Date v7.1 and

Date the user’s above
account was
created in the
Vault.
ExpirationDate CAUExpiration datetime The date when Date All

Date the user’s
account will
expire.
PasswordNever CAUPassword nvarchar Whether or not YES/NO All

Expires NeverExpires (5) the user’s
password will
ever expire.
LogRetention CAULog int The log retention Numeric All

Period Retention Period period in days of (non-negative)
the user’s
account history.
Authentication CAU int The Combination of All

Methods Authentication authentication the following
Methods method that the numeric values:
user will use to 1 – Password
log onto the 2 – PKI
Vault. 4 – SECURID
8 – NTAuth
16 – RADIUS
Text type (DB): 1
Authorizations CAU int The user’s Combination of All

Authorizations authorization in the following (‘AuditAll’,
the Vault. numeric values: ‘BackupAll’
0 – None and
1 – User ‘RestoreAll’
Administrator are relevant
2 – Safe from v4.0 and
Administrator above.)
4 – NetworkArea
Administrator
8–
UserTemplates
Administrator
16 –
FileCategories
Administrator
32 – AuditAll
64 – BackupAll
128 – RestoreAll
256 – Reset
Users' Passwords
512 – Activate
Users
Text type (DB): 2
The Cyber-Ark Vault

Users List Report 31

Gateway CAUGateway int Gateway Account Combination of All

Account Account impersonation the following
Authorizations Authorizations authorizations numeric values:
0 – None
1 – Full
2 – Partial
4 – LogonAs
Text type (DB): 3
Distinguished CAUDistinguished nvarchar The user’s String – up to 512 All (field

Name Name (512) certificate DN characters description
(for PKI logon). was changed
in v4.0)
Internal/External CAUExternal int The type of user: One of the v4.0 and
Internal external or following numeric above
internal. values:
1 – Internal
2 – External
Text type (DB): 4
LDAPFullDN CAULDAPFullDN nvarchar If the user is an String – up to v4.0 and

(1024) external user – 1024 characters above
the full DN of
the user on the
external
Directory.
LDAPDirectory CAULDAP nvarchar If the user is an String – up to 256 v4.0 and

Directory (256) external user – characters above
the name of the
external
Directory.
MapName CAUMapName nvarchar If the user is an String – up to 128 v4.0 and

(128) external user – characters above
the name of the
Map according to
which the user
was created.
MapID CAUMapID bigint If the user is an Numeric v4.0 and

external user – (empty in old above
the ID of the Map servers, and
by which the internal users)
user was
created.
LastLogonDate CAULastLogon datetime The last time the Date v5.5

Date user logged on to
the Vault.
PrevLogonDate CAUPrevLogon datetime The date prior to Date v5.5

Date the last logon
date that the
user logged on to
the Vault.
UserTypeID CAUUserTypeID int The unique user Valid user type ID v5.5
type ID. according to
license
The Cyber-Ark Vault


Restricted CAURestricted nvarchar Restricted client Client IDs through v5.5

Interfaces Interfaces (1024) IDs. which logon to
the Vault is not
permitted.
Application CAUApplication nvarchar Application String v5.5

Metadata Metadata (4000) metadata.
- CAUVaultID nvarchar The name of the String – up to 28 v4.1 and

(28) Vault where the characters above
user is created.
Notes:
 The “Master” user’s details cannot be fully exported. Details that cannot be exported
are written as empty values.
 * - These fields are used as the index.
Groups List Report

The Groups List report contains a list of the Groups in the Vault and their location
in the Vault hierarchy.
follows:
File
Name: Groups.csv
Database
Name: CAGroups
Import mode: Full
The GroupsList parameter generates an output file that contains the following
information:
Field Field Type Description Possible Relevant

(File) (Database) (Database) Values Version
GroupID CAGGroupID* bigint The ID number of the Numeric All

Group. (empty in old
servers)
GroupName CAGGroupName nvarchar The name of the Group. String – up to All
(28) 28 characters
LocationID CAGLocationID bigint The ID of the Group’s Numeric All
Location in the Vault (empty in old
hierarchy. servers)
LocationName CAGLocation nvarchar The name of the String – up to All
Description CAGDescription nvarchar A description of the String – up to All
(100) Group. 100 characters
The Cyber-Ark Vault

Groups List Report 33

ExternalGroup CAGExternal nvarchar The name of an String – up to v4.0 and

Name GroupName (128) External group that is a 128 characters above
member of the Vault
Group.
Internal/External CAGExternal int The type of group: One of the v4.0 and
Internal external or internal. following above
numeric
values:
1 – Internal
2 – External
Text type
(DB): 4
LDAPFullDN CAGLDAP FullDN nvarchar If the group is an String – up to v4.0 and
(1024) external group – the full 1024 above
DN of the group on the characters
external Directory.
LDAPDirectory CAGLDAP nvarchar If the group is an String – up to v4.0 and
Directory (256) external group – the 256 characters above
name of the external
Directory.
MapName CAGMapName nvarchar If the group is an String – up to v4.0 and
(128) external group – the 128 characters above
name of the Map
according to which the
group was created.
MapID CAGMapID bigint If the group is an Numeric v4.0 and
external group – the ID (empty in old above
of the Map according to servers, and
which the group was internal
created. groups)
- CAGVaultID nvarchar The name of the Vault String – up to v4.1 and
(28) where the Group is 28 characters above
created.
The Cyber-Ark Vault

Group Members List Report

The Group Members List report contains a list of group members for each group in
the Vault.
follows:
File
Name: GroupMembers.csv
Database
Name: CAGroupMembers
Import mode: Full
The GroupMembersList parameter generates an output file that contains the
following information:
GroupID CAGMGroup bigint The ID number of the Numeric (empty All
ID* Group. in old servers)
UserID CAGMUser ID* bigint The user ID of the Group Numeric (empty All
member. in old servers)
- CAGMVault ID nvarchar The name of the Vault String – up to 28 v4.1 and
(28) where the Group is characters above
created.
MemberIsGroup CAGMMember nvarchar Indicates whether the YES/NO v7.1 and
IsGroup (5) Group member is a above
Group.
The Cyber-Ark Vault

Safes List Report 35
Safes List Report

The Safes List Report contains a list of all the Safes in the Vault and their Safe
properties.
follows:
File
Name: Safes.csv
Database
Name: CASafes
Import mode: Full
The SafesList parameter generates an output file that contains the following
information:

SafeID CASSafeID* bigint The unique ID number Numeric All

of the Safe. (empty in old
servers)
SafeName CASSafeName nvarchar The name of the Safe. String – up to All

(28) 28 characters
CreationDate CASCreationDate datetime The date when the Date v7.1 and
Safe was created. above
CreatedBy CASCreatedBy nvarchar The name of the user String – up to v7.1 and
(128) who created the Safe. 128 characters above
LocationID CASLocationID bigint The ID of the Location Numeric All

of the Safe in the Vault (empty in old
hierarchy. servers)
LocationName CASLoccation nvarchar The name of the String – up to All

Size CASSize bigint The size of the Safe (in Numeric All
KB). (positive)
MaxSize CASMaxSize bigint The maximum size of Numeric All

the Safe (in MB). (positive)
%UsedSize CASUsedSize int The percentage of the Numeric All

Safe size that has been (positive)
used.
LastUsed CASLastUsed date The most recent date Date All

when the Safe was
used.
VirusFree CASVirusFree nvarchar Whether or not the YES/NO All

(5) Safe is a Virus-Free
Safe.
The Cyber-Ark Vault


TextOnly CASTextOnly nvarchar Whether or not the YES/NO All

(5) Safe is a Text-Only
Safe.
AccessLocation CASAccess int The access location of One of the All

Location the Safe. following
numeric
values:
1 – Internal
2 – External
4 – Public
(Internet)
Text type (DB):
5
SecurityLevel CASSecurity int The security level of One of the All

Level the Safe. following
numeric
values:
8 – Unsecured
16 – Secure
32 – Highly
Secured
Text type (DB):
6
Delay CASDelay int The delay in minutes Numeric (non- All

between a user negative)
opening a Safe and
actually being able to
access its contents.
FromHour CASFromHour int The time from when Numeric – 0-24 All
users can access the
Safe.
ToHour CASToHour int The time until when Numeric – 0-24 All
users can access the
Safe.
DailyVersions CASDaily int The number of daily Numeric (non- All

Versions object versions to be negative)
saved in the Safe.
MonthlyVersions CASMonthly int The number of monthly Numeric (non- All

Versions versions of files to be negative)
saved in the Safe.
YearlyVersions CASYearly int The number of yearly Numeric (non- All

Versions versions to be saved in negative)
the Safe.
LogRetention CASLog int The number of days Numeric (non- All

Period Retention that must pass before negative)
Period log records can be
deleted from the Safe.
The Cyber-Ark Vault

Safes List Report 37

ObjectsRetention CASObjects int The number of days Numeric (non- All

Period Retention that must pass before negative)
Period previous versions of
files can be deleted
from the Safe.
RequestRetention CASRequests int The number of days Numeric (non- All

Period RetentionPeriod that must pass before a negative)
request and its
confirmations can be
deleted from the Safe.
ShareOptions CASShare int The Safe sharing Combination of All

Options settings. the following
numeric
values:
0 – None
1 – RequireFull
Impersonation
2–
RequirePartial
Impersonation
4–
RequireLogonAs
Impersonation
8 – Require
Authentication
AndOpen
Text type (DB):
7
NumberOf CASNumberOf int The number of Numeric (non- v7.1 and

Password PasswordVersions password versions negative) above
Versions stored in the Safe.
ConfirmersCount CASConfirmers int The number of owners Numeric (non- All

Count that are required to negative)
confirm requests for
access to the
Safe/files/ passwords.
ConfirmType CASConfirm Type int The type of One of the All

confirmation that is following
required. numeric
values:
0 – None
1 – OpenSafe
2 – GetFile
3–
OpenAndGet
Text type (DB):
8
The Cyber-Ark Vault


DefaultAccess CASDefault int The default access Combination of All

Marks Access marks for the Safe. the following
Marks numeric
values:
0 – None
1 – Accessed
2 – New
4 – Modified
7 – All
Text type (DB):
9
DefaultFile CASDefault File nvarchar Whether or not the YES/NO All

Compression Compression (5) files are compressed by
default.
DefaultReadOnly CASDefault nvarchar Whether or not the YES/NO All

ReadOnly (5) files are retrieved in
read-only mode by
default.
RequireReason CASRequire nvarchar Whether or not users YES/NO v4.0 and

ToRetrieve ReasonTo (5) need to specify a above
Retrieve reason in order to
retrieve files from the
Safe.
QuotaOwner CASQuota Owner nvarchar The name of the user String – up to All
(128) who the quota is 128 characters
allocated to.
UseFileCategories CASUseFile nvarchar Whether or not File YES/NO All

Categories (5) Categories can be
specified when a new
file is stored in the
Safe.
EnforceExlusive CASEnforce nvarchar Whether or not YES/NO v4.1 and

Passwords Exclusive (5) passwords in this Safe above
Passwords are retrieved
exclusively to a single
user and are changed
before being released.
RequireContent CASRequire nvarchar Whether or not files YES/NO v4.1 and

Validation Content (5) and passwords in this above
Validation Safe require content
validation.
- CASVaultID nvarchar The name of the Vault String – up to v4.1 and

(28) where the Safe exists. 28 characters above
Notes:
 Not all the information from the “System” and “Pictures” Safes can be exported, and
therefore not all their details can be included in the report. Details that cannot be
exported are written as empty values.
The Cyber-Ark Vault

Owners List Report 39
Owners List Report

The Owners List report contains a list of Owners of the Safes in the Vault and their
permissions in each one.
follows:
File
Name: Owners.csv
Database
Name: CAOwners
Import mode: Full
The OwnersList parameter generates an output file that contains the following
information:

SafeID CAOSafeID* bigint The ID of the Safe whose Numeric All

owners are listed. (empty in
old servers)
SafeName CAOSafe Name nvarchar The name of the Safe. String – up All
(28) to 28
characters
OwnerID CAOOwnerID* bigint The user/group ID of the Numeric All

owner. (empty in
old servers)
OwnerName CAOOwner nvarchar The name of the owner. String – up v4.1 and
Name (128) to 128 above
characters.
OwnerType CAOOwner int The type of the owner One of the v4.1 and
Type following above
numeric
values:
0 – User
1 – Group
2 – Gateway
account
Text type
(DB): 10
Expiration CAOExpiration datetime The date when the Date All

Date Date Owner’s ownership on
the Safe will expire.
Expdt CAOExpdt datetime The date when the user’s Date v7.1 and
ownership on the Safe above
will expire.
List CAOList nvarchar Whether or not the YES/NO v5.5

(5) owner has the ‘List Files’
permission.
The Cyber-Ark Vault


Retrieve CAORetrieve nvarchar Whether or not the YES/NO v5.5

(5) owner has the 'Retrieve
Files' permission.
CreateObject CAOCreate nvarchar Whether or not the YES/NO v5.5

Object (5) owner has the 'Create
Objects' permission.
UpdateObject CAOUpdate nvarchar Whether or not the YES/NO v5.5

Object (5) owner has the 'Update
UpdateObject CAOUpdate nvarchar Whether or not the YES/NO v5.5

Properties ObjectProperties (5) owner has the 'Update
Object Properties'
permission.
RenameObject CAORename nvarchar Whether or not the YES/NO v5.5

Object (5) owner has the 'Rename
Object' permission.
Delete CAODelete nvarchar Whether or not the YES/NO All

(5) owner has the ‘Delete
files from Safe’
authorization.
ViewAudit CAOViewAudit nvarchar Whether or not the YES/NO v5.5

(5) owner has the 'View
Audit' permission.
ViewOwners CAOViewOwners nvarchar Whether or not the YES/NO v5.5

(5) owner has the 'View
Owners' permission.
UsePassword CAOUsePassword nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Use
Passwords' permission.
InitiateCPM CAOInitiate nvarchar Whether or not the YES/NO v5.5

Change CPM Change (5) owner has the ‘Initiate
CPM Change’ permission.
InitiateCPM CAOInitiateCPM nvarchar Whether or not the YES/NO v5.5

ChangeWith ChangeWithManual (5) owner has the ‘Initiate
ManualPassword Password CPM Change With Manua l
Password’ permission.
CreateFolder CAOCreateFolder nvarchar Whether the owner has YES/NO v5.5

(5) the 'Create Folder'
permission.
DeleteFolder CAODeleteFolder nvarchar Whether or not an owner YES/NO v5.5

(5) has the "Delete Folders'
permission.
UnlockObject CAOUnlockObject nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Unlock
The Cyber-Ark Vault

Owners List Report 41

MoveFrom CAOMoveFrom nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Move
Files' permission.
MoveInto CAOMoveInto nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Move into'
permission.
ManageSafe CAOManageSafe nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Manage
Safe' permission.
ManageSafe CAOManage nvarchar Whether or not the YES/NO v5.5

Owners SafeOwners (5) owner has the "Manage
Safe Owners' permission.
ValidateSafe CAOValidate nvarchar Whether or not the YES/NO v5.5

Content SafeContent (5) owner has the "Validate
Safe Content' permission.
Backup CAOBackup nvarchar Whether or not the YES/NO All

(5) owner has the ‘Backup
Safe’ permission.
NoConfirm CAONoConfirm nvarchar Whether or not the YES/NO All

Required Required (5) owner has the ‘Access
Safe without
Confirmation’
permission. This enables
them to access the Safe
or retrieve files or
passwords from the Safe
without confirmation,
even if other users
require confirmation.
Confirm CAOConfirm nvarchar Whether or not the YES/NO All

(5) owner has the ‘Confirm
Safe Requests’
permission.
EventsList CAOEventsList nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Events
List' permission.
EventsAdd CAOEventsAdd nvarchar Whether or not the YES/NO v5.5

(5) owner has the "Events
Add' permission.
- CAOVaultID nvarchar The name of the Vault String – up v4.1 and

(28) where the Safe owner to 28 above
owns the Safe. characters
The Cyber-Ark Vault

Files List Report

The Files List report contains information about files and passwords that are stored
in the specified Vault.
follows:
File
Name: Files.csv
Database
Name: CAFiles
Import mode: Full
The FilesList parameter generates an output file that contains the following
information:

SafeID CAFSafeID* bigint The ID of the Numeric (empty in old All

Safe where servers)
the file is
stored.
SafeName CAFSafeName nvarchar The name of String – up to 28 All

(28) the Safe. characters
Folder CAFFolder nvarchar The name of String – up to 170 All

(170) the folder characters
where the
file is stored.
FileID CAFFileID* bigint The ID Numeric All

number of
the file in the
Safe. This
number is
unique to the
Safe.
FileName CAFFileName nvarchar The name of String – up to 170 All

(170) the object. characters
InternalName CAFInternal Name nvarchar A unique file String – up to 28 All

(28) name that characters
identifies a
specific
version of the
file.
Size CAFSize bigint The size (in Numeric – 0 for All

bytes) of the password objects
specified
object.
The Cyber-Ark Vault

Files List Report 43

CreatedBy CAFCreatedBy nvarchar The name of String – up to 128 All

(128) the user who characters
created the
original file.
CreationDate CAFCreationDate datetime The date Date All

when the
original file
was created.
LastUsedBy CAFLastUsedBy nvarchar The name of String – up to 128 All

last used the
file.
LastUsedDate CAFLastUsedDate datetime The date Date All

when the file
was last
used.
LastUsed CAFLastUsedBy nvarchar The name of String – up to 128 v7.1and

ByHuman Human (128) the human characters above
user who last
used the file.
LastUsed CAFLastUsed datetime The date Date v7.1 and

HumanDate HumanDate when the file above
was last used
by a human
user.
LastUsedBy CAFLastUsedBy nvarchar The v7.1 and

Component Component (128) component above
that last used
the file.
LastUsed CAFLastUsed datetime The date Date v7.1 and

Component ComponentDate when the file above
Date was last used
by a
component.
Modification CAFModification datetime The date Date All

Date Date when the file
was last
modified.
ModifiedBy CAFModifiedBy nvarchar The name of String – up to 128 All

last modified
the file.
LastModified CAFLastModifiedBy nvarchar The name of String – up to 128 v7.1 and

By (128) the user who characters above
last modified
the file.
The Cyber-Ark Vault


LastModified CAFLastModified datetime The date Date v7.1 and

Date Date when the file above
was last
modified.
DeletedBy CAFDeletedBy nvarchar The name of String – up to 128 All

deleted the
specified file.
DeletionDate CAFDeletion Date datetime The date Date All

when the file
was deleted.
LockDate CAFLockDate datetime The date Date All

when the
specified file
was locked.
LockBy CAFLockBy nvarchar The name of String – up to 128 All

locked the
file.
LockedBy CAFLockByID bigint The ID of the Numeric (empty in old All

UserID user who servers or if the file is
locked the not locked)
file.
Accessed CAFAccessed nvarchar Whether or YES/NO All

(5) not the
specified file
or object has
been
accessed by
another user.
New CAFNew nvarchar Whether or YES/NO All

(5) not new files
in the Safe
are marked.
Retrieved CAFRetrieved nvarchar Whether or YES/NO All

(5) not files that
have been
retrieved
from the Safe
are marked.
Modified CAFModified nvarchar Whether or YES/NO All

(5) not files that
have been
modified are
marked.
The Cyber-Ark Vault

Files List Report 45

IsRequest CAFIsRequest nvarchar Whether or YES/NO v4.0 and

Needed Needed (5) not the user above
who is logged
on requires
confirmation
to retrieve
the object.
Note: This is
based on Safe
and owner
details, not
on current
existing
requests.
Validation CAFValidation int Whether or One of the following v4.1 and

Status Status not the numeric values: above
object 1 – Pending
content is 2 – Valid
valid. 4 – Invalid
(1 in previous server
versions or if the Safe
doesn’t require
content validation)
Text type (DB): 11
Type CAFType int Whether the One of the following All

object is a numeric values:
file or a 1 – File
password. 2 – Password
Text type (DB): 12
- CAFVaultID nvarchar The name of String – up to 28 v4.1 and

(28) the Vault characters above
where the
where the
file is stored.
Notes:
 The ‘IsRequestNeeded’ field returns a user-related value. If the specific user that is
logged on has the ‘Access Safe without Confirmation’ authorization, the value will be
NO, even if confirmation is required by other users to access the file.
 The ‘IsRequestNeeded’ field is also not time-dependent. If the user doesn’t need
confirmation at this specific point in time because there is already a confirmed request
for this object, but a request is required to retrieve the file, the value will be YES.
The Cyber-Ark Vault

User and Safe Activities Report

The User and Safe Activities report includes all the activities carried out by users
on other users/groups/locations and all the operations carried out by users in the
different Safes in the Vault. Each activity is marked as either a User activity or a
Safe activity.
Note: The LogNumOfDays parameter can be used to determine the number of previous
days that will be included in the report. The default setting will export the log
activities that occurred during the last day (24 hours).
follows:
File
Name: Log.csv
Database
Name: CALog
Import mode: Incremental
The LogList parameter generates an output file that contains the following
information:

MasterID CAAMasterID* bigint A cross-system unique Numeric: Log Type + All

ID for the log record. Log ID + entity
(User/Safe) ID
(when an ID is empty
due to an old server, it
will appear as “00”)
LogID CAAActivity ID bigint The log record ID. Numeric (empty in old All
This ID is unique to servers)
the type of entity –
User/Safe.
Type CAAActivity int The log record type. One of the following All
Type numeric values:
2 – User log record
3 – Safe log record
Text type (DB): 13
Code CAAActivity int The code number for Numeric (positive) All
Code the specified type of
log record.
For a list of the codes
and log messages
generated by this
report, refer to
Appendix D: Action
Codes, page 70.
Time CAATime datetime The time that the Date All

action took place.
The Cyber-Ark Vault

User and Safe Activities Report 47

Action CAAAction nvarchar The type of action String – up to 500 All

(500) that was carried out. characters
SafeID CAASafeID bigint The ID of the Safe in Numeric (empty in old All
the ‘SafeName’ field. servers or if this is a
user activity)
SafeName CAASafeName Nvarchar The name of the Safe String – up to 260 All
(260) where the action took characters
place.
UserID CAAUserID bigint The ID of the user in Numeric All

the ‘UserName’ field. (empty in old servers)
UserName CAAUser Nvarchar The username of the String – up to 128 All

Name (128) user who carried out characters
the action.
UserTypeID CAAUser int The unique User Type A valid User Type ID V5.5
TypeID Id that specifies the specified in the license.
type of user.
InterfaceID CAAInterface nvarchar The unique Client ID Any valid interface ID. V5.5
Id (11) that specifies the
type of interface that
the user can use to
access the Vault.
Info1ID CAAInfo1ID bigint The ID of the value in Numeric – specific field All
the ‘Info1’ field. value depends on the
action (empty in old
servers or if there is no
relevant information)
Info1Type CAAInfo1 int The type of the value One of the following All
Type in the ‘Info1’ field. numeric values:
0 – None
1 – User
2 – Location
3 – File/password
4 – Network area
5 – Category
Text type (DB): 14
Info1 CAAInfo1 nvarchar Additional String – up to 513 All

(513) information. characters. Specific
field value depends on
the action.
Info2ID CAAInfo2ID bigint The ID of the value in Numeric – specific field All
the ‘Info2’ field. value depends on the
action (empty in old
servers or if there is no
relevant information)
The Cyber-Ark Vault


Info2Type CAAInfo2 int The type of the value One of the following All
Type in the ‘Info2’ field. numeric values:
0 – None
1 – User
2 – Location
3 – File/ password
4 – Network area
5 – Category
Text type (DB): 14
Info2 CAAInfo2 nvarchar Additional String – up to 513 All

(513) information. characters. Specific
field value depends on
the action.
RequestID CAARequestID int The ID of the request Numeric (empty in old All
(if relevant). servers or if a request
was not required)
Request CAARequest nvarchar The reason for the String – up to 520 All
Reason Reason (520) request (if relevant). characters
Alert CAAAlert nvarchar Whether or not the YES/NO All

(5) log entry is an alert.
AppAuditDate CAAAppAudit Datetime The date and time of Date V5.5

Date an external
operation.
ExternalAudit CAAExternal nvarchar Whether this YES/NO V5.5

Audit (5) operation is external
or not.
- CAAVaultID nvarchar The name of the String – up to 28 v4.1 and

(28) Vault where the characters above
activity took place.
The Cyber-Ark Vault

System Log Report 49
System Log Report

The System Log Report contains a list of system information, such as intrusion
detection, basic system status, track login failures, server shutdown, and all other
activities that have taken place in the Vault.
follows:
File
Name: ITALog.csv
Database
Name: CAITALog
Import mode: Full
The ITAlogfile parameter generates an output file that contains the following
information:

Time CASLTime* int The time when Unique timestamp. This All
the log record timestamp is configurable to
was written. the micro second level in the
Vault dbparm.ini file.
Code CASLCode nvarchar A unique log String – up to 9 characters All

(9) record type code.
LogMessage CASLLog nvarchar The content of String – up to 256 characters All

Message (256) the log record.
- CASLVaultID nvarchar The name of the String – up to 28 characters v4.1 and

(28) Vault. above

For a list of the codes and log messages that are shared by this report and the User
and Safe Activities report, refer to Appendix C: ITAlog Messages, page 69.
The Cyber-Ark Vault

Requests List Report

The Requests List Report contains a list of all the requests in the Vault that have
been created for access to a Safe and/or files or passwords. In order to generate a
full list of all the requests in the Vault, the user who runs the utility with this
parameter must have the ‘Confirm Safe Requests’ authorization in all the Safes
that require users to receive access confirmation from authorized users.
Note: The requests of the user who runs this utility will not appear in the report.
follows:
File
Name: Requests.csv
Database
Name: CARequests
Import mode: Full
The RequestsList parameter generates an output file that contains the following
information:

RequestID CARRequestID* int The unique ID of this Numeric All

request.
This ID is unique per
Safe.
UserID CARUser ID bigint The ID of the user who Numeric (empty All
sent this request. in old servers)
UserName CARUserName nvarchar The name of the user String – up to 128 All
(128) who sent this request. characters
Type CARType int The type of the One of the All

request. following numeric
Note: These numeric values:
values were changed in 1 – OpenSafe
this version and must 2 – GetFile
be changed in your 4 – GetPassword
script accordingly. Text type (DB):
15
SafeID CARSafeID* bigint The ID of the Safe for Numeric (empty All
which the request has in old servers)
been sent.
SafeName CARSafeName nvarchar The name of the Safe String – up to 28 All

(28) for which the request characters
has been sent.
FolderName CARFolder nvarchar The name of the folder String – up to 170 All
Name (170) that the request refers characters
to.
The Cyber-Ark Vault

Requests List Report 51

FileID CARFileID bigint The ID number of the Numeric (empty if All

file/ password that the the request is for
request refers to. Safe access)
FileName CARFileName nvarchar The name of the file/ String – up to 28 All

(170) password that the characters
request refers to.
Reason CARReason nvarchar The reason specified String – up to 200 All

(200) by the request. characters
AccessType CARAccess Type int The access type of the One of the All
values:
0 – OneTime
access
1 – Multiple
access
Text type (DB):
16
Confirmations CAR int The number of owners Numeric All

Count Confirmations that have confirmed (non-negative)
Count the request.
Confirmations CAR int The number of owners Numeric All

Left Confirmations that are still required (non-negative)
Left to request
confirmation.
RejectionsCount CARRejections int The number of owners Numeric All

Count that rejected the (non-negative)
request.
InvalidReason CARInvalid int The reason the request Combination of All

Reason is invalid. the following
numeric values:
0 – None
1 – Expired
2 – Already Used
4 – Damaged
Missing Supervisor
8 – Damaged
Confirmation
Settings Changed
16 – Damaged
Object Deleted
32 – Damaged
Incompatible
Version
64 – ToDate
Passed
CreationDate CARCreation datetime The date when the Date All

Date request was created.
ExpirationDate CARExpiration datetime The date when the Date All

Date request expires.
The Cyber-Ark Vault


PeriodFrom CARPeriodFrom datetime The date from when Date All

the request is usable.
PeriodTo CARPeriodTo datetime The date until when Date All

the request is usable.
LastUsedDate CARLastUsed datetime The most recent date Date All

Date that the request was
used.
Status CARStatus int The status of the One of the All

values:
1 – Waiting
2 – Confirmed
5 – Waiting but
invalid. The
request was never
approved.
6 – Confirmed but
invalid due to
timeframe/ one-
time usage.
- CARVaultID nvarchar The name of the Vault String – up to 28 v4.1 and

(28) where the request was characters above
created.
The Cyber-Ark Vault

Confirmations List Report 53
Confirmations List Report

The Confirmations List Report generates a list of all the confirmations given to
requests in the Vault and their status. In order to generate a full list of all the
confirmations in the Vault, the user who runs the utility with this parameter must
have the ‘Confirm Safe Requests’ authorization in all the Safes that require users
to receive access confirmation from authorized users.
Note: Confirmation given in response to requests of the user who runs this utility will not
appear in the report.
follows:
File
Name: Confirmations.csv
Database
Name: CAConfirmations
Import mode: Full
The ConfirmationsList parameter generates an output file that contains the

RequestID CACRequest int The ID number of the Numeric All

ID* request.
SafeID CACSafeID* bigint The ID of the Safe where Numeric (empty in old All
the request was created. servers)
SafeName CACSafe nvarchar The name of the Safe String – up to 28 All

Name (28) where the request was characters
created.
UserID CACUserID* bigint The ID of the User who Numeric (empty in old All
confirmed/ rejected the servers or if the
request. authorized owner is a
group and the request
is waiting for a group
member to
confirm/reject it)
UserName CACUser nvarchar The name of the User String – up to 128 All
Name (128) who confirmed/ characters
rejected the request.
GroupID CACGroup bigint The ID of the Group that Numeric (empty in old All
ID the authorized user who servers or if the
confirmed/rejected the authorized owner is a
request belongs to. user)
GroupName CACGroup nvarchar The name of the Group String – up to 128 All
Name (128) that the authorized user characters
who confirmed/rejected
the request belongs to.
The Cyber-Ark Vault


Reason CACReason nvarchar The reason for retrieving String – up to 170 All
(170) the file/ password. characters
Action CACAction int The action that the One of the following All
authorized user carried numeric values:
out on the request. 0 – None
1 – Reject
2 – Confirm
Text type (DB): 19
ActionDate CACAction datetime The date when the Date All

Date authorized user carried
out the action on the
request.
- CACVaultID nvarchar The name of the Vault String – up to 28 v4.1 and

(28) where the request was characters above
created.
The Cyber-Ark Vault

Events List Report 55
Events List Report

The Events List report contains a list of the application events in the Safes and
their details.
follows:
File
Name: Events.csv
Database
Name: CAEvents
Import mode: Incremental
The EventsList parameter generates an output file that contains the following
information:

SafeName CAESafe nvarchar The Safe in which the String – up v4.0 and
(28) Event was created. to 28 above
characters
EventID CAEEventID* bigint The ID of the Event. Numeric v4.0 and

This ID is unique per above
Safe.
SourceID CAESourceID int The source ID of the Numeric v4.0 and

Event. above
EventTypeID CAEEvent int The Event Type ID of Numeric v4.0 and

TypeID the Event. above
ClientID CAEClientID nvarchar The client ID of the String – up v4.0 and

(10) Event. to 10 above
characters
UserName CAEUser nvarchar The user who created String – up v4.0 and
(128) the Event. to 128 above
characters
AgentName CAEAgent nvarchar The agent that created String – up v4.0 and
(128) the Event. to 128 above
characters
FromIP CAEFromIP nvarchar The IP where the event String – up v4.0 and
(15) was created. to 15 above
characters
Version CAEVersion nvarchar The version of the String – up v4.0 and

(15) client that created the to 15 above
Event. characters
CreationDate CAECreation datetime The date when the Date v4.0 and
Date Event was created. above
The Cyber-Ark Vault


ExpirationDate CAEExpiration datetime The date when the Date v4.0 and
Date event will expire. above
Data CAEData nvarchar The data of the event. String – up v4.0 and
(1000) to 1000 above
characters
EventVersion CAEEvent int The version of the Numeric v5.5

Version event version (0/1)
- CAEVaultID nvarchar The name of the Vault String – up v4.1 and

(28) where the Event was to 28 above
created. characters
Notes:
 Events data may contain unprintable characters.
The Cyber-Ark Vault

Object Properties Report 57
Object Properties Report

The ObjectProperties report contains information about file categories that are
stored in the specified Vault.
follows:
File
Name: ObjectProperties.csv
Database
Name: CAObjectProperties
Import mode: Full
The ObjectProperties parameter generates an output file that contains the

ObjectProperty CAOPObject bigint The file category Id. v5.5

Id PropertyId This number is
unique in a safe.
ObjectProperty CAOPObject nvarchar The name of the file String – up to 29 v5.5

Name PropertyName (29) category. characters
SafeId CAOPSafeId bigint The ID of the safe v5.5

where the file where
the file is stored.
FileId CAOPFileId int The ID number of the v5.5

file for which the file
category was
created. This number
is unique to the Safe.
Object CAOPObject nvarchar The value of the file String – up to v5.5 – 161
Property Property (4000) category. 4000 characters,
Value Value v7.1 – 4000
characters
Options CAOPOptions bigint The file category Combination of v5.5

settings the following
numeric values:
0 – None
1 – File category
defined for the
entire vault (not a
specific Safe)
4 – File category
is required for
files in specified
Safe.
- CAFVaultID nvarchar The name of the String – up to 28 v5.5

(28) Vault where the file characters
is stored.
The Cyber-Ark Vault

58
Appendices
This chapter contains the following appendices:

 Appendix A: Creating a User Credential File
 Appendix B: Vault Parameter File
 Appendix C: ITAlog Messages
 Appendix D: Action Codes
The Cyber-Ark Vault

Appendix A: Creating a User Credential File 59
Appendix A: Creating a User Credential File

Some Vault components can access the Vault server with a user credential file that
contains the user’s name and encrypted authentication details, preventing the
need for interactive authentication and enabling file sharing and transfer processes
to be performed automatically.
Before creating the user credential file, make sure that you are familiar with the
user’s authentication details in the Vault.
CreateCredFile Utility
The ExportVaultData utility, version 5.5, uses the CreateCredFile utility to create a
user credential file that contains the user’s Vault username and encrypted logon
information. This user credential file can be created for password, Token, PKI, or
Radius authentication with a utility that is run from a command line prompt. It can
also create a credentials file for authentication through a Proxy server.
User credential files can specify restrictions which increase their security level and
ensure that they cannot be used by anyone who is not permitted to do so, nor from
an unauthorized location. The CreateCredFile utility included in this version can
enforce any of the following restrictions:
 Specific application – The credentials file can only be used by a specific Cyber-
Ark application or module. This can be specified for Password, Token, or PKI
authentication but not for Proxy authentication. For more details about specific
applications, refer to Specifying Applications, page 60.
 Specific path – The credentials file can only be used by an executable located
in a certain path.
 IP address – The credentials file can only be used on the machine where it is
created.
 Operating System user – The credentials file can only be used by an
application started by a specified Operating System user.
These restrictions are specified during the credentials file creation process.
Credential files that were created in previous versions with the CreateAuthFile
utility can still be used. However, they do not contain the increased security
restrictions that are included in up-to-date CreateCredFile utility.
Credentials files that are created with restrictions will not be supported by
previous versions of the ExportVaultData utility.
Before creating or updating the user credential file, make sure that you are
familiar with the user’s authentication details in the Vault as you will be required
to provide logon credentials to generate the encrypted credentials file.
The Cyber-Ark Vault

Specifying Applications
The following Client ID can be specified in the user credentials file to enable the
ExportVaultData user to log onto the Vault:
Application ID
ExportVaultData utility HTTPGW
The CreateCredFile utility is located in the installation folder. It can be used to

create a user credential file for password, RADIUS, Token, or PKI authentication
with a utility that is run from a command line prompt.
It can also create a user credential file for authentication through a Proxy server.
The CreateCredFile utility uses the following syntax:
CreateCredFile <FileName> <command> [command parameters]
Parameter Specifies
Filename The name of the user credential file to create or update, specifically
user.cred.
Password Indicates that the credential file will be created with password
authentication details.
/Username Sets the username in the credential file.
This parameter is required. If you do not specify it in the command, you
will be prompted for it.
/Password The password that will be encrypted in the credential file.
/DisableSyncPasswordToDR Whether or not replaced passwords will be replicated to all the
configured DR sites before they are removed from the credential file.
By default, this parameter is set to ‘No’.
/ExternalAuth The type of external authentication that will be used to authenticate
users to the Vault.
Radius Creates a user name-password credential file for use with RADIUS
server.
LDAP Creates a user name-password credential file for use with an LDAP
directory.
No This credential file will not be used with either a Radius server or an
LDAP directory.
/AppType A unique application ID that specifies the application that will be able
<Application ID> use this file.
/ExePath <Path> The full path of the executable that will be able to use this file.
Notes:
 On UNIX machines, if the executable will be executed from the PATH
you can specify only the name of the executable. Otherwise, specify
the complete path.
 When you specify PVWA, specify the full path of the web server
executable, e.g. c:\windows\system32\inetsrv\w3wp.exe.
/IpAddress When this parameter is specified, the credentials file will specify the IP
address of the current machine and will only authenticate the user to
the Vault from the current machine.
The Cyber-Ark Vault

Parameter Specifies
/OSUsername <Operating The name of the Operating System user who will be able to use this file.
System User name> Notes:
 On UNIX machines, specify only the username.
 On Windows machines, specify the username in
“domain_name\username” format.
 When the application is executed as a Windows service that uses
local system permissions, specify “nt authority\system”. The
quotation marks are required because of the space in “nt authority”.
/DisplayRestrictions When this parameter is specified, the generated credentials file will
specify all the restrictions in a readable manner. This will enable users
to understand the exact restrictions on the file.
Token Creates a user credential file with a key stored on a token.
/Username Sets the username in the credential file.
/Password The password that will be encrypted in the credential file.
/DLLpath Specifies the DLL file path used by the token device.
/PIN Specifies the PIN code required by the token device.
/ExternalAuth The type of external authentication that will be used to authenticate
users to the Vault.
Radius Creates a credential file for use with RADIUS server.
LDAP Creates a credential file for use with an LDAP directory.
No This credential file will not be used with either a Radius server or an
LDAP directory.
/InitToken Initializes the token device for use with Cyber-Ark password
authentication. This parameter must be specified the first time you use
a token device to store a Cyber-Ark password encryption key.
Notes:
the complete path.
executable.
The Cyber-Ark Vault

Parameter Specifies
PKI Creates a credential file based on a PKI certificate.
/CertIssuer Personal certificate issuer.
/CertSerial Personal certificate serial number.
/PIN Specifies the PIN code required to access the certificate.
This parameter is required if the certificate is stored on a Token.
Notes:
the complete path.
executable.
PROXY Creates a credential file based on PROXY authentication.
/ProxyUser The name of the Proxy user.
/ProxyPassword The password that will be decrypted in the credential file.
/ProxyAuth Domain The domain name of the Proxy user.
The Cyber-Ark Vault

Parameter Specifies
Notes:
the complete path.
executable.
/? Lists the available options.
The following instructions explain how to create a user credential file. The
examples used in these instructions run the utility from the EVD\Utilities folder,
and create a credential file called ‘user.cred’.
Note: The text typed by the user appears in bold.
Creating the User Credential File for Password Authentication

1. At the command line prompt, run the CreateCredFile.exe utility. You must
specify the username and password to the Vault. You can also specify whether
or not Radius authentication will be used.
C:\Program Files\CyberArk\EVD> createcredfile.exe EVDuser.cred password
/username EVDuser /password abcdef /radius
The above example shows that this credential file will be called ‘EVDuser.cred’,
and will contain an encrypted password for the Vault user called ‘EVDuser’. The
file can be used to log onto the file with Radius authentication.
If you do not specify the command parameters, username, password, and
radius, you are prompted for them now. An example of this appears in the
following example:
Vault Username [mandatory] ==> EVDuser
Vault Password (will be encrypted in credential file) ==> *******
Radius server will be used for authentication (yes/no) [y] ==> yes
The user’s credential file will now be created and saved in the current folder.
Command ended successfully
The Cyber-Ark Vault

Creating the User Credential File using a Token

The Vault supports logon with a password that has been encrypted by a key on a
USB token or a Smartcard. This password is stored in the user’s credential file, and
is decrypted by the external token for logon.
Any PKCS#11 token can be used for this type of authentication, as long as it meets
all of the following criteria:
 The token must be a hardware token.
 The token is accessible through the PKCS#11 interface.
 Access to the token is only possible after supplying a PIN.
 The token supports RSA with 1024 or 2048 bit key length.
 The token must be able to perform encryption and key generation in hardware.
These instructions are for creating a user credential file with a new external token.
1. Attach the token to the computer.
 If you are using a USB token, place the token in the USB port.
 If you are using a Smartcard, place the card in the Smartcard reader.
2. At the command line prompt, run the CreateCredFile.exe utility. You must
specify the username and password to the Vault, the full path of the PKCS#11
dll file that will encrypt the password, and the PIN that is required by the token
device. You can also specify
C:\Program Files\CyberArk\EVD> CreateCredFile.exe EVDuser.cred token
/username EVDuser /password asdf /dllpath i:\windows\system32\etpkcs11.dll
/pin 12341234
and will be created with a key that is stored on a token. ‘EVDuser’ is the user
who will be specified in the credential file, together with his password, asdf.
The dll path used by the token device is specified, as well as the PIN that is
required to access the token device.
If you have not specified the username, password, dll path and password, you
are prompted for it now.
Vault Username [mandatory] ==> EVDuser
Vault Password (will be encrypted in credential file) ==> ****
Path of Token dll [mandatory] ==> i:\windows\system32\etpkcs11.dll
Pin code required by the Token device ==> ********
Radius server will be used for authentication (yes/no) [optional] ==> no
Initialize the Token (yes/no) [optional] ==> no
3. To initialize the token, type yes,

or,
If the token has already been initialized with the CreateCredFile utility, type
no.
The user credential file is now created and saved in the current folder.
The Cyber-Ark Vault

Creating the User Credential File for PKI Authentication

The user can create a user credential file for logon with a PKI certificate. Before
creating the credential file, the authentication certificate must be imported into
the Microsoft Windows certificate store.
When using the Distribution and Collection Agent with PKI Authentication, the DCA
Service must use the windows account whose certificate store contains the
certificate that is used for authentication.
For more details, refer to Importing a Certificate for Authentication, page 66.
Note: A PIN to access a PKI certificate can only be used in a Windows 2000 environment or
higher.
 At the command line prompt, run the CreateCredFile.exe utility.
C:\Program Files\CyberArk\EVD> createcredfile.exe EVDuser.cred pki
createcredfile.exe Simon.cred pki /certissuer "CN=MyCompany_CA" /certserial
"1963f68d00000000017c" /pin 12341234
and will be created based on a PKI certificate. The certificate issuer for this
credential file is MyCompany_CA and the certificate detail serial number is
‘1963f68d00000000017c’. The PIN required to access this certificate is
‘12341234’.
If you do not specify the certificate issuer and serial number, the Select
Certificate window appears to enable you to select the PKI certificate that will
give the user access to the Vault.
Note: If a PIN is required to access the certificate, you must enter the PIN in the
command line.
 Select the PKI certificate to use, then click OK; the user’s credential file will
now be created and saved in the current folder.
The following message appears to confirm that the authentication file has been
created successfully.
For details about configuring the Vault and the user to work with PKI
authentication, refer to the PIM Suite Installation Guide.
The Cyber-Ark Vault

Importing a Certificate for Authentication

Authentication certificates can be used to authenticate to the Vault if the
certificate has been imported into the Microsoft Windows certificate store.
The certificate store is divided into several locations to limit accessibility (for
security reasons). The most common location for certificates is the “Current User”
location. When importing certificates into Microsoft Windows, this is the default
location into which the certificates are imported. The certificates in the “Current
User” location are only accessible to the user that is currently logged on. One user
will not be able to access certificates in another user’s “Current User” location.
Creating the User Credential File for Proxy Authentication

The Proxy user and password can be stored encrypted in a credentials file instead
of being specified in the Vault parameter file.
1. At the command line prompt, run the CreateCredFile.exe utility.
C:\Program Files\CyberArk\EVD> CreateCredFile.exe PUser.cred proxy /proxyuser
PUser /proxypassword abcd /ProxyAuthDomain MyCompany.com
The above example will create a file called ‘PUser.cred’ and will enable the
proxy user to log onto the Vault with proxy authentication. The credentials file
will contain an encrypted proxy password for the proxy user called PUser on a
proxy authentication domain called ‘MyCompany.com’.
If you do not specify the name and password of the proxy user, you will be
prompted for them. An example of this appears in the following example:
Proxy Username [mandatory] ==> PUser
Proxy Password (will be encrypted in credential file) ==> ****
Domain name of ProxyUser [optional] ==> MyCompany.com
The user’s credential file will now be created and saved in the current folder.
The Cyber-Ark Vault

Appendix B: Vault Parameter File 67
Appendix B: Vault Parameter File

The Vault parameter file, Vault.ini, contains all the information about the Vault.
This information specifies which Vault the ExportVaultData utility will access and
retrieve information from.
Parameter Description Default Value Acceptable
Values
Vault The name of the Vault. None String
Address The IP address of the Vault. None IP address
Port The Vault IP Port. 1858 Number
Timeout The number of seconds to wait for a Vault 30 Number
to respond to a command before a timeout
message is displayed.
NTAuthAgentName The name of the NT Authentication Agent. String (1-260
characters)
NTAuthAgentKey The name of the NT Authentication Key String
File File.
VaultDN The Distinguished Name of the Vault (PKI String
Authentication).
ProxyType The type of proxy through which the Vault None HTTP,
is accessed. HTTPS,
SOCKS4,
SOCKS5
ProxyAddress The proxy server IP address. This is None IP address
mandatory when using a proxy server.
ProxyPort The Proxy server IP Port. 8081 Number
ProxyUser User for Proxy server if NTLM None User name
authentication is required.
ProxyPassword The password for Proxy server if NTLM None Password
authentication is required.
ProxyAuthDomain The domain for the Proxy server if NTLM NT_DOMAIN_ Domain name
authentication is required. NAME
BehindFirewall Accessing the Vault via a Firewall. No Yes/No
UseOnlyHTTP1 Use only HTTP 1.0 protocol. Valid either No Yes/No
with proxy settings or with
BEHINDFIREWALL.
NumOfRecords The number of file records that require an 15 Number
PerSend acknowledgement from the Vault server
NumOfRecords The number of file records to transfer 15 Number
PerChunk together in a single TCP/IP send/receive
operation
ReconnectPeriod The number of seconds to wait before the 1 Number
sessions with the Vault is re-established.
EnhancedSSL Whether or not to use an enhanced SSL No Yes/No
based connection (port 443 is required).
PreAuthSecured Whether or not to enable a pre- No Yes/No
Session authentication secured session.
The Cyber-Ark Vault

Parameter Description Default Value Acceptable

Values
TrustSSC Whether or not to trust self-signed No Yes/No
certificates in pre-authentication secured
sessions.
AllowSSCFor3 Whether or not self-signed certificates are No Yes/No
PartyAuth allowed for 3rd party authentication (eg,
RADIUS).
CIFSGateway The name of the CIFS Gateway. String
HTTPGateway The URL of the HTTP Gateway. URL URL
Address Note: This parameter has been
deprecated.
The Cyber-Ark Vault

Appendix C: ITAlog Messages 69
Appendix C: ITAlog Messages

The following table lists and explains the codes and messages that are shared by
the System Log report and the User and Safe Activities report.
ITAlog ITAlog Message User Safe Comments
code Activity Activity
Log code Log code
ITATS023E Safe is closed 23 23 ITAlog message doesn’t appear
in Find actions.
ITATS433E IP Address <address> is 5 -
suspended for User <username>
ITATS008E User <username> can't be used 5 - No User activity log when using
from IP Address <address>. Master user.
ITATS467E User <username> failed to 18 -
impersonate User <username>
(code: <code1>, <code2>)
ITATS365E User <username> is not allowed 18 -
to impersonate User
<username>.
ITATS368E Cannot perform partial 18 -
impersonation of User
<username>. Impersonation
ticket is invalid.
ITATS364E User <username> is not 15 -
authorized to impersonate
another User
ITATS470E User <username> is unauthorized 284 -
to refresh Firewall Network
Areas
ITATS202E An invalid NT authentication 4 -
ticket was received from User
<username>, station: <station>
(Reason: <code>)
ITATS528E Authentication failure for User 4 -
<username> from station:
<station> (code: <code>)
ITATS560E PKI Authentication failure for 4 -
User <username> from station:
<station> (reason: <code>)
ITATS108E Authentication failure for User 4 - This may appear without a user
<username> (Code: <code>) log message, e.g. when the
problem is caused by a
communication error
ITATS539E RADIUS authentication failure 4 - This may occur without a user
for user <username>. (Diagnostic log message, e.g. when the
information: <code>, <code>) problem is caused by a
communication error
The Cyber-Ark Vault

Appendix D: Action Codes

The following table lists the action codes available in the User and Safe Activities
(LogList) report that can be exported to a SIEM solution using Syslog protocol.
 Alerts indicate that an unauthorized operation was performed, such as
performing a task without permission, authentication failure, etc.
Code Action Info1 Info2 Info3 File Alert Version
Categories
for Syslog
0 Delete Directory Map Username 
(map
name)
1 Delete Directory Map Username
(map
name)
2 Add External User Username
3 Get LDAP 
configuration data
4 User Authentication Network 
area
5 Unauthorized Station Network 
area
6 External Audit 
7 Logon Network Network
area area
8 Logoff Network
area
9 External Audit 
10 Update user station Username 
failed, not
authorized
11 Update Safe Share 
12 Update Safe Share 
13 Safe Access through 
Gateway
14 Safe Access through 
Gateway
15 Impersonation not by 
an agent
16 Update Your Trusted Username 
Network Areas
17 Add Safe 
18 Non authorized Username 
impersonation
19 Full Gateway Username
Connection
The Cyber-Ark Vault

Appendix D: Action Codes 71

Categories
for Syslog
20 Partial Gateway Username
Connection
21 Partial Gateway Username 
Connection
22 CPM Verify Password Filename Additional 
Info
23 Action On Closed Filename 
Safe
24 CPM Change Filename Additional 
Password Info
25 Open/Close Safe 
26 Open/Close Safe 
27 Open Safe 
(Unsecured Station)
28 Add/Update Owner Username 
31 CPM Reconcile Filename Additional 
Password Info
32 Add Owner Username
33 Update Owner Username
34 Rename Safe 
35 Rename Safe 
36 Confirm Open Safe Username
37 Confirm Get File Filename Username 
38 CPM Verify Password Filename Additional  
Info
39 Rename Safe
40 List Files Filename 
41 List Files Filename 
42 Retrieve File Filename  
43 Retrieve File Filename  
44 Store File Filename 
45 Store File Filename 
46 Delete File Filename 
47 Delete File Filename 
48 Add Note 
49 Add Note 
50 Store File Filename
51 Retrieve File Filename 
succeeded
The Cyber-Ark Vault


Categories
for Syslog
52 Delete File Filename
53 Get Notes
54 Get Notes
55 Find Files Filename 
56 Find Files Filename 
57 CPM Change Filename Additional  
Password Info
58 Clear User History
59 Clear Safe History
60 CPM Reconcile Filename Additional  
Password Info
61 Update Trusted Network
Network Areas area
62 Create File Version Filename
63 Rename User Username Username 
64 Rename User Username Username
65 Rename User Username Username 
66 Rename User Username Username
67 CPM Auto Detection Filename Additional 
Add Password Info
68 Update Trusted User Username
69 Add Location Location
70 Add Location Location 
71 Update Location Location
72 Update Location Location 
73 Delete Location Location
74 Delete Location Location 
75 Take Quota
Ownership
76 Take Quota 
Ownership
77 Take Quota 
Ownership
78 Rename/Move Location Location 
Location
79 Rename/Move Location Location
Location
80 Add External Group Username
(group)
81 Update Address Network
area
82 Clear User History Username 
The Cyber-Ark Vault


Categories
for Syslog
83 Clear User History Username
Update Password Info
85 Update Network Area Network 
area
86 Update Network Area Network
area
87 Update Address Network 
area
88 Set Password
89 Set Password 
90 Rename Network Network 
Area area
91 Rename Network Network
Area area
92 Move Network Area Network 
area
93 Move Network Area Network
area
94 Backup Safe
95 Restore Safe
96 Backup Safe 
97 Backup Safe 
98 Open File (Write Filename
Only)
99 Open File Filename
100 Open File Filename 
101 Open file Filename 
102 User Time Limit Network 
Restriction area
103 User Has Expired Network 
area
104 User Is Disabled Network 
area
105 Add File Category Filename Category
106 Update File Category Filename Category
107 Delete File Category Filename Category
108 Open Safe Request
109 Get File Request Filename 
110 Add Safe (More 
Secured Than
Station)
111 Delete Open Safe Username
Request
The Cyber-Ark Vault


Categories
for Syslog
112 Delete Get File Filename Username
Request
113 Cannot use station Network 
because time limits area
114 Last Required Username
Confirmation To
Open Safe Given
115 Last Required Filename Username
Confirmation To Get
File Given
116 Confirmation Status 
117 Confirmation Status 
118 Reject Open Safe Username
Request
119 Reject Get File Filename Username 
Request
120 Add automatic Location
location
121 Move File Filename
122 Undelete File Filename
123 Move File (Cont.) Filename
124 Rename File Filename
125 Rename File (Cont.) Filename
126 Unlock File Filename
127 Hide Open Safe Username
Request
128 Hide Get File Request Filename Username
Archive Password Info
130 CPM Disable Password Filename Additional  
Info
131 Update Safe (More 
Secured Than
Station)
132 Add Safe Event 
133 Add Safe Event 
134 Get Safe Events List 
135 Get Safe Events List 
136 CPM Release Filename Additional 
Password Info
137 CPM Release Filename Additional  
Password Failed Info
138 Rename Folder Filename
(folder)
The Cyber-Ark Vault


Categories
for Syslog
139 Move Folder Filename
(folder)
140 Rename Folder Filename
(Cont.) (folder)
141 Move Folder (Cont.) Filename
(folder)
142 Delete Safe 
143 Store Picture Username
144 Delete Picture Username
145 Delete Safe 
146 Update Safe 
147 Update Safe 
148 Delete Safe 
149 Delete Safe 
150 Restore Safe 
152 Add Folder 
153 Add Folder 
154 Delete Folder 
155 Delete Folder 
156 Backup Safe Network 
area
157 Get License 
Information
158 Move/Rename Folder 
159 Move/Rename Folder 
160 Move File Filename 
161 Move File Filename 
162 Undelete File Filename 
163 Undelete File Filename 
164 Rename File Filename 
165 Rename File Filename 
166 Unlock File Filename 
167 Unlock File Filename 
168 Clear Expired History 
169 Clear Expired History 
170 Delete Safe (Has 
Unexpired Files)
171 Update Picture Username 
172 Update Your Picture Username 
173 Add User 
The Cyber-Ark Vault


Categories
for Syslog
174 Update User Username 
175 Update Your User Username 
176 Delete User Username 
177 Delete Your User Username 
178 Get User's Details Username 
179 Get Your User's Username 
Details
180 Add User Username
181 Update Safe
182 Update User Username
183 Delete Safe
184 Delete User Username
185 Add Safe
186 Get UserDetails By 
Identifier
187 Add Folder Filename
(folder)
188 Delete Folder Filename
(folder)
189 Delete Folder (Has Filename 
Unexpired Files) (folder)
190 Lock As Draft Filename
191 Lock As Draft Filename 
192 Unlock Draft Filename
193 Unlock Draft Filename 
194 Backup Safe
195 Object content Filename
validated
196 Update Owners 
197 Update Owners 
198 Delete Folder (Has Filename 
Locked Files) (folder)
199 Object content Filename
invalidated
200 Monitoring old
backup files
201 Monitoring old
backup files
202 Deleting old backup
files
203 Deleting old backup
files
The Cyber-Ark Vault


Categories
for Syslog
204 Retrieve File (Wrong Filename 
Key)
205 Store File (Wrong Filename 
Key)
206 External Object Username 
Operation
207 Compress Safe 
208 Compress Safe 
209 Compress Safe
211 Update User Detailed Additional
Information Info
214 Add Directory Map Username 
LDAP Branch (map
name)
215 Update Directory Map Username 
LDAP Branch (map
name)
216 Delete Directory Map Username 
LDAP Branch (map
name)
217 Add Directory Map Username
LDAP Branch (map
name)
218 Update Directory Map Username
LDAP Branch (map
name)
219 Delete Directory Map Username
LDAP Branch (map
name)
221 Ownership Expired 
222 List Directory Map Username 
LDAP Branches (map
name)
224 Load metadata to
backup
229 Object content status Filename
pending
236 Metadata backup file
fetched
237 Rules List 
238 Rules List 
239 Update Directory Map Additional
Detailed Information Info
240 Release Gw Locks
241 Prepare Backup
Metadata
The Cyber-Ark Vault


Categories
for Syslog
243 Update user safe 
options failed
244 Update user safe 
options failed
246 LDAP Synchronization
247 LDAP Synchronization
248 Add Rule Filename 
249 Add Rule Filename 
250 Restore metadata Network 
area
251 Restore metadata Network
area
252 Update Directory Map Username
(map
name)
253 Update Directory Map Username 
(map
name)
254 Add Directory Map Username
(map
name)
255 Add Directory Map Username 
(map
name)
256 Update External User Username
257 Update External Username
Group (group)
259 Add/Update Group Username
(group)
260 Add/Update Group Username 
(group)
261 Add Group Member Username 
(group)
262 Delete Group Username 
Member (group)
263 Update Group Username 
(group)
264 Update Group Username
(group)
265 Add Group Member Username Username
(group)
266 Remove Group Username Username
Member (group)
267 Reorganize database
268 Reorganize database
The Cyber-Ark Vault


Categories
for Syslog
269 Delete Group Username 
(group)
270 Delete Group Username
(group)
271 List Group Members Username 
(group)
272 Delete Folder Filename 
(folder)
273 Remove Owner Username
276 Delete External User Username
277 Delete External Username
Group (group)
278 Add Rule Filename Username
279 Delete Rule Filename Username
280 Delete Rule Filename 
281 Delete Rule Filename 
284 Unauthorized 
Firewall Network
Areas refresh
285 Firewall Network
Areas refresh
286 Add Group Member - Username
Sync From Ldap (group)
287 Delete Group Username
Member - Sync From (group)
Ldap
288 Auto Clear Users
History start
289 Auto Clear Users
History end
290 Auto Clear Safes
History start
291 Auto Clear Safes
History end
292 Auto Download
Certificate
Revocation List Data
start
293 Auto Download
Certificate
Revocation List Data
end
294 Store password Filename 
295 Retrieve password Filename 
296 Open Safe
297 Rules List Filename 
The Cyber-Ark Vault


Categories
for Syslog
298 Rules List Filename 
300 PSM Connect Filename Additional 
Info
301 PSM Connect Failed Filename Additional  
Info
302 PSM Disconnect Filename Additional 
Info
303 PSM Disconnect Filename Additional  
Failed Info
304 PSM Upload Filename Additional 
Recording Info
305 Run Report
306 Use Password Filename  
307 Use Password Filename  
308 Use Password Filename 
309 Undefined User Logon Report 
Name
310 Monitor DR V5.50
Replication start
311 Monitor DR V5.50
Replication end
312 Monitor Backup V5.50
Replication start
313 Monitor Backup V5.50
Replication end
314 Reset Password User Username  V5.50
315 Reset Password Your Username  V5.50
User
316 Reset User Password Username Additional V5.50
Detailed Information Info
317 Reset User Password Username V5.50
318 Activate/Deactivate Username V5.50
Trusted Network
Areas
319 Retrieve password Filename  V5.50
(From Provider)
320 Retrieve password Filename   V5.50
(From Provider)
321 Add Report Definition V6.00
322 Edit Report Definition V6.00
323 Delete Report V6.00
Definition
324 Hide Report V6.00
325 Send Report V6.00
The Cyber-Ark Vault


Categories
for Syslog
326 CPM Auto Detection V6.00
Start Automatic
Detection
327 CPM Auto Detection V6.00
End Automatic
Detection
328 CPM Auto Detection Filename Additional  V6.00
Add Usage Info
Update Usage Info
Delete Usage Info
331 Add User By Username V6.00
Template
333 Add Privileged Filename Username  V6.00
Command
334 Add Privileged Filename Username Resource V6.00
Command
336 Delete Privileged Filename Username  V6.00
Command
337 Delete Privileged Filename Username Resource V6.00
Command
339 Add Privileged Policy Username  V6.00
Command Name
340 Add Privileged Policy Username Resource V6.00
Command Name
342 Delete Privileged Policy Username  V6.00
Command Name
343 Delete Privileged Policy Username Resource V6.00
Command Name
344 S Privileged command Filename Additional  V6.00
initiated Info
345 S Privileged command Filename Additional   V6.00
initiation failed Info
346 S Privileged command Filename Additional  V6.00
completed Info
347 S OPM failed to Filename Additional   V6.00
execute privileged Info
command
348 S PIMSu recording Filename Additional  V6.00
uploaded Info
349 Update Privileged Filename Username  V6.00
Command
350 Update Privileged Filename Username  V6.00
Command
351 Update Privileged Policy Username Resource V6.00
Command Name
The Cyber-Ark Vault


Categories
for Syslog
352 Update Privileged Policy Username  V6.00
Command Name
353 Update Privileged Policy Username  V6.00
Command Name
354 Update Privileged Policy Username Resource V6.00
Command Name
355 Monitor License Username V6.00
Expiration Date start
356 Monitor License Username V6.00
Expiration Date end
357 Monitor FW rules Username V6.00
start
358 Monitor FW Rules end Username V6.00
359 SQL command Username Safe File  V7.00

360 SQL Command audit Username Account Account   V7.10
failed Safe Object
361 Keystroke logging Username Safe File  V7.00
362 Keystroke logging Username Account Account   V7.10
audit failed Safe Object
363 Ownership not yet Username Safe  V7.00
active
364 LDAP Configuration Username V7.00
Refresh success
365 LDAP Configuration Username  V7.00
Refresh failed
366 Object content Username Safename File name  V6.00
validated failed
367 Update Email Username V7.00
Notifications
Configuration
368 Forget My Password Username Username Note V6.00
Requested
369 Forget My Password Username Username Note  V6.00
Requested
370 Forget My Password Username Username Note V6.00
Completed
371 Forget My Password Username Username Note  V6.00
Completed
372 Terminate Session Username Recordings Target  V7.10
Safe Session
File
373 Terminate Session Username Recordings Target   V7.10
Failed Safe Session
File
The Cyber-Ark Vault


Categories
for Syslog
374 Monitor Session Start Username Recordings Target  V7.10
Safe Session
File
375 Monitor Session Start Username Recordings Target   V7.10
Failed Safe Session
File
376 Monitor Session End Username Recordings Target  V7.10
Safe Session
File
377 Monitor Session End Username Recordings Target   V7.10
Failed Safe Session
File
378 PSM Secure Connect Username PSM Secure  V7.10
Session Start Internal Connect
Accounts Internal
Safe Account
Object
name
379 PSM Secure Connect Username PSM Secure   V7.10
Session Start Failed Internal Connect
Accounts Internal
Safe Account
Object
name
380 PSM Secure Connect Username PSM Secure  V7.10
Session End Internal Connect
Accounts Internal
Safe Account
Object
name
381 PSM Secure Connect Username PSM Secure   V7.10
Session End Failed Internal Connect
Accounts Internal
Safe Account
Object
name
The Cyber-Ark Vault

ExportVaultData Utility Implementation Guide PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ExportVaultData Utility Implementation Guide PDF

Încărcat de

Drepturi de autor:

Formate disponibile

ExportVaultData Utility

The Cyber-Ark Vault

What’s New in Version 7.1? ...............................................................5

The Cyber-Ark Vault

Requests List Report ................................................................................... 50

The Cyber-Ark Vault

What’s New in Version 7.1?

The Cyber-Ark Vault

Additional output fields

Support for Vault File Categories

The Cyber-Ark Vault

Exporting Data to Files

The Cyber-Ark Vault

Installing the ExportVaultData Utility

To Create the ExportVaultData Utility Environment

The Cyber-Ark Vault

The user requires the following Safe authorizations:

Upgrading the ExportVaultData Utility

To Upgrade the ExportVaultData Utility

The Cyber-Ark Vault

Using the ExportVaultData Utility

The Cyber-Ark Vault

Errors and Logs

The Cyber-Ark Vault

The Cyber-Ark Vault

Exporting Data to MSSQL Databases

The Cyber-Ark Vault

Microsoft SQL Server

Installing the ExportVaultData Utility

To Create the ExportVaultData Utility Environment

The Cyber-Ark Vault

3. Install the MSSQL database:

The Cyber-Ark Vault

Upgrading the ExportVaultData Utility

To Upgrade the ExportVaultData Utility

The Cyber-Ark Vault

Configuring the ExportVaultData Utility

Changing the Name of the MSSQL Database

Changing the Owner of the MSSQL Tables

Using the MSSQL Bulk Copy Utility

Synchronizing Times and Dates

The Cyber-Ark Vault

Using the ExportVaultData Utility

The Cyber-Ark Vault

The Cyber-Ark Vault

The Cyber-Ark Vault

Exporting Vault Data into an MSSQL Database

The Cyber-Ark Vault

The Cyber-Ark Vault

The Cyber-Ark Vault

The Cyber-Ark Vault

Text Type Values

TTextType TTextID TText

The Cyber-Ark Vault

TTextType TTextID TText

2 4 Network Area Administrators

2 8 User Templates Administrators

2 16 File Categories Administrators

2 128 Restore All

7 1 Require Full Impersonation

7 2 Require Partial Impersonation

7 4 Require LogonAs Impersonation

7 8 Require Authentication And Open