Ability to RBAC Orchestrator CyberArk Credential Stores with Modern Folders

Most enterprises require that automation have standards and controls in place to govern the use and management of credentials. For our organization, digital workers need to be governed by a privileged access manager (PAM) and for us that’s CyberArk.

Currently, there isn’t a way at a tenant level to be able to permission which Modern Folders and the automations within them can use which tenant-level credential store.

As a tenant administrator, I need to be able to permission which Modern Folder(s) have access to which credential store, so that I can ensure that credential stores are only used by those who should have access to use them.

What is the scenario here? The credential stores as designed, are not a security feature, and permissions in the folder apply to all objects of the same type (all assets, all queues, etc). If some users don’t have access to specific assets (no matter where they are stored), they should not be on that folder at all, or their permissions should be changed as needed.

@Ovidiu_Constantin, thanks for the question.

The scenario here is that Credential Stores, in particular ones that leverage a PAM like CyberArk (not referring to the Orchestrator credential store), are by their very nature role-based access. The assumption should be that whenever a CyberArk credential is being created within Orchestrator, it should by default have a “zero trust” mindset, meaning at the time those credential stores are created, NO automations should be able to use those CyberArk credential store.

The tenant admin can then intentionally permission which Modern Folder or Folders to have access to a particular CyberArk credential store with the assumption that anyone that’s been RBAC’ed to that Modern Folder (top-level parent) should have permission to use any CyberArk credential store that’s been permitted by the tenant admin.

Then as the developer, you only get to add CyberArk credential stores to automations that are within the Modern Folders that those developers have permissions to.

Again, this is ONLY for CyberArk credential stores at the tenant level, and the enhancement I’m looking for is to ensure that we maintain privileged access management to those credentials and which automations can then use those credentials.

Thank you for the details. I’m pushing the feedback to our product management software and we’ll take it from there, to be planned for future releases.