CyberArk PAM-DEF Exam Questions
CyberArk Defender - PAM (Page 5)

Updated On: 8-May-2026

The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability).

  A. TRUE
  B. FALSE

Answer(s): A

Explanation:

The primary purpose of exclusive accounts is to ensure non-repudiation (individual accountability). Exclusive accounts are accounts that can only be used by one user at a time, and are locked during usage. This means that no other user can access the same account until the current user releases it or the session expires. By using exclusive accounts, the organization can enforce individual accountability and traceability for the actions performed on the target systems. Exclusive accounts also reduce the risk of credential theft and unauthorized access, as the passwords are changed every time they are retrieved by a user. Exclusive accounts can be configured in the Master Policy under the Password Management section, by enabling the Exclusive Access rule.


Reference:

1: The Master Policy, One Time Password subsection
2: The Master Policy, Exclusive Access subsection



You have associated a logon account to one of your UNIX root accounts in the vault.
When attempting to change the root account's password, the CPM will...

  A. Log in to the system as root, then change root's password
  B. Log in to the system as the logon account, then change root's password
  C. Log in to the system as the logon account, run the su command to log in as root, and then change root's password
  D. None of these

Answer(s): C

Explanation:

When attempting to change the root account's password, the CPM will log in to the system as the logon account, run the su command to log in as root, and then change root's password. This is because the logon account is used to initiate sessions to machines that do not permit direct logon, such as Unix systems that restrict root access.
When a logon account is associated with a privileged account, it will be used to log onto the remote machine and then elevate itself to the role of the privileged user. As different types of machines might have different logon prompts or elevation commands, the CPM can use the AutoLogonSequenceWithLogonAccount parameter to define the logon process and the elevation to the privileged account. This parameter contains regular expression prompts and responses that define the logon process and subsequent activities. The regular expressions can include dynamic values that the CPM reads from the account properties, user parameters, or client-specific parameters. For example, the following is a possible AutoLogonSequenceWithLogonAccount parameter for a Unix platform:



This parameter instructs the CPM to log in to the system as the logon account, enter the logon password, run the su - command to switch to the root user, enter the logon password again, run the change command to change the root password, exit the root session, and exit the logon session.
The other options are not correct, as follows:
A. Log in to the system as root, then change root's password. This option is not possible, because the root account cannot be used for direct logon. The logon account is associated with the root account to enable the CPM to access the system and change the password.
B. Log in to the system as the logon account, then change root's password. This option is not effective, because the logon account does not have the permission to change the root's password. The logon account needs to elevate itself to the root user by using the su command before changing the password.
D. None of these. This option is not valid, because there is a correct answer among the choices.


Reference:

1: Logon Accounts for SSH and Telnet Connections



It is possible to restrict the time of day, or day of week, that a verify process can occur.

  A. TRUE
  B. FALSE

Answer(s): A

Explanation:

It is possible to restrict the time of day, or day of week, that a verify process can occur by using the Verify Time Window parameter in the Platform Management page. This parameter allows the administrator to define a time window for each platform, during which the verify process can be performed. The verify process will not run outside of this time window unless it is manually initiated by the administrator. This feature can help reduce the load on the target systems and the network during peak hours.


Reference:

[Defender PAM Course], Module 4: Managing Accounts, Lesson 2: Account Verification, Slide 8: Verify Time Window
[Defender PAM Documentation], Version 12.3, Administration Guide, Chapter 4: Managing Platforms, Section: Verify Time Window



Which of the following can be configured in the Master Policy? Choose all that apply.

  A. Dual Control
  B. One Time Passwords
  C. Exclusive Passwords
  D. Password Reconciliation
  E. Ticketing Integration
  F. Required Properties
  G. Custom Connection Components
  H. Password Aging Rules

Answer(s): A,B,C,H

Explanation:

The Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance-driven rules that are defined as the baseline for the enterprise. The Master Policy includes the following main concepts [1]:
Basic policy rules: These rules allow the administrator to define specific aspects of privileged account management, such as privileged access workflows, password management, session monitoring and auditing.
Advanced policy rules: Some basic policy rules have related advanced settings that provide more granular control over the policy enforcement.
Exceptions: These are policy rules that differ from the overall Master Policy for a specific scope of accounts, such as accounts associated with a specific platform.
The Master Policy rules are divided into four sections [2]:
Privileged Access Workflows: These rules define how the organization manages access to privileged accounts, such as requiring dual control, one-time passwords, exclusive passwords, transparent connections, reason for access, etc.
Password Management: These rules determine how passwords are managed, such as requiring password change, password verification, password reconciliation, ticketing integration, required properties, custom connection components, etc.
Session Management: These rules determine whether or not privileged sessions are recorded and how they are monitored, such as requiring session isolation, session recording, session audit, etc.
Audit: This rule determines how Safe audits are retained, such as specifying the audit retention period.

Based on the above information, the following options can be configured in the Master Policy:
A. Dual Control: This is a basic policy rule in the Privileged Access Workflows section that determines whether users need to get approval from authorized users before accessing a privileged account.
B. One Time Passwords: This is a basic policy rule in the Privileged Access Workflows section that determines whether users can only use a password once before it is changed.
C. Exclusive Passwords: This is a basic policy rule in the Privileged Access Workflows section that determines whether users need to check out a password and prevent other users from accessing it until it is checked in.
H. Password Aging Rules: This is a basic policy rule in the Password Management section that determines how often passwords need to be changed.
The following options cannot be configured in the Master Policy:
D. Password Reconciliation: This is not a policy rule, but a process that restores the password of a privileged account to the value that is stored in the Vault, in case it is changed or out of sync.
E. Ticketing Integration: This is not a policy rule, but a feature that enables the integration of the Vault with external ticketing systems, such as ServiceNow, Jira, etc.
F. Required Properties: This is not a policy rule, but a platform setting that determines which properties are mandatory for adding accounts to a platform.
G. Custom Connection Components: This is not a policy rule, but a platform setting that determines which connection components are used to connect to target systems, such as PVWA, PSM, PSMP, etc.


Reference:

1: The Master Policy
2: Master Policy Rules
3: Password Reconciliation
4: Ticketing Integration
5: Required Properties
6: Custom Connection Components



If a password is changed manually on a server, bypassing the CPM, how would you configure the account so that the CPM could resume management automatically?

  A. Configure the Provider to change the password to match the Vault's password
  B. Associate a reconcile account and configure the platform to reconcile automatically
  C. Associate a logon account and configure the platform to reconcile automatically
  D. Run the correct auto detection process to rediscover the password

Answer(s): B

Explanation:

A reconcile account is a privileged account that has the permission to reset the password of another account on the target system. By associating a reconcile account with the account that has been changed manually, the CPM can use the reconcile account to restore the password of the account to the value that is stored in the Vault, in case it is changed or out of sync. This process is called password reconciliation and it ensures that the passwords are synchronized and available for use. To configure the account so that the CPM can resume management automatically, the platform that the account belongs to must have the following parameters set [1]:

RCAutomaticReconcileWhenUnsynched: This parameter determines whether passwords will be reconciled automatically after the CPM detects a password on a remote machine that is not synchronized with its corresponding password in the Vault. The acceptable values are Yes or No.
RCReconcileReasons: This parameter determines the codes that represent the CPM plugin errors that will launch a reconciliation process. The acceptable values are plug-in return codes separated by a comma.
RCFromHour, RCToHour: These parameters determine the time frame in hours during which the CPM can reconcile passwords, either manually or automatically. The acceptable values are 0-23, or -1 for none.
RCExecutionDays: This parameter determines the days of the week when the CPM will reconcile passwords. The acceptable values are days of the week, separated by commas.


Reference:

1: Password Reconciliation



What is the maximum number of levels of authorization you can set up in Dual Control?

  A. 1
  B. 2
  C. 3
  D. 4

Answer(s): B

Explanation:

Dual Control is a feature that allows you to set up a workflow for approving access requests to sensitive accounts. You can configure up to two levels of authorization for each account, meaning that you need up to two different authorizers to approve the request before the user can access the account. The authorizers can be either users or groups, and they can have different approval methods, such as email, SMS, or CyberArk interface.


Reference:

[Defender PAM] course, Module 5: Privileged Session Management, Lesson 5.2: Dual Control
[Defender PAM Sample Items Study Guide], Question 31
[CyberArk Documentation], Dual Control



As long as you are a member of the Vault Admins group you can grant any permission on any safe.

  A. TRUE
  B. FALSE

Answer(s): B

Explanation:

The Vault Admins group is a predefined group that is automatically created during the installation or upgrade of the Vault. This group has all possible permissions in the Vault, and can create and manage other users, groups, platforms, policies, safes, and accounts. However, this group is not automatically added to every safe in the Vault, but only to some system safes that are used for administrative purposes. Therefore, being a member of the Vault Admins group does not guarantee that you can grant any permission on any safe, unless you are also a member or an owner of that safe. To grant permissions on a safe, you need to have the Authorize safe members authorization on that safe, which allows you to add or remove users or groups as safe members, and assign or revoke their authorizations. Alternatively, you can use the Administrator user, which is a predefined user that is a member of the Vault Admins group, and has all possible permissions on any safe in the Vault.


Reference:

Predefined users and groups
Safe member authorizations



In accordance with best practice, SSH access is denied for root accounts on UNIX/Linux systems.
What is the BEST way to allow the CPM to manage root accounts?

  A. Create a privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Reconcile account of the target server's root account.
  B. Create a non-privileged account on the target server. Allow this account the ability to SSH directly from the CPM machine. Configure this account as the Logon account of the target server's root account.
  C. Configure the Unix system to allow SSH logins.
  D. Configure the CPM to allow SSH logins.

Answer(s): B

Explanation:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Using-Logon-Accounts-for-SSH-and-Telnet-Connections.htm?Highlight=logon%20account


