CyberArk - Safes

CyberArk gives you the flexibility to organize accounts according to individual organizational requirements, and store them in different Safes.

By organizing accounts in different Safes, you can limit access to them. For example, an organization might decide to organize its accounts according to departments, and would then create a Safe for each department where all the accounts for that department would be stored. Using this scenario, only the administrator of the Windows accounts would have access to the Windows accounts Safe, while only the administrator of the Unix accounts would have access to the Unix accounts Safe.

In addition, only authorized users have access to the accounts. As authorizations for each Safe member are given separately, some users will only have access to view an account, while others will have access to modify its properties. For more information, see Safe Members.

Throughout the entire account management procedure, the account benefits from all the security and tracking features of the CyberArk Vault.

Authorized users can add Safes in CyberArk and modify their properties, as well as manage Safe members and their authorizations.

Add Safes in the PVWA

Authorized users can add Safes through the PVWA. The Safes page displays a list of all the Safes they own, and where they can create new Safes.


Users require the following authorization in the Vault:



Add Safes

Enables the user to add Safes.

Users who do not have the Add Safe authorization can view the Safes page with either of the following authorizations:



Manage Safe

Enables the user to view the Safes page and manage the properties of existing Safes.

Manage Safe Members

Enables the user to view the Safes page and manage Safe members’ authorizations.

Safes that are created in the PVWA are based on properties specified in a Safe template. For more information about creating Safe templates, refer to Safes.

Add a new Safe
  1. In POLICIES, click Access Control (Safes) to display the list of Safes.

  2. Click Add Safe; the Add Safe page appears.

    Add Safe

  3. Specify the name of the Safe and a description, if required.

  4. To control access to accounts in the Safe, regardless of user authorizations in the Safe, select Enable Object Level Access Control. For more information, refer to Object Level Access Control.

  5. Specify password version management for the Safe, as follows:

    • Save previous password versions – Determines the number of password versions of every password that is stored in the Safe. These versions will be saved in the Safe indefinitely until they are replaced by a newer version.

    • Save password versions for a time period – Determines the number of days that password versions are saved in the Safe.

  6. You can display the saved password versions in the Versions tab of the Account Details page. By default, the last five password versions are stored. For more information, refer to Passwords.

  7. Click Save; the Safe will be created in the Vault and the Safe Details page appears.


    Reports Safes and PSM Recording Safes are created automatically with the Auto-purge is enabled setting, which means that files in these Safes will automatically be purged after the Object History Retention Period defined in the Safe properties. In addition, these Safes cannot be managed by the CPM.

    The Members tab displays the Owners of the Safe and their authorizations in the Safe. By default, all predefined users and groups are hidden. To display them, clear Hide predefined users and groups.

    For more information about Safe members’ authorizations, refer to Safe Members.

Update Safe properties in the PVWA

Safes that are created in the PVWA are based on properties specified in a Safe Template. Users who have the Manage Safe permission in the Safe can modify some of the Safe properties that can be updated in the PVWA. Other properties can be changed in the PrivateArk Administrative Client.

For more information about the properties specified in Safe templates, refer to Safes.

Update Safe properties
  1. In the Safes list, select the Safe to update, then click Edit Safe; the Edit Safe page appears.

  2. Modify the Safe properties, then click Save; the updated Safe properties are saved.

Manage Safes

Rename a Safe

Users who have the Add Safes permission in the Vault can rename a Safe.

  1. In the Safes list, select the Safe to rename, then click Edit Safe; the Edit Safe page appears.

  2. Click Show advanced section, then specify the new Safe name.

    Manage Safe

  3. Click Save; the updated Safe name is saved.

Delete a Safe

If you are sure that the contents of a Safe are no longer needed and the Safe can be deleted, it can be deleted by users who have the Manage Safes permission in the Vault.


A deleted Safe cannot be recoverd, so make sure that you will not need any passwords or files that are stored in it.

1.Display the Safe Details page for the Safe to delete, then click Delete Safe; the following message appears.

Delete Safe

2.Click OK to delete the Safe and all its contents,


Click Cancel to return to the Safe Details page without deleting the Safe.

Keywords:CyberArk, PAM, vault, safes   Doc ID:110937
Owner:Peter V.Group:Office of Cybersecurity
Created:2021-05-20 15:23 CDTUpdated:2021-05-20 15:29 CDT
Sites:Office of Cybersecurity
Feedback:  0   0