PAS Reporter Quick Start Guide

- PAS Reporter v0.60 -

Contents
1 Using PAS Reporter ......................................................................................................................... 2
1.1 Manual mode .......................................................................................................................... 2
1.2 Integrated Mode ..................................................................................................................... 4
1.3 Automatic Mode...................................................................................................................... 7
1.3.1 Example scheduled task configuration ............................................................................ 8
2 FAQ .................................................................................................................................................. 9
1 Using PAS Reporter

The PAS Reporter can generally be used in three modes; “Manual mode”, “Integrated mode” and
“Automatic mode”. In the manual mode, Export Vault Data (EVD) export CSV-files and supported
configuration and logfiles can be dragged and dropped into the tool for generating the reports.

In the integrated mode, the EVD exports and the supported configuration files can be retrieved with
the EVD and PACLI integrations from the Vault.

The automatic mode is basically the integrated mode, but the exporting and reports generation
actions are triggered via command line parameters. This allows running the tool as scheduled task for
instance.

1.1 Manual mode

In the manual mode, you can drag and drop supported EVD exports and configuration files in the
according sections of the tool. The supported EVD exports and configuration files are described in the
FAQ section in this guide.

You can find example scripts in the “evd” folder of the tool for retrieving the EVD exports and
configuration files from the Vault. The configuration files can also be retrieved from the Vault using
the PrivateArk Client. Please note, that this requires specific permissions on the relevant safes in the
Vault. The required permissions are described in the FAQ section in this guide.

Once the EVD exports and configuration files were added, the reports can be generated. Please note,
that the tool can provide the most information if all supported EVD exports and all supported
configuration files were added.

Figure 1: EVD export CSV-files are added to the tool

PAS Reporter v0.60 – Quick Start Guide 2

Figure 2: Supported configuration files or logfiles are added to the tool

Once supported files were added, the files can be processed by clicking the “Process Files” button.

Figure 3: The manually added EVD exports and configurations files are getting processed

Figure 4: Reports data can be seen if the reports generation as successful

PAS Reporter v0.60 – Quick Start Guide 3

1.2 Integrated Mode

The integrated mode allows retrieving EVD exports as well as supported configuration files from the
Vault with the tool’s EVD and PACLI integrations.

Therefore, the tool needs to be configured through the settings menu of the tool.

Figure 5: Click on the “Settings & Help” button to open the settings menu

Figure 6: Set the Vault IP, and select credentials files for PACLI and EVD

PAS Reporter v0.60 – Quick Start Guide 4

Figure 7: Save the settings by clicking on the “Save” button

Once the settings were applied, the EVD exports and the supported configuration files can be
retrieved from the Vault by clicking on the according buttons in the tool.

Figure 8: By clicking on “Retrieve EVD exports”, the tool tries retrieving the EVD export from the Vault

Figure 9: By clicking on “Retrieve config files”, the tools tries retrieving configuration files via PACLI

PAS Reporter v0.60 – Quick Start Guide 5

During the EVD exports and the configuration files retrieval procedures via PACLI, you can check the logs
section if the operations are carried out successfully.

Figure 10: The “Log output“ section provides information about the status of the retrieval procedures

Once the EVD exports and configuration files were successfully retrieved, the reports can be generated by
clicking on the “Process files” button.

Figure 11: The EVD exports and configurations files are getting processed

Figure 12: Once the files were successfully processed, reports can be seen in the according report sections

PAS Reporter v0.60 – Quick Start Guide 6

1.3 Automatic Mode

The automatic mode is basically the integrated mode, but the exporting and reports generation
actions are triggered automatically via command line parameters. This allows running the tool as
scheduled task for instance.

Please note, that EVD exports are creating load on the Vault. Therefore, it can be an idea to run the
tool only once per day outside of business hours for instance.

In order to run the tool in automatic mode, it needs to be configured as described in the Integrated
Mode section in this guide.

You can then run the PAS Reporter.exe with the “/?” parameter in order to see the automatic mode
parameter options as well as according examples.

Figure 13: Run PAS Reporter with the /? parameter to open the automation help window

Figure 14: See available automation parameters and examples in the automation help window

PAS Reporter v0.60 – Quick Start Guide 7

1.3.1 Example scheduled task configuration

Figure 15: PAS Reporter folder

Figure 16: Scheduled task configuration

Figure 17: Check the PAS Reporter automatic mode log

PAS Reporter v0.60 – Quick Start Guide 8

2 FAQ

Is this tool supported or maintained by CyberArk?

This is a community tool which does not come with any support or maintenance. Please refer to the
"CyberArk Marketplace Terms of Use" for further information.

If you want to support the idea of PAS Reporter becoming a supported tool, you might want to take a
look at the following enhancement request: https://cyberark-customers.force.com/s/enhancement-
request-detail?id=0872J000000kCluQAE

Can I open a support case at CyberArk with regards to this tool (e. g. when I have an issue or a
question about the tool)?

CyberArk support cases with regards to this tool will not be handled since this is a non-supported
community tool. Questions, feedback, or other matters regarding this tool can be discussed in the
CyberArk Customer Community for instance.

Will this tool experience further development?

This tool will not experience further development. We recommend the officially supported CyberArk
Telemetry tool for reporting and keeping track of your project's success and outcomes.

Is the information which the tool generates accurate?

The tool was developed with the ambition to provide accurate and helpful information and insights.
However, there is no guarantee that the information which the tool generates is accurate.

On which data sources does the tool rely on?

The tool analyzes Export Vault Data (EVD) exports as well as various configuration files, Vault trace
logs, and information retrieved via REST API.

How can I use this tool?

Generally, there are three options:

1) Retrieve EVD export CSV files as well as supported configuration files from the Vault and add them
to the tool. This can be achieved via dragging and dropping the EVD export CSV files as well as the
supported configuration files to the according sections of the tool.

2) Retrieval of the EVD exports and supported configuration files through the EVD and PACLI
integrations of the tool. The authentication for EVD and PACLI needs to happen via credential files for
the according EPV users.

3) Run the tool in automatic mode (e. g. as scheduled task)

PAS Reporter v0.60 – Quick Start Guide 9

What are the system requirements for this tool?

The tool requires a Windows 64-Bit OS with .NET Framework 4.5.2 or higher.
The recommended hardware specifications are:
• Dual-Core CPU @2.0 GHz
• 16 GB of RAM
• 300 MB disk space for the tool itself + additional disk space depending on the amount of
retrieved and generated data
• Screen with Full HD resolution (1.920 x 1.080) or higher
o Users with high resolution screens (e. g. 4K or Ultrawide resolutions) will benefit since
charts will scale in accordance to the screen resolutions
o Particularly users with screen resolutions lower than Full HD resolution (1.920 x 1.080)
might need to open charts in a new window sometimes to see all details

Where does the tool store the generated data?

The tool stores the generated data in the tool's SQLite database files (PASReporter.db &
VaultTraces.db) in the data folder of the tool.

Which permissions or authorization are required to retrieve the desired information from the
Vault?

For the retrieval of supported configuration files via PACLI, the user which is used for the retrieval
needs sufficient permissions on the according safes. By default, those safes usually are:

Safe Permissions Comments

PasswordManagerShared • List Files Contains the platform policy files
• Retrieve Files
PVWAConfig • List Files Contains the Policies.xml file
• Retrieve Files
PasswordManager_Pending • List Files Contains the pending accounts
System • List Files Contains the DBParm.ini file, the
• Retrieve Files License.xml file, and the Italog.log file
• Update/Store Files*

* Please note: Depending on the PAS version and other possible factors, it can be that the
“Update/Store Files” permissions will be required in addition to the "List Files" and "Retrieve Files"
permissions on the System safe.

In order to retrieve all EVD exports that are supported from this tool, an EPV user requires the "Audit
Users" Vault authorization. Furthermore, the EVD export user can be added to the built-in CyberArk
"Auditors" group which usually has sufficient permissions on the relevant safes. However, this might
differ depending various factors such as the CyberArk PAS version, configurations in your
environment, and other possible factors.

Furthermore, please always check the official CyberArk EVD documentation in order to ensure, that
the EVD export user is configured with least privileges.

Please note, that Vault trace files cannot be retrieved via EVD or PACLI. Please see the “Where can I
find the Vault trace files which can be processed with this tool?” in the FAQ section.

PAS Reporter v0.60 – Quick Start Guide 10

Can I export data from this tool?

Yes, please make a right click on any data grid or chart that you would like to export. There will
appear a context menu with according exporting options (e. g. export to Excel, CSV, or PNG).

Furthermore, you can export the generated data from this tool to a SQL-commands file. This can
allow you to import data from this tool into other SQL database system. This can be configured in the
“SQL Export Settings” of the tool.

Additionally, the PAS Reporter data can also be bulk-exported to CSV files. This can be configured in
the “CSV Export Settings” of the tool.

PAS Reporter v0.60 – Quick Start Guide 11

Furthermore, there are summary reports available that allow exporting numerous charts and KPIs in
a structured document (PDF, DOCX, XLSX, HTML).

The summary reports can be found in the “Reports” section of the tool.

The reports can also be automatically sent via email. Please also see “How can I automatically send
reports via email?” in this guide.

Some of the reports also offer an automated obfuscation of the data. This can be useful if there is
sensitive information in the reports which is not supposed to be shared.

PAS Reporter v0.60 – Quick Start Guide 12

Can I run several instances of the tool?

You can run several instances of the tool. Therefore, you can make copies of the entire tool (not only
the executable of the tool) and run copies of the tool simultaneously.

It is not possible to run several instances of the same PAS Reporter executable (let's say for example
on "D:\PAS Reporter\PAS Reporter.exe"). The reason is that running several instances of the same
PAS Reporter executable can cause issues with e. g. simultaneous write access operations to the
tool's SQLite database.

You can run for example "D:\PAS Reporter\PAS Reporter.exe" and "F:\PAS Reporter\PAS
Reporter.exe" simultaneously since both copies of the tool will have their dedicated SQLite databases
and run dedicated processes.

Do I need to use the tool in order to retrieve the EVD exports and the configuration files from the
Vault?

No, you do not need to use this tool to retrieve the EVD exports or the configuration files. You can
also retrieve the configuration files manually from the according safes in the Vault.

You can also find script examples in the "evd" folder of this tool for retrieving the EVD exports and
the configuration from the Vault. Once the files were retrieved, you can drag and drop them into the
tool.

How does the tool import EVD exports and configuration files into its SQLite database?

If the files and information are retrieved via the built-in EVD and PACLI integrations of the tool, the
EVD exports are retrieved as CSV files from the Vault in a subfolder of the "data" folder of the tool.
The configurations files are also retrieved on a subfolder of the "data" folder of the tool.

Once the EVD export CSV files were retrieved, they are automatically imported into the tool's SQLite
database by using "sqlite3.exe" utility for further processing.

The configuration files are getting processed during the data processing procedure of the tool and
the processed information is then stored in the tool's SQLite database.

How can I see which information the tool has stored and analyzed?

The information which the tool has generated is stored in the tool's SQLite database files. The
generated information is automatically loaded from the database and illustrated in the tool's user
interface when the tool was started. There are also tools available that allow you opening and
exploring the tool's SQLite database.

The EVD export CSV files and the configuration files which were retrieved through this tool, are
stored in according subfolders of the "data" folder of this tool. Furthermore, you can see table data
information from the tool's local SQLite database in the SQL export settings section and the
transaction management section of this tool.

PAS Reporter v0.60 – Quick Start Guide 13

Which EVD exports can be analyzed with the tool?

The tool supports the following 9 EVD exports:

• Master Policy export
• Files list export
• Safes list export
• Object properties export
• User list export
• Group list export
• Group members export
• Owner list export
• Log activities export

The tool will show according messages if un-supported EVD exports are added.

Which configuration files and logfiles can be analyzed with the tool?

The tool currently supports the following files:

• Platform policy ini-files

• The Policies.xml file.
• The License.xml file
• The DBParm.ini files
• Vault trace logfiles
• Vault Italog logfile

Additionally, the following information can be retrieved via REST API through the tool’s REST API
integrations:

• Additional platform policies information (e. g. whether or not a platform is active)

• Installed component versions
• OPM policy rules

Which EVD exports cannot be analyzed individually?

The following EVD exports are dependent on each other for the data processing procedure of the
tool and can only be analyzed together:

• Files list export

• Safes list export
• Object properties export
• User list export
• Group list export
• Group members export
• Owner list export

The tool will show according messages if dependent reports are missing.

PAS Reporter v0.60 – Quick Start Guide 14

Which EVD exports can be analyzed individually?

The following EVD exports can be analyzed individually:

• Master Policy export

• Log activities export

How can I get the maximum information from the tool?

The tool can generate the most information if all supported EVD exports and all supported
configuration files and logfiles were added and analyzed. Furthermore, the REST API integration of
the tool should be used so that information can be retrieved that is (exclusively) available via the
REST API.

How can I create credential files for EVD and PACLI?

Please refer to the official CyberArk documentation: https://docs.cyberark.com/Product-

Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/CreateCredFile-Utility.htm
Should I use separate credential files with individual EPV users to retrieve information from the
Vault?

It is recommended to use separate credential files with individual EPV users that have the least
privileges for retrieving the desired information.

Do I need to run this tool with administrative privileges (e. g. local Administrator on Windows)?

Generally, this tool was designed to run without administrative privileges. However, this might differ
depending on your system, its configuration, and other factors.

Where can I find the logs from the tool?

You can find the logs from the tool in the "logs" folder. Logfiles will be automatically created if
logging to files was enabled in the tool's settings.

Why does the tool sometimes need to convert EVD exports?

The tool uses a SQLite database. This database only supports the ISO 8601 DateTime format. EVD
exports that were generated on a system which does not have this DateTime format set, need to be
converted so that the data can be imported in the SQLite database of this tool.

EVD exports that are generated through this tool do not need to be converted since the exports will
automatically be generated with the ISO 8601 DateTime format.
How does the integrated EVD from this tool generate exports with the ISO 8601 DateTime format?

The EVD executable (ExportVaultData.exe) is run in a so-called culture context that uses the ISO 8601
format as DateTime pattern. As a result, the EVD exports are generated with the ISO 8601 DateTime
format.

PAS Reporter v0.60 – Quick Start Guide 15

How can I delete the generated data from the tool?

The tool stores the generated data in the tool's SQLite database files in the data folder. You can
delete the database files (PASReporter.db & VaultTraces.db) or delete the entire data folder for
instance.

On some charts I cannot see the labels or the legend. What can I do?

The labels or legends from charts can "disappear" if your screen resolution is low (e. g. smaller than
1.920 x 1.080) or if the labels or legends contain long strings. In those cases, you can make a right
click on the chart and select the "Open in new window" option. This will open the chart in a new
window which can also be resized as desired.

What can I do to improve the performance of the tool?

Please make sure that there is enough free memory available for the tool. For data writing
procedures (e. g. importing data in the tool's SQLite database), fast disk drives (e. g. SSDs) can
improve the performance. It has also been observed, that the tool runs in many cases faster on
physical hardware - compared to virtual machines with similar specifications.

Why are the executables of this tool not signed by CyberArk?

The executables of this tool are not signed by CyberArk because this tool a is a non-supported
community tool.

Which information is needed in order to create the license capacity report?

In order to create the license capacity report, the License.xml file as well as the "Users" EVD export
and its dependent EVD exports need to be added and processed.

Please note, that the accuracy of the license capacity report highly depends on having complete EVD
exports. For instance, if the "Users" EVD export is not complete (e. g. users are missing in the export),
the accuracy of the license capacity report is negatively impacted. In any case, the accuracy of the
license capacity report from this tool cannot be guaranteed and the report should not be considered
as an adequate "equivalent" for the native license capacity report.

PAS Reporter v0.60 – Quick Start Guide 16

Where can I find the Vault trace files which can be processed with this tool?

The Vault traces files can usually be found in the “Logs” folder of the CyberArk Vault installation.
For instance: “<Drive>:\Program Files (x86)\PrivateArk\Server\Logs”

The trace files usually have the following filenames:

• Trace.d0
• Trace.d1
• Trace.d2
• Trace.d3
• Trace.d4
• Arc-<DateTimeStamp> (for archived trace files)

Archived Vault traces files can be found in the “Archive” folder (a subfolder of the “Logs” folder).
Example archived trace filename: Arc-20191216-085206.log.

Logic container trace files are not supported and usually end with (“.LC.log”) in their filename.

I have added Vault trace files to the tool but they are not getting recognized, what can I do?

Please check if the trace files have been generated with a Vault debug setting that includes

PE(1),PERF(1,2)

Supported trace files are structured like in the following example:

Can I retrieve Vault trace files via PACLI or EVD?

There is no out-of-the box capability for retrieving Vault trace files via PACLI or EVD from the Vault.
Pleas also see “Where can I find the Vault trace files which can be processed with this tool?” for
further information.

PAS Reporter v0.60 – Quick Start Guide 17

Where can I add Vault trace files to the tool?

The Vault trace file can be added to the grid to which configuration and log files can be added:

Once valid trace files where added, the files can be processed by clicking on “Process Files”:

Where is the data from the “Transaction Management” section stored?

The data from the Transaction Management section is stored in the SQLite database file
“VaultTraces.db” in the data folder of the tool.

Why is the data from “Transaction Management” section stored in a separate SQLite database file?

This is mainly due to technical reasons, in particular because of performance considerations. There
can be millions of Vault transactions and storing those in a dedicated database file comes with some
benefits that improve the performance and UI responsiveness.

How can I delete the data from the “Transaction Management” section?

You can simply delete the “VaultTraces.db” SQLite database file in the data folder of the tool.

PAS Reporter v0.60 – Quick Start Guide 18

How can I get the user list export (non-EVD) which I can use as an option for the user type
determination for Vault transactions (transaction management section)?

You can create the user list export (non-EVD) using the PrivateArk Client.

➔ Select “Users List”

➔ Select “Report Output” tab and choose an export folder

Created users list output file (example):

Add the file to the tool along with Vault trace files:

PAS Reporter v0.60 – Quick Start Guide 19

How are the user types determined in the Vault transaction section?

The user types in the Vault transaction management section are determined based on the user type
detection regex settings that can be configuration in the tool.

If the EVD users export or the non-EVD user list (from the PrivateArk client) have been processed
with the tool, the user types will be determined from the EVD users export or the non-EVD user list
data in the first step and in the second step through the regular expression settings if the user type
could not be determined from the EVD users export or user list data.

If both, the EVD users export as well as the non-EVD user list (from the PrivateArk client) were added
to the tool, the non-EVD user list takes precedence over the EVD users export.

Can I use the users list export (non-EVD) for generating the license capacity report?

The license capacity report in the tool cannot be generated with the non-EVD users list export from
the PrivateArk client.

The main reason is that the non-EVD users list export from the PrivateArk client does not contain the
user type IDs of the users. These user type IDs are matched against the user type IDs in the
License.xml file which is a more accurate approach for determining the license consumption.

The user type IDs are included in the EVD users list export but not in the non-EVD users list export
from the PrivateArk client.

Please also see “Which information is needed in order to create the license capacity report?” for
further information.

After downloading or copying the tool I cannot start the “PAS Reporter.exe” file. I have double-
clicked the executable but nothing appears to happen. In the Windows event logs, I am seeing
errors such us “[…] App failed with error: This app can't be activated by the Built-in Administrator.
See the Microsoft-Windows-TWinUI/Operational log for additional information […]”. What can I do
about that?

You can check if the “PAS Reporter.exe” is blocked.

Please always make sure that downloaded and copied files are scanned with an AV solution and
reach out to your administrator and security team regarding security matters.

PAS Reporter v0.60 – Quick Start Guide 20

When trying to retrieve files via PACLI from the System safe, the following error occurs: “Error:
ITATS044E You are unauthorized to store object in Safe System.” What can I do?

Depending on the CyberArk PAS version and other possible factors, it can be that the “Update Files”
permission will be required in addition to the "List Files" and "Retrieve Files" permissions in order to
retrieve files from the System safe.

How does the tool generate the pending accounts report?

Since the pending accounts information is not in the EVD data, the tool retrieves the pending
accounts information via PACLI. You can configure the tool to retrieve the pending accounts
information in the settings.

Do I need to run the tool using the integrated mode to generate the pending accounts report?

The pending accounts report can be generated via the integrated mode as well as via the manual
mode. For the manual mode, you can run a script to generate the pending accounts list. You can then
drag and drop the retrieved pending accounts list into the tool and process the data to generate the
pending accounts report.

You can find a script to retrieve then pending accounts list in the “evd” folder of the tool (script
name: “02 Retrieve configuration files.cmd”).

Where can I find the pending accounts report in the tool?

The pending accounts report can be found in the “Account Management” section in the “Pending
Accounts View” tab:

PAS Reporter v0.60 – Quick Start Guide 21

How can I use the REST API integration of the tool?

In order to use the REST API, the URL of the PVWA or load balancer URL can be configured in the
“REST API Settings” section of the tool.

All authentication methods that are currently available via REST API can be used.

If the PAS Reporter is run automatically (e. g. via a scheduled task), it can be an idea to automate the
authentication via REST API through retrieving the user’s credentials via AAM or PACLI.

Please note, that for some authentication methods (e. g. RADIUS), non-interactive authentication is
not possible. These authentication methods are not supported for the automated mode.

If interactive authentication is required, the tool will automatically show an according authentication
dialog.

Figure 18: REST API authentication dialog

PAS Reporter v0.60 – Quick Start Guide 22

How can I automatically send reports via email?

In order to automatically send reports via email, the SMTP settings can be configured in the “Report
Settings” section of the tool.

If SMTP authentication is required, the authentication can be automated via credentials retrieval via
AAM or PACLI.

Furthermore, the sending of emails can be tested via the “Save & send test email” button.

PAS Reporter v0.60 – Quick Start Guide 23

Once the SMTP settings were configured and tested successfully, email jobs can be added via the
“Add email job” button.

In the email job the report can be chose, the file format (PDF, DOCX, XLSX, HTML), and the desired
recipients.

Furthermore, the email job can be configured to be sent only on specific weekdays and only once per
day. After the configuration, the report will be added to the email jobs list.

PAS Reporter v0.60 – Quick Start Guide 24