# CyberArk Privilege Cloud MCP for AI Agents

> CyberArk Privilege Cloud connects your AI agents directly to your enterprise vaulting systems. You can audit secure safes, check out vaulted account passwords with mandatory justification, monitor user activity, and terminate active privileged sessions—all through natural conversation.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** privileged-access-management, vaulting, password-management, session-monitoring, zero-trust, audit-logs

## Description

This MCP lets your agent take full control of identity security without forcing you into complex consoles. Need to verify who has access to the domain controller? Your agent lists internal users and LDAP-mapped groups instantly. Curious if a service account needs rotation? Check its status or get detailed properties using `get_account`. For incident response, you don't need SSH keys; your agent can pull the clear-text password directly from the Vault with an auditable reason attached. It also handles session control—if something looks suspicious mid-session, it forces termination instantly. By connecting this MCP through Vinkius, you give your AI client a single pane of glass to manage critical privileged access and maintain strict compliance.

## Tools

### add_account
Automatically provision a new privileged service account into the Vault Safe after mapping it to its specific platform ID.

### delete_account
Remove a retired or decommissioned privileged account from the CyberArk Vault, stopping any failed rotation attempts.

### get_account
Fetch detailed property data for an existing vaulted credential before making changes or interacting with it.

### get_safe
Retrieve metadata and specific details about a designated Privileged Access Manager (PAM) Safe container.

### list_accounts
Search and retrieve high-sensitivity credentials, including Root or Administrator accounts, along with their current rotational status and allocated Safe.

### list_groups
List all user groups in the CyberArk Vault to verify how access permissions are structured across your organization.

### list_safes
Get a list of every secure Safe container used in the system, identifying where critical tier-0 credentials reside.

### list_users
Identify all human or service accounts that consume privileged sessions across local and synchronized directories.

### retrieve_password
Pull the actual, clear-text password for a specific account. This action requires a mandatory justification reason and triggers full auditing.

### terminate_session
Forcefully cut an active privileged session (PSM/PSMP) immediately when required as part of an incident response procedure.

## Prompt Examples

**Prompt:** 
```
What are all the service accounts for my web servers?
```

**Response:** 
```
**Vault Account Report: Web Servers**

*   Root-Web01 (ID: 902): Status **Active**. Last rotated: Yesterday. Safe: Linux-Servers.
*   ServiceUser-DB (ID: 456): Status **Requires Attention**. Rotation due in 7 days. Safe: Database Vault.

Need me to check the access permissions for these accounts?
```

**Prompt:** 
```
I need the root password for the staging database right now.
```

**Response:** 
```
Password retrieved successfully! For Root-Staging (ID: 123), the clear-text password is: `********`.

⚠️ **ACTION LOGGED:** This retrieval was triggered by you. Justification provided: 'Urgent patch deployment on staging environment'. Would you like me to check-in this account now?
```

**Prompt:** 
```
Who are the people with administrator rights in the finance department?
```

**Response:** 
```
Based on user and group listings, these users have admin access: 

1.  **John Doe:** Member of 'Finance_Admins' Group.
2.  **Jane Smith:** Direct Admin Role (ID: 789).
3.  **SystemGroup-Audit:** System service account with read-only admin rights.
```

## Capabilities

### Audit Vault Contents
List all secure Safes or search for specific accounts to understand the overall structure of your vaulting environment.

### View User & Group Permissions
Check which users, groups, and administrators have access to different parts of the system, verifying role-based access controls (RBAC).

### Retrieve Credentials on Demand
Pull actual vaulted passwords for specific accounts. This action is highly audited and requires a mandatory justification reason.

### Control Active Sessions
Instantly terminate an active privileged session when suspicious activity or unauthorized actions are detected during an incident response scenario.

### Manage Account Lifecycle
Provision new service accounts into the vault, or delete retired accounts to ensure proper credential management and cleanup.

## Use Cases

### Investigating a Suspected Breach
A SOC analyst suspects an account is compromised. Instead of logging into the console, they ask their agent to `terminate_session` for the suspect connection and then run `list_accounts` to see which accounts were recently accessed.

### Quarterly Compliance Audit
An auditor needs proof that only authorized teams access specific root credentials. They ask their agent to `list_groups` followed by checking Safe details using `get_safe` to verify group membership against policy.

### Emergency System Maintenance
The DBA finds a critical service account password missing. They use their agent to `retrieve_password`, providing the required justification ('Emergency DB patch'), and securely get the credential instantly.

### Service Account Cleanup
An IT Admin decommissioned an application. Instead of manually deleting credentials, they instruct the agent to use `delete_account` on the old service account ID, ensuring the Vault cleans up properly.

## Benefits

- Instant Incident Response: Don't rely on manual checks during an incident. Your agent can `terminate_session` instantly upon detecting suspicious activity.
- Zero-Touch Auditing: Quickly list all secure Safes using `list_safes` to locate critical credentials without navigating multiple security consoles.
- Compliance Visibility: Use `list_users` and `list_groups` to verify current RBAC rules across the entire directory structure, making audits faster than ever.
- Controlled Credential Access: Pulling a password via `retrieve_password` forces an auditable justification reason into the log, ensuring compliance even when emergency access is needed.
- Simplified Onboarding: Instead of manual console work, use `add_account` to provision new service credentials with minimal clicks and maximum automation.

## How It Works

The bottom line is you manage your entire privileged access infrastructure conversationally through your preferred AI client.

1. You subscribe to this MCP in Vinkius, providing your CyberArk Subdomain and Bearer access token.
2. Your AI client connects using the provided credentials, giving it read/write control over specific vaulting functions.
3. You interact with the system using natural language prompts; the agent executes the required action and returns structured data.
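
One way to constrain the read/write control described in step 2, shown as an added example that is not Vinkius or CyberArk code: a gate placed between the AI client and the MCP that decides, per proposed tool call, whether to forward it and whether a human must confirm first. Only the ten tool names come from this page; the tiers, the `reason` argument name, the minimum reason length and the two agent profiles are assumptions of this example.

```python
from dataclasses import dataclass

# Tool names are the ten listed on this page; the three tiers are this
# example's own grouping, derived from the tool descriptions.
READ_ONLY = {"get_account", "get_safe", "list_accounts", "list_groups",
             "list_safes", "list_users"}
SECRET_RELEASE = {"retrieve_password"}
STATE_CHANGING = {"add_account", "delete_account", "terminate_session"}

MIN_REASON_LEN = 15  # assumed local policy, not a CyberArk setting


@dataclass(frozen=True)
class Decision:
    allow: bool        # may the call be forwarded at all?
    needs_human: bool  # must a person confirm before it is forwarded?
    why: str


def gate(tool: str, args: dict, allowed: frozenset) -> Decision:
    """Decide whether an agent's proposed tool call may be forwarded."""
    if tool not in READ_ONLY | SECRET_RELEASE | STATE_CHANGING:
        return Decision(False, False, "unknown tool")
    if tool not in allowed:
        return Decision(False, False, "tool not granted to this agent profile")
    if tool in READ_ONLY:
        return Decision(True, False, "read-only")
    if tool in SECRET_RELEASE:
        # "reason" is a hypothetical argument name for the justification.
        reason = str(args.get("reason", "")).strip()
        if len(reason) < MIN_REASON_LEN:
            return Decision(False, False, "justification missing or too short")
        return Decision(True, True, "releases a clear-text secret")
    return Decision(True, True, "changes vault or session state")


# Constructed least-privilege profiles: an auditor never needs a write tool,
# a responder needs session termination but not password retrieval.
AUDITOR = frozenset(READ_ONLY)
RESPONDER = frozenset(READ_ONLY | {"terminate_session"})
```
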

## Frequently Asked Questions

**How do I audit who can access my critical accounts using CyberArk Privilege Cloud MCP?**
You list all users and groups to verify the RBAC structure. This lets you see exactly which roles have permissions to certain safes, ensuring compliance before any changes are made.

**Can I use CyberArk Privilege Cloud MCP for AI Agents during an active security incident?**
Yes. The most critical function is session control; your agent can forcibly terminate suspicious connections instantly when a threat is detected, drastically reducing response time.

**What if I need to check out a password for emergency use via the MCP?**
The system handles this with mandatory controls. When you request a password using CyberArk Privilege Cloud MCP for AI Agents, you must provide a justification reason that is logged instantly.

**Does this tool help me manage service accounts and their rotation schedules?**
Yes. You can list all privileged accounts to check rotational status or use the MCP to onboard new credentials via `add_account`, ensuring automated lifecycle management.

**What is the difference between listing safes and listing users with CyberArk Privilege Cloud MCP?**
Listing safes shows you the physical containers where secrets are kept. Listing users tells you which human or service accounts have access to those containers in the first place.