CyberArk – Push and Pull Methods

The “push” and “pull” methods in CyberArk are primarily used for managing service accounts. However, they are not exclusive to service accounts and can be used to control various other types of accounts. Here are some examples:

1. Local and Domain Accounts: These include regular user accounts on individual systems or accounts in a larger network domain. 

2. Privileged Accounts: These accounts with special permissions provide higher-level access to systems and sensitive data. This category includes system administrators, root accounts, and others with elevated privileges.

3. Application Accounts: These are accounts applications or scripts use to access databases or other resources. 

4. Embedded Accounts: These are hardcoded accounts in applications, scripts, configuration files, or other places. 

5. Social Media Accounts: These are accounts on various social media platforms that CyberArk can also manage.

6. Cloud Accounts: These are associated with cloud-based resources, like those found in AWS, Azure, Google Cloud, etc.

The “push” and “pull” methods are primarily related to how the passwords for these accounts are managed:

  • The “push” method involves CyberArk’s Central Policy Manager (CPM) updating the passwords directly on the target systems. 
  • The “pull” method involves applications or systems retrieving or “pulling” the passwords from the CyberArk vault when needed.

The method will often depend on the system’s requirements, the tolerance for password update latency, and whether or not the application can retrieve passwords directly from the CyberArk vault.



PUSH – This mechanism is a part of CyberArk’s initial features, where it utilizes its Central Policy Manager (CPM) to communicate with and update passwords on targeted machines. This method effectively manages several service accounts, including Windows Scheduled Tasks, Windows Services, text files, registry files, and IIS app users.

A couple of things to remember about this method:

  • Limitations and Risks: There can be a maximum of 100 “usages” (instances where the managed account is used) per a single managed account. The process of the CPM reaching out to every target machine to update the passwords is somewhat time-consuming. It handles around three devices simultaneously, so there’s a delay before every device gets updated. This delay can lead to the risk of accounts getting locked or services failing if they require immediate password changes.
  • Best Uses: Given potential delays and risks, the “push” method is best used for non-critical service accounts or ones that can handle a slower password update.

PULL – This alternative mechanism to “push” involves the applications pulling the passwords directly from the CyberArk vault. This feature is grouped under “AIM” (Application Identity Management).

Essential aspects of this method:

  • Application Requirements: This method works best with specific business systems, custom applications, or applications capable of getting passwords using SOAP calls that have been built to interact with the CyberArk vault.
  • Licenses and Implementations: This feature generally requires a separate license for each device needing the passwords. You can install a CyberArk service on these devices to directly communicate with the vault or implement code to query the CCP (Central Credential Provider) for a password when the service needs it.

Advantages: The significant benefit here is that each service operates independently, meaning they can all be updated concurrently. This method is faster and more efficient, particularly for critical services that require immediate password updates.

Finally, Logon and Reconcile Accounts:

  • Reconcile Accounts: These are used in the “push” method when you need to change the actual password, but the account itself cannot change its password.
  • Logon Accounts: If you need to update the new password on a specific service (like a Windows Scheduled Task), but the account lacks permissions to log into the system and do so, you need a logon account.

In simpler terms, these two types of accounts act as helpers in scenarios where the original account can’t complete a required task on its own.



When dealing with service accounts, IIS, SQL, and AD accounts, both the “push” and “pull” methods can be utilized based on the specific needs and use cases. Here’s a typical guideline:

1. Service Accounts: Push and pull methods can be employed depending on how critical the service is. If the service can tolerate some latency in password change (not too critical), the “push” model can be used. However, if the service needs immediate password updates and operates independently, the “pull” method would be better.

2. IIS (Internet Information Services): An IIS application pool can run using a specific service account identity. The identity’s credentials (username and password) are stored in the applicationHost.config file. CyberArk can manage this using the “push” model. However, if the application can be modified to fetch credentials from CyberArk, you can use the “pull” method with AIM.

3. SQL Server Accounts: Both methods can be used based on the specific scenario. If the SQL Server can tolerate some delay and no custom coding is possible to fetch passwords, the “push” model is a good choice. For applications that have been designed to fetch the credentials from CyberArk directly (or can be modified), the “pull” method with AIM can be used.

4. Active Directory (AD) Accounts: Typically, the “push” method is used for managing AD accounts. CyberArk’s CPM can change the passwords for AD accounts by connecting to the domain controller. If an application uses the AD account and can fetch credentials from CyberArk, you could also use the “pull” method.

The choice between the “push” and “pull” methods will largely depend on the system’s requirements, the latency tolerance, the independence of services, and whether the application code can be modified to fetch credentials from CyberArk. It’s important to analyze these factors before deciding which method to use.