Delegate Vendor Manager role

This topic describes how Remote Access administrators can delegate the Vendor Manager role to company users for inviting external vendor managers and vendors.


Remote Access administrators can delegate permission rights to an internal company employee to manage external vendors. As an administrator, you can determine the level of control that the Vendor Manager has for inviting vendors, including to which vendor groups they can invite, within which timeframe, and for which applications.

Delegate Vendor Manager permissions

A Vendor Manager is a company user who has permissions to invite external vendor managers and vendors.

  1. As an administrator, go to the Users page. Click in the user account row, and select Delegate vendor manager permissions.

  2. Set the following:


    Description can

    Vendor access timeframe

    A timeframe that limits the amount of time that this Vendor Manager can invite vendors.

    Allowed applications

    A list of applications (PAM - Self-Hosted or CyberArk Identity web apps) that this Vendor Manager can invite vendors to access through Remote Access.

    User provisioning

    Select the method in which the Vendor user is created and managed.

    • Remote Access creates and manages the Vault user - For vendor access to PAM - Self-Hosted applications, enter the specific groups from which Vendors can be invited, or select all groups. You can also create a new group.

    • Admin creates and manages the Vault user - The Remote Access admin creates and manages the Vault user for invited vendors, who are then automatically authenticated to the PVWA.

      Enter the username that the Vendor Manager will use for invited vendors. This username is used for all their invited vendors.

      For more information about vendor groups, see Configure just-in-time vendor access.

    • For Vendor access to CyberArk Identity web apps, select the predefined CyberArk Identity Role , which determines the relevant access to specific applications in your organization. You can select more than one Role.

    Allowed email domains

    Allows you to determine specific email domains this Vendor Manager is allowed to send invitations to.

    If a list of allowed email domains is already set in Identities settings, this toggle is automatically turned on, and you can remove or add domains only from the authorized list.

    The allowed domains list applies to external vendor managers invited by this Vendor Manager as well. For example, if the domains list is restricted to, external vendor managers invited by this Vendor Manager are allowed to invite vendors with the email domain only.

    Account activation

    Whether the invited vendor account is activated automatically, or needs to be activated manually by the admin or Vendor Manager after registration.


    Whether this Vendor Manager can delegate to their invited vendors permissions to invite other vendors. When this setting is on, invited vendors who are delegated these permissions, can choose a subset of their own time frame, applications, and groups.

  3. Click Delegate permissions. The Vendor Manager receives a notification on their CyberArk Mobile app.

  4. Go to Identities > Users page. In the account row, click and select Activate.

    The invited user is now promoted to Vendor Manager.

The Vendor Manager can now begin inviting vendors. For more information, see Invite Vendors.