This topic describes how to invite Vendors to Remote Access.
Administrators, Vendor Managers, and external Vendors who have the relevant permissions, can invite vendors to Remote Access, providing them with just-in-time access to critical organizational applications and web apps.
There are a few different methods for creating, sending and accepting invitations. Incorporate invitation workflows that best suits your organization.
Click on each option to learn more:
The most direct way to invite a vendor is by filling out the invitation form in the Remote Access web portal or in the CyberArk Mobile app. This method can be used for creating ad-hoc invitations.
Go to Identities > Vendors, and click Invite vendors.
You can invite vendors from the Remote Access web portal or from the CyberArk Mobile app. The information below is relevant for both options.
Enter the general details for this vendor.
The name of the company that the vendor represents.
Vendor's first name.
Vendor's last name.
The vendor's email address in the company they represent.
Phone number to register
The phone number that the vendor entered when they registered for Remote Access.
Whether this vendor authenticates to Remote Access with an SMS code/phone call and a token received by email, instead of scanning the QR code with the CyberArk Mobile app.
For details about this sign in flow, see Join Remote Access using phone/text and email tokens.
Unique landline extension (if exists)
If you enabled the above option, you can add the user's unique landline extension for vendors who can only be identified via landline phone numbers.
Allows you to select the language of the invitation.
Default = English
Currently Japanese is supported.
This option is available only if the Language selector toggle is turned on in Settings. For details, see Set vendor invitations general settings.
Set the vendor activation policy and access time frame.
A time frame that limits this vendor's access to applications.
Some of the access time frame options might be limited according to restrictions set by the Admin or by the Vendor Manager.
Time zone - The time zone set for this access time frame. This setting should be set according to the location of this vendor.
From date - To date - Select the dates that this vendor can access applications. Start and end of day are determined by the selected time zone.
Allowed working days - Set the days of the week this vendor is allowed to access applications, within the selected access dates. For example, allow this vendor to access applications Mondays through Fridays, but not on Saturdays and Sundays.
Allowed working hours - Set the allowed hours during the day that this vendor is allowed to access applications, within the selected access dates and working days. For example, allow this vendor to access applications from 9:00 AM to 6:00 PM only.
Currently, allowed working hours and days can be edited from the Edit invite vendor form only.
Set the vendor delegation policy.
Whether this vendor can invite other vendors, providing them with external vendor manager rights. During the sub-vendor invitation process, this top-level vendor can choose a subset of their own time frame, applications, and groups for their invited vendors.
Whether the account activation for the sub-vendors invited by this external vendor manager, requires Admin or Vendor Manager confirmation, or is automatically activated after registration. For more information, see Confirm vendor sign-up.
Number of vendors to invite
Whether this external vendor manager can invite an unlimited number of sub-vendors, or is limited to a specific number.
This number applies to the number of sub-vendors who join Remote Access, not to the number of invitations that this vendor can send. It is displayed in the user's drop-down profile, as described in Invite Vendors.
Allows you to determine specific email domains this external vendor manager is allowed to send invitations to.
If a list of allowed email domains is already set in Identities settings, or is restricted for the Vendor Manager inviting this vendor, this toggle is automatically turned on, and you can remove or add domains from the authorized list only.
Determine the applications this vendor is allowed to access.
PAM orPrivilege Cloud applications that this vendor is allowed to access through Remote Access.
Allow access to CyberArk Identity web apps
Whether this vendor can access CyberArk Identity web apps.
This check box only appears if configured from the Settings - Identity SSO page.
Select the method that this vendor user is created and managed.
Remote Access will create and manage the user -
For vendor access to PAM - Self-Hosted applications, specify the name of the Vault user and the Remote Access VendorLDAP group that this vendor will belong to. For more information about VendorLDAP, see Manage groups.
To allow vendor access to specific CyberArk Identity web applications, select a predefined CyberArk Identity Role . You can select more than one Role.
Roles are created in the CyberArk Identity Admin portal to determine the access permissions to applications. For more information, see Create Roles.
Administer creates and manages the user - The Remote Access admin will create and manage the user for this vendor.
Select an invitation template and add comments.
Select custom invitation template
Choose a customized invitation to add to the vendor invitation.
Any comments you have about this vendor, including the purpose of this invitation. This is optional.