This topic describes how to create groups and add them to CyberArk Safes in order to streamline just-in-time vendor access and simplify user management. For details on just-in-time access, see Configure just-in-time vendor access.


A group is a collection of users who have the same authorizations. When you update the authorizations of a group, the authorizations of each member of the group are affected.

Remote Access uses VendorLDAP groups to give vendors the permissions they need to perform tasks in CyberArk. When you invite a vendor to register to Remote Access, specify the group that the vendor will be added to when they join. When users access CyberArk through Remote Access, CyberArk identifies these groups and makes them Safe members. All members receive the permissions defined for the group in the Safe.

You can add vendors to multiple groups when you create their invitation. For details, see Invite Vendors.

Create a Remote Access group


You can create VendorLDAP groups in the Remote Access web portal and in the CyberArk Mobile app. The information below is relevant for both options.

Create groups in Remote Access to streamline user permissions in CyberArk Safes.

  1. In the Remote Access menu, click Identities > Groups, then click Create group.

  2. Specify the group name and a short description, then click Create to add the new group to the Groups list with all the other VendorLDAP groups.

The Groups list displays all the VendorLDAP groups that you have created. For each group, the admin can perform the following actions:

  - Change the name and description of the group.

  - Delete the VendorLDAP group from the Groups list. Users in this group will not be able to access corresponding Safes in the PVWA.

Add a VendorLDAP group to a Safe

After you have created the VendorLDAP group in Remote Access, add each group as a member of the relevant Safe in CyberArk.

  1. Log on to the PVWA and go to Policies > Access control (Safes).

  2. Select the Safe to add the VendorLDAP group to, and click Members > Add Member.

  3. In the Add Safe Member window, in the Search In drop-down list, select VendorLDAP, then click Search to display a list of the Remote Access groups that you can add as a member of this Safe.

  4. Select the group to add as a Safe member, then select the authorizations that this group will have in the Safe.

  5. Click Add, and then Close. The Remote Access group now appears in the Members list for this Safe.