Assign users to roles and manage roles

This topic describes how to manage role membership in the Identity Administration to control authorization to features and services.

Users can access a specific CyberArk service only if they are assigned to a role with access permissions to that service. Built-in roles are available per service to define the access levels for each user in that service. Roles can be assigned to a group of users or to a single user.

Roles are the most efficient way to assign access rights to multiple users, enforce adaptive MFA, and deploy applications. All users should belong to at least one role.

See the list of predefined roles and Identity Security Platform user roles.

About the Everybody role

By default, all new users are added to the Everybody role. Members of the Everybody role are automatically granted permission to access the Shared Services User Portal. Make sure the Everybody role allows user access to the Shared Services User Portal at all times. This allows users to access the Shared Services User Portal, open assigned applications and enroll mobile devices.

Before you begin

Check the following:

  • You must be assigned to the System Administrator role or to a role with the Role Management administrative right. You can only create roles and assign users to roles if you have the appropriate rights.

  • The CyberArk Identity Connector is installed and the AD users and groups are integrated into Identity Administration. See Deploy the CyberArk Identity Connector to add Active Directory users. This prerequisite enables:

    • domain users to log in to the User Portal using their domain credentials

    • adding domain users to roles

Add members to an existing role

The following procedure describes how to add members to existing roles.

You can also create a new role, and then add users to it. See Create a new role.

To assign users to a role

  1. In the Identity Administration, click Roles.
  2. Select the role from the list of available roles. See the built-in roles defined per CyberArk service.
  3. Click Members, then click Add to display the Add Members dialog box.
  4. Start typing the user name, Active Directory/LDAP group name, or an existing role.

    For CyberArk Cloud Directory users, you can also search by email domain suffix.

    Entries matching the string you type are displayed.

  5. Select the check box associated with the user, group, or role you want to add, then click Add.

    You must select a universal or security group. Local or distribution groups are not supported.

    If you are using Active Directory/LDAP as an identity store, all of the matching user accounts and groups in the Users container that can be seen in the domain or forest are displayed.

    After you add an Active Directory/LDAP user or group to a role, the name is shown on the Users page only after the user logs in to the User Portal or enrolls a device.

  6. Click Save.

Remove members from a role

When you remove users or Active Directory/LDAP groups from a role, any administrative rights or applications assigned to that role will no longer apply to those users. For example, if you have assigned the Box application to the role ABC, then users removed from that role will no longer have SSO access to Box.

To remove a role member

  1. In the Identity Administration, click Core Services > Roles.
  2. Click the role.
  3. Click Members.
  4. Click the check box for each member you want to remove.

    The Add button is replaced by an Actions button.

  5. From the Actions drop-down menu, click Delete.
  6. Click Save.

Assign domain users or groups to the System Administrator role

It is a best practice to secure your default administrator account by using your own personal account to administer Identity Administration. Assigning domain users or groups to the System Administrator role allows you to log in to Identity Administration with domain credentials. This also allows you to centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP, Google Workspace, or create users in the CyberArk Directory.

To assign domain users or groups to a role

  1. Log in to the Identity Administration using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the relevant domain user(s) and/or group(s) to which you want to grant administrative rights in Identity Administration.

    The domain user should NOT match your Active Directory user name.

  6. Click Add.

    The Add Members page closes.

  7. Click Save.

    You can now log in with your domain credentials to the Identity Administration.

Change a user's role

To change a user's role, follow the steps above for Assign users to roles and manage roles, and assign the required user(s) to a new role.

When switching to a new role, the user's new permissions will take effect within a few minutes:

  • For users who are already logged in, up to 15 minutes

  • After re-login, up to 3 minutes

Create a new role

You can create roles that are based on the service-specific roles described in Identity Security Platform user roles.

Role names are case-sensitive in Identity Security Platform. Make sure to create unique role names, and do not create two roles with the same name, where one is capitalized and the other is not (for example, admin and Admin).

To create a new role:

  1. Go to Core Services > Roles, then click Add Role.

  2. On the Description tab, complete the available fields and options:

    • Enter a unique name for the role.

    • Enter a description for the role's purpose.

    • Select an organization from the drop-down menu.

    • Role Type: select a role type. Static roles require you to manually add members. Dynamic roles evaluate membership based on object attributes. You can create this logic with JavaScript.

  3. Click Members, then add members to the role.

    The steps to add members to a role are different depending on the type of role.

    For a static role:

    Click Add to add members to the role.

    You can add CyberArk Cloud Directory users and external directory service users.

    For a dynamic role:

    1. Enter JavaScript in the Custom Logic box to add objects to the role based on attribute values, then click Save.

      You can use attributes from either AD or CyberArk Cloud Directory. Examples of attributes that you could use include co, Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or Country attribute (CyberArk Cloud Directory).

      The following example shows the sample script that checks for the country code stored for a user.

      if(User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              // Accessor assumed from the trace message above (the original was lost in extraction)
              if(User.Properties.co == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('property: co not found');
          }
      } else if(User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if(User.Properties.Properties['country_'] == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('additional attribute: Country not found');
          }
      }
      return false;
    2. Click Test User, then search for the user that you want to add to the role and click Next.

      A window displays indicating whether or not the user would be a member based on your custom logic.

  4. Click Administrative Rights, then add appropriate administrative rights.

  5. Click Assigned Applications, then assign applications to role members.

    Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

  6. Click Save to finish creating the role.
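The dynamic-role sample above tests a single attribute. The following added example (not CyberArk's sample script, and not part of this page) generalizes it to membership that requires both Department and Title to match, for AD and cloud directory users, and shows why the sample wraps attribute access in try/catch: a missing attribute must fail closed rather than abort the script. It assumes the object shape used in the sample (User.UserType of 'AD' or 'CUS', User.Properties.<attribute> for AD, User.Properties.Properties['<name>_'] for cloud users); the cloud attribute names department_ and title_ are assumptions, and trace() is stubbed so the file runs in Node.

```javascript
// Added example: dynamic-role logic requiring BOTH Department and Title to match.
// Assumed shapes (from the page's sample script): User.UserType 'AD' or 'CUS',
// User.Properties.<adAttr> for AD users, User.Properties.Properties['<name>_']
// for cloud users. 'department_' and 'title_' are assumed cloud attribute names;
// trace() is CyberArk's logging hook, stubbed here so this runs stand-alone.
const ALLOWED_DEPARTMENT = 'security operations';
const ALLOWED_TITLES = new Set(['soc analyst', 'incident responder']);

function trace(message) { /* CyberArk records this; no-op in this example */ }

// Read one attribute for either directory type; undefined means "not present".
// Like the sample, a missing attribute is caught and simply grants nothing.
function getAttribute(User, adName, cloudName) {
  try {
    if (User.UserType === 'AD') return User.Properties[adName];
    if (User.UserType === 'CUS') return User.Properties.Properties[cloudName];
  } catch (error) {
    trace('attribute not found: ' + adName + ' / ' + cloudName);
  }
  return undefined;
}

// Case-insensitive, whitespace-tolerant comparison of directory values.
function normalize(value) {
  return typeof value === 'string' ? value.trim().toLowerCase() : '';
}

// The body of this function is what would go in the Custom Logic box.
// Deny by default: unknown directory type or missing attribute => not a member.
function isMember(User) {
  const department = normalize(getAttribute(User, 'department', 'department_'));
  const title = normalize(getAttribute(User, 'title', 'title_'));
  if (department !== ALLOWED_DEPARTMENT) { trace('department mismatch'); return false; }
  if (!ALLOWED_TITLES.has(title)) { trace('title mismatch'); return false; }
  return true;
}

// Constructed sample users covering each path (not real directory data).
const SAMPLE_USERS = {
  adAnalyst:   { UserType: 'AD',  Properties: { department: 'Security Operations', title: 'SOC Analyst' } },
  cloudIr:     { UserType: 'CUS', Properties: { Properties: { department_: 'security operations', title_: 'Incident Responder ' } } },
  adNoTitle:   { UserType: 'AD',  Properties: { department: 'Security Operations' } },
  cloudBroken: { UserType: 'CUS' },  // Properties missing: exercises the catch path
  otherDept:   { UserType: 'AD',  Properties: { department: 'Finance', title: 'SOC Analyst' } },
};
```

Before saving such logic in a tenant, run it against representative users with Test User as described in the procedure above, including one user who lacks the attribute, to confirm the deny-by-default path.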