Account administrator

This topic introduces the Account administrator, who creates sets, users, and roles, and also configures the account.

Supported browsers


The EPM management console is only supported on Windows machines.

The EPM management console is supported on the following browsers:

  • Google Chrome

  • Microsoft Edge Chromium


In Tools > Internet options > Security > Custom level, enable the following options:

  • Run ActiveX controls and plug-ins

  • Script ActiveX controls marked safe for scripting


In a browser, enter the EPM URL, then specify your user name and password and click Sign in.

Account administrator only

The EPM management console appears.

Account administrator and set administrator

The Management Options screen appears.

Select a set to manage or click Administration to open the Account Management console.

Click Management Options to return to the Management Options screen.


A set can be defined as a logical container for computers and policies. Each set is self-contained, so settings in a specific set affect that set only. For example, you could create two sets, one for US and one for EU to allow local set administrators to modify a policy without affecting the other region. To manage computers, a new set must be created.

There are two types of sets: regular and non-persistent VDI.

Non-persistent VDI sets

These sets are appropriate for working with endpoints that are constantly being created and erased. Major features of non-persistent VDI sets are:

  • Only network and operating system data are reported from each endpoint. This data is not updated, since it becomes irrelevant once the endpoint is erased.
  • The Application Catalog, hardware inventory reports, and any computer specific settings are not available.
  • Only connected agents are counted for licensing purposes.
  • You can't create a policy with a specific computer name.
  • There are no manual computer group options.
  • There is an indicator near Set Name that this is a non-persistent VDI set.
  • NP_VDI is shown as the computer name in reports.
  • Graphs that reference specific machines are removed from the Reports > Dashboard page.

Create a set

  1. In the EPM management console, select Administration > Account Management.

  2. From the Create drop-down menu, select Create Set.

    Enter the following information:



    Set name

    The unique name of this set.


    The purpose of this set.

    Time zone

    The time zone in which this set is relevant.

    By default, the set time zone matches the browser's time zone.

    Set type

    The type of set defined by the license.

    Full protection - This set provides full EPM functionality.

    • Regular machines - Sets that are created for full protection on regular machines. In Edit mode, the type can be reset to non-persistent VDI machines, but cannot be reset to Credentials rotation.

    • Non-persistent VDI machines - Sets that are created for non-persistent VDI machines. In Edit mode, the type cannot be changed.

    Credentials rotation - This set manages credentials, according to the Credentials Rotation policy. In Edit mode, this type can be reset to full protection.

    For more details, see Manage your EPM license.

  3. Go to Agent Configuration > Extended protection > Support info file password, and change the password used to encrypt the support info file.

    To maintain a high level of security, make sure you change this password regularly.

Manage set users

  1. In the Account Management page, go to Create > Create User to create an administrator account that will manage the computers and policies in this set.

    Specify the following information:




    The user's email address, which is the user name.

    Password/Confirm Password

    The user's password.

    The password must be between 12 and 128 characters. For details, see Account settings.

    Account administrator

    The scope of the account administrator's access for the set. Options are:

    • Full control - The user can manage all the set properties.

    • View only - The user can only view the set and its properties.

    Allow to manage Sets

    The user can manage every aspect of the set.

  2. Click Next then, for each set, select the role for this user. A single user can manage multiple sets with different roles.

  3. In addition to the predefined Full Control and View Only roles, you can create custom roles. For more information, see Role management.

  4. Click Finish.

Change user binding settings

After you have set the initial binding settings between users and sets, you can change them as you need.

The set admin must be bound to a set so they can sign in to EPM.

  1. In the Account Management page, select the user and the set.

  2. Right-click and select Bind, Change binding for User/Set.

  3. Reset the role for the relevant set, then click OK.


The number of administrators for a set can vary and can be changed at any given time.

Edit a set

  1. In the EPM Management Console, select Administration > Account Management.

  2. Select the set to edit then, from the Edit drop-down menu, select Edit Set <set name>.

For more details about editing sets, see Create a set.

Role management

When a set administrator is assigned to manage a specific set, a specific role management function can be bound to an admin account. For example, certain admin accounts can be assigned the default "Full Control Set Admin" Role. If users only require read privileges, the default "View Only Set Admin Role" can be allocated.

You can also create custom roles that fit your specific requirements. For example, a "Help Desk" Role can have permissions to manage policies such as activate and export, but not have rights to delete or create new policies. Role management options are flexible on all levels of the EPM Management Console, and can address many different scenarios.

Configure roles

  1. In the EPM management console, select Role Management.

    The 'New UI' capabilities are relevant to the new UI that is being released gradually.

  2. Select Role à Create New Role to create a customized role. In the capabilities for the specific role, select permissions associated with the role.

  3. In Account Management, open the list of Set Administrators.

  4. Select a Set Administrator associated with a specific set, right-click and select Change binding of User "<name">.

  5. In the Roles column, select a specific role to assign to the Set Administrator.

Account settings

You can configure the account settings for all EPM users, including their password and session security settings.

Configure account settings

  1. In the EPM management console, select Account Configuration.

  2. Under Password Configuration, set the following parameters for password security:



    Minimum Length

    The minimum number of characters the password must contain. This value is 12.

    Users who have a password with fewer characters than 12 are not required to changed their current password, but when they update it, the new minimum length is enforced.

    Letter Case Requirement

    Set to On to require both uppercase and lowercase letters in the password.

    Number Requirement

    Set to On to require numbers in the password.

    Special Character Requirement

    Set to On to require at least one non-alphanumeric character in the password.

    Number of Incorrect Password Attempts

    The number of consecutive incorrect attempts to enter the password before the user is locked. The default value is 5.

    Enable Password Expiration

    Set to On to require that the password be changed at a set interval.

    Password Expiration Period

    If Enable Password Expiration is set to On, the number of days after the password is set until it must be changed. The default value is 90.

    Number of Incorrect Security Question Attempts

    The number of consecutive incorrect attempts to answer the security question before the user is locked. The default value is 3.

    Lockout Time (Minutes)

    The number of minutes the user is locked. The default value is 5.

  3. Under Session Expiration, set the following parameters for session security:



    Timeout for inactive session (minutes)

    The number of minutes before disconnecting an inactive session. The default value is 30.

CyberArk EPM plugin

Several EPM actions require that the CyberArk EPM plugin must be installed. If you have not installed it, when you perform one of these actions you will be prompted to install it.


The CyberArk EPM plugin is only supported on Windows machines.

Download the CyberArk EPM Plugin

Download the CyberArk EPM plugin in either of the following ways:

  • From the link in the prompt message, download the CyberArkEPMplugin.msi file.


  • From the Download Center:

    1. In the EPM Management Console, go to My Computers > Download Center and display the Tools tab.

    2. Under Offline authorization, download the Web browser plugin and save it locally.

Installation on Google Chrome and Microsoft Internet Explorer

  1. Double click the file to open the installation wizard, and follow the instructions.

  2. Enter the URL of the EPM Management Console.

  3. In Chrome, click Enable extension on the displayed message to enable the Chrome extension of the CyberArk EPM Plugin to be installed. After installation, the CyberArk icon will appear in the Extensions section.

  4. Continue the wizard until the CyberArk EPM Plugin is installed.

  5. In Chrome, open the On Startup section and verify that Chrome is not in Continue where you left off mode.

  6. Restart the browser.

  • In Chrome, the CyberArk EPM Plugin can only be run in incognito mode if the Chrome extension is marked as Allow in incognito.
  • The Chrome extension cannot be uninstalled unless you uninstall the CyberArk EPM Plugin in the Add/Remove Program.
  • In Chrome, you can enable the Continue where you left off mode after restarting.

Installation on Microsoft Edge Chromium

  1. Install the plugin via the EPM console from Google Chrome or Edge Chromium.

  2. In Edge Chromium, open the link to the extension in the webstore, then click Add to Chrome.

  3. In the confirmation prompt, click Add extension.