Identity Administration portal administrative rights

The following table describes the administrative rights you can assign to a role. Users cannot log in to the Identity Administration portal unless they have at least one of the following administrative rights.

If an administrator attempts to perform a task in the Identity Administration portal for which they do not have the associated administrative right, the Identity Administration portal displays an error message. In addition, the Identity Administration portal does not display data if it’s not pertinent to the administrator’s rights. For example, if the administrator has the Application Management right only, that user is not allowed to change policy settings.

Some administrative rights also grant reporting rights, but only for data that the user has been granted rights to read.

Administrative right


Admin Portal Login

Access to the Identity Administration portal.

Application Management

Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application.

In addition, this right grants the ability to start provisioning jobs either for all provisioning-enabled applications or a selected provisioning-enabled application.

Computer Login

Logging on to Windows computers where a CyberArk agent is installed. This administrative right applies only to computers that are members of a CyberArk Identity role with this right.

Device Enroll On Behalf Of

Permissions to enroll devices on behalf of another user.

Device Management (Limited)

Use of all the commands that originate from the Devices page except the following:

All devices:

  • Wipe Device
  • Unenroll Device

Samsung devices only:

  • Device Lockout
  • Remove Container

The purpose of this permission is to provide limited device management rights to, for example, helpdesk staff. Users with this permission can help other users but cannot perform any destructive actions on a device or a container.

Device Management (All)

Use of all the commands that originate from the Devices page, such as the ability to update policies, lock, reset the passcode, wipe, unenroll, delete, or view device details.

Note: The user must have the Device Management permission to run the APNS Certificate, Mass Deployment, and Exchange ActiveSync Server Settings options on the Settings page in the Identity Administration portal.

Federation Management

Permission to create, manage, and delete federation partnerships. See Set up external identity providers for information on setting up partner federations.

Identity Verification

Permission to perform the identity verification process for end users with a mobile phone number included in their user data. See Verify helpdesk caller identity.

MFA Unlock

Suspend multifactor authentication for 10 minutes.

System Enrollment

Permission for non-admin users to enroll Linux and Windows machines.

RADIUS Management

Permission to create, manage, and delete the RADIUS server. See Configure CyberArk Identity for RADIUS for information on using the CyberArk Identity Connector as a RADIUS server.

Read Only System Administrator

Access to all of the Identity Administration portal tabs; however, the user cannot make any changes. An error message is displayed when the user attempts to save a change.

Note: If you enable read-only access for a support technician, CyberArk Identity creates a temporary account that it adds as a member to this role.

Register and Administer Connectors

Register a CyberArk Identity Connector in your CyberArk Identity account.

During the connector installation, the wizard prompts you to enter the account of a user that has the Register connectors right. This must be a CyberArk Cloud Directory account. Make sure the account you specify is a member of a role with this permission.

Report Management

Create, delete, and run reports.

Role Management

Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles; this includes the ability to assign rights.

Shared Credentials

CyberArk Identity users in this role can share User Password applications and credentials that have been manually added or captured using Land & Catch with other CyberArk Identity users.

User Management

Permission to use the Add User and Bulk User Import buttons to add users and modify CyberArk Cloud Directory user properties. Additionally, this permission allows users to import and delete OATH tokens.

Vault Management

Permission to manage objects in Privilege Cloud.

See Create roles for instructions on how to add Administrative Rights to a role.