Identity Administration portal administrative rights
The following table describes the administrative rights you can assign to a role. Users cannot log in to the Identity Administration portal unless they have at least one of the following administrative rights.
If an administrator attempts to perform a task in the Identity Administration portal for which they do not have the associated administrative right, the Identity Administration portal displays an error message. In addition, the Identity Administration portal does not display data if it’s not pertinent to the administrator’s rights. For example, if the administrator has the Application Management right only, that user is not allowed to change policy settings.
| Administrative right | Description |
| --- | --- |
| Admin Portal Login | Access to the Identity Administration portal. |
| Application Management | Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application. In addition, this right grants the ability to start provisioning jobs either for all provisioning-enabled applications or for a selected provisioning-enabled application. |
| Computer Login | Logging on to Windows computers where a CyberArk agent is installed. This administrative right is only applicable to computers that are members of a CyberArk Identity role with this right. |
| Device Enroll On Behalf Of | Permission to enroll devices on behalf of another user. |
| Device Management (Limited) | Use of all the commands that originate from the Devices page except the following: All devices: Samsung devices only: The purpose of this permission is to provide limited device management rights to, for example, helpdesk staff. This allows users with this permission to help users but prevents them from performing any destructive actions on a device or a container. |
| Device Management (All) | Use of all the commands that originate from the Devices page, such as the ability to update policies, lock, reset the passcode, wipe, unenroll, delete, or view device details. Note: The user must have the Device Management permission to run the APNS Certificate, Mass Deployment, and Exchange ActiveSync Server Settings options on the Settings page in the Identity Administration portal. |
| Federation Management | Permission to create, manage, and delete federation partnerships. See Set up external identity providers for information on setting up partner federations. |
| Identity Verification | Permission to perform the identity verification process for end users with a mobile phone number included in their user data. See Verify helpdesk caller identity. |
| MFA Unlock | Suspend multifactor authentication for 10 minutes. |
| System Enrollment | Permission for non-admin users to enroll Linux and Windows machines. |
| RADIUS Management | Permission to create, manage, and delete the RADIUS server. See Configure CyberArk Identity for RADIUS for information on using the CyberArk Identity Connector as a RADIUS server. |
| Read Only System Administrator | Access to all of the Identity Administration portal tabs; however, the user cannot make any changes. An error message is displayed when the user attempts to save a change. Note: If you enable read-only access for a support technician, CyberArk Identity creates a temporary account that it adds as a member of this role. |
| Register and Administer Connectors | Register a CyberArk Identity Connector in your CyberArk Identity account. During the connector installation, the wizard prompts you to enter the account of a user that has the Register connectors right. This must be a CyberArk Cloud Directory account. Make sure the account you specify is a member of a role with this permission. |
| Report Management | Create, delete, and run reports. |
| Role Management | Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles; this includes the ability to assign rights. |
| Shared Credentials | CyberArk Identity users in this role can share User Password applications and credentials that have been manually added or captured using Land & Catch with other CyberArk Identity users. |
| User Management | Permission to use the Add User and Bulk User Import buttons to add users and modify CyberArk Cloud Directory user properties. Additionally, this permission allows users to import and delete OATH tokens. |
| Vault Management | Permission to manage objects in Privilege Cloud. |
See Create roles for instructions on how to add Administrative Rights to a role.