Add users from an external directory service

The topics in this section describe how to add a directory service (for example, LDAP) to CyberArk Identity so you can continue using your existing directory without migrating users to another directory source.

After you add your existing directory service, users can access CyberArk Identity with their existing user accounts.

You can use all directory services simultaneously. For example, you can use Active Directory/LDAP as your primary directory service, and the CyberArk Cloud Directory as a convenient supplemental repository for the following use cases:

Use case: Emergency administrators
Description: If the network connection to the Active Directory domain controller ever breaks down, no one with only an Active Directory/LDAP account can log in. However, if you create administrator accounts in CyberArk Identity, these users can log in to the Identity Administration portal and the user portal and launch web applications.

Use case: Temporary user
Description: Some organizations' security policies can make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If you have a temporary worker who needs access to just the applications you deploy through CyberArk Identity, it may be simpler to add the account to CyberArk Identity.

Use case: Contractors or less-trusted users
Description: Sometimes you do not want users to have the full set of privileges and access rights an Active Directory/LDAP account provides. In this case, you create the account in CyberArk Identity only.

To avoid users logging in with the wrong account and other account-related confusion, CyberArk recommends that you do not create duplicate accounts (same user name/password) in both the CyberArk Cloud Directory and external directory sources.