Manage organizations with delegated administrators
This topic describes how delegated administrators create organizations, manage organizations, and assign user accounts and web apps to an organization.
The global system administrator creates organizations and assigns a delegated administrator to manage each one. Delegation lets that administrator handle management tasks for the organization's group of users without gaining access to the entire user base in the Identity Administration portal.
For example, global system administrators can create multiple organizations for different regions within a company and assign a delegated administrator for each organization to manage certain tasks for that group. The delegated administrator of the organization can create roles within their organization to handle specific tasks, such as MFA unlock. A user in a role with the MFA Unlock administrative right can then perform MFA unlock tasks for other users within the organization. This separates administrative duties so that no single administrator controls every management task.
The following illustrates the hierarchy for organizations:
Admin type | Description
---|---
Global System Administrator | Has read/write access to all resources in the Identity Administration portal. For organizations, the global system administrator creates the organization, assigns delegated administrators, members and roles, removes them, and assigns user accounts to organizations in bulk (see the procedures below). Also refer to System administrator role permissions.
Delegated Administrator | Can manage only one organization and cannot be assigned to multiple organizations; however, multiple delegated administrators can be assigned to one organization. Delegated administrators manage the users and roles assigned to the organization: they create, edit and delete directory service users and roles, run reports filtered to the organization, and manage applications and application requests (see Manage organizations as a delegated administrator). Delegated administrators have limited access to the Identity Administration portal pages and can only access the resources the global system administrator assigns to them. The following Identity Administration portal pages are not available to the delegated administrator: Dashboards, Policies, Organizations, Downloads, and Settings. You can also enable the Manage permission on the Identity Administration portal Application Permissions page to delegate management of specific applications to other users or roles (see Delegate application management).
Set up an organization and assign a delegated administrator as a global system administrator
The global system administrator sets up organizations, assigns members and roles to the organization, and delegates an administrator to manage the organization.
The global system administrator can also remove members, administrators, and roles from the organization. The resources removed from the organization are still available in the Identity Administration portal.
The following procedure describes setting up an organization and assigning a delegated administrator.
- Sign in to the Identity Administration portal using an account with the System Administrator role.
- Go to Core Services > Organizations > Add Organization.
- Add a name for the organization and (optionally) a description.
- Click Administrators and click Add.
- Start typing the name of the delegated administrator you want to add to the organization, select the account, and click Add.
Members (administrators and users) can belong to only one organization. If a user or administrator is already part of an organization, they must be removed from that organization before being added to another one.
Assign roles to the organization as a global system administrator
The following procedure describes how the global system administrator adds roles to the organization. New roles can be created, or existing roles can be added to the organization. For more details, see Create roles.
- Sign in to the Identity Administration portal using an account with the System Administrator role.
- Click Core Services > Organizations and then select the organization to which you want to add a role.
- Click Roles and click Add.
- Start typing the name of the role you want to add, select the role, and click Add.
- Click Save.
Once added, the role is assigned to the organization, but members of that role who are not already assigned to the organization are not added and remain outside of the organization. Any applications assigned to the role are assigned to the users in that role. The delegated administrator can access and assign applications. For more details, see Add web apps as a delegated administrator.
Add members to an organization as a global system administrator
The following procedure describes how the global system administrator adds members to an organization.
- Sign in to the Identity Administration portal using an account with the System Administrator role.
- Click Core Services > Organizations and then select the organization in which you want to add a member.
- Click Members and click Add, then start typing the name of the user you want to add to the organization.
- Select the name of the member and click Add.
Delete an administrator, members, or roles from an organization as a global system administrator
The following procedure describes how the system administrator deletes an administrator, members, or roles from an organization.
- Sign in to the Identity Administration portal using an account with the System Administrator role.
- Click Core Services > Organizations and then select the organization you want to edit.
- Select one of the following: Administrators, Members, Roles.
- Select the resources you want to delete.
- Click Actions and Delete.
Assign user accounts to an organization in bulk as a global system administrator
Global system administrators can use an Excel spreadsheet or CSV file to assign user accounts to organizations, and assign a delegated administrator to an organization in bulk. The user account file can contain up to 10,000 accounts.
To create the file, use the CSV file template provided in Organizations > Bulk Organization Update, or create the file. Ensure the file includes the following data and a header with the default field terminology:
Default Fields | Rules
---|---
Login Name | Enter the full user name, including the login suffix. The login suffix must already exist.
Organization Unit | Enter the name of the organization. The user account is added to that organization.
OU Admin | Enter True or False. True assigns the account as a delegated administrator of the organization.
Email Address | Enter the email address associated with the login name. You can specify only one email address, and it must be in a valid format. Plain-text strings such as N/A or unavailable are rejected.
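The portal preview shows only the first 15 records, so for a file of thousands of accounts it is worth checking the whole file offline against the rules above before uploading. The following validator is an added example, not CyberArk code. It assumes the CSV header uses the Default Fields names from the table, that the caller supplies the login suffixes (and optionally the organization names) that already exist in the tenant, and it handles CSV files only, not Excel workbooks. The sample rows are constructed for illustration.

```python
"""Pre-flight validator for a Bulk Organization Update CSV (added example, not CyberArk code).

Assumptions (not taken from the page): the header cells are exactly the Default
Fields names; known_suffixes/known_orgs are supplied by the operator, for example
copied from the Identity Administration portal. Excel workbooks are not handled.
"""
import csv
import io
import re

REQUIRED_FIELDS = ("Login Name", "Organization Unit", "OU Admin", "Email Address")
MAX_ROWS = 10_000  # the file can contain up to 10,000 accounts
# Syntactic check only: one local part, one '@', a dotted domain. ',' and ';' are
# excluded so a cell holding two addresses is rejected (only one is allowed).
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")
# Plain-text placeholders the portal rejects (assumed list; extend as needed).
PLACEHOLDER_EMAILS = {"", "n/a", "na", "none", "unavailable", "unknown"}


def validate_bulk_org_csv(text, known_suffixes, known_orgs=None):
    """Return a list of (row_number, message); an empty list means the file passes.

    text: CSV contents. known_suffixes: login suffixes that exist in the tenant.
    known_orgs: optional set of organization names; unknown names are flagged if given.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [f for f in REQUIRED_FIELDS if f not in header]
    if missing:
        return [(1, "missing header field(s): " + ", ".join(missing))]

    suffixes = {s.lower() for s in known_suffixes}
    seen_logins = {}  # login -> first row it appeared on
    problems = []
    rows = 0
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        rows += 1
        login = (row.get("Login Name") or "").strip()
        org = (row.get("Organization Unit") or "").strip()
        admin = (row.get("OU Admin") or "").strip()
        email = (row.get("Email Address") or "").strip()

        # Login Name must be the full user name with an existing login suffix.
        if login.count("@") != 1:
            problems.append((n, f"Login Name {login!r} must contain exactly one '@' and a login suffix"))
        else:
            suffix = login.split("@", 1)[1].lower()
            if suffix not in suffixes:
                problems.append((n, f"login suffix {suffix!r} does not exist in the tenant"))

        # A member can belong to only one organization, so a repeated login is an error.
        key = login.lower()
        if key in seen_logins:
            problems.append((n, f"{login!r} already assigned on row {seen_logins[key]}; members belong to one organization"))
        else:
            seen_logins[key] = n

        if not org:
            problems.append((n, "Organization Unit is empty"))
        elif known_orgs is not None and org not in known_orgs:
            problems.append((n, f"organization {org!r} is not in the known list"))

        if admin.lower() not in ("true", "false"):
            problems.append((n, f"OU Admin must be True or False, got {admin!r}"))

        if email.lower() in PLACEHOLDER_EMAILS or not EMAIL_RE.match(email):
            problems.append((n, f"Email Address {email!r} is not a single valid address"))

    if rows > MAX_ROWS:
        problems.append((rows + 1, f"{rows} accounts exceeds the {MAX_ROWS} limit"))
    return problems


# Constructed sample: rows 4, 5 and 6 each violate a rule from the table.
SAMPLE_CSV = """Login Name,Organization Unit,OU Admin,Email Address
alice@example.com,EMEA,True,alice@example.com
bob@example.com,EMEA,False,bob@example.com
carol@example.com,APAC,false,N/A
dave@other.org,APAC,yes,dave@other.org
alice@example.com,APAC,False,alice@example.com
"""

if __name__ == "__main__":
    for row_number, message in validate_bulk_org_csv(SAMPLE_CSV, {"example.com"}):
        print(f"row {row_number}: {message}")
```

Run it against the real file before clicking Confirm; the duplicate-login check matters most, because the portal rule that a member belongs to exactly one organization is otherwise only discovered after the update email arrives.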
Update user accounts using the Bulk Organization Update file as a global system administrator
The following procedure assumes the Excel or CSV file with the data listed above has already been created.
- Log in to the Identity Administration portal using an account with the System Administrator role.
- Go to Core Services > Organizations > Bulk Organization Update and click Browse.
- Navigate to the file populated with user accounts and organization assignments.
- Click Open and click Next. The first 15 records are displayed; use this preview to ensure the entries are formatted correctly.
- Click Confirm.
CyberArk Identity sends an email message to indicate the update is complete.
Manage organizations as a delegated administrator
The delegated administrator for an organization can create CyberArk Identity directory service users and roles for the organization, edit and remove users and roles, and manage applications for the organization.
Once assigned as the delegated administrator for an organization, the following tasks can be performed within the organization:
Create a new directory service user in the organization as a delegated administrator
- Sign in to the Identity Administration portal with your delegated administrator account.
- Go to Core Services > Users and then click Add User.
- Enter the relevant user information as described in Create individual directory service users. The Organization field is already configured with the organization name.
- Click Create User.
Create a role in the organization as a delegated administrator
- Sign in to the Identity Administration portal with your delegated administrator account.
- Go to Core Services > Roles and then click Add Role. The Organization field is already configured with the organization name.
- Enter the relevant role information for the user access required, as described in Create roles. The delegated administrator can create roles with the following Administrative Rights:
  - MFA Unlock
  - Role Management
  - User Management
  If additional Administrative Rights are required for a role, the global system administrator can create a role outside of the organization and then assign that role to the organization. See Assign roles to the organization as a global system administrator.
- Click Create Role.
Delete users in the organization as a delegated administrator
If a CyberArk Identity directory service user was created inside an organization by the delegated administrator, deleting that user from the organization also deletes the user from the Identity Administration portal. For Active Directory/LDAP user accounts assigned to the organization, deleting the account from the Identity Administration portal only removes it from the Users page; the user can still sign in to CyberArk Identity with their directory credentials. To remove their access to the Identity Administration portal, the account must be disabled in Active Directory Users and Computers.
- Sign in to the Identity Administration portal with your delegated administrator account.
- Go to Core Services > Users and then select the users you want to delete.
- Click Actions and click Delete.
Delete roles in the organization as a delegated administrator
Deleting a role created inside an organization deletes the role from the Identity Administration portal.
- Sign in to the Identity Administration portal with your delegated administrator account.
- Go to Core Services > Roles and then select the role you want to delete.
- Click Actions and click Delete.
Run reports filtered by resources in the organization as a delegated administrator
Delegated administrators can run reports that are automatically filtered to the resources available in the organization when run from within the organization. When creating new reports from within the organization, the Data Dictionary is automatically filtered to the resources available in the organization. Built-in reports filtered to the available resources are also provided.
To access built-in reports, go to Core Services > Reports, then expand Built-in Reports and select the desired report.
The following built-in reports are available to delegated administrators:
- Active Users
- Connector Server Detail
- Failed Logins
- Failed Logins by Device Type
- Failed Logins Map
- Inactive Users
- Logins by Country
- Logins Map
- MFA Events
- MFA Failures
- MFA Failures By Location
- MFA Requests Denied by User
- MFA Special Events
- MFA User Summary
- Top User Logins
- Unique Logins by Device Type
- User MFA Challenges Setup Status
- Users Security Question State
Manage applications and application requests as a delegated administrator
Delegated administrators for an organization can manage applications assigned to the organization and create application management roles to assign to other users within the organization.
Applications are assigned to the organization in the following ways:
- Global system administrators assign a role with assigned applications to the organization.
- Global application administrators (in a role with Application Management rights) or delegated application administrators (with the Manage permission for an application) assign the application to users in the organization.
Accessible applications are visible to users within the organization under Web Apps and Mobile Apps in the Identity Administration portal.
The Requests page in the organization view of the Identity Administration portal lists application requests and their status. The delegated administrator, or any user in the organization, can approve user requests to access applications assigned to the organization, provided the application workflow is enabled and that user is configured as the approver. For more information, see Manage application access requests.
Add web apps as a delegated administrator
With organizations and roles created, delegated administrators can add a web application to an organization. Delegated administrators can manage web applications in their own organization but cannot see organizations managed by others.
- Sign in to the Identity Administration portal with your delegated administrator account.
- Go to Core Services > Apps & Widgets > Web Apps and then click Add Web Apps.
- On the Search tab, enter the name of the application in the Search field, click the search icon, then click Add next to the name of the application.
- Click the Organization drop-down menu, then select the organization to which you want to assign the web application.
- In the Add Web App screen, click Yes to confirm and click Close.