Grant authentication permission to additional users

You might need to grant authentication permission (Agent Auth) to additional users or roles after enrolling a Windows machine. You can do this at any time after enrollment, but the user assigned to the machine during the initial enrollment remains the machine owner.

Users granted the Agent Auth permission also benefit from certificate-based authentication to CyberArk Identity once they have authenticated to the machine.

To grant permission to additional users to log in to the enrolled machine

  1. Sign in to the Identity Administration portal.
  2. Select Endpoints, then click the enrolled machine where you want to grant access to additional users.
  3. On the Permissions tab click Add, then select the user(s), group(s), or role(s) that you want to grant access to.

    If you are setting permissions for a Windows server, add the AD group listed in the server's Remote Desktop Users list to enforce your authentication policies via RDP connections.

  4. Select the appropriate permissions, then click Save.

    Permission descriptions

    Grant: Allows users to grant permissions to other users. Users can only grant permissions that they already have. For example, a user with Grant and View cannot grant another user Manage.

    View: Users with only the View permission can view the endpoint in the Identity Administration portal, but cannot log in to the endpoint, see certificates, or modify permissions.

    Manage: Allows full management of the device(s), including sending commands to the device such as remote wipe.

    Manage (Limited): Allows admins to lock and unlock device(s), but not issue other device commands.

    Agent Auth: Enables endpoint authentication for the endpoint; provisioned users can authenticate (password-only or multi-factor authentication) to their machines without depending on direct connectivity (LAN or VPN) to the directory source (for example, Active Directory).

    If a user has Agent Auth but not View, the user can log in to the endpoint but not see the endpoint in the Identity Administration portal.
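The two rules in the table that are easiest to get wrong when auditing endpoint permissions are the delegation rule (a user with Grant can only hand out permissions they already hold) and the split between Agent Auth and View (log in versus see in the portal). The following is an added illustrative model of those rules for checking a proposed permission change before it is made; it is not CyberArk's code and does not call the Identity Administration portal. The permission names are the ones from the table; the function names and the capability labels are assumptions chosen for this example.

```python
"""Illustrative model of the endpoint permission rules described on this page.

Added example, not CyberArk's implementation. Permission names match the
table above; function and capability names are this example's own.
"""
from __future__ import annotations

from typing import Dict, FrozenSet

# Permission names exactly as the table lists them.
GRANT = "Grant"
VIEW = "View"
MANAGE = "Manage"
MANAGE_LIMITED = "Manage (Limited)"
AGENT_AUTH = "Agent Auth"
ALL_PERMISSIONS = frozenset({GRANT, VIEW, MANAGE, MANAGE_LIMITED, AGENT_AUTH})


def validate(perms: FrozenSet[str]) -> None:
    """Reject permission names that are not in the table."""
    unknown = perms - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")


def can_grant(grantor: FrozenSet[str], requested: FrozenSet[str]) -> bool:
    """Delegation rule: the grantor needs Grant, and may only hand out
    permissions it already holds (Grant + View cannot give Manage)."""
    validate(grantor)
    validate(requested)
    if GRANT not in grantor:
        return False
    return requested <= grantor


def effective_capabilities(perms: FrozenSet[str]) -> Dict[str, bool]:
    """What a holder of this permission set can actually do, per the table."""
    validate(perms)
    return {
        # Agent Auth alone lets the user log in to the endpoint ...
        "log_in_to_endpoint": AGENT_AUTH in perms,
        # ... but only View shows the endpoint in the portal.
        "see_endpoint_in_portal": VIEW in perms,
        # Manage covers device commands such as remote wipe.
        "send_device_commands": MANAGE in perms,
        # Manage (Limited) is lock/unlock only; Manage is assumed to include it.
        "lock_unlock_device": MANAGE in perms or MANAGE_LIMITED in perms,
        "delegate_permissions": GRANT in perms,
    }


if __name__ == "__main__":
    # Constructed sample: a helpdesk role holding Grant and View.
    helpdesk = frozenset({GRANT, VIEW})
    print(can_grant(helpdesk, frozenset({MANAGE})))  # False: cannot grant Manage
    print(can_grant(helpdesk, frozenset({VIEW})))    # True
    print(effective_capabilities(frozenset({AGENT_AUTH})))
```

Running this with a proposed grantor set and requested set before making the change in the portal tells you whether the portal will refuse it, and `effective_capabilities` makes explicit why a user with only Agent Auth reports being able to log in but "can't find the machine" in the portal.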