Assign users to roles and manage roles

This topic describes how to manage role membership in the Identity Administration portal to control authorization to features and services.

Users can access a specific CyberArk service only if assigned a role with access permissions to that service. Built-in roles are available per service to define the access levels for each user in that service. Roles can be assigned to a group of users or to a single user.

Roles are the most efficient way to assign access rights to multiple users, enforce adaptive MFA, and deploy applications. All users should belong to at least one role.

See list of predefined roles and CyberArk Identity Security Platform Shared Services user roles.

About the Everybody role

By default, all new users are added to the Everybody role. Members of the Everybody role are automatically granted permission to access the Identity Administration User Portal. Make sure the Everybody role allows user access to the Identity Administration User Portal at all times, so that users can open the User Portal, launch their assigned applications, and enroll mobile devices. Because every new user lands in this role automatically, keep it limited to that User Portal access: any administrative right or application you assign to Everybody applies to every account in the tenant.

Before you begin

Check the following:

  • You must be assigned to the System Administrator role or to a role with the Role Management administrative right. You can only create roles and assign users to roles if you have the appropriate rights.

  • The Identity Connector is installed and the AD users and groups are integrated into Identity Administration. See Deploy the Identity Connector to add Active Directory users. This prerequisite enables:

    • domain users to log in to the User Portal using their domain credentials

    • adding domain users to roles

Add members to an existing role

The following procedure describes how to add members to an existing role. To create a new role and then add members to it, see Create a new role.

To assign users to a role

  1. In the Identity Administration portal, click Core Services > Roles.
  2. Select the role from the list of available roles. See built-in roles defined per CyberArk service.
  3. Click Members, then click Add to display the Add Members dialog box.
  4. Start typing the user name, Active Directory/LDAP group name, or an existing role.

    Distribution groups and local groups display in the filter; however, only security groups are supported.

    For CyberArk Cloud Directory users, you can also search by email domain suffix.

    Entries matching the string you type are displayed.

  5. Select the check box associated with each user, group, or role you want to add, then click Add.

    Only security groups (including universal security groups) can be added. Local groups and distribution groups appear in the search results but are not supported.

    If you are using Active Directory/LDAP as an identity store, all of the matching user accounts and groups in the Users container that can be seen in the domain or forest are displayed. See Authenticate users in multiple domains for more information on which domains can be seen.

    After you add an Active Directory/LDAP user or group to a role, the name is shown on the Users page only after the user logs in to the User Portal or enrolls a device.

  6. Click Save.

Remove members from a role

When you remove users or Active Directory/LDAP groups from a role, any administrative rights or applications assigned to that role no longer apply to those users. For example, if you have assigned the Box application to the role ABC, users removed from that role lose SSO access to Box. Removal is not instantaneous: as with any role change, users who are already logged in keep their previous permissions for up to 15 minutes (see Change a user's role), so for an urgent revocation also end the user's sessions or disable the account.

To remove a role member
  1. In the Identity Administration portal, click Core Services > Roles.
  2. Click the role.
  3. Click Members.
  4. Click the check box for each member you want to remove.

    The Add button is replaced by an Actions button.

  5. From the Actions drop-down menu, click Delete.
  6. Click Save.

Assign domain users or groups to the System Administrator role

As a best practice, do not use the default administrator account for day-to-day administration; instead, administer Identity Administration with your own named account. Assigning domain users or groups to the System Administrator role allows you to log in to Identity Administration with domain credentials and lets you centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP or Google Workspace, or create users in the CyberArk Cloud Directory.

To assign domain users or groups to role

  1. Log in to the Identity Administration portal using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the relevant domain user(s) and/or group(s) you want to grant administrative rights to the Identity Administration portal.

    The domain user should NOT match your Active Directory user name.

    Distribution groups and local groups display in the filter; however, only security groups are supported.

  6. Click Add.

    The Add Members page closes.

  7. Click Save.

    You can now log in with your domain credentials to the Identity Administration portal.

Change a user's role

To change a user's role, follow the steps in Add members to an existing role to assign the user to the new role. If the old role's rights and applications should no longer apply, also remove the user from the old role (see Remove members from a role); adding a user to a second role does not remove them from the first.

After a role change, the user's new permissions take effect after a short delay:

  • For users who are already logged in, up to 15 minutes

  • After the user logs out and logs in again, up to 3 minutes

Create a new role

You can create roles that are based on the service-specific roles described in CyberArk Identity Security Platform Shared Services user roles.

Role names are case-sensitive in CyberArk Identity Security Platform Shared Services. Make sure to create unique role names, and do not create two roles with the same name, where one is capitalized and the other is not (for example, admin and Admin).

To create a new role:
  1. Go to Core Services > Roles, then click Add Role.

  2. Complete the fields in the Add Role page.

    Role fields and descriptions
    Field Description

    Name

    Enter a unique name for the role.

    Description

    Enter a description for the role's purpose.

    Organization

    Select an organization from the drop-down menu.

    Role Type

    Select a role type.

    Static roles require you to manually add members. Dynamic roles evaluate membership based on object attributes. You can create this logic with JavaScript.

  3. Click Save.

  4. Click Members > Add to add members to the role.

    The steps to add members differ depending on the role type you selected.

    For a static role:

    1. Click Add, then select the members to add.

      You can add CyberArk Cloud Directory users and external directory service users.

    2. Click Administrative Rights, then add the appropriate administrative rights.

    3. Click Assigned Applications, then assign applications to role members.

      Assigning applications to a role automatically deploys a default set of applications to the members of the role.

    4. Click Save to finish creating the role.

    For a dynamic role:

    1. Enter JavaScript in the Custom Logic box to add objects to the role based on attribute values, then click Save.

      The script is evaluated for each user and must return true for users that belong to the role and false otherwise. You can use attributes from either AD or CyberArk Cloud Directory (including Additional Attributes). Examples of attributes that you could use include co (the AD attribute for Country), Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or the Country attribute (CyberArk Cloud Directory).

      The following sample script checks the country stored for a user:

      trace(User.UserType);
      if (User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              if (User.Properties.Properties.co == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('property: co not found');
          }
      } else if (User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if (User.Properties.Properties['country_'] == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('additional attribute: country_ not found');
          }
      }

      return false;

    2. Click Test User, then search for the user you want to check and click Next.

      A window indicates whether or not the user would be a member based on your custom logic. Test at least one user who should be a member and one who should not before granting the role any administrative rights.

    3. Click Administrative Rights, then add the appropriate administrative rights.

    4. Click Assigned Applications, then assign applications to role members.

      Assigning applications to a role automatically deploys a default set of applications to the members of the role.

    5. Click Save to finish creating the role.
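The following is an added example of dynamic-role custom logic, not CyberArk's own sample code. It goes beyond the single-attribute sample above: it combines a country check with a department check, normalizes whitespace and case, and treats a missing attribute or an unknown directory type as "not a member" instead of relying on try/catch. It assumes the same script environment as the Load Sample script (a global User with UserType 'AD' or 'CUS', an attribute bag at User.Properties.Properties, and a trace() logging function); the attribute names co and country_ come from the page, while department and the country list are assumptions for illustration.

```javascript
// Added example (not CyberArk's sample): a dynamic-role membership rule
// that combines two attributes and tolerates missing ones.
// Assumed environment, as in the page's Load Sample script: a global
// `User` with `UserType` ('AD' or 'CUS'), an attribute bag at
// `User.Properties.Properties`, and a `trace()` logging function.
// `co` (AD) and `country_` (Cloud Directory) are the page's attribute
// names; `department` and ALLOWED_COUNTRIES are assumptions.

// Outside the portal trace() does not exist; fall back to a no-op so the
// rule can be exercised offline.
var log = typeof trace === 'function' ? trace : function () {};

// Read one attribute, returning undefined when any level of the object is
// missing instead of throwing, so a half-populated user cannot crash the rule.
function attr(user, name) {
  var bag = user && user.Properties && user.Properties.Properties;
  if (!bag || typeof bag !== 'object') return undefined;
  if (!Object.prototype.hasOwnProperty.call(bag, name)) return undefined;
  var v = bag[name];
  return typeof v === 'string' ? v.trim() : v;
}

// Case-insensitive equality; anything that is not a string never matches.
function eq(a, b) {
  return typeof a === 'string' && typeof b === 'string' &&
    a.toLowerCase() === b.toLowerCase();
}

// Membership rule: country in ALLOWED_COUNTRIES AND department is Finance.
var ALLOWED_COUNTRIES = ['Aruba', 'Netherlands'];

function isMember(user) {
  if (!user) return false;
  var country;
  if (user.UserType === 'AD') {
    country = attr(user, 'co');        // AD: Country attribute
  } else if (user.UserType === 'CUS') {
    country = attr(user, 'country_');  // Cloud Directory additional attribute
  } else {
    log('unsupported UserType: ' + user.UserType);
    return false;                      // unknown source: deny rather than guess
  }
  var department = attr(user, 'department');
  var countryOk = ALLOWED_COUNTRIES.some(function (c) { return eq(country, c); });
  var deptOk = eq(department, 'Finance');
  log('country=' + country + ' department=' + department +
      ' -> ' + (countryOk && deptOk));
  return countryOk && deptOk;
}

// In the portal's Custom Logic box, end the script with:
//   return isMember(User);

// Constructed sample users (not real directory data) for running offline.
var SAMPLE_USERS = {
  adFinanceAruba: { UserType: 'AD',
    Properties: { Properties: { co: 'Aruba', department: 'Finance' } } },
  cusFinanceUntidy: { UserType: 'CUS',
    Properties: { Properties: { country_: ' aruba ', department: 'FINANCE' } } },
  adSalesAruba: { UserType: 'AD',
    Properties: { Properties: { co: 'Aruba', department: 'Sales' } } },
  adNoAttributes: { UserType: 'AD', Properties: { Properties: {} } },
  adNoPropertyBag: { UserType: 'AD' },
  unknownSource: { UserType: 'LDAP',
    Properties: { Properties: { co: 'Aruba', department: 'Finance' } } }
};

// Evaluate every sample user and return a name -> boolean map.
function evaluateAll(users) {
  var out = {};
  Object.keys(users).forEach(function (k) { out[k] = isMember(users[k]); });
  return out;
}

if (typeof User === 'undefined') {   // not running inside the portal
  console.log(evaluateAll(SAMPLE_USERS));
}
```

Two design points carry over to any dynamic role that grants administrative rights or sensitive applications: every branch that cannot positively establish membership returns false, and the rule only uses attributes whose values come from a source the user cannot edit, because a dynamic role is only as trustworthy as the attributes it reads. Run Test User against both a user who should match and one who should not before saving the role.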

Export dynamic role membership

  1. Click Export Users.

    You can choose from the following:

    Member set and export type options
    Field Description

    Member set

    Active users

    Users that have logged in and match the role's attribute logic.

    All users

    All users that match the role's attribute logic, whether active or not.

    Export type

    Excel

    You can export data in an Excel file. The Excel format is compact and can contain up to one million records.

    CSV

    You can export data in a CSV file. The CSV format limitation is 150,000 records.

  2. Click OK to generate the report based on the dynamic role script.

    You will receive an email with the report as an attachment.

    Due to email restrictions, the attachment size is limited based on the email server. The default is 20 MB.