Create roles

This topic describes how to create roles in the Identity Administration portal to authorize access to features.

Roles are collections of objects (users, groups, or other roles) used to authorize access to applications and features, provision users, apply authentication rules, and deploy policy settings. CyberArk Identity includes predefined roles to control access to some features and services. You can create additional Roles if the predefined roles do not provide enough control.

There are two types of roles.

  Role type   Description

  Static      Static roles require you to manually add objects as role members. Role membership is not re-evaluated unless you add a member. All pre-defined roles are static roles.

  Dynamic     Dynamic roles automatically add members based on custom logic that identifies the attributes of the objects that you want to include in the role. For example, you could create a role with custom logic to assign all users from a specified country. Dynamic roles require proficiency with JavaScript. Dynamic roles cannot be used for inbound or outbound provisioning.

Users can be a member of multiple roles. The following diagram illustrates the implications of a user who is a member of more than one role.

The diagram illustrates the following behavior.

  • Mary belongs to roles A and B so she has access to all 5 applications (Slack, ADP, Salesforce, Gmail, and Office 365).
  • Mary’s inherited mobile device policies depend on the prioritization of the policies. See Using hierarchical policy sets.
  • All members of the Active Directory group 1 have access to Gmail and Office 365.

Changes to assigned applications or administrative rights take effect when the user next logs in to the Identity User Portal or an enrolled device. To apply the changes immediately, select the role members on the Users page and send the Reload command.

If you plan to delegate administrative activity to other users, create the roles with appropriate administrative rights before you add users to the service. For example, you can create a role that limits the administrator to managing applications and application-to-role assignments only. In this role, administrators can perform all functions on the Apps page and have read-only access to the Users and Roles pages. Similarly, you can create administrative roles with just device, user, and report management permissions.

If you plan to create CyberArk Cloud Directory users in bulk, create roles first so you can assign each user to an existing role.

Before you begin

You must be a member of the System Administrator role or a role with the Role Management administrative right to create roles and assign users to roles.

Create roles in the Identity Administration portal

To create a CyberArk Identity role:

  1. Go to Core Services > Roles, then click Add Role.

  2. On the Description tab, complete the available fields and options.

    Field         Description

    Name          Enter a unique name for the role.

    Description   Enter a description of the role's purpose.

    Organization  Select an organization from the drop-down menu.

    Role Type     Select a role type. Static roles require you to manually add members. Dynamic roles evaluate membership based on object attributes; you create this logic with JavaScript.

  3. Click Members, then add members to the role.

    The steps to add members to a role are different depending on the type of role.

    For static roles:

    Click Add to add members to the role. You can add CyberArk Cloud Directory users and external directory service users.

    1. Click Administrative Rights, then add appropriate administrative rights.

    2. Click Assigned Applications, then assign applications to role members.

      Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

    3. Click Save to finish creating the role.

    For dynamic roles:

    1. Enter JavaScript in the Custom Logic box to add objects to the role based on attribute values, then click Save.

      You can use attributes from either AD or CyberArk Cloud Directory. Examples of attributes that you could use include co (AD attribute for Country), Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or Country attribute (CyberArk Cloud Directory).

      The following example shows the sample script that checks for the country code stored for a user.

      // Sample script: a user is a member when the country stored in the
      // directory is Aruba. Any other case falls through to "return false".
      trace(User.UserType);
      if (User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              if (User.Properties.Properties.co == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('property: co not found');
          }
      } else if (User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if (User.Properties.Properties['country_'] == 'Aruba') {
                  return true;
              }
          } catch (error) {
              trace('additional attribute: Country not found');
          }
      }

      // No match (or unknown user type): the user is not a member.
      return false;

    2. Click Test User, then search for the user that you want to add to the role and click Next.

      A window displays indicating whether or not the user would be a member based on your custom logic.

    3. Click Administrative Rights, then add appropriate administrative rights.

    4. Click Assigned Applications, then assign applications to role members.

      Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

    5. Click Save to finish creating the role.
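The following is an added example, not CyberArk's sample script and not part of the original page. It generalizes the country check above to a policy that combines a country and a department, reads attributes without throwing when one is missing, and wraps the decision in a small harness that plays the part of the Test User step so the logic can be exercised offline against constructed user objects before it is pasted into the Custom Logic box. The shape of the `User` object (`UserType`, `Properties.Properties`), the `trace()` function, and the attribute names `department` and `department_` are assumptions taken from or modelled on the sample script, not verified against the product.

```javascript
// Added example (not CyberArk's code): a dynamic-role membership script
// generalized from the vendor sample, wrapped for offline testing.
//
// Assumptions (from the sample script on this page, not verified against
// the product): the platform exposes a global `User` with `UserType`
// ('AD' or 'CUS') and `Properties.Properties` holding directory attributes,
// `trace()` writes a log line, and the script's return value decides
// membership. The department attribute names are assumed, not documented.

// Policy for the role: which attribute values qualify. Constructed values.
const POLICY = {
  countries: new Set(['Aruba', 'Curacao']),  // AD `co` / cloud `country_`
  departments: new Set(['Engineering']),     // AD `department` / cloud `department_` (assumed names)
};

// Read an attribute without throwing when the attribute map or the
// attribute itself is missing. A missing attribute yields undefined, which
// the comparison below treats as "does not qualify" (fail closed).
function attr(user, name) {
  const props = user && user.Properties && user.Properties.Properties;
  return props ? props[name] : undefined;
}

// Normalize a directory value before comparing: directory attributes are
// frequently stored with inconsistent case or trailing whitespace.
function norm(value) {
  return typeof value === 'string' ? value.trim().toLowerCase() : undefined;
}

function hasValue(allowedSet, value) {
  const v = norm(value);
  if (v === undefined) return false;
  for (const allowed of allowedSet) {
    if (norm(allowed) === v) return true;
  }
  return false;
}

// The membership decision. Every path that is not an explicit match returns
// false, so an unknown user type or a missing attribute never grants
// membership by accident.
function evaluateMembership(User, trace) {
  trace('user type: ' + User.UserType);
  let countryAttr, deptAttr;
  if (User.UserType === 'AD') {          // Active Directory user
    countryAttr = 'co';
    deptAttr = 'department';
  } else if (User.UserType === 'CUS') {  // CyberArk Cloud Directory user
    countryAttr = 'country_';
    deptAttr = 'department_';
  } else {
    trace('unsupported user type, not a member');
    return false;
  }
  const inCountry = hasValue(POLICY.countries, attr(User, countryAttr));
  const inDept = hasValue(POLICY.departments, attr(User, deptAttr));
  trace('country match: ' + inCountry + ', department match: ' + inDept);
  return inCountry && inDept;
}

// Offline stand-in for the "Test User" step: evaluate the logic against
// constructed user objects and collect the decisions plus the trace log.
function runTestUsers(users) {
  const log = [];
  const trace = (msg) => log.push(msg);
  const results = {};
  for (const [label, user] of Object.entries(users)) {
    results[label] = evaluateMembership(user, trace);
  }
  return { results, log };
}

// Constructed sample users (not real directory data).
const SAMPLE_USERS = {
  adMatch:        { UserType: 'AD',  Properties: { Properties: { co: 'Aruba', department: 'engineering ' } } },
  adWrongDept:    { UserType: 'AD',  Properties: { Properties: { co: 'Aruba', department: 'Finance' } } },
  cloudMatch:     { UserType: 'CUS', Properties: { Properties: { country_: 'Curacao', department_: 'Engineering' } } },
  cloudNoCountry: { UserType: 'CUS', Properties: { Properties: { department_: 'Engineering' } } },
  noProperties:   { UserType: 'AD' },
  unknownType:    { UserType: 'FED', Properties: { Properties: { co: 'Aruba', department: 'Engineering' } } },
};

if (typeof require !== 'undefined' && require.main === module) {
  const { results, log } = runTestUsers(SAMPLE_USERS);
  console.log(results);
  console.log(log.join('\n'));
}
```

When you move the body of `evaluateMembership` into the Custom Logic box, drop the function wrapper and the `trace` parameter (the platform supplies `User` and `trace` itself) and keep the `return false` fallback at the end; a role that carries administrative rights should be a member-of-last-resort only when every attribute check passes explicitly.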

Export dynamic role membership

  1. Click Export Users.

    You can choose from the following member set and export type options:

    Field         Option         Description

    Member set    Active users   Users that are logged in with role-based attributes.
                  All users      All users, active or not active, with roles.

    Export type   Excel          You can export data in an Excel file. The Excel format is compact and can contain up to one million records.
                  CSV            You can export data in a CSV file. The CSV format is limited to 150,000 records.

  2. Click OK to generate the report based on the dynamic role script.

    You will receive an email with the report as an attachment.

    Due to email restrictions, the attachment size is limited by the email server. The default limit is 20 MB.