Manage users

As a Vault administrator you are responsible for managing users in the Vault. Users can be created, deleted, updated, etc. These tasks are carried out through the Users and Groups window.


Users are divided into hierarchical levels that mirror the hierarchy in the office environment. Each department can have a User Manager who creates new Users and updates existing Users' properties. User Managers can manage Users who are in the same hierarchical level and those in lower levels. In this way, User Managers have the flexibility to control the permissions of Users in departments hierarchically beneath them, in the same way as those Users' own Manager would.

For example, the Manager of the Engineering department is out of the office for one week. During that week, User permissions for members of that department need to be updated. Using the current hierarchy setup, any Department Manager above the Engineering department can alter the permissions of the members of the Engineering department and enable the Engineering team to continue working. Therefore, they don’t have to wait for their own Manager to return to the office to update their permissions.

This feature makes User Management flexible, giving control to a wider group of authorized Users.

User authorizations determine which tasks users can perform in the Vault. Each user is only given the authorizations that they require and no others. This helps to achieve segregation of duties and provides a flexible methodology for controlling user management tasks in the Vault.

Depending on the permissions granted to them, Users of each level can manage other Users who are at the same level or lower than them, giving control and flexibility in user management.

Users who are listed in an LDAP-compliant enterprise directory can also be managed transparently by the Vault. They can be added as Safe members and given security attributes and authorizations depending on their location in the directory. For more information, see Configure transparent user management using LDAP.

Types of users

The CyberArk license defines different types of users that can access the Vault through specific interfaces. The user type is defined when users are added to the Vault and when their properties are updated. All users are assigned a user type, including predefined users and those that are added manually or through an LDAP directory. In addition, Vault users that are used by CyberArk components to access the Vault are assigned a user type.

You can generate a License Capacity report which enables you to see the maximum number of licenses for each user type or object, and the number of used licenses for each one. For more information about the License Capacity report, refer to Report License Usage.

Add a user to a Vault

The Vault administrator is responsible for adding new users to the Vault. This process involves assigning a user name and password, defining permissions, and other managerial tasks.

To add a new user:

  1. Log on to the PrivateArk Client as an administrative user.

  2. From the Tools menu, select Administrative Tools and then Users and Groups; the Users and Groups window appears.
  3. In the hierarchy, select the Location where the user will be, then click New, then select User; the New User window appears.

  4. In the different tabs of the New User window, fill in the information as described below. The General and the Authentication tabs are mandatory while the other tabs are optional.

Update users

After a User Account has been created for a User, it can be updated at any time by the Vault administrator. This also applies to external Users, although their General Details cannot be modified in the PrivateArk Client, only in the external directory that supplies their details.

To update a user’s profile:

  1. Log on to the PrivateArk Client as an administrative user.

  2. In the Users and Groups window, select a user, then click Update; the Update Users window appears.
  3. Make the relevant changes in the Update User window (e.g., change password, update picture, etc.), then click OK.

To rename a user:

  1. Log on to the PrivateArk Client as an administrative user.

  2. In the Users and Groups window, select the user’s name to change, then click Rename.
  3. Type the new name for the user, then click OK.

Delete users

When a User will no longer be using his User account, you can delete the account from the Vault. This is important as it maintains the high level of security for the data in the Vault.


Although you can delete external Users’ accounts, the User must also be deleted from the external directory to prevent a new User account from being created for them when they next try to log on.

To delete a user account:

  1. Log on to the PrivateArk Client as an administrative user.

  2. In the Users and Groups window, select a User, then click Delete; a confirmation box appears.
  3. Click Yes to remove the User’s account and prevent him from logging on to the PrivateArk Client.

Update user types and authorized interfaces

A user’s type and authorized interfaces can be updated in the same way as all their other user account properties.

To update a user’s type:

  1. In the Users and Groups window, select a user, then click Update; the Update Users window appears.

  2. In the General tab, from the User type drop-down list, select the user type to apply to the user account.

  3. Click Authorized Interfaces; the Authorized Interfaces window appears. This window displays all the interfaces that can be accessed by the selected user type, as defined in the license.


To add authorized interfaces to the user account:

  1. In the Available Interfaces list, select the authorized interface that the user will be able to use, then click the left-pointing arrow to move it over to the Authorized Interfaces list.

  2. When the Authorized Interfaces list contains all the interfaces that the user will be able to access, click OK.

To remove authorized interfaces from the user account:

  1. In the Authorized Interfaces list, select the interface to disable for this user, then click the right-pointing arrow to move it to the Available Interfaces list.

  2. When the Authorized Interfaces list contains the updated list of the interfaces that the user will be able to access, click OK.

Familiarization with other users in the Vault

In the Vault, users only see other users that they are familiar with. This ensures that users are not aware of users who are owners of other Safes. For example, a user from the IT department should not necessarily be aware that users from the Finance department are also using the Vault.

Familiarization is defined by at least one of the following:

  • The user has the Audit Users authorization in the Vault. This user is familiar with all the users in his location and sub-locations in the user hierarchy.

  • All users who share a Safe and have the View Safe Members authorization are familiar with each other. This means that they can all see each other in the users’ hierarchy.

  • All users who are members of the same group are familiar with each other.
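
The three familiarization rules above can be modeled to review who is able to see whom before granting Audit Users, View Safe Members or a group membership. The following is an added example, not CyberArk code or a Vault API: the User record, the backslash-separated location paths and the sample users are all constructed, and it assumes both users must hold View Safe Members on the shared Safe.

```python
from dataclasses import dataclass, field

@dataclass
class User:                       # hypothetical record, not a Vault object
    name: str
    location: str                 # constructed path, e.g. "\\IT\\Helpdesk"
    audit_users: bool = False     # holds the Audit Users authorization
    groups: set = field(default_factory=set)
    # Safe name -> True if the user holds View Safe Members on that Safe
    safes: dict = field(default_factory=dict)

def in_subtree(location, root):
    """True if location equals root or lies beneath it in the hierarchy."""
    root = root.rstrip("\\")
    # Compare whole path segments so "\\ITSec" is not treated as under "\\IT".
    return location.rstrip("\\") == root or location.startswith(root + "\\")

def familiar(viewer, other):
    """Return the rules from the list above that make `other` visible to `viewer`."""
    reasons = []
    if viewer.audit_users and in_subtree(other.location, viewer.location):
        reasons.append("audit-users")
    shared = viewer.safes.keys() & other.safes.keys()
    # Assumption: both sides need View Safe Members on the shared Safe.
    if any(viewer.safes[s] and other.safes[s] for s in shared):
        reasons.append("shared-safe")
    if viewer.groups & other.groups:
        reasons.append("same-group")
    return reasons

def visible_users(viewer, users):
    """Map each user the viewer is familiar with to the rules that apply."""
    result = {}
    for u in users:
        if u is not viewer and (why := familiar(viewer, u)):
            result[u.name] = why
    return result

# Constructed sample data.
alice = User("alice", "\\IT", True, {"IT-Admins"}, {"IT-Safe": True})
bob = User("bob", "\\IT\\Helpdesk", False, {"Helpdesk"}, {"IT-Safe": True})
carol = User("carol", "\\Finance", False, {"Finance"}, {"Fin-Safe": True})
dave = User("dave", "\\Finance", False, {"Finance"},
            {"Fin-Safe": False, "IT-Safe": False})
erin = User("erin", "\\ITSec")
USERS = [alice, bob, carol, dave, erin]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, "sees", visible_users(u, USERS))
```

In this sample, dave is a member of IT-Safe without View Safe Members, so he sees only carol through their shared group, and the IT users do not see him.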