Configure remote access for vendors

This topic describes how to configure remote access for vendors who require access to your organization's assets.


You can implement remote access for vendors (non-employees) to Privilege Cloud by integrating with CyberArk Remote Access.

CyberArk Remote Access is a SaaS product that gives vendors Just in Time (JIT) access to your internal assets without the need for a VPN, agents, or passwords. To learn about Remote Access and how it works, see Introduction to CyberArk Remote Access and CyberArk Remote Access main concepts.

After you integrate with Remote Access, you can invite vendors to register to Remote Access and connect to Privilege Cloud remotely. To learn about the end-user experience of connecting to Privilege Cloud using Remote Access, see Connect from remote using Remote Access.


This feature is subscription-based and must be purchased separately.

Before you begin

Before you begin, review the following requirements:

  • Remote access for vendors relies on the same infrastructure as remote access for employees. If you have already configured remote access for employees, skip this step. If not, follow the instructions in Configure remote access for employees.

  • Vendors can use the Remote Access service to access Privilege Cloud after you invite them through the Remote Access service. At that time they are automatically assigned to the Privilege Cloud Remote Access External Vendor role.

    By default, vendors are assigned to the External vendor role, and consume the license type EXTUser. However, you can configure the system so that external vendors are assigned to the Privilege Cloud User role, which consumes EPVUser licenses. For details, see Change vendor license consumption.

  • Users need an iOS or Android device with an active phone number.

    Minimum version:

      • iOS: Version 10
      • Android: v6.0, with biometric security feature and Google Services Framework.

    On devices that support both facial and fingerprint capabilities, make sure that the fingerprinting option is enabled.

Setup workflow

  1. Set up the integration between Identity Administration and Remote Access, and set up Remote Access for vendor access. Follow the instructions in Integrate Remote Access on Shared Services.
  2. In Privilege Cloud, assign the Privilege Cloud External Vendor role, and any customer-defined Remote Access Vendor role, to the account(s) that the vendors should have access permissions for. To do this, assign the Remote Access External Vendor role to the relevant Privilege Cloud Safe(s):
    1. Define or select the Safe which handles the relevant accounts, and add the Remote Access External Vendor role as a member to that Safe. See Add Safe members.

      The vendors linked to this role automatically receive access to the Safe's related targets for an allotted time frame. When the access window expires, the vendors belonging to the assigned group are deprovisioned.

    2. Repeat this step for any customer-defined Remote Access Vendor role.

  3. Invite vendors to register to Remote Access and connect to Privilege Cloud remotely. For details, see Invite vendors and Enable and manage self-service requests.