Enable users to create personal privileged accounts

This topic describes how to enable end users, such as IT admins, to independently create their own personal privileged accounts.

What are personal privileged accounts?

A personal privileged account is a private account for end users, such as IT admins, to securely access any target within the domain. The advantage of a personal privileged account is that while you configure the platform and the associated CPM, the end user can independently add accounts.

  • Personal Safe. When the user creates his first personal privileged account, a personal Safe is automatically created with the user as the owner, and any subsequent accounts he creates are added to this Safe. You can manage permissions for the Safe but you cannot access the accounts stored in the Safe.

  • Account access. The user can access his personal privileged accounts from the moment they are created, provided the correct passwords were entered.

  • Password management. The account passwords are managed after the account is verified by the CPM.

To ensure a consistent end user experience, do not rename the Safe after it is created.

For the end user experience, see Add personal privileged accounts.

Before you begin

  • Personal privileged accounts are supported by CPM v13.1 and up. If your current CPM is lower than v13.1, upgrade at least one CPM instance in your system.

Enable users to add personal privileged accounts

Personal privileged accounts are disabled by default. To enable them, select the CPM, the platform, and the required end users.

We recommend associating a CPM when you enable personal privileged accounts, to ensure the passwords are managed automatically.

To enable personal privileged accounts:
  1. In the Privilege Cloud Portal, go to Administration > Personal Account Configuration.

  2. Click Enable.

  3. From the Set platform list, select the platform to associate with the personal privileged accounts.

  4. From the Select CPM list, select the CPM to manage the account.

    Only CPM instances v13.1 and up are displayed. If no CPMs are displayed, see the steps in Before you begin.

  5. From the Manage members table, click Add > Select member to select the users, groups or roles that can create personal privileged accounts. The selected members are assigned to the PPAUsers role.

    Use the following filter options:

    • User directory source. You can search for users or groups based on the user directory source:

      • CyberArk Cloud Directory

      • External directories, such as LDAP

      • System component users, which are internal to CyberArk, such as application users

      • External Identity Providers, such as Okta or SAML

    • Member type. You can search based on member type:

      • User

      • Group

      • Role

    • Name. You can search for a specific user, group or role:

      • Enter an alphanumeric string of at least three characters.

      • Member names cannot include the following characters: \ / : * < > " | ? % & +

      • If you are searching for a name that is less than three characters, enter the first character followed by two spaces, or the first two characters followed by a space.

  6. Click Save.
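The member search rules in step 5 (three-character minimum, forbidden characters, space padding for short names) as a small input checker. This is an added example, not CyberArk code; the function names and the padding behaviour for short names are taken from the rules listed above.

```python
# Characters the Manage members search rejects in member names (from the page).
FORBIDDEN_NAME_CHARS = set('\\/:*<>"|?%&+')
# Minimum length of a search string accepted by the portal.
MIN_SEARCH_LEN = 3


def invalid_name_chars(name: str) -> list[str]:
    """Return the characters in `name` that are not allowed in member names."""
    return sorted(FORBIDDEN_NAME_CHARS.intersection(name))


def normalize_member_search(term: str) -> str:
    """Turn a user/group/role name into a search string the portal accepts.

    Names of three or more characters are returned unchanged. Shorter names
    are padded with spaces to the three-character minimum, which is how the
    page says short names should be entered (first character plus two spaces,
    or first two characters plus one space). Terms containing forbidden
    characters, or empty terms, raise ValueError.
    """
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    bad = invalid_name_chars(term)
    if bad:
        raise ValueError(f"member names cannot contain: {' '.join(bad)}")
    if len(term) >= MIN_SEARCH_LEN:
        return term
    # Pad short names with spaces so the search meets the minimum length.
    return term.ljust(MIN_SEARCH_LEN)


if __name__ == "__main__":
    # Constructed sample names, not real directory entries.
    for sample in ("it-admins", "ab", "a"):
        print(repr(sample), "->", repr(normalize_member_search(sample)))
```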

Edit personal privileged account settings

At any time, you can edit the personal privileged accounts settings. The following can be edited:

  • Platform type. Keep in mind that the user cannot edit the platform type. For example, if your end user is a Windows admin and the platform type is now Linux, the user cannot add new Windows accounts.

    Any accounts that the end user added before you updated the settings are not affected by the change.

  • Members. Add or remove users, groups or roles.

  • CPM. The new CPM will apply to an end user that is creating a personal privileged account for the relevant platform for the first time.

    Any user who previously created a personal privileged account for that platform is linked to the personal Safe that was created for his accounts. Therefore, he remains linked to the previous CPM for all subsequent personal privileged accounts that he creates, regardless of the new CPM defined for the platform.

Roles and permissions

This section describes the roles and permissions that are involved in managing personal privileged accounts and their associated Safe.


The following table lists the roles used to create personal privileged accounts and view and audit the Safe.

  Role name   | Description
  ------------|------------------------------------------------------------------------------------------------
              | Creates the personal privileged account Safe for the end user. You can view and audit the Safe.
  PPAUsers    | Members of this role can create personal privileged accounts.

Privilege Cloud admin permissions

The following table lists the permissions that Privilege Cloud administrators have on the dedicated Safe.

Permissions are given even if they do not appear in the Privilege Cloud Portal list.

  • Safe Management

      • Manage safe properties

      • View safe members

  • List accounts

End user permissions

The following table lists the permissions that the end users have on the dedicated Safe.

  • Use accounts

  • Retrieve accounts

  • List accounts

  • Account Management

      • Add accounts

      • Update password value

      • Update password properties

      • Initiate CPM password management operations

      • Specify next password value

      • Rename accounts

      • Delete accounts

      • Unlock accounts

  • View audit log

  • View safe members

  • Access safe without confirmation

Considerations when working with personal privileged accounts

Non-compatible account management features

Personal privileged accounts do not support workflows such as dual control and exclusive accounts.

Event Notification Engine behavior

The Event Notification Engine (ENE) displays regular account notifications, and has not been adjusted for unique personal privileged account notifications.

PSM-only access cannot be applied

End users of personal privileged accounts are assigned the Retrieve accounts permission by default. As a result, PSM-only access is not applied.