Configure remote access for vendors

This topic describes how to configure remote access for vendors who require access to your organization's assets.


You can implement remote access for vendors (non-employees) to Privilege Cloud by integrating with CyberArk Remote Access.

CyberArk Remote Access is a SaaS product that enables vendors with Just in Time (JIT) access to your internal assets without the need for a VPN, agents, or passwords. To learn about Remote Access and how it works, see Introduction to CyberArk Remote Access and CyberArk Remote Access main concepts.

After you integrate with Remote Access, you can invite vendors to register to Remote Access and connect to Privilege Cloud remotely. To learn about the end-user experience of connecting to Privilege Cloud using Remote Access, see Connect from remote using Remote Access.


This feature is subscription-based and must be purchased separately.

Before you begin

Before you begin, review the following requirements:

  • Remote access for vendors relies on the same infrastructure as remote access for employees. If you have already configured remote access for employees, skip this step. If not, follow the instructions in Configure remote access for employees.

  • Users need an iOS or Android device with an active phone number.


    Minimum version


    Version 10


    v6.0, with biometric security feature and Google Services Framework.

    On devices that support both facial and fingerprint capabilities, make sure that the fingerprinting option is enabled.

Configuration workflow


You need the assistance of CyberArk support to configure remote access for vendors.

  1. Contact CyberArk support and ask them to configure remote access for vendors.

  2. Download the CyberArk Mobile app to your smart phone and register. For details, see Mobile App.
  3. After CyberArk support begins the process of enabling remote access for vendors, you will receive a verification email. Scan the barcode provided in the email using the CyberArk Mobile app in order to complete the integration.

  4. After the integration is complete, you can Invite vendors to register to Remote Access.

Invite vendors to register to Remote Access

Invite vendors to register to Remote Access and connect to Privilege Cloud remotely. For details, see Invite vendors.

You can also send vendors a self-service link, in which they fill in their information themselves. For details, see Enable and manage self-service requests.

Manage vendor groups in Remote Access

When you invite a vendor you are prompted to assign the vendor to a group. You can create groups before or during the invitation process. For details, see Create vendor groups. Groups that you create in Remote Access are automatically created in Privilege Cloud. After you create a group, you need to add it as a Safe member in Privilege Cloud, as described in Configure remote access for vendors.

Add vendor groups as Safe members in Privilege Cloud

All Remote Access groups are automatically defined within Privilege Cloud. After the invited vendors are assigned to a group in Remote Access, you must make sure to assign each group to the accounts for which they should have access permissions.

To this end, in Privilege Cloud select the Safe which handles the relevant accounts, and add the group to which the vendor belongs as a member to that Safe. Groups are added to Safes so that users that are member s of these groups receive access to the Safe's related targets for an allotted time frame. When the access window expires, the users belonging to the assigned group are deprovisioned.

For details on adding groups as Safe members, see Add Safe members.

Add tenant admins in Remote Access

Users created in Remote Access are automatically created in Privilege Cloud as CyberArk users. To delegate vendor management responsibilities to your colleagues, create additional tenant admins (users). For details on adding tenant admins in Remote Access, see Manage users.

To learn more about CyberArk users, see Add and manage users.