Add and manage users

This section describes how users and groups are provisioned and managed in Privilege Cloud.

Privilege Cloud users and licenses

Privilege Cloud includes built-in and predefined users for different administrative purposes. These user types define the functions of your organization’s users within Privilege Cloud.

User type


CyberArk-defined users

  • Built-in users. Default set of admin and application users for internal tasks or integration with CyberArk services. See Privilege Cloud built-in users.

Customer-defined users

Customer users defined for administrative purposes or as end-users.

User provisioning modes in Privilege Cloud

Privilege Cloud users can be provisioned in two ways:

  • Automatically, through LDAP integration. These users are called LDAP users.
  • Manually, in Privilege Cloud. These users are called CyberArk users.

The following table describes the differences between the two modes of provisioning.



LDAP user

A user's account is created when:

  • The user first logs on to the Privilege Cloud Portal
  • The user is added as a safe member

  • The user becomes a group member

The user account is created with the user details, such as full name and email address. The permissions that the user is granted in Privilege Cloud, depend on the user's group memberships in LDAP and the directory mappings defined in the integration process. For details, LDAP integration.

LDAP users cannot be modified from within the Privilege Cloud Portal, only from the LDAP directory.

CyberArk user

If you did not configure LDAP integration or if you want to manage users separately, you can create users manually in Privilege Cloud.

If you intend to group users, we recommend that you first Create groups and then Create CyberArk users.

Both LDAP and CyberArk users are displayed in the User ProvisioningUsers page in Privilege Cloud Portal. The provisioning mode is indicated by an icon. Hover over the user icon to see how they were provisioned.

After users and groups are provisioned in Privilege Cloud, you can add them as safe members in order to give them access to privilege accounts. For details, see Add Safe members.

Map LDAP groups to user licenses

In your Privilege Cloud system you may have different types of licenses: EPVUser, BasicUser, or EPVUserLite licenses.

You may have expanded your initial system package to include new user license types.

For the most efficient use of these licenses:

  • Create separate Active Directory groups in your Active Directory for user type and license.

  • To map each of these user groups to the appropriate CyberArk user license, contact CyberArk Support.

Create groups

A group is a collection of users. You can use groups to organize users in any way you want. For example, according to the departments in your organization.

You can assign a group to be a safe member. This means that all the users in that group will share the same permissions on that safe. For details, see Add Safe members.


Roles are assigned to users and not to groups, so groups do not necessarily share roles.

To create a group:

  1. In the Privilege Cloud Portal, click User Provisioning, and then click Groups.
  2. On the Groups page, click Create Group.
  3. On the General Properties page, enter the group name and a description, and then click Create.

Create CyberArk users

Create a new user using the Create CyberArk User wizard.

To create a user:

  1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
  2. On the Users page, click Create CyberArk User.
  3. Follow the instructions in the wizard.

    Wizard page


    Define general properties

    • Enter a unique user name (without spaces).
    • Select a user role to assign a default set of permissions. For details, see Roles.

    Add personal details

    Enter the user's personal information.

    Select authentication method

    Both LDAP and CyberArk users can authenticate using either internal or external authentication.


    The user is authenticated using CyberArk authentication.

    • Enter a password that matches your organization's required format.
    • User must change password at next logon. Users are prompted to change their password when they first log on to Privilege Cloud Portal.
    • Password expiration. To enforce password change, select Every 30 days. In any case, users can change their password regulary.


    The user is authenticated using an external authentication method that is configured in Privilege Cloud.

    Depending on the authentication method used, enter the user's distinguished name.

    Assign to groups

    Select the groups to which you want to add the user. For details on groups, see Create groups.


    Review the user information and click Create.

Manage users

You can Perform the following actions on users:

Activate a suspended user

LDAP or CyberArk users who try to log on to Privilege Cloud Portal with the wrong password, are automatically suspended (locked) after a number of attempts.

You cannot suspend a user manually, but you can disable a user. For details, see Disable/enable a user.


LDAP users must first be activated in the LDAP directory before they can be activated in the Privilege Cloud Portal.

To activate a user:

  1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
  2. On the Users page, click the user, and in the user details pane, click Activate.

Disable/enable a user

Disabled users cannot log on to the Privilege Cloud Portal or work with Privilege Cloud. You can disable/enable a user manually from the Privilege Cloud Portal.

To disable/Enable a user:

  1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
  2. On the Users page, locate the user from the list, click the menu button, and then click Disable/Enable.


Each user is assigned a role that automatically assigns a set of predefined permissions for the user in Privilege Cloud.

When you create a CyberArk from the Privilege Cloud Portal, you can select any of the built-in roles.

If the user has a set of permissions that are different from the built-in roles, his role will be a custom role. For example, this can happen for LDAP users.

See alsoCreate Safes and assign access