Add and manage users

This section describes how users and groups are provisioned and managed in Privilege Cloud.

Privilege Cloud users and licenses

Privilege Cloud includes built-in and predefined users for different administrative purposes. These user types define the functions of your organization’s users within Privilege Cloud.

User type	Description
CyberArk-defined users	Built-in users. Default set of admin and application users for internal tasks or integration with CyberArk services. See Privilege Cloud built-in users. Predefined users and groups. Default set of user and group roles automatically setup per Safe. See Predefined users and groups for Privilege Cloud Standard.
Customer-defined users	Customer users defined for administrative purposes or as end-users.

User provisioning modes in Privilege Cloud

Privilege Cloud users can be provisioned in two ways:

• Automatically, through LDAP integration. These users are called LDAP users.
• Manually, in Privilege Cloud. These users are called CyberArk users.

The following table describes the differences between the two modes of provisioning.

Category	Description
LDAP user	A user's account is created when: The user first logs on to the Privilege Cloud Portal The user is added as a safe member The user becomes a group member The user account is created with the user details, such as full name and email address. The permissions that the user is granted in Privilege Cloud, depend on the user's group memberships in LDAP and the directory mappings defined in the integration process. For details, LDAP integration. LDAP users cannot be modified from within the Privilege Cloud Portal, only from the LDAP directory.
CyberArk user	If you did not configure LDAP integration or if you want to manage users separately, you can create users manually in Privilege Cloud. If you intend to group users, we recommend that you first Create groups and then Create CyberArk users.

Both LDAP and CyberArk users are displayed in the User Provisioning > Users page in Privilege Cloud Portal. The provisioning mode is indicated by an icon. Hover over the user icon to see how they were provisioned.

After users and groups are provisioned in Privilege Cloud, you can add them as safe members in order to give them access to privilege accounts. For details, see Add Safe members.

Create groups

A group is a collection of users. You can use groups to organize users in any way you want. For example, according to the departments in your organization.

You can assign a group to be a safe member. This means that all the users in that group will share the same permissions on that safe. For details, see Add Safe members.

Roles are assigned to users and not to groups, so groups do not necessarily share roles.

To create a group:

1. In the Privilege Cloud Portal, click User Provisioning, and then click Groups.
2. On the Groups page, click Create Group.
3. On the General Properties page, enter the group name and a description, and then click Create.

Create CyberArk users

Create a new user using the Create CyberArk User wizard.

To create a user:

1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
2. On the Users page, click Create CyberArk User.

3. Follow the instructions in the wizard.

   

   Wizard page	Instructions
   Define general properties	Enter a unique user name (without spaces). Select a user role to assign a default set of permissions. For details, see Roles.
   Add personal details	Enter the user's personal information.
   Select authentication method	Both LDAP and CyberArk users can authenticate using either internal or external authentication. Internal The user is authenticated using CyberArk authentication. Enter a password that matches your organization's required format. User must change password at next logon. Users are prompted to change their password when they first log on to Privilege Cloud Portal. Password expiration. To enforce password change, select Every 30 days. In any case, users can change their password regulary. External The user is authenticated using an external authentication method that is configured in Privilege Cloud. Depending on the authentication method used, enter the user's distinguished name.
   Assign to groups	Select the groups to which you want to add the user. For details on groups, see Create groups.
   Summary	Review the user information and click Create.

Manage users

You can Perform the following actions on users:

• Search (according to username, first name, and last name)

• Delete

• Edit

• Activate

• Disable/Enable

Activate a suspended user

LDAP or CyberArk users who try to log on to Privilege Cloud Portal with the wrong password, are automatically suspended (locked) after a number of attempts.

You cannot suspend a user manually, but you can disable a user. For details, see Disable/enable a user.

LDAP users must first be activated in the LDAP directory before they can be activated in the Privilege Cloud Portal.

To activate a user:

1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
2. On the Users page, click the user, and in the user details pane, click Activate.

Disable/enable a user

Disabled users cannot log on to the Privilege Cloud Portal or work with Privilege Cloud. You can disable/enable a user manually from the Privilege Cloud Portal.

To disable/Enable a user:

1. In the Privilege Cloud Portal, click User Provisioning, and then click Users.
2. On the Users page, locate the user from the list, click the menu button, and then click Disable/Enable.

Roles

Each user is assigned a role that automatically assigns a set of predefined permissions for the user in Privilege Cloud.

When you create a CyberArk from the Privilege Cloud Portal, you can select any of the built-in roles.

If the user has a set of permissions that are different from the built-in roles, his role will be a custom role. For example, this can happen for LDAP users.

See also: Create Safes and assign access