Authorize Users with Role-Based Access Control

This topic describes how to create Roles in the Identity Administration portal to authorize access to features.

Roles are collections of objects (Users, Groups, or other Roles) used to authorize access to applications and features, provision users, apply authentication rules, and deploy policy settings. CyberArk Identity includes predefined Roles to control access to some features and services. You can create additional Roles if the predefined Roles do not provide enough control.

There are two types of Roles.

Role type Description


Static Roles require you to manually add objects as Role members. Role membership is not re-evaluated unless you add a member.

All pre-defined Roles are static Roles.


Dynamic Roles automatically add members based on custom logic that identifies the attributes of the objects that you want to include in the Role. For example, you could create a Role with custom logic to assign all users from a specified country.

Dynamic Roles requires proficiency with JavaScript.

Dynamic Roles cannot be used for inbound or outbound provisioning.

Users can be a member of multiple Roles. The following diagram illustrates the implications of a user who is a member of more than one Role.

The diagram illustrates the following behavior.

  • Mary belongs to Roles A and B so she has access to all 5 applications (Slack, ADP, Salseforce, Gmail, and Office 365.
  • Mary’s inherited mobile device policies depend on the prioritization of the policies. See Apply hierarchical policy sets .
  • All members of the Active Directory group 1 have access to Gmail and Office 365.

Changes that impact the assigned applications or Administrative Rights take effect when the user next logs in to the Identity User Portal or enrolled device. You can push the changes to the users for immediate update by selecting the role members on the Users page and sending the Reload command.

If you plan to delegate administrative activity to other users, create the Roles with appropriate Administrative Rights before you add users to the service. For example, you can create a role that limits the administrator to managing applications and application-to-roles assignments only. In this role, the administrators can perform all the functions on the Apps page and read-only access to the Users and Roles pages. Similarly, you can create administrative roles with just device, user, and report management permissions.

If you plan to create CyberArk Cloud Directory users in bulk, create Roles first so you can assign each user to an existing Role.

Before you begin

You must be a member of the System Administrator Role or a Role with the Role Management administrative right to create Roles and assign users to Roles.

Create Roles in the Identity Administration portal

To create a CyberArk Identity Role

  1. Go to Core Services > Roles, then click Add Role.

  2. On the Description tab, complete the available fields and options.

    Field Description


    Enter a unique name for the role.


    Enter a description for the role's purpose.


    Select an organization from the drop-down menu. Refer to Manage organizations with delegated administrators for more information about Organizations.

    Role Type

    Select a role type.

    Static roles require you to manually add members. Dynamic roles evaluate membership based on object attributes. You can create this logic with JavaScript.

  3. Click Members, then add members to the role.

    The steps to add members to a role are different depending on the type of role.

    Click Add to add members to the role.

    You can add CyberArk Cloud Directory users and external directory service users.

    1. Enter JavaScript in the Custom Logic box to add objects to the role based on attribute values, then click Save.

      You can use attributes from either AD or CyberArk Cloud Directory. Examples of attributes that you could use include co, Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or Country attribute (CyberArk Cloud Directory).

      The following example shows the sample script that checks for the country code stored for a user.

      if(User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              if( == 'Aruba') {
                  return true;
          } catch (error) {
      		trace('property: co not found');
      } else if(User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if(User.Properties.Properties['country_'] == 'Aruba') {
                  return true;
          } catch (error) {
      		trace('additional attribute: Country not found');
      return false;
    2. Click Test User, then search for the user that you want to add to the role and click Next.

      A window displays indicating whether or not the user would be a member based on your custom logic.

  4. Click Administrative Rights, then add appropriate administrative rights.

    Refer to Identity Administration portal administrative rights for a description of available administrative rights.

  5. Click Assigned Applications, then assign applications to role members.

    Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

  6. Click Save to finish creating the role.