Manage Organizations with Delegated Administrators

This topic describes how to create Organizations with Delegated Administrators, manage Organizations as a Delegated Administrator, and assign user accounts to an Organization.

In the Organizations page in the CyberArk Identity Admin Portal, you can delegate administrator tasks for a group of users assigned to an Organization, without allowing the administrator access to the entire user base in the Admin Portal. Users with the System Administrator role (global system administrator) can create Organizations and then assign a Delegated Administrator to manage the group.

For example, you can create multiple Organizations that represent different regions within your company and assign an administrator to each Organization to manage certain tasks for that group. Additionally, the Delegated Administrator of an Organization can create roles within the Organization to handle specific tasks, such as MFA unlock. A user in a role with the MFA Unlock administrative right can then perform MFA unlock tasks for other users within the Organization. This lets you separate administrative duties so that no single administrator has control over every management task.

The following illustrates the hierarchy for Organizations:

Admin type Description
Global System Administrator

The global system administrator has read/write access to all resources in the Admin Portal and specifically performs the following tasks for the Organization:

  • Creates Organizations

  • Assigns users to Organizations

  • Assigns administrator(s) to the Organization

  • Assigns roles to the Organization

  • Manages all the Admin Portal resources shared with Organizations

Also refer to System administrator role permissions.

Delegated Administrator

Delegated Administrators can only manage one Organization; they cannot be assigned to multiple Organizations. However, you can assign multiple administrators to an Organization. Delegated Administrators manage users and roles assigned to the Organization and can specifically perform the following tasks:

  • Create, edit, and delete users assigned to the Organization

  • Create, edit, and delete roles assigned to the Organization

  • Manage workflow requests for applications (the Delegated Administrator needs to be configured as an approver for the application)

Delegated Administrators have limited access to the Admin Portal pages, and only have access to the resources the global system administrator assigns to them. The following Admin Portal pages are not available to the Delegated Administrator: Dashboards, Policies, Organizations, Endpoints, Downloads, and Settings. Reports are available only in the Organization view, filtered to the Organization's resources (see Run reports filtered by resources in the Organization).

You can also enable the Manage permission in the CyberArk Identity Admin Portal Application Permissions page to delegate the management of specific applications to other users or roles (see Delegate application management).

Set up an Organization and assign an administrator

The global system administrator sets up Organizations, assigns members and roles to the Organization, and delegates an administrator to manage the Organization.

The global system administrator can also remove members, administrators, and roles from the Organization. Those resources, once removed from the Organization, are still available in the Admin Portal.

To set up an Organization and assign an administrator

  1. Sign in to the Admin Portal with an account that has the System Administrator role.
  2. Go to Core Services > Organizations > Add Organization.

  3. Add a name for the Organization and optionally a description.
  4. Click Administrator and then click Add to display the Add Members dialog box.
  5. Start typing the name of the user you want to add as the Delegated Administrator of the Organization and once displayed, click Add.

    Members (administrators and users) can only be added to one Organization. If a user or administrator is already part of an Organization and you select that user or administrator a second time in the Add Members search query, the user is moved to the new Organization.
  6. Click Member and then click Add to display the Add Members dialog box.

  7. Start typing the user name or Active Directory/LDAP group name to search for the members you want to add, select them, and then click Add.

    Additional ways to add members to an Organization include the following:

    • Import users into the Organization in bulk using Bulk Organization Update (see Bulk Organization update for more information).

    • Select multiple users from the Users page. In the Admin Portal Users page, select users, click Actions > Add to Organizations, and then select an Organization from the drop-down list. Organizations must already be created.

    • Select an individual user from the Admin Portal > Core Services > Users page and then select an Organization from the drop-down list in the Account page.

  8. Click Save once you have added the members to the Organization.

Assign roles to the Organization

The following procedure describes adding roles from the Organization > Roles page. You can also assign roles to an Organization from the drop-down in the Admin Portal > Roles page.

Roles can only be assigned to one Organization. You can change the Organization role assignment from the drop-down menu on the Roles page in the Admin Portal.

  1. Sign in to the Admin Portal with an account that has the System Administrator role.

    You can create new roles or add existing roles to the Organization. To create a new role, see Authorize Users with Role-Based Access Control.

  2. Click Core Services > Organizations and then select the Organization where you want to add a role.
  3. Click Role and then click Add to display the Add Members dialog box.
  4. Start typing the name of the role you want to add to the Organization and once displayed, click Add.

    Once added, the role is assigned to the Organization; members of that role who are not already members of the Organization are not added and remain outside the Organization.

  5. Click Save once you have added the roles to the Organization.

    Any applications assigned to the role are then assigned to the users in that role. The Delegated Administrator can access the applications in the Web Apps page.

Delete an administrator, members, or roles from an Organization

The following procedure describes how to delete an administrator, members, or roles from an Organization.

  1. Sign in to the Admin Portal with an account that has the System Administrator role.
  2. Click Core Services > Organizations and then select the Organization you want to edit.
  3. Select one of the following pages: Administrator, Member, Roles.
  4. Select the resources you want to delete.
  5. Click Delete from the Actions drop-down menu.

To delete an Organization, you must first delete all the resources (administrators, members, and roles) associated with it. Once those are deleted, you can delete the Organization from the Actions drop-down menu.

Assign user accounts to an Organization in bulk

As the global system administrator, you can use an Excel spreadsheet or CSV file to assign user accounts to Organizations, and assign a Delegated Administrator to that Organization in bulk. The user account file can contain up to 10,000 accounts.

Make sure to run the Bulk Organization Update after you have created Organizations in the Admin Portal and assigned the roles.

To create the file, use the CSV file template provided in Organizations > Bulk Organization Update, or create the file from scratch. Ensure that your file includes the following data and includes a header using the default field terminology shown below:

Default Fields Rules

Login Name

Enter the full user name, including the login suffix in the form
<login name>@<loginsuffix>

The login suffix must exist already.

Organization Unit

Enter the name of the Organization. The user account is then added to that Organization.

OU Admin

Enter True or False.

  • True—User account is delegated as the administrator of the Organization.

  • False—User account is a member of the Organization.

Email Address

Enter the email address associated with the login name. You can specify only one email address. The email address must be a valid format. Plain text strings, such as N/A or unavailable, are rejected.
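As an added example (not CyberArk code and not part of the original page), the following Python script checks a Bulk Organization Update file against the rules above before it is uploaded, so that a bad row is caught before the portal's 15-record preview, which only shows the top of the file. The column names are those listed above; the set of existing login suffixes and Organizations, the email-format regular expression, and the sample rows are assumptions constructed for the example. The duplicate-login check is the script's own addition: the page states that a member belongs to exactly one Organization but does not say how the bulk update resolves two rows for the same account, so such rows are flagged for review.

```python
"""Pre-upload checks for a CyberArk Identity Bulk Organization Update CSV.

Added example, not CyberArk code. Column names follow the field list on this
page; confirm them against the template downloaded from
Organizations > Bulk Organization Update before relying on them.
"""
import csv
import io
import re
from collections import defaultdict

REQUIRED_COLUMNS = ["Login Name", "Organization Unit", "OU Admin", "Email Address"]
MAX_ROWS = 10_000  # documented limit for the user account file

# Format check only (assumption): something@something.tld. Rejects "N/A" etc.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_bulk_org_csv(text, known_suffixes, known_orgs):
    """Return a list of (row_number, message) problems. Empty list means the file passed.

    known_suffixes: login suffixes that already exist in the tenant (assumed input).
    known_orgs:     Organizations already created in the Admin Portal (assumed input).
    Row numbers count the header as row 1, matching what a spreadsheet shows.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing header column(s): " + ", ".join(missing))]

    suffixes = {s.lower() for s in known_suffixes}
    seen_rows = defaultdict(list)  # login name -> rows it appears in
    count = 0
    for n, row in enumerate(reader, start=2):
        count += 1
        login = (row.get("Login Name") or "").strip()
        org = (row.get("Organization Unit") or "").strip()
        admin = (row.get("OU Admin") or "").strip()
        email = (row.get("Email Address") or "").strip()

        # Login Name must be <login name>@<loginsuffix> and the suffix must exist.
        if "@" not in login:
            problems.append((n, "Login Name must be in the form <login name>@<loginsuffix>"))
        else:
            suffix = login.rsplit("@", 1)[1]
            if suffix.lower() not in suffixes:
                problems.append((n, "login suffix '%s' does not exist" % suffix))

        # The Organization must already have been created in the Admin Portal.
        if org not in known_orgs:
            problems.append((n, "Organization '%s' has not been created" % org))

        # OU Admin is True (Delegated Administrator) or False (member).
        if admin.lower() not in ("true", "false"):
            problems.append((n, "OU Admin must be True or False"))

        # One syntactically valid email address; plain strings are rejected.
        if not EMAIL_RE.match(email):
            problems.append((n, "Email Address '%s' is not a valid address" % email))

        seen_rows[login.lower()].append(n)

    if count > MAX_ROWS:
        problems.append((1, "%d accounts exceeds the %d-account limit" % (count, MAX_ROWS)))

    # A member belongs to exactly one Organization; conflicting rows need a decision.
    for login, rows in seen_rows.items():
        if len(rows) > 1:
            problems.append((rows[-1], "'%s' appears in rows %s" % (login, rows)))
    return problems


# Constructed sample file: rows 2 and 3 are valid, rows 4 to 6 each break a rule.
SAMPLE_CSV = """Login Name,Organization Unit,OU Admin,Email Address
alice@example.com,EMEA,True,alice@example.com
bob@example.com,EMEA,False,bob@example.com
carol@example.com,APAC,False,N/A
dave@nosuch.example,EMEA,False,dave@example.com
bob@example.com,APAC,maybe,bob@example.com
"""


def sample_problems():
    """Run the check over the constructed sample with assumed tenant data."""
    return validate_bulk_org_csv(SAMPLE_CSV, {"example.com"}, {"EMEA", "APAC"})


if __name__ == "__main__":
    for row, msg in sample_problems():
        print("row %d: %s" % (row, msg))
```

Run the check over the file contents and only upload when the returned list is empty. The script checks format and references only; CyberArk Identity still validates the file on upload, and an OU Admin of True for a user already assigned elsewhere moves that user, as described for the Add Members dialog above.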

To update user accounts using the Bulk Organization Update file

The following procedure assumes you have already created the Excel or CSV file with the data listed above. You can download the template provided from the Admin Portal > Organizations > Bulk Organization Update.

  1. Log in to the Admin Portal with an account that has the System Administrator role.
  2. Click Organizations > Bulk Organization Update > Browse.

  3. Navigate to the file populated with user accounts and Organization assignments.
  4. Click Open > Next.

    The first 15 records are displayed. Use this display to ensure you have formatted the entries correctly.

  5. Click Confirm to complete the update.

After the update is complete, CyberArk Identity sends an email message indicating the update is complete.

Manage Organizations as a Delegated Administrator

Once assigned as the administrator for an Organization, you can perform the following tasks within the Organization:

  • Create CyberArk Identity directory service users

  • Create roles

  • Edit users and roles

  • Remove users and roles

  • Manage applications and approve application requests

Create a new directory service user in the Organization

  1. Sign in to the Admin Portal with your Delegated Administrator account.

  2. Click Users and then click Add User.

  3. Enter the relevant user information as described in Create individual directory service users.

    The Organization field is already configured with the Organization name.

  4. Click Create User.

To edit the user settings, click Users and then click the specific user you want to edit.

Create a role in the Organization

  1. Sign in to the Admin Portal with your Delegated Administrator account.

  2. Click Roles and then click Add Role.

    The Organization field is already configured with the Organization name.

  3. Enter the relevant role information for the user access required as described in Authorize Users with Role-Based Access Control. The Delegated Administrator can create roles with the following Administrative Rights:

    • MFA Unlock

    • Role Management

    • User Management

    If additional Administrative Rights are required for a role, the Global Administrator can create a role outside of the Organization, and then assign that role to the Organization. See Assign roles to the Organization.
  4. Click Create Role.

To edit the role settings, click Roles and then click the specific role you want to edit.

Delete users in the Organization

If a CyberArk Identity directory service user is created inside an Organization by the Delegated Administrator, deleting that user from the Organization also deletes the user from the Admin Portal. For Active Directory/LDAP user accounts assigned to the Organization, deleting the account from the Admin Portal only removes the account from the Users page; the user can still sign in to CyberArk Identity with their directory credentials. To remove that access, disable the account in Active Directory Users and Computers.

  1. Sign in to the Admin Portal with your Delegated Administrator account.

  2. Click Users and then select the users you want to delete.
  3. Click Delete from the Actions drop-down menu.

Delete roles in the Organization

Deleting a role created inside an Organization deletes the role from the Admin Portal.

  1. Sign in to the Admin Portal with your Delegated Administrator account.

  2. Click Roles and then select the role you want to delete.
  3. Click Delete from the Actions drop-down menu.

Run reports filtered by resources in the Organization

Delegated Administrators can run reports from within the Organization; these reports are automatically filtered to the resources available in the Organization. When a Delegated Administrator creates a new report from within the Organization, the Data Dictionary is filtered to those resources in the same way. Built-in reports filtered by the available resources are also provided.

To access built-in reports, go to Core Services > Reports, then expand Built-in Reports and select the desired report.

The following built-in reports are available to Delegated Administrators:

  • Active Users

  • Connector Server Detail

  • Failed Logins

  • Failed Logins by Device Type

  • Failed Logins Map

  • Inactive Users

  • Logins by Country

  • Logins Map

  • MFA Events

  • MFA Failures

  • MFA Failures By Location

  • MFA Requests Denied by User

  • MFA Special Events

  • MFA User Summary

  • Top User Logins

  • Unique Logins by Device Type

  • User MFA Challenges Setup Status

  • Users Security Question State

Manage applications and application requests as a Delegated Administrator

As the Delegated Administrator for an Organization, you can manage applications assigned to the Organization, and create application management roles to assign to other users within the Organization.

Applications are assigned to the Organization in the following ways:

  • Global system administrator assigns a role with assigned applications to the Organization

  • Global application administrator (in a role with the Application Management right) or the delegated application administrator (has the Manage permission for an application) assigns the application to users in the Organization

Accessible applications are visible to users within the Organization from the Admin Portal Web Apps and Mobile Apps pages.

The Requests page in the Organization view of the Admin Portal includes a list of application requests and their status. The Delegated Administrator or any user in the Organization can approve user requests to access applications assigned to the Organization as long as application workflow is enabled, and the user is configured as the approver. For more information, see Manage application access requests.