Restrict application access

Workforce Password Management (WPM) allows you to restrict user access to specific application domains and URLs by adding them to an exclusion list. For example, you can prevent users from accessing personal websites. After you restrict application access, users cannot perform the following actions:

  • Store or update application credentials in the CyberArk Privileged Access Manager - Self-Hosted vault or CyberArk Identity cloud.

  • Launch the application from the User Portal or Identity Browser Extension (IBE).

  • Launch admin-shared or user-shared applications.

  • Add the application to the User Portal from the Identity App Catalog or by using the IBE. Land&Catch is disabled for restricted applications. Accounts cannot be imported.

  • Share the application with other users.

  • Use IBE to complete a form in the application.

To add an application to the exclusion list:
  1. In the CyberArk Identity Admin Portal, go to Core Services > Policies.

  2. Open an existing policy or create a new one.

  3. Go to Application Policies > App Restrictions.

  4. In the Application URLs and Domains section, click Add.

  5. In the dialog box, specify the restricted URL or domain.

    For example: https://www.example.com/login or example.com. You can use the asterisk (*) as a wildcard. For example: www.example.com/* or *.example.com.

    The Type field indicates if you entered a URL or Domain.

  6. Click Save.

    The restrictions become effective when you click Save and the application status becomes Active.

    In the User Portal, a red icon indicates which applications are restricted.
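Before entering wildcard entries in step 5, it helps to check which sample URLs a planned list would leave uncovered. The following is an added example, not CyberArk code: the function names are hypothetical, the URL/Domain classification rule is an assumption, and it assumes a strict reading in which * matches any run of characters and an entry covers only what it literally matches. The product may match more broadly, so confirm the result in the User Portal.

```python
import re
from urllib.parse import urlsplit

def entry_type(entry):
    # Assumed rule: a scheme or a path makes the entry a URL, otherwise a Domain.
    rest = entry.split("://", 1)[-1]
    return "URL" if "://" in entry or "/" in rest else "Domain"

def _matches(pattern, text):
    # '*' is the only wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def covers(entry, url):
    """True if the entry literally matches the full URL (scheme required in url)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if entry_type(entry) == "Domain":
        return _matches(entry, host)          # Domain entries compare to the host only
    target = host + (parts.path or "/")       # URL entries compare to host + path
    if "://" in entry:
        target = parts.scheme + "://" + target
    return _matches(entry, target)

def uncovered(entries, urls):
    """Sample URLs that no entry covers under the strict reading."""
    return [u for u in urls if not any(covers(e, u) for e in entries)]

if __name__ == "__main__":
    # Entries taken from the examples in step 5; sample URLs are constructed.
    planned = ["www.example.com/*", "*.example.com"]
    samples = [
        "https://www.example.com/login",
        "https://example.com/login",
        "https://mail.example.com/",
    ]
    for entry in planned:
        print(f"{entry:22} -> {entry_type(entry)}")
    print("Not covered:", uncovered(planned, samples))
```

Any URL reported as not covered is a candidate for an additional entry, such as the bare domain.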

To update an application in the list:
  1. You can perform the following actions on applications in the list:

    Action          Description
    Modify          Modify a URL or domain.
    Enable/Disable  Disabling changes the restriction status of the application from Active (restrictions are enforced) to Inactive (restrictions are not enforced). Disabled applications remain on the restricted list, but users can store credentials, launch, and share them. Enabling changes the status to Active.
    Delete          Delete the application from the restricted applications list.

    Select the checkbox next to the application. You can select multiple applications to perform a bulk operation for Enable/Disable and Delete.

  2. Click Actions, then select an action.

  3. Click Save.