CyberArk Identity Security Platform Shared Services user roles
This topic presents the service-specific roles that are available for each service on ISPSS.
Users can access a specific CyberArk service only if assigned a role with access permissions to that service. Built-in roles are available per service to define the access levels for each user in that service. Roles can be assigned to a group of users or to a single user.
Cloud Entitlements Manager
The following table describes the Cloud Entitlements Manager built-in roles.
Role | Description |
---|---|
CEMAdmin | Static role. Users can onboard and manage cloud environments, configure integrations, and delegate cloud workspaces. |
CEMUser | Static role. Users can view the dashboard and investigate all the available widgets (insights, findings, cloud identities, exposure, permissions, and recommendations). |
CEMAPIAdmin | Static role. Users can perform all available API operations including onboarding and delegating cloud workspaces. This role should only be assigned to tenant owners and administrators. |
CEMAPIUser | Static role. Users can perform API operations that don't require admin privileges. |
Secure Cloud Access
The following table describes the Secure Cloud Access built-in roles.
Role | Description |
---|---|
CS Admin | Static role. Users have full access permissions for the SCA service to manage all functionality, policies, access request settings, and integrations. |
SCA Admin | Dynamic role. Users have access permissions for the SCA service to manage policies and integrations. Policy and access request management (read only) may also be available based on workspace delegation. This role is assigned automatically when a user is assigned as a delegate to a workspace. |
SCAUserReadOnly | Static role. Users have read-only permissions for the SCA user interface to allow viewing policies, access request settings, and integrations. |
SCA ApiFullAccess | Static role. Users have full access permissions for SCA APIs. |
SCA ApiReadOnly | Static role. Users have read-only permissions for SCA APIs. |