Create SCA policies
This section describes how to create an SCA policy for each type of supported cloud workspace.
When SCA policies are implemented, users are assigned permissions to access cloud workspaces only when necessary, and not at any other time. Instead of granting always-on (or standing) access, you can grant access to a specific workspace during a specific time frame, and for a defined session length.
Wait for the discovery process to complete (the status of the workspace in CEM should be Connected) before creating your SCA policies.
Access policies view
The Access policies page contains a table where you can view all the SCA policies that exist for your cloud environment. You can filter the table according to cloud provider, policy type (pre-defined or on-demand), and the current status of the policy. You can also search for a specific policy using free text.
The access policy table includes the following information:
| Column | Description |
|---|---|
| Policy | Name of the policy, along with an icon that indicates the type (you can filter the table on policy type). |
| Status | Current status of the access policy: Active (currently active and providing the defined permissions for identities that match); Not started (defined with a start date in the future); Suspended (already started but isn't currently active because it was paused by an admin); Expired (isn't currently active because the end date has passed); Validating (has been defined and is being verified by SCA, so isn't yet available); Errors (was defined but failed the validation process). |
| Cloud provider | Cloud provider and workspace type. |
| Entitlements | Number of cloud roles or permission sets that match the policy definition. |
| Last updated on | Date and time that the policy was last modified. |
| Created by | Username of the identity that created the policy or approved the access request. If the policy type is on-demand, this table cell is empty. |
| Description | For pre-defined policies, the description the user added, if any. For on-demand policies, the request details appear in the format "<username> requested access to <cloud provider> on <dd Month yyyy>". For example, john.doe@somecompany.com requested on-demand elevated access to Google Cloud on 26 December 2022. |
Delegated workspaces
The cloud services administrator has full administrator privileges for all policies in the organization, meaning they can create, update, and delete policies as necessary.
When a workspace is delegated, the delegate is automatically assigned an SCA administrator role in CyberArk Identity that enables them to view and update policies for the workspaces they are assigned.
For more information about service roles in CyberArk Identity, see CyberArk Identity Security Platform Shared Services user roles.
If you want workspace delegation enabled, please contact your CyberArk representative.
If your organization uses workspace delegation to assign administrator permissions to workspaces, there may be identities that don't have permissions under some policies, or that only have permissions for some of the workspaces that match a policy. Additionally, identities may have varying levels of permissions (view or edit) under some policies, or in different workspaces that match a policy.
If you are a delegate, the Access policies table shows only those policies that you can view or edit. By default, you can see only policies that you can edit. To see all policies that give you at least partial or view permissions to workspaces, disable the Policies I can edit option above the table.
Delegates can only see the cloud roles that are attached to the workspaces they have permissions to view or edit.