Create SCA policies

This section describes how to create an SCA policy for each type of supported cloud workspace.

When SCA policies are implemented, users are assigned permissions to access cloud workspaces only when necessary, and not at any other time. Instead of granting always-on (or standing) access, you can grant access to a specific workspace during a specific time frame, and for a defined session length.

Wait for the discovery process to complete (the status of the workspace in CEM should be Connected) before creating your SCA policies.

Access policies view

The Access policies page contains a table where you can view all the SCA policies that exist for your cloud environment. You can filter the table according to cloud provider, policy type (pre-defined or on-demand), and the current status of the policy. You can also search for a specific policy using free text.

The access policy table includes the following information:

Access policy view




Name of the policy, along with an icon that indicates the type (you can filter the table on policy type):

  • Pre-defined policy - created manually by a user to address specific use cases

  • On-demand policy- created automatically by SCA upon approval of an access request, and is deleted when the access window of the requested session expires


Current status of the access policy:

Active - currently active and providing the defined permissions for identities that match

Not started - defined with a start date in the future

Suspended - already started but isn't currently active because it was paused by an admin

Expired - isn't currently active because the end date has passed

Validating - has been defined and is being verified by SCA, so isn't yet available

Errors - was defined but failed the validation process

Cloud provider

Cloud provider and workspace type


Number of cloud roles or permission sets that match the policy definition

Last updated on

Date and time that the policy was last modified

Created by

Username of the identity that created the policy or approved the access request.

If the policy type is on-demand, this table cell is empty.


For pre-defined policies, if the user added a description it appears here.

For on-demand policies, the request details appear in the format "<username> requested access to <cloud provider> on <dd Month yyyy>". For example, requested on-demand elevated access to Google Cloud on 26 December 2022.

Delegated workspaces

The cloud services administrator has full administrator privileges for all policies in the organization, meaning they can create, update, and delete policies as necessary.

When a workspace is delegated, the delegate is automatically assigned an SCA administrator role in CyberArk Identity that enables them to view and update policies for the workspaces they are assigned.

For more information about service roles in CyberArk Identity, see CyberArk Identity Security Platform Shared Services user roles.

If you want workspace delegation enabled, please contact your CyberArk representative.

If your organization uses workspace delegation to assign administrator permissions to workspaces, there may be identities that don't have permissions under some policies, or that only have permissions for some of the workspaces that match a policy. Additionally, identities may have varying levels of permissions (view or edit) under some policies, or in different workspaces that match a policy.

If you are a delegate, the Access policies table shows only those policies that you can view or edit. By default, you can see only policies that you can edit. To see all policies that give you at least partial or view permissions to workspaces, disable the Policies I can edit option above the table.

Delegates can only see the cloud roles that are attached to the workspaces they have permissions to view or edit.