Manage Secrets Hub users

This topic describes how to give users access to Secrets Hub.

You must be a CyberArk Identity Security Platform Shared Services (ISPSS) admin to perform this task.

Add a member to the Secrets Hub role

To give users access to Secrets Hub, you need to add them as members of the Secrets Manager - Secrets Hub Admin role.

Every member of this role can see all of the Safes that the SecretsHub user in PAM - Self-Hosted has access to. Restrict membership of the Secrets Manager - Secrets Hub Admin role to users who need it, and review the role's members periodically, including members inherited through nested roles and Active Directory/LDAP groups.

To add a member to the role
  1. Sign in to ISPSS, go to Identity Administration, and then click Roles.
  2. From the list of roles, click Secrets Manager - Secrets Hub Admin.

  3. Click Members, and then click Add.

  4. In the Add Members dialog box, start typing the user name, Active Directory/LDAP group name, or an existing role. If you are using an external IdP, search for the secretshub-admins group.

    • For CyberArk Cloud Directory users, you can also search by email domain suffix.

    • You can add a CyberArk Identity role as a member of another role. This is referred to as nesting a role. Members of the nested role receive all of the applications and rights assigned to the parent role. However, the applications and rights inherited from the parent are not displayed when you view the nested role. Rights and applications assigned directly to the nested role apply only to the nested role's members, not to members of the parent role.

      Additionally, if you are also using Active Directory/LDAP as an ID repository, a role can contain Active Directory/LDAP user accounts and groups.

    Entries matching the string you type are displayed.

  5. Select the check box associated with the user, group, or role you want to add, then click Add.

    You must select a universal or security group. Local or distribution groups are not supported.

    If you are using Active Directory/LDAP as an identity store, all of the matching user accounts and groups in the Users container that can be seen in the domain or forest are displayed.

    After you add an Active Directory/LDAP user or group to a role, the name is not shown on the Users page until the user logs in to the User Portal or enrolls a device.

  6. Save your changes.
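Because members of nested roles and directory groups inherit Secrets Hub access without appearing as direct members, a membership review has to flatten the role before comparing it with an approved list. The script below is an added example, not part of this page or of CyberArk's own tooling. The role and group data, the member-record shape (Name and Type fields), the e-mail addresses and the approved list are all constructed for the example; in practice you would populate them from the Roles page or from your directory.

```python
"""Audit the effective membership of the Secrets Manager - Secrets Hub Admin role.

Flattens nested roles and Active Directory/LDAP groups into a set of users,
records the inheritance path for each user, and flags anyone who is not on an
approved list. Added example with constructed data, not CyberArk code.
"""
from __future__ import annotations

ROLE_NAME = "Secrets Manager - Secrets Hub Admin"

# Constructed sample data (assumed shape, not an ISPSS export format):
# role name -> members, each with a Type of "User", "Group" or "Role".
ROLES: dict[str, list[dict[str, str]]] = {
    ROLE_NAME: [
        {"Name": "alice@example.com", "Type": "User"},
        {"Name": "secretshub-admins", "Type": "Group"},
        {"Name": "Platform Operators", "Type": "Role"},
    ],
    "Platform Operators": [
        {"Name": "bob@example.com", "Type": "User"},
        {"Name": "Tier-3 Support", "Type": "Role"},
    ],
    "Tier-3 Support": [
        {"Name": "mallory@example.com", "Type": "User"},
        {"Name": "Platform Operators", "Type": "Role"},  # deliberate cycle
    ],
}

# Constructed directory group expansion (would come from AD/LDAP).
GROUPS: dict[str, list[str]] = {
    "secretshub-admins": ["carol@example.com", "dave@example.com"],
}

# Constructed allowlist of users who are supposed to hold the role.
APPROVED = {
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com",
}

Path = tuple[str, ...]


def resolve_effective_members(role: str, roles=ROLES, groups=GROUPS) -> dict[str, list[Path]]:
    """Return {user: [inheritance paths]} for every user who effectively holds `role`.

    Nested roles are followed recursively (their members inherit the parent's
    rights), groups are expanded through `groups`, and role cycles are cut so
    the walk always terminates.
    """
    result: dict[str, list[Path]] = {}

    def walk(current: str, path: Path, seen: frozenset[str]) -> None:
        if current in seen:          # cycle: this role is already on the path
            return
        seen = seen | {current}
        for member in roles.get(current, []):
            kind, name = member["Type"], member["Name"]
            if kind == "User":
                result.setdefault(name, []).append(path)
            elif kind == "Group":
                for user in groups.get(name, []):
                    result.setdefault(user, []).append(path + (f"group:{name}",))
            elif kind == "Role":
                walk(name, path + (f"role:{name}",), seen)

    walk(role, (f"role:{role}",), frozenset())
    return result


def audit(role: str = ROLE_NAME, approved=APPROVED, roles=ROLES, groups=GROUPS):
    """Return (effective members, unexpected members, approved-but-absent users)."""
    effective = resolve_effective_members(role, roles, groups)
    unexpected = {u: p for u, p in effective.items() if u not in approved}
    stale = sorted(approved - set(effective))
    return effective, unexpected, stale


if __name__ == "__main__":
    effective, unexpected, stale = audit()
    for user, paths in sorted(effective.items()):
        for path in paths:
            print(f"{user:22} via {' -> '.join(path)}")
    for user, paths in unexpected.items():
        print(f"UNEXPECTED: {user} holds {ROLE_NAME} via {' -> '.join(paths[0])}")
    for user in stale:
        print(f"STALE: {user} is approved but no longer a member")
```

In the sample data, mallory@example.com never appears on the role's Members tab, yet holds Secrets Hub access through two levels of nesting; the audit reports the full path so you know which nested role to fix. The cycle between Platform Operators and Tier-3 Support is cut by the per-path `seen` set, so the walk terminates even on misconfigured role graphs.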

Remove members from the Secrets Hub role

When you remove users or Active Directory/LDAP groups from a role, any administrative rights or applications assigned to that role no longer apply to those users. For example, if you have assigned the Box application to a role named ABC, users removed from that role no longer have SSO access to Box.

  1. In the Identity Administration Portal, click Core Services > Roles.
  2. Click the Role.
  3. Click Members.
  4. Select the members you want to remove.

  5. From the Actions drop-down menu, click Delete.

  6. Save your changes.

Provision users in ISPSS

If you are working with PAM - Self-Hosted, your users may not be defined in CyberArk Identity Security Platform Shared Services (ISPSS).

To provision users in ISPSS, see Add users.