Manage Secrets Hub users
This topic describes how to give users access to Secrets Hub.
You must be a CyberArk Identity Security Platform Shared Services admin to perform this task.
To give users access to Secrets Hub, you need to add them as members of the Secrets Manager - Secrets Hub Admin role.
Users that have access to Secrets Hub can see all of the Safes that the SecretsHub user in Privilege Cloud has access to. Therefore, it’s important to ensure that only trusted users are members of the Secrets Manager - Secrets Hub Admin role.
If your CyberArk Identity Security Platform Shared Services integrates with an external Identity Provider (IdP), as described in Federate with an external IdP, then you need to map the admin group to the Secrets Hub admin group, so that you can later add it as a member of the Secrets Manager - Secrets Hub Admin role.
- In the Identity Administration Portal, click Settings > Users, and then, under Sources, click External Identity Providers.
- From the External Identity Providers list, select the relevant IdP, and then click Group Mappings.
- Create a group mapping between the admins group from the external IdP and a group named secretshub-admins.
- Sign in to ISPSS, go to Identity Administration, and then click Roles.
- From the list of roles, click Secrets Manager - Secrets Hub Admin.
- Click Members, and then click Add.
- In the Add Members dialog box, start typing the user name, Active Directory/LDAP group name, or an existing role. If you are using an external IdP, search for the secretshub-admins group.
  For CyberArk Cloud Directory users, you can also search by email domain suffix.
  You can add a CyberArk Identity role to an existing role. This is referred to as nesting a role. When you add a role to an existing role, the nested role members get all of the applications and rights assigned in the parent role. However, the applications and rights inherited from the parent are not displayed when you select the nested role. Only the nested role members have use of the rights and applications assigned to the nested role; the parent role members do not.
  Additionally, if you are also using Active Directory/LDAP as an ID repository, a role can contain Active Directory/LDAP user accounts and groups.
  Entries matching the string you type are displayed.
- Select the check box associated with the user, group, or role you want to add, and then click Add.
  You must select a universal or security group. Local or distribution groups are not supported.
  If you are using Active Directory/LDAP as an identity store, all of the matching user accounts and groups in the Users container that can be seen in the domain or forest are displayed.
  After you add an Active Directory/LDAP user or group to a role, the name is not shown on the Users page until the user logs in to the User Portal or enrolls a device.
- Save your changes.
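The nesting rule above (members of a nested role inherit the parent role's rights, but members of the parent do not inherit the nested role's rights) is easy to get backwards when you audit who can actually reach Secrets Hub. The following Python model is an added example, not CyberArk code or the CyberArk Identity API: it uses constructed role data (the role names other than Secrets Manager - Secrets Hub Admin and secretshub-admins, the right names, and the user names are assumptions) to compute each user's effective rights and to list everyone who ends up holding the Secrets Hub admin right through any level of nesting.

```python
from collections import deque

# Constructed sample data (assumption, not a real tenant). Each role has the
# rights assigned directly to it, its direct user members, and the roles that
# have been added to it as members (nested roles).
ROLES = {
    "Secrets Manager - Secrets Hub Admin": {
        "rights": {"SecretsHub:Admin"},
        "users": {"alice"},
        # The IdP-mapped group added as a member of the admin role.
        "nested_roles": {"secretshub-admins"},
    },
    "secretshub-admins": {
        # Hypothetical right assigned only to the nested role.
        "rights": {"Reports:View"},
        "users": {"bob"},
        "nested_roles": set(),
    },
    "Helpdesk": {
        "rights": {"Helpdesk:ResetPassword"},
        "users": {"carol"},
        "nested_roles": set(),
    },
}


def direct_roles(user, roles):
    """Roles that list the user as a direct member."""
    return {name for name, role in roles.items() if user in role["users"]}


def ancestor_roles(role_name, roles):
    """All roles that contain role_name as a nested member, transitively.

    Rights flow from parent to nested role, so a member of role_name
    effectively holds the rights of every ancestor. A visited set guards
    against accidental nesting cycles.
    """
    seen = set()
    queue = deque([role_name])
    while queue:
        current = queue.popleft()
        for name, role in roles.items():
            if current in role["nested_roles"] and name not in seen:
                seen.add(name)
                queue.append(name)
    return seen


def effective_rights(user, roles):
    """Rights the user holds directly plus those inherited from parent roles.

    Rights of roles nested *under* the user's roles are deliberately not
    included: parent members do not inherit the nested role's rights.
    """
    rights = set()
    for role_name in direct_roles(user, roles):
        rights |= roles[role_name]["rights"]
        for ancestor in ancestor_roles(role_name, roles):
            rights |= roles[ancestor]["rights"]
    return rights


def users_with_right(right, roles):
    """Audit helper: every user who effectively holds the given right."""
    all_users = set().union(*(role["users"] for role in roles.values()))
    return sorted(u for u in all_users if right in effective_rights(u, roles))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_rights(user, ROLES)))
    print("Secrets Hub admins:", users_with_right("SecretsHub:Admin", ROLES))
```

Running the audit helper against a periodic export of role membership is a practical way to check that the Secrets Manager - Secrets Hub Admin role has not quietly grown through a nested group, since the inherited right is not visible when you open the nested role itself.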
Remove members from the Secrets Hub role
When you remove users or Active Directory/LDAP groups from a role, any administrative rights or applications assigned to that role no longer apply to those users. For example, if you have assigned the Box application to role ABC, then users removed from that role no longer have SSO access to Box.
- In the Identity Administration Portal, click Core Services > Roles.
- Click the role.
- Click Members.
- Select the members you want to remove.
- From the Actions drop-down menu, click Delete.
- Save your changes.
Provision users in ISPSS
If you are working with Privilege Cloud, see Add users to provision users in ISPSS.