CyberArk Identity Security Platform Shared Services user roles

This topic presents the service-specific roles that are available for each service on ISPSS.

Users can access a specific CyberArk service only if assigned a role with access permissions to that service. Built-in roles are available per service to define the access levels for each user in that service. Roles can be assigned to a group of users or to a single user.

Privilege Cloud roles and user licenses

As part of your Privilege Cloud system, you may have purchased different types of user licenses, or you may have expanded your initial system package to include new user license types.

User license options:

  • Privileged Basic User

  • Privileged Standard Lite User

  • Privileged Standard User

  • Privileged External User

Each of these user license types is mapped to a Privilege Cloud role in Identity Administration. As a result, a role not only defines the user's permissions within Privilege Cloud, it also determines which user license that user consumes.

The role name reflects the license type that it consumes. If you purchased multiple license types, each role appears in multiple instances, where each instance reflects the user license that the role consumes. For example, the Privilege Cloud Administrators role consumes a Privileged Standard User license, while Privilege Cloud Administrators Basic consumes a Privileged Basic User license.

Note that the Privileged Basic User license does not permit PSM connections, regardless of role type. Therefore, any user assigned to a role that uses the Privileged Basic User license cannot perform PSM connections.

The Identity Administration roles display only the relevant licenses configured in your ISPSS tenant. The following image presents an example of possible role and license options.

Privilege Cloud built-in roles

The following table describes the Privilege Cloud built-in roles.

| Role | Description |
| --- | --- |
| Privilege Cloud Administrators | Administrators set up and manage Privilege Cloud. |
| Privilege Cloud Auditors | Auditors can access audits, reports, and session recordings. |
| Privilege Cloud Safe Managers | Safe managers can create and delete safes, and manage user permissions to access safes. |
| Privilege Cloud Users | Users can view and connect to their privileged accounts. |
| Privilege Cloud External Vendors | Vendors can view and connect to their privileged accounts through CyberArk's Remote Access service. When they are invited from the Remote Access service, they are automatically defined as users in the Identity Administration service and assigned to the Privilege Cloud External Vendors role. By default, vendors are assigned to this role and consume the Privileged External User license type. However, you can configure the system so that external vendors are assigned to the Privilege Cloud Users role instead, which consumes Privileged Standard User licenses. For details, see Change vendor license consumption. |
| Privilege Cloud Session Risk Managers | Session Risk Managers can access audits, reports, and session recordings, and can also terminate and suspend sessions. |

Conjur Cloud roles

The following table describes the Conjur Cloud built-in roles.

| Role | Description |
| --- | --- |
| Secrets Manager - Conjur Cloud Admin | Users are added to the Conjur Cloud admin user group in Conjur Cloud. |
| Secrets Manager - Conjur Cloud - User | Users are added to the Conjur Cloud standard user group in Conjur Cloud. |

Secrets Hub

The following table describes the Secrets Hub built-in roles.

| Role | Description |
| --- | --- |
| Secrets Manager - Secrets Hub Admin | Users can access Secrets Hub Admin, where they can manage secrets synced from Privilege Cloud to the target, AWS Secrets Manager. |

Cloud Entitlements Manager

The following table describes the Cloud Entitlements Manager built-in roles.

CEM built-in roles

| Role | Description |
| --- | --- |
| CEMAdmin | Static role. Users can onboard and manage cloud environments, configure integrations, and delegate cloud workspaces. |
| CEMUser | Static role. Users can view the dashboard and investigate all the available widgets (insights, findings, cloud identities, exposure, permissions, and recommendations). |
| CEMAPIAdmin | Static role. Users can perform all available API operations, including onboarding and delegating cloud workspaces. This role should only be assigned to tenant owners and administrators. |
| CEMAPIUser | Static role. Users can perform API operations that don't require admin privileges. |

Secure Cloud Access

The following table describes the Secure Cloud Access built-in roles.

SCA built-in roles

| Role | Description |
| --- | --- |
| CS Admin | Static role. Users have full access permissions for the SCA service to manage all functionality, policies, access request settings, and integrations. |
| SCA Admin | Dynamic role. Users have access permissions for the SCA service to manage policies and integrations. Policy and access request management (read only) may also be available based on workspace delegation. This role is assigned automatically when a user is assigned as a delegate to a workspace. |
| SCAUserReadOnly | Static role. Users have read-only permissions for the SCA user interface, allowing them to view policies, access request settings, and integrations. |
| SCA ApiFullAccess | Static role. Users have full access permissions for SCA APIs. |
| SCA ApiReadOnly | Static role. Users have read-only permissions for SCA APIs. |

Connector Management role

| Role | Description |
| --- | --- |
| Connector Management Admin | Users have permissions to the Connector Management service only. |

DPA roles

The following table describes the DPA built-in roles.

| Role | Description |
| --- | --- |
| DPAAdmin | Administrators set up and manage DPA. |
| DPA RDP Privilege Cloud Secrets Access | During DPA provisioning, users can retrieve strong accounts that are vaulted in Privilege Cloud. |
| DPA Users | Users can view the connection guidance page. |