Add system users and roles

This section covers all steps required to add and authenticate your users in Identity Administration and assign them the relevant permissions to access and use CyberArk shared services on ISPSS.

User types

There are two main types of users in ISPSS.

Interactive users

For end-user access to the User Portal and to any supported CyberArk service: any user who signs in to CyberArk to interact with a service portal (for example, the User Portal).

Interactive users are defined manually, or are imported from the following sources:

  • External directory based on your authentication solution:

    • On-prem authentication solution, such as Microsoft Active Directory, LDAP, or RADIUS.

    • Cloud-based authentication, such as Azure AD or Google Workspace.

  • External Identity Provider (IdP) that issues SAML tokens, to provide access to resources you want to share.

Service users

For non-interactive API access. A service user is dedicated to API and automation tasks: it has least-privilege permissions, is not assigned MFA policies, and cannot access Identity Administration.

To create a service user, see Custom OAuth2 Client, which also describes the client credentials the service user authenticates with.

To run API requests, see API Authentication for CyberArk Identity Security Platform Shared Services.
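The client-credentials exchange a service user performs when it calls the APIs, as an added example (not CyberArk's code, and not taken from this page). It assumes the Identity tenant's platform token endpoint is https://<subdomain>.id.cyberark.cloud/oauth2/platformtoken and that the service user's login name and secret are sent as the OAuth2 client_id and client_secret; confirm both against the API Authentication documentation before relying on them. The tenant subdomain, service user name and environment variable names are placeholders.

```python
"""Client-credentials token exchange for an ISPSS service user.

Added example, not CyberArk's own code. Assumptions not stated on this page:
  - the platform token endpoint is
    https://<subdomain>.id.cyberark.cloud/oauth2/platformtoken (assumed path)
  - client_id is the service user's login name, client_secret its secret
Confirm both against the API Authentication documentation.
"""
import json
import os
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional


def build_platform_token_request(subdomain: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for a client_credentials grant.

    The grant travels as a form-encoded POST body over HTTPS. Nothing here
    touches the network, so the request shape can be inspected and tested.
    """
    # Refuse anything that is not a single DNS label; the subdomain is the only
    # caller-controlled part of the URL and must not be able to redirect the
    # secret to another host.
    if not re.fullmatch(r"[a-z0-9-]+", subdomain):
        raise ValueError("tenant subdomain must be a single DNS label")
    url = f"https://{subdomain}.id.cyberark.cloud/oauth2/platformtoken"  # assumed path
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def parse_token_response(raw: bytes, now: Optional[float] = None) -> dict:
    """Validate a token response and attach an absolute expiry time.

    Rejects OAuth2 error objects and non-bearer tokens so that a failed
    exchange never turns into a garbage Authorization header downstream.
    """
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"token request failed: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("expected a Bearer token")
    expires_in = int(data.get("expires_in", 0))
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "expires_at": now + expires_in}


def _urllib_post(url: str, headers: dict, body: bytes) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def get_platform_token(subdomain: str, client_id: str, client_secret: str,
                       post: Optional[Callable[[str, dict, bytes], bytes]] = None) -> dict:
    """Run the exchange. `post(url, headers, body) -> bytes` is injectable so the
    flow can be exercised offline against a constructed response."""
    post = post or _urllib_post
    url, headers, body = build_platform_token_request(subdomain, client_id, client_secret)
    return parse_token_response(post(url, headers, body))


def bearer_header(token: dict, now: Optional[float] = None) -> dict:
    """Authorization header for subsequent API calls; refuses expired tokens
    instead of letting the API reject them one call at a time."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise ValueError("token expired; request a new one")
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    # Secrets come from the environment, never from source or the shell history.
    tok = get_platform_token(
        os.environ["ISPSS_SUBDOMAIN"],      # placeholder variable names
        os.environ["ISPSS_CLIENT_ID"],
        os.environ["ISPSS_CLIENT_SECRET"],
    )
    print("token obtained, valid for about",
          round(tok["expires_at"] - time.time()), "seconds")
```

Because the HTTP call is injectable, the request shape and the response checks can be exercised without a tenant; against a real tenant, export the three environment variables and run the script. Treat the returned token like a password: it carries the service user's permissions without any MFA step, which is exactly why the service user should hold only the least-privilege role the automation needs.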

Internal service users

ISPSS internal service users are for internal use only. They cannot be edited or deleted and may appear in SIEM, logs, user reports, and audit events.

User roles

Roles determine which service the assigned users can access and the set of permissions that they have in that specific service.

After users are provisioned on CyberArk Identity Security Platform Shared Services, either from external directories or manually, the users, or groups, must be assigned to at least one role.

After assigning roles to users, you can invite them to sign in to ISPSS and access the specific service.

To learn about supported roles per service, see CyberArk Identity Security Platform Shared Services user roles.

User provisioning workflow

The following workflow illustrates the steps required to add and authenticate your users, then authorize them to securely access the relevant services.

Prepare for deployment

  1. Receive the CyberArk Welcome email to the CyberArk Identity Security Platform Shared Services portal. The email contains a link to your CyberArk Identity Security Platform Shared Services cloud tenant, access credentials and your customer ID.

  2. Check necessary setup details and sign in to the ISPSS user portal. See Collect setup details and sign in to the ISPSS user portal.

    • If possible, sign in to the ISPSS portal from the Connector machine. If the Connector machine has no internet access, sign in from a server from which you can easily copy the necessary installation files to it.

    • Sign in to the Connector machine with a domain user account that has local administrator and installation permissions on that machine.

  3. Check system prerequisites:

Add users and roles

In Identity Administration tenant:

  1. Add users from any of the following sources:

    Authentication services

    See Add users from a directory service.

    CyberArk Cloud Directory

    See Add CyberArk Cloud Directory Users.

  2. Set up federation with external identity providers, see Set up federation with external identity providers.

    This step is optional and may not apply to all services.

  3. Configure multi-factor authentication. See Configure MFA for Identity Administration.

    Multi-factor authentication applies to CyberArk shared services on ISPSS, excluding Secure Cloud Access and Cloud Entitlements Manager.

  4. Assign roles to your groups and users. See Assign users to roles and manage roles.

  5. Ensure all required groups and users are issued an invitation to connect to CyberArk Identity Security Platform Shared Services to access the necessary services.