Assign users to roles

This topic describes how to manage role membership in the Identity Administration portal to control authorization to features and services.

Roles are the most efficient way to enforce adaptive MFA, deploy applications, provision users, and more. All users should belong to at least one role.

By default, all new users are added to the Everybody role. Members of the Everybody role are automatically granted permission to access the Identity User Portal. Make sure the Everybody role allows user access to the Identity User Portal at all times. If you have some users that are not included in the Everybody role, however, you must explicitly deploy the Identity User Portal application to the role where those users are members.

When you assign users to custom roles or change the default behavior of the Everybody role, ensure that users can access the Identity User Portal, to open assigned applications and enroll mobile devices.

Before you begin

Check the following:

  • You must be assigned to the System Administrator role or to a role with the Role Management administrative right. You can only create roles and assign users to roles if you have the appropriate rights.

  • The CyberArk Identity Connector is installed and the AD users and groups are integrated into CyberArk Identity. See Install the CyberArk Identity Connector. This prerequisite enables:

    • domain users to log in to the User Portal using their domain credentials

    • adding domain users to roles

Add members to an existing role

The following procedure describes how to add members to existing roles. To create roles, refer to Create roles.

To assign users to a role

  1. In the Identity Administration portal, click Roles.
  2. Select the role from the list of available roles. See built-in roles defined per CyberArk service.
  3. Click Members, then click Add to display the Add Members dialog box.
  4. Start typing the user name, Active Directory/LDAP group name, or an existing role.

    Distribution groups and local groups display in the filter; however, only security groups are supported.

    For CyberArk Cloud Directory users, you can also search by email domain suffix.

    You can add an CyberArk Identity role to an existing role. This is referred to as nesting a role. When you add a role to an existing role, the nested role members inherit all of the applications and rights assigned in the parent role. However, the applications and rights inherited from the parent are not displayed when you select the nested role. Only the nested role members have the rights and applications assigned to the nested role, while the parent role members do not.

    Additionally, if you are also using Active Directory/LDAP as an ID repository, a role can contain Active Directory/LDAP user accounts and groups.

    Entries matching the string you type are displayed.

  5. Select the check box associated with the user, group, or role you want to add, then click Add.

    You must select a universal or security group. Local or distribution groups are not supported.

    If you are using Active Directory/LDAP as an identity store, all of the matching user accounts and groups in the Users container that can be seen in the domain or forest are displayed. See Authenticate users in multiple domains for more information on which domains can be seen.

    After you add an Active Directory/LDAP user or group to a role, the name is shown on the Users page only after the user logs in to the User Portal or enrolls a device.

  6. Click Save.

Remove members from a role

When you remove users or Active Directory/LDAP groups from a role, any administrative rights or applications assigned to that role will no longer apply to those users. For example, if you have assigned the Box application to the role ABC, then users removed from that role will no longer have SSO access to Box.

To remove a role member
  1. In the Identity Administration portal, click Core Services > Roles.
  2. Click the role.
  3. Click Members.
  4. Click the check box for each member you want to remove.

    The Add button is replaced by an Actions button.

  5. From the Actions drop-down menu, click Delete.
  6. Click Save.

Assign domain users or groups to the System Administrator role

It is a best practice to secure your default administrator account by using your own personal account to administer CyberArk Identity. Assigning domain users or groups to the System Administrator role allows you to log in to CyberArk Identity with domain credentials. This also allows you to centrally manage CyberArk administrator access through Active Directory. If you do not have Active Directory, you can add users from LDAP, Google Workspace, or create users in the CyberArk Directory.

To assign domain users or groups to role

  1. Log in to the Identity Administration portal using the credentials provided in your welcome email.
  2. Click Core Services > Roles.
  3. Click the System Administrator role.
  4. Click Members > Add button.
  5. Search for the relevant domain user(s) and/or group(s) you want to grant administrative rights to the Identity Administration portal.

    The domain user should NOT match your Active Directory user name.

    Distribution groups and local groups display in the filter; however, only security groups are supported.

  6. Click Add.

    The Add Members page closes.

  7. Click Save.

    You can now log in with your domain credentials to the Identity Administration portal.