Built-in roles

You use roles to assign applications, permissions, and policies to separate sets of users. Your role must have the Roles Management administrative right to view, add, and modify roles.

CyberArk Identity provides the following predefined roles:

Built-in role / Description

Everybody

By default, all CyberArk Identity users are assigned to this role. For example, all users that are added to the CyberArk Cloud Directory by using bulk import are added to the Everybody role. Similarly, if you are using Active Directory/LDAP as your directory service, users are automatically added to Everybody when they log in to the CyberArk Identity User Portal for the first time or enroll a device. When you add an individual user, the default setting is to add the account to the Everybody role.

To exclude a user from the Everybody role, select the Is Service User option on the user Account page.

It is best practice to assign most users to the Everybody role. For example, the CyberArk Identity User Portal application is automatically assigned to members so that they can log in to the user portal. However, there are users you may not want to have in the Everybody role; for example, temporary users such as service contractors. Users that are not assigned to the Everybody role cannot log in to the user portal until they are members of a role to which you have explicitly deployed the CyberArk Identity User Portal application. (See Deploy CyberArk Identity User Portal application for more information.)

Invited Users

This role is created when you use the Invite Users button and select Invited Users as the Role. The User Portal application is automatically assigned to this role.

If you do not use the Invite Users button or select the Invited Users role when you invite a user, this role is not created.

System Administrator

This role grants full access to all the Identity Administration portal settings. By default, the CyberArk Cloud Directory account for the user who signed up for CyberArk Identity is a sysadmin role member. You cannot delete or rename the sysadmin role.

Only sysadmin role members can add more users to the sysadmin account.

CyberArk Identity Agent Endpoints

This role contains service users that allow CyberArk Identity to perform tasks on enrolled endpoints, such as authenticating users.

See Add Users for more information about service users.

See Deploy endpoint clients for more information about device enrollment and trust.

Read only Administrator

This role is automatically created when you enable read-only access for a support technician.

You can delete the Readonly Administrator role after the time period expires.