You use roles to assign applications, permissions, and policies to separate sets of users. Your role must have the Roles Management administrative right to view, add, and modify roles.
CyberArk Identity provides the following predefined roles:
By default, all CyberArk Identity users are assigned to the Everybody role. For example, all users that are added to the CyberArk Cloud Directory by using bulk import are added to the Everybody role. Similarly, if you are using Active Directory/LDAP as your directory service, users are automatically added to Everybody when they log in to the CyberArk Identity user portal for the first time or enroll a device. When you add an individual user, the default setting is to add the account to the Everybody role.
To exclude a user from the Everybody role, select the Is Service User option on the user Account page.
The Invited Users role is created when you use the Invite Users button and select Invited Users as the Role. The User Portal application is automatically assigned to this role.
If you do not use the Invite Users button or select the Invited Users role when you invite a user, this role is not created.
The sysadmin role grants full access to all the Identity Administration portal settings. By default, the CyberArk Cloud Directory account for the user who signed up for CyberArk Identity is a sysadmin role member. You cannot delete or rename the sysadmin role.
Only sysadmin role members can add more users to the sysadmin account.
CyberArk Identity Agent Endpoints
This role contains service users that allow CyberArk Identity to perform tasks on enrolled endpoints, such as authenticating users.
See Add Users for more information about service users.
See Deploy endpoint clients for more information about device enrollment and trust.
Read only Administrator
This role is automatically created when you enable read-only access for a support technician.
You can delete the Readonly Administrator role after the time period expires.