Invite vendors to access Privilege Cloud accounts

This topic describes how to invite vendors to access Privilege Cloud accounts on Shared Services.


Administrators, Vendor Managers, and external Vendors who have the relevant permissions, can invite vendors to Privilege Cloud accounts using Remote Access, providing them with just-in-time access to critical organizational applications.

Before you begin

Invite vendors to access Privilege Cloud

Vendors are invited in the Remote Access portal and automatically added to the Privilege Cloud External Vendor CyberArk Identity built-in Role. This Role allows vendors to view and connect to their assigned Privilege Cloud accounts.

The Privilege Cloud External Vendor role consumes the EXTUser license. To change this role, see Change vendor license consumption.

  1. In the Remote Access portal, go to the Sites page and click Applications in the Privilege Cloud tile.

  2. On the application tile, click More actions > Invite vendor.

  3. Enter the general details for this vendor.

  4. Field


    Company name

    The name of the company that the vendor represents.

    First name

    Vendor's first name.

    Last name

    Vendor's last name.

    Company email

    The vendor's email address in the company they represent.

    Phone number to register

    The phone number that the vendor entered when they registered for Remote Access.
    Make sure the phone number includes the '+' sign.

    When inviting multiple vendors, the phone numbers entered into the CSV file should not include the '+' character.

    Use this number to allow vendor to authenticate via SMS/phone call & email tokens instead of the CyberArk Mobile app

    Whether this vendor authenticates to Remote Access with an SMS code/phone call and a token received by email, instead of scanning the QR code with the CyberArk Mobile app.

    For multiple vendors invitation, to enable this, enter true in the CSV file.

    For details about this sign in flow, see Join Remote Access using phone/text and email tokens.

    Unique landline extension (if exists)

    If you enabled the above option, you can add the user's unique landline extension for vendors who can only be identified via landline phone numbers.

    Invitation language

    Allows you to select the language of the invitation.

    Default = English

    Currently Japanese is supported.

    This option is available only if the Language selector toggle is turned on in Settings. For details, see Set vendor invitations general settings.

  5. Set the vendor activation policy and access time frame.




    Whether account activation of this vendor requires Admin or Vendor Manager confirmation, or is automatically activated after registration. For more information, see Confirm vendor sign-up.

    Access time frame

    A time frame that limits this vendor's access to applications.

    Some of the access time frame options might be limited according to restrictions set by the Admin or by the Vendor Manager.

    • Time zone - The time zone set for this access time frame. This setting should be set according to the location of this vendor.

    • From date - To date - Select the dates that this vendor can access applications. Start and end of day are determined by the selected time zone.

    • Allowed working days - Set the days of the week this vendor is allowed to access applications, within the selected access dates. For example, allow this vendor to access applications Mondays through Fridays, but not on Saturdays and Sundays.

    • Allowed working hours - Set the allowed hours during the day that this vendor is allowed to access applications, within the selected access dates and working days. For example, allow this vendor to access applications from 9:00 AM to 6:00 PM only.

    Currently, allowed working hours and days can be edited from the Edit invite vendor form only.

  6. Set the vendor delegation policy.



    Allow this vendor to invite other vendors

    Whether this vendor can invite other vendors, providing them with external vendor manager rights. During the sub-vendor invitation process, this top-level vendor can choose a subset of their own time frame, applications, and groups for their invited vendors.


    Whether the account activation for the sub-vendors invited by this external vendor manager, requires Admin or Vendor Manager confirmation, or is automatically activated after registration. For more information, see Confirm vendor sign-up.

    Number of vendors to invite

    Whether this external vendor manager can invite an unlimited number of sub-vendors, or is limited to a specific number.
    This number applies to the number of sub-vendors who join Remote Access, not to the number of invitations that this vendor can send. It is displayed in the user's drop-down profile, as described in Invite vendors to access Privilege Cloud accounts .

    Allowed email domains

    Allows you to determine specific email domains this external vendor manager is allowed to send invitations to.

    If a list of allowed email domains is already set in Identities settings, or is restricted for the Vendor Manager inviting this vendor, this toggle is automatically turned on, and you can remove or add domains from the authorized list only.

  7. Determine the applications this vendor is allowed to access.



    Allowed applications

    Select the Privilege Cloud applications that this vendor is allowed to access through Remote Access.

    Allow access to CyberArk Identity web apps

    Whether this vendor can access CyberArk Identity web apps.

    This check box only appears if configured from the Settings - Identity SSO page.

    This option needs to be enabled when applying Secure Cloud Access policies to vendors that need to access AWS cloud environments. For details, see Integrate Remote Access for AWS environments.

    User provisioning

    Select the method that this vendor user is created and managed.

    Remote Access creates and manages the vendor in CyberArk Identity -

    Set the vendor's user name, and select a predefined CyberArk Identity Role to determine the relevant access to specific web applications in your organization. You can select more than one Role.

    Administer creates and manages the user - The Remote Access admin will create and manage the user for this vendor.

  8. Select an invitation template and add comments.



    Select custom invitation template

    Choose a customized invitation to add to the vendor invitation.



    Any comments you have about this vendor, including the purpose of this invitation. This is optional.

  9. Click Invite.

    The vendor is now added to the Privilege Cloud External Vendor CyberArk Identity built-in Role, and any other Role/s selected for this vendor.

  10. Add vendors to the Safe. For more information, see Add Safe members.

Change vendor license consumption

By default, new invited vendors are automatically added to the CyberArk Identity Privilege Cloud External Vendor built-in role, which consumes the EXTUser license.

Administrators can change this role to the Privilege Cloud Users built-in Role, which consumes the EPVUser license.

  1. In the Remote Access portal, click Settings > User management sources , and select Identity SSO.

  2. Change Vendor built-in role to Privilege Cloud Users.