Set up Workforce Password Management

This section describes how to set up Workforce Password Management for users.

Required tasks

Perform the tasks in this section before you test the deployment.

Required setup tasks for Workforce Password Management




Add users to CyberArk Identity.

Add users from the CyberArk Cloud Directory or an external directory server.

Add Users

Assign users to roles.

Roles are used to control who can access features and services. Roles are applied to specific policies. All users should be assigned to at least one role.

Make sure users have roles that enable them to share non-app secrets and business application credentials.

Assign users to roles

Enable securely sharing non-app secrets and app credentials

Enable Workforce Password Management.


Users can use Workforce Password Management after you enable it.

Configure Workforce Password Management for end users

Enable Land & Catch.

Land & Catch recognizes when users enter credentials and offers to add the site to their User Portal and store the user's credentials. Credentials are stored in CyberArk Identity or in the PAM - Self-HostedVault.

Enable Land & Catch for your organization

Deploy the CyberArk Identity Browser Extension

With the Browser Extension, users can conveniently sign in to applications and use Land & Catch by clicking an icon in their browser toolbar.

The CyberArk Identity Browser Extension

Transfer ownership of shared applications or Secured Items from one user/owner to another.


When a user/owner is removed from CyberArk Identity, all users who shared access to the item can no longer access it. By transferring ownership to a different user, you ensure continued access for users with whom the application or Secured Item was shared.

Transfer ownership of shared applications and Secured Items

Enable email notification for shared items in the Identity Administration portal.


Each time a user shares a Secured Item or application, Workforce Password Management can send the recipient user an email notification.

Enable email notifications for shared items

Enable TOTP.


TOTP is a time-based password that is valid for one use and must be used within a limited timeframe. TOTPs can be used to access user-added and admin-added applications. Users can save TOTP for an application and share it with other users as needed.

Enable time-based one-time passwords (TOTP) for two-factor authentication

Recommended tasks

Perform these tasks after initial deployment testing is completed.

Recommended setup tasks for Workforce Password Management




Harden your deployment.

Hardening is not required for initial testing but it is important after initial testing is completed. Follow our recommendations to harden your users' endpoints and browsers to ensure that the controls you implement with Workforce Password Management are not circumvented by a malicious actor.

These recommendations are the minimal requirements for protecting your CyberArk Identity deployment. You must follow the recommendations in this topic or use equivalent methods (based on your organization's relevant expertise) to secure your deployment.

Harden your Workforce Password Management deployment

Restrict application access.

Restrict access to applications by defining application challenge rules for user-added applications, or based on the application URL, application domain, or user domain (email).

Restrict application access

Integrate CyberArk Identity with PAM - Self-Hosted Vault.

Integrate your CyberArk Identity tenant with your PAM - Self-Hosted Vault so you can store Secured Items (notes and passwords) and application credentials in the self-hosted Vault.

Integrate Workforce Password Management with Privileged Access Manager - Self-Hosted

Create custom reports to capture CyberArk Identity shared application events.

Reports can capture an audit history for:

  • Updates to password permissions

  • Ownership transfers

  • Updates to credentials

Create reports for shared application events