Using roles for access management in CyberArk Configuration Console

• Any identity that has not specifically assigned a different role automatically has the User role. The User role cannot be assigned directly.

• Can see everything but change nothing

• The Auditor role is automatically given to an identity that has Trust Protection Foundation auditor rights. It can also be assigned directly to any identity.

• Can modify the properties (such as name, scope, description) of specific applications

• This role can be assigned by an Admin or by the Application Owner.

• Can modify and delete applications they own

• Can modify and delete rules related to applications they own

• Can revoke grants issued for applications they own

• Can assign and revoke the maintainer role for applications they own

• Can assign and revoke the owner role for applications they own

• This role can only be assigned by an Admin.

• Indicates that the user is the Application Maintainer of at least one application and the Application Owner of at least one application.

• This role cannot be directly assigned but is implied from a user being assigned the Application Owner and Application Maintainer roles.

• Can view all applications and rules

• Can view and revoke all grants for a user

• This role is intended for users or processes performing off-boarding tasks

• This role can be assigned by an Admin.

Admin

• Can create, modify and delete applications

• Can create, modify and delete rules

• Can issue and revoke grants

• Can assign and revoke Application Maintainer and Application Owner roles for any application

• Can assign and revoke the Admin role

• Can configure global settings (session parameters, auth parameters, etc.)

• Any master administrator automatically has this role, but it can also explicitly be assigned to regular identities by an existing OAuth Admin.