Understanding system roles

Trust Protection Foundation includes predefined system roles designed with specific permissions that you can assign to existing users.

You can see which roles are directly assigned to an identity in CyberArk Configuration Console on the System Roles node. See Managing system role assignments in CyberArk Configuration Console.

These roles include the following:

  • Access Management Admin: grants a non-Master Admin user the permissions to modify the roles of users and groups. This role can be granted in CyberArk Configuration Console.

  • Auditor: grants read access to view objects that are public, such as certificates, CSRs, and public keys. Also grants read access to view certain metadata about objects with higher security requirements, such as private keys. An Auditor can also read and run existing reports. This role can be granted in Policy Tree or CyberArk Configuration Console.

    NOTE  If the Auditor role is assigned to a user, all other permission assignments to that user are ignored.

  • Code Sign Manager - Self-Hosted Administrator: grants a non-Master Admin full permissions to the Code Sign Manager - Self-Hosted product for creating and updating templates, flows, signing applications, etc. (This role is sometimes referred to as "Code Signing Administrator".) This role can be granted in CyberArk Configuration Console.

  • Master Admin: grants access to every object, certificate, key, identity, and permission in the system. This role can be granted in Aperture, Policy Tree, or CyberArk Configuration Console. See About the Master Admin role.

    WARNING!  Use the Master Admin role with extreme caution. Users to whom you assign the Master Admin role have full permissions to every object in the Trust Protection Foundation database, including certificates, private keys, and credentials. You cannot hide any objects in the system from users who have been given this role.

  • Recycle Bin Administrator: grants a non-Master Admin user the permissions to manage the content and settings of the recycle bin. This role is particularly useful for delegating recycle bin management tasks to help desk staff without granting them full Master Admin privileges. This role can be granted in CyberArk Configuration Console.

  • Schema Administrator: allows non-Master Admins to modify the operational config schema of the TPP environment. This role enables delegating schema management tasks without granting full Master Admin access. This role can be granted in CyberArk Configuration Console.

    A user with the Schema Administrator role can perform the following actions: