Summary and recommendation
CyberArk user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
CyberArk Identity is a privileged access management and workforce identity platform built for enterprise environments. It combines an IdP layer (CyberArk Identity / Workforce Identity) with a Privileged Cloud vault (PAM), and the two components have separate admin surfaces, user models, and licensing.
Every app connected to CyberArk requires its own outbound SCIM connector configuration - there is no automatic cascade deprovisioning by default. Administrators manage cloud directory users from Admin Portal → Core Services → Users; AD- and LDAP-sourced users must be managed in the source directory and cannot be fully edited inside CyberArk.
Quick facts
| Fact | Value |
|---|---|
| Admin console path | Admin Portal → Users → User Management |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all CyberArk Identity admin functions: user/role management, policy configuration, directory integration, reporting, and licensing. | Cannot be restricted to a subset of admin functions without creating a custom delegated admin role. | All plans | Counts as a licensed user seat; exact cost depends on contracted edition. | Assigning the System Administrator role grants unrestricted access; use delegated admin roles for scoped administration. |
| Delegated Administrator | Scoped administrative rights over a defined subset of users, roles, or applications as configured by a System Administrator. | Cannot manage users or resources outside their delegated scope; cannot modify global policies. | All plans (custom role creation required) | Counts as a licensed user seat. | Delegated admin scope must be explicitly configured; no delegation is applied by default. |
| End User | Access to assigned applications via the User Portal; self-service password reset and MFA enrollment if enabled by policy. | Cannot access Admin Portal, manage other users, or modify policies. | All plans | Counts as a licensed user seat under the applicable Workforce Identity edition. | End users can only see applications explicitly assigned to them via roles or direct assignment. |
| Help Desk Administrator | Can reset passwords, unlock accounts, and view user details for users within their delegated scope. | Cannot modify roles, policies, or application assignments unless explicitly granted. | All plans (requires custom delegated role configuration) | Counts as a licensed user seat. | This role is not a built-in named role; it must be constructed as a custom delegated admin role. |
Permission model
- Model type: hybrid
- Description: CyberArk Identity uses a hybrid model combining built-in system roles (e.g., System Administrator, Registered Users) with custom roles that administrators define. Roles are assigned to users or groups and control access to applications, admin functions, and policies. Granular administrative permissions can be delegated via custom roles scoped to specific user sets or resources.
- Custom roles: Yes
- Custom roles plan: Available on all CyberArk Identity plans; advanced delegated administration may require higher-tier editions.
- Granularity: Role-level and application-level; administrators can scope roles to specific directories, user groups, or application sets. Individual permission toggles are available within custom role definitions for admin capabilities.
How to add users
- Log in to the CyberArk Identity Admin Portal at https://yourtenantname.cyberark.cloud/admin.
- Navigate to Core Services → Users.
- Click 'Add User'.
- Enter required fields: Login Name (username), Display Name, Email Address, and Password (or select 'Send email invite').
- Optionally assign the user to one or more Roles under the 'Roles' tab.
- Optionally assign specific applications under the 'Applications' tab.
- Click 'Create User' to save.
Required fields: Login Name (username), Display Name, Email Address, Password or email invite selection
Watch out for:
- Login Name must be unique across the tenant; duplicate usernames are rejected.
- Users created manually are stored in the CyberArk Cloud Directory; users sourced from Active Directory or LDAP are managed via directory connectors and cannot be fully edited in the Admin Portal.
- Role assignment at creation is optional but users without roles will have no application access.
- Email invite delivery depends on SMTP configuration being correctly set up in the tenant.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin Portal → Core Services → Users → Import Users (CSV upload) |
| Domain whitelisting | No | Not supported; users are not created automatically based on email domain |
| IdP provisioning | Yes | Enterprise (SCIM inbound provisioning from Azure AD/Entra ID requires Enterprise tier and SSO prerequisite) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: The API documentation exposes delete operations, but the Admin Portal may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating a removal as recoverable.
- Log in to the CyberArk Identity Admin Portal.
- Navigate to Core Services → Users.
- Search for and select the target user.
- Click 'Actions' → 'Disable User' to deactivate, or 'Delete User' to permanently remove.
- Confirm the action in the dialog prompt.
| Data impact | Behavior |
|---|---|
| Owned records | User's cloud directory record is retained on deactivation; permanently removed on deletion. Audit logs referencing the user are retained per tenant log retention policy. |
| Shared content | Application assignments and role memberships are removed upon deletion. On deactivation, assignments are preserved but the user cannot authenticate. |
| Integrations | Active sessions are terminated immediately upon deactivation or deletion. SCIM-provisioned accounts in downstream apps are not automatically deprovisioned unless outbound SCIM provisioning is configured for those apps. |
| License freed | Deactivating or deleting a user frees the consumed license seat; timing of seat release depends on billing cycle and contract terms. |
Watch out for:
- Deleting a user from CyberArk Identity does not automatically deprovision their accounts in connected SaaS applications unless outbound SCIM or lifecycle management is configured per application.
- AD/LDAP-sourced users cannot be deleted from within CyberArk Identity; they must be disabled or removed in the source directory.
- Deactivated users still appear in user lists and count toward directory records but should not consume active license seats.
- There is no built-in grace period or soft-delete recycle bin for cloud directory users; deletion is immediate and irreversible.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Workforce Identity – Standard/Essentials | SSO, basic MFA, user portal access. Entry-level Workforce Identity edition. | Approximately $2–$3/user/month (varies by contract; custom enterprise pricing applies) |
| Workforce Identity – Business/Enterprise | Advanced MFA, adaptive access, lifecycle management, SCIM provisioning, directory integrations, advanced reporting. | Approximately $4–$5/user/month (varies by contract; custom enterprise pricing applies) |
| Privileged Access Management (PAM) – Privilege Cloud | Privileged session management, credential vaulting, session recording, privileged account discovery. | Custom enterprise pricing; separate from Workforce Identity licensing |
- Where to check usage: Admin Portal → Settings → Licensing (displays active user counts and license consumption by edition)
- How to identify unused seats: Navigate to Admin Portal → Reports → User Activity to identify users with no recent login activity. Filter by last login date to surface inactive accounts.
- Billing notes: CyberArk uses custom enterprise pricing negotiated per contract. Workforce Identity is available in approximately five editions at different price points. Median annual spend reported at approximately $19,705/year (Vendr data), with a range of $3,226–$44,501/year depending on user count and features. Professional services are commonly required for initial deployment. License counts are typically based on named users, not concurrent sessions.
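As an added illustration (not CyberArk's own tooling or API), the two reconciliation checks a practitioner would run against exports to cover the offboarding gap above and the unused-seat hunt: flag active users with no recent login as seat-reclamation candidates, and find downstream app accounts still present for users who are disabled in, or absent from, CyberArk. The column names and sample rows are constructed assumptions, not the real export format.

```python
from csv import DictReader
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of a CyberArk Identity user export (assumed columns;
# the real Reports -> User Activity export may name them differently).
CYBERARK_USERS_CSV = """login_name,email,status,last_login
alice,alice@example.com,Active,2024-05-02T09:14:00
bob,bob@example.com,Disabled,2024-01-20T17:05:00
carol,carol@example.com,Active,
"""

# Constructed sample of account lists pulled from downstream SaaS apps
# (one row per account). dave has no CyberArk record at all.
APP_ACCOUNTS_CSV = """app,email
crm,alice@example.com
crm,bob@example.com
wiki,bob@example.com
wiki,dave@example.com
"""

def load(csv_text):
    return list(DictReader(StringIO(csv_text)))

def stale_seats(users, as_of_iso, max_idle_days=90):
    """Active users with no login inside the window (or none ever).
    Candidates for seat reclamation, not for automatic removal."""
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u["status"] != "Active":
            continue  # disabled users already release their seat
        last = u["last_login"]
        if not last or datetime.fromisoformat(last) < cutoff:
            stale.append(u["login_name"])
    return stale

def orphaned_app_accounts(users, app_accounts):
    """Downstream accounts whose owner is disabled in, or missing from,
    CyberArk: the gap left when no outbound SCIM connector exists."""
    active = {u["email"].lower() for u in users if u["status"] == "Active"}
    return sorted((a["app"], a["email"]) for a in app_accounts
                  if a["email"].lower() not in active)

if __name__ == "__main__":
    users, accounts = load(CYBERARK_USERS_CSV), load(APP_ACCOUNTS_CSV)
    print("stale seats:", stale_seats(users, "2024-09-01T00:00:00"))
    print("orphaned app accounts:", orphaned_app_accounts(users, accounts))
```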
The cost of manual management
Every app in your environment that requires automated provisioning needs its own connector configured before deprovisioning works reliably. AD-sourced users force a context switch out of the CyberArk Admin Portal entirely, adding friction to routine offboarding.
Delegated administration has no pre-built help desk or read-only role templates; every scoped admin role must be constructed manually from scratch. Bulk operations in the Admin Portal are reported by practitioners as non-intuitive compared to competing identity platforms, increasing the time cost of routine lifecycle tasks at scale.
What IT admins are saying
Practitioners consistently flag the per-app SCIM connector requirement as the highest-friction point in CyberArk Identity administration. The absence of a built-in help desk role template means organizations must invest setup time before delegating even basic support tasks.
Licensing complexity - particularly when mixing Workforce Identity editions with PAM Privilege Cloud seats - makes cost forecasting difficult without direct engagement with CyberArk's sales team.
Common complaints:
- Complex configuration required for multi-application outbound SCIM provisioning; each app requires separate connector setup.
- AD-sourced users cannot be managed (edited or deleted) from within the CyberArk Identity Admin Portal, requiring administrators to context-switch to Active Directory.
- Delegated administration requires manual construction of custom roles; there are no pre-built help desk or read-only admin role templates.
- Deprovisioning downstream app accounts on user deletion requires per-app SCIM or lifecycle configuration; no automatic cascade deprovisioning by default.
- Licensing model complexity makes it difficult to predict costs when mixing Workforce Identity and PAM Privilege Cloud seats.
- The Admin Portal UI is reported by some users as non-intuitive for bulk operations compared to competing identity platforms.
The decision
CyberArk is the right fit when privileged access management is the primary requirement and the organization already operates at enterprise scale with budget to match. Every app that needs automated lifecycle management requires its own connector setup, and SCIM provisioning is gated behind the Enterprise edition with SSO configured as a prerequisite.
Teams that need lightweight identity management without PAM will find the platform over-engineered and the pricing structure misaligned. Professional services are commonly required for initial deployment, which should be factored into total cost of ownership.
Bottom line
CyberArk delivers enterprise-grade privileged access management and workforce identity in a single platform, but it demands enterprise-level operational investment to match.
Every app in your environment that requires automated provisioning needs its own connector configuration, and offboarding gaps are real without deliberate lifecycle automation in place.
The platform rewards organizations with dedicated identity engineering resources; teams without that capacity will accumulate manual overhead quickly, particularly around delegated administration and cross-directory user management.
Automate CyberArk workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.