Skip to main content
Version: v2.x

Manage Cyral administrator roles

You can grant permissions to Cyral administrators by assigning them to roles. By default, the roles Super Admin, Admin, and User are available and have privileges as shown below.

Create and manage administrator roles for Cyral control plane users

  1. Click Account users in the left navigation bar.
  2. Click Manage Roles.
  3. To add a role, click Add new role, or to edit a role, click the role's name in the table.

Map an SSO group to a Cyral administrator role

You can map SSO groups to Cyral administrator roles, so users are automatically assigned a role and granted corresponding privileges based on their SSO group membership. Follow the below steps in order to do so.

Note that these mappings apply to Cyral administrators who access the management console, not data users. For data users, see Map an SSO user or group to a local account.

  1. Click Account users in the left navigation bar.
  2. Click Manage Roles.
  3. Add or edit the role:
    • To use an existing role, click the role's name in the table.
    • To add and use a new role, click Add new role and give the new role a Role Name in the next window.
  4. In the Permissions section, set the rights this type of administrator will have.
  5. Click Add new mapping.
  6. In the Map SSO groups to this role field, choose the identity provider integration you use to authenticate users in this role. (If you don't have one, set up SSO now.)
  7. In the SSO Group Name field, specify the SSO group name as it's written in your identity service:
    • For Okta, use the group name as defined in Okta.
    • For Azure AD, use the Object ID of the group, which you'll find in the Groups panel of your Azure management console.
  8. Click the check mark to save the mapping.
  9. Map other SSO groups as needed.
  10. Click Save.
tip

Users belonging to multiple SSO groups and are therefore mapped to multiple Cyral administrator roles will have the most permissive role assigned to them.