Add CyberArk Cloud Directory Users

This topic describes how to create CyberArk Cloud Directory users.

The account that you typically use to sign in for the first time is the default administrative account for CyberArk Identity. This account has full administrative rights. Using this default administrative account, you can create additional directory service users one-at-a-time or you can perform a bulk import of up to 10,000 users from an Excel xls/xlsx spreadsheet or a comma‑separated values (CSV) file.

Create a single CyberArk Cloud Directory user

The following procedure describes how to create CyberArk Cloud Directory users one-at-a-time in the Identity Administration portal. For example, you might want to create a user that you can assign to the System Administrator Role or a different role with a more limited set of administrative rights.

To create a CyberArk Cloud Directory user:

  1. Sign in to the Identity Administration portal using your administrator account.

  2. Go to Core Services > Users > Add User.

  3. Enter a login name and select a suffix.

    For Customer Identity Access Management tenants, select the Primary Identifier from the drop-down list. The attribute you select as the primary identifier is used for user-related events, such as report generation. For example, if the user's mobile number is the primary identifier, then the user is identified based on the mobile number in CyberArk Identity.
    If you select the username as the primary identifier, then login name is a mandatory input.
    Contact your account representative to enable this feature.

    A username can contain of any UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period).

    The suffix is the part of your account name that follows “@”. For example, if your account name is bob.smith@acme.com, then the suffix is acme.com. By default, the suffix associated with your default account is populated. See Manage login suffixes for more information on suffixes and for information on creating a default login suffix for CyberArk Cloud Directory users.

    All login suffixes are displayed in the list, including the login suffix for any Active Directory/LDAP domains you are using.

    Important: If you select the login suffix for an Active Directory/LDAP domain, the account is not added to Active Directory/LDAP. The account’s Source column will indicate CyberArk Identity as the source, rather than Active Directory/LDAP.

    The login suffix doesn't exist for CyberArk Cloud Directory users in Customer Identity Access Management tenants. In addition, you can request a tenant without the login suffix. For details, see Add CyberArk Cloud Directory Users.
  4. Enter the email address and display name for the user.

  5. Enter a password.

    This is a one-time password for the user to sign in to Identity User Portal if you select Require password change at next login (recommended) in the Status settings. This password is replaced with the password created by the user.

    The default minimum password requirements are:

    • 8 characters

    • 1 numeric character

    • 1 upper case letter

    • 1 lower case letter

    See Set password complexity requirements to change the default requirements.

  6. Select the applicable Status settings.

    You can customize the email message sent when you invite users. For details, see Customize email message contents.

    A CyberArk Identity service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access CyberArk Identity.

    The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk Identity. The access token is then employed to authenticate CyberArk Identity-protected APIs for tasks such as:

    • Enrolling or unenrolling a device

    • Uninstalling an agent

    • Sending requests to SCIM server APIs

      Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

      How to create service users

      Automatic creation of service users. CyberArk Identity automatically creates service users during device enrollment using the format Machine_Id@TenantAlias.

      Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources.

  7. (Optional) Enter the appropriate information for the Profile fields.

  8. (Optional) Enter a date and time in the Start date and End date fields to allow CyberArk Identity Directory users access to CyberArk Identity resources during a specified time period.

    If Send email invite for user portal setup or Send SMS invite for device enrollment is selected, an invitation email or text message is automatically sent to the user on the start date. Users configured to have a start and end date are automatically suspended in the directory service and deprovisioned from applications once the specified end date is reached. You can not modify the Start date field once the user is active; you can modify the End date field at any time.

    When configuring the Start and End date fields, keep in mind that the dates and times are based on your local time zone. If you are creating users in a different time zone, be sure to calculate the proper start and end dates for the users time zone.

    Users with the System Administrator role or users that are in a role with User Management administrative rights can modify these settings.

  9. (Optional) Enter the appropriate information for the Organization field. For information on adding users to organizations, see Manage organizations with delegated administrators.

  10. Click Create User.

    A notification is sent to the newly created user using your selected method.

Create CyberArk Cloud Directory users in bulk

You can use an Excel spreadsheet or CSV file to import users to the CyberArk Cloud Directory in bulk. The user account file can contain up to 10,000 accounts.

Before you begin

We recommend creating roles and assigning web applications to those roles before a bulk import of user accounts. If you import user accounts first, then new users will see an empty Apps page when they sign in to the Identity User Portal for the first time.

You need an Excel or CSV file to create users in bulk. To create the file, use the CSV file template provided (Option 1 in the import wizard) or create the file from scratch. The Excel or CSV file should meet the following requirements:

  • The required fields must be present.

  • Each field must have a header.

  • Headers must match exactly as shown in the following table, including upper case characters and spaces.

  • Fields/attributes not listed in the following table must be defined in Settings > Customization > Additional Attributes. If the additional attributes are not defined, they are not uploaded. The attribute names you define on the Additional Attributes page must exactly match the corresponding headers in the CSV file.

The following table describes the required or optional field formats for the Excel spreadsheet or CSV file.

Default Fields Rules

Login Name

Required

Enter the full user name, including the login suffix in the form
<login name>@<loginsuffix>

The login suffix must exist already.

Email Address

Required

You can specify one email address only. The email address must be of a valid form. Plain text strings, such as “N/A” or “unavailable”, will be rejected.

Display Name

Optional

You can enter the display name in Excel using either format:

  • first, last
  • last, first

If you are editing the CSV file, use quotes if you specify the last name first (for example, “last, first”).

Description

Optional

Do not use punctuation. The limit is 128 characters.

Office Number

Mobile number

Home number

Optional

Enter the area code. You can enter domestic US numbers in the following forms:

  • 1234567890
  • 123-456-7890

Use E.164 number formatting to enter an international number.

If you are using the phone or text message options for multi-factor authentication, the Office and/or Mobile numbers must be accurate or the user will not be able to sign in.

Roles

Optional

All accounts are automatically added to the Everybody role.

You can specify multiple roles. Use a comma to separate each role. If you are editing the CSV file, surround the roles with quotes—for example: “role1, role2, role3”.

The role must already exist, and the names are case-sensitive.

Assign web applications to CyberArk Identity roles before you do a bulk user import. CyberArk Identity sends a login email message to new users immediately after creating the account. If you do not have the applications assigned, the users are presented with an empty Apps screen when they sign in to the Identity User Portal.

Expiration Date

Optional

Enter a date when the account expires. If you do not set a date, the account does not expire.

Password

Optional

Sets the password for the user. The password requirement is based on the password policy settings in Identity Administration portal > Policies > User Security Policies > Password Settings.

Require Password Change

Optional

Specifies if users must change the password upon the first successful login. The supported inputs are:

  • False, f, no, n -- No password change required
  • True, t, yes, y -- Password change required

Password Never Expires

Optional

Specifies if the password for the user expires or not. The supported inputs are:

  • False, f, no, n -- The password expires on the expiration date.
  • True, t, yes, y -- The password never expires for the user.

Reports to

Optional

The name of the reporting manager.

This field is not in the CSV template.

Create CyberArk Cloud Directory users from an import file

The following procedure describes how to use the import wizard to create CyberArk Cloud Directory users in bulk by importing user data from an Excel or CSV file.

  1. Go to Core Services > Users > Bulk User Import > Browse.

  2. Go to the Excel or CSV file you created.

  3. Click Open > Next.

  4. Review the entries.

    The first 15 records are displayed. Use this display to ensure you have formatted the entries correctly.

  5. Click Next.

    The CyberArk Cloud Directory - Bulk Import Report field is automatically populated with your email address. Change the address if you want the email to go to someone else.

  6. Click Confirm.

    After the wizard completes the import, CyberArk Identity sends two email messages:

    Message Description

    CyberArk Identity Service - Bulk Import Report

    This email message is sent to the email account that you had specified to receive the report. It indicates how many new users were specified in the file and how many were successfully added. An explanation is provided for each failed account.

    CyberArk Identity Service - User Account

    This email message is sent to each user account created. The message includes a link to the User Portal and a one-time password. When users open the link, they are prompted to create a new password (unless you have configured otherwise).

    You can customize email messages—see Customize email message contents.