Add service users

The service user acts as a client in the Client Credentials Flow of the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk. The access token is then used to authenticate to CyberArk-protected APIs for tasks such as:

  • Enrolling or unenrolling a device

  • Uninstalling an agent

  • Sending requests to SCIM server APIs

Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

How to create service users

Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.

Create a service user

  1. Go to Core Services > Users, then click Add User and complete the following fields:

    • Login name

    • Display name

    • Password

  2. In the Status checklist, select the Is OAuth confidential client checkbox.

    The following checkboxes are selected by default: 

    • Is Service User

    • Password never expires

  3. Click Create User.

  4. Assign the newly created service user(s) to your service role that enables them to send requests to your service APIs.

    Go to Core Services > Roles, then access the relevant role and add the Service user(s) as a member.

Service users are not displayed in the list of active users as they do not access the Identity Administration User Portal. To view service users, click All Users or All Service Users.
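
The following added example (not CyberArk's own code) shows how a client application can build the RFC 6749 section 4.4 token request for a service user and validate the response before using the token. It assumes the service user's login name and password serve as client_id and client_secret; TOKEN_ENDPOINT and the sample credentials are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder (assumption): substitute your tenant's OAuth 2.0 token endpoint.
TOKEN_ENDPOINT = "https://tenant.example/oauth2/token"


def build_token_request(client_id, client_secret, scope=None):
    """Build, without sending, an RFC 6749 section 4.4 token request."""
    # Section 2.3.1: form-urlencode each value before joining with ':' so a
    # ':' or non-ASCII character in the login name or password is unambiguous.
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Credentials travel in the Authorization header, never in the URL,
    # so they do not end up in proxy or web server access logs.
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def parse_token_response(body):
    """Return the access token from a section 5.1 response, or raise."""
    doc = json.loads(body)
    if "error" in doc:  # section 5.2 error response, e.g. invalid_client
        raise PermissionError(f"token request refused: {doc['error']}")
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"]


def bearer_header(access_token):
    """Header to attach to each call to a protected API."""
    return {"Authorization": f"Bearer {access_token}"}
```

In a real client, load the password from a secrets store or environment variable rather than source code, and send the request over TLS with urllib.request.urlopen(request).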