Add Users

This topic describes your options for adding users so you can get started with CyberArk Identity Security Platform Shared Services.

There are two user types in CyberArk Identity Security Platform Shared Services.

User type Description

Interactive users - for end user access to the User Portal

Any user who signs in to CyberArk to interact with a service portal (for example, the User Portal).

Interactive users are defined manually, or are imported from the following sources:

  • External directory based on your authentication solution:

    • On-prem authentication solution, such as Microsoft Active Directory, LDAP, or RADIUS.

    • Cloud-based authentication, such as Azure AD or Google Workspace.

  • External Identity Provider (IdP)  using SAML token to provide access to resources you want to share.

Service users, for non-interactive API

A CyberArk Identity Security Platform Shared Services service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access Identity Administration.

The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework ( and is used to obtain an access token from CyberArk. The access token is then employed to authenticate CyberArk-protected APIs for tasks such as:

  • Enrolling or unenrolling a device

  • Uninstalling an agent

  • Sending requests to SCIM server APIs

    Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

    How to create service users

    Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.