Add Users

This topic describes your options for adding users so you can get started with Identity Security Platform.

There are two user types in Identity Security Platform.

User type Description

Interactive users - for end user access to the User Portal

Any user who signs in to CyberArk to interact with a service portal (for example, the User Portal).

Interactive users are defined manually, or are imported from the following sources:

  • External directory based on your authentication solution:

    • On-prem authentication solution, such as Microsoft Active Directory, LDAP, or RADIUS.

    • Cloud-based authentication, such as Azure AD or Google Workspace.

  • External Identity Provider (IdP) using a SAML token to provide access to resources you want to share.

Service users - for non-interactive API

An Identity Security Platform service user is dedicated to API and automation tasks. This user has least-privilege access permissions, is not assigned MFA policies, and cannot access Identity Administration.

The service user acts as the client in the Client Credentials Flow of the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk. The access token is then used to authenticate to CyberArk-protected APIs for tasks such as:

  • Enrolling or unenrolling a device

  • Uninstalling an agent

  • Sending requests to SCIM server APIs

Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.
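The Client Credentials Flow described above, as an added example (not CyberArk's code): it builds the RFC 6749 section 4.4 token request for a service user, validates the response, and caches the token until shortly before it expires. `TOKEN_URL` is a placeholder because this page does not give the token endpoint, and the `send` transport callable is a hypothetical hook so the logic can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder: take the real token endpoint from your tenant's documentation.
TOKEN_URL = "https://TENANT.example/oauth2/token"


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Build the RFC 6749 section 4.4.2 access token request (not sent here)."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https: it receives the client secret")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Section 2.3.1: form-encode id and secret, then send them as HTTP Basic.
    pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def parse_token_response(body, now):
    """Validate a section 5.1 success response; return (token, expiry time)."""
    doc = json.loads(body)
    if "error" in doc:  # section 5.2 error response, e.g. invalid_client
        raise PermissionError("token request rejected: " + str(doc["error"]))
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    # expires_in is optional in the RFC; assume a short lifetime when absent.
    return doc["access_token"], now + int(doc.get("expires_in", 60))


class ServiceUserToken:
    """Caches the service user's token and renews it shortly before expiry."""

    def __init__(self, send, client_id, client_secret, skew=30):
        self._send, self._id, self._secret, self._skew = send, client_id, client_secret, skew
        self._token, self._expires = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires - self._skew:
            req = build_token_request(TOKEN_URL, self._id, self._secret)
            self._token, self._expires = parse_token_response(self._send(req), now)
        return self._token
```

For real use, pass a `send` that posts the request (for example with `urllib.request.urlopen`) and returns the response body, and send the returned token as `Authorization: Bearer <token>` on API calls.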

How to create service users

Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.