Add user

This method adds a new user to Privilege Cloud.

To run this Web service, you must have the following permissions:

  • Add Users
  • Update Users

URL

  
https://<subdomain>.privilegecloud.cyberark.com/PasswordVault/API/Users/

  • Make sure there are no spaces in the URL.

  • The following characters are not supported in URL values: + & %

  • If the URL includes a dot (.), add a forward slash (/) at the end of the URL. For example: api/Safes/MySafe/Members/user@cyber.com/

Resource information

HTTP method

Content type

POST

application/json

Header parameter

Parameter

Description

Authorization

The token that identifies the session.

Type: String

Valid values: A session token that was returned from the “Logon” method.

Body parameters

  
{
    "username":"newUser",
    "userType": "EPVUser",
    "initialPassword": "MyPassword123",
    "authenticationMethod": ["AuthTypePass"],
    "location": "\\",
    "unAuthorizedInterfaces": ["PSM", "PSMP"],
    "expiryDate": 1577836800,
    "vaultAuthorization": ["AddSafes", "AuditUsers" ],
    "enableUser": true,
    "changePassOnNextLogon": true,
    "passwordNeverExpires": true,
    "distinguishedName": "newUser@cyberark",
    "description": "This user is privileged",
    "businessAddress":
     {
     "workStreet": "Hapssagot 9",
     "workCity": "Petah Tikva",
     "workState": "Israel",
     "workZip": "9999999",
     "workCountry": "Israel"
     },
    "internet":
     {
     "homePage": "Cyberark.com",
     "homeEmail": "user@gmail.com",
     "businessEmail": "user@cyberark.com",
     "otherEmail": "user2@gmail.com"
     },
    "phones": {
     "homeNumber": "555123456",
     "businessNumber": "555456789",
     "cellularNumber": "555789789",
     "faxNumber": "999999",
     "pagerNumber": "111111"
  },
  "personalDetails": {
    "street": "2 Second Street",
    "city": "Tel Aviv",
    "state": "Israel",
    "zip": "123456",
    "country": "Israel",
    "title": "Mr. VIP",
    "organization": "CyberArk",
    "department": "R&D",
    "profession": "software development",
    "firstName": "John",
    "middleName": "Don",
    "lastName": "Smith"
  },
}

Parameter

Description

username

(Mandatory) The name of the user.

Validations:

  • Length <= 128
  • No leading or trailing space
  • No trailing dot
  • When a name is longer than 28 characters, the 28th character in the name cannot be space
  • Cannot include the characters: "\\/:*?\"<>|\t\r\n\x1F"
  • The first 28 characters in the name must be unique

Type: String
userType

The user type that was returned according to the license.

Possible types could be any user types according to the license.

Type: String

Default value: EPVUser
nonAuthorizedInterfaces

The CyberArk interfaces that this user is not authorized to use.

Valid values (depend on the specific user type as defined in the license):

  • PIMSU
  • PSM
  • PSMP
  • PVWA
  • WINCLIENT
  • PTA
  • PACLI
  • HTTPGW
  • EVD
  • PIMSu
  • AIMApp
  • CPM
  • PVWAApp
  • PSMApp
  • AppPrv
  • AIMApp
  • PSMPApp

Type: List of strings
location

The location in the Vault where the user will be created.

Validations:

  • Length <= 128 characters
  • Must begin with "\\", but cannot contain or end with "\\"
  • No trailing space

Type: String

Default value: Root
expiryDate

The date when the user expires.

Type: Date-time
enableUser

Whether the user will be enabled upon creation.

Type: Boolean

Default value: True
authenticationMethod

The authentication method that the user will use to log on.

Valid values:

  • AuthTypePass (CyberArk)

  • AuthTypeRadius (Radius)

  • AuthTypeLDAP (LDAP)

Type: String

Default value: AuthTypePass
password

The password that the user will use to log on for the first time.

This password must meet the password policy requirements.

Not required for PKI or LDAP.

Length <= 39 characters.

Type: String
changePasswordOnTheNextLogon

Whether or not the user must change their password from the second log on onward.

Type: Boolean

Default value: True

passwordNeverExpires

Whether the user’s password will not expire unless they decide to change it.

Type: Boolean

Default value: False

distinguishedName

The user’s distinguished name.

The usage is for PKI authentication, this will match the certificate Subject Name or domain name.

Type: String

vaultAuthorization

The user permissions.

To apply specific authorizations to a user, the user who runs this API must have the same authorizations.

Valid values:

  • AddSafes
  • AuditUsers
  • AddUpdateUsers
  • ResetUsersPasswords
  • ActivateUsers
  • AddNetworkAreas
  • ManageDirectoryMapping
  • ManageServerFileCategories
  • BackupAllSafes
  • RestoreAllSafes

Type: List of strings

businessAddress

The user’s postal address, including:

  • City, state, zip, and country (max 19 characters)
  • Street (max 29 characters)

Type: Object

internet

The user's email addresses, including:

  • Home page
  • Home email
  • Business email
  • Other email

Max 319 characters (for each).

Type: Object

phones

The user's phone numbers, including:

  • Home
  • Business
  • Cellular
  • Fax
  • Pager

Max 24 characters (for each).

Type: Object

description

Notes and comments.

Max 99 characters.

Type: String

personalDetails

The user's personal details, including:

  • firstName, middleName, lastName, address (max 29 characters)
  • city, state, zip, country (max 19 characters)
  • title, organization, department, profession (max 49 characters)

Type: Object

Result

  
{
  "enableUser": true,
  "changePassOnNextLogon": true,
  "expiryDate": 1577836800,
  "suspended": false,
  "lastSuccessfulLoginDate": 1561282853,
  "unAuthorizedInterfaces": [
    "PSMP",
    "PSM"
  ],
  "authenticationMethod": [
    "AuthTypePass"
  ],
  "passwordNeverExpires": true,
  "distinguishedName": "newUser@cyberark",
  "description": "This user is privileged",
  "businessAddress": {
    "workStreet": "9999999",
    "workCity": "White Mountain",
    "workState": "10 First Street",
    "workZip": "123456",
    "workCountry": "Canada"
  },
  "internet": {
    "homePage": "Cyberark.com",
    "homeEmail": "user@gmail.com",
    "businessEmail": "user@cyberark.com",
    "otherEmail": "user2@gmail.com"
  },
  "phones": {
    "homeNumber": "555123456",
    "businessNumber": "555456789",
    "cellularNumber": "555789789",
    "faxNumber": "999999",
    "pagerNumber": "111111"
  },
  "personalDetails": {
    "street": "3 Second Street",
    "city": "Tel Aviv",
    "state": "Israel",
    "zip": "123456",
    "country": "Israel",
    "title": "Manager",
    "organization": "CyberArk",
    "department": "R&D",
    "profession": "software development",
    "firstName": "John",
    "middleName": "David",
    "lastName": "Smith"
  },
  "id": 350,
  "username": "newUser",
  "source": "CyberArk",
  "userType": "EPVUser",
  "componentUser": false,
  "vaultAuthorization": [
    "AddSafes",
    "AuditUsers"
  ],
  "location": "\\"
}

Parameter

Description

id

The user's unique ID.

Type: Number

username

(Mandatory) The name of the user.

Validations:

  • Length <= 128
  • No leading or trailing space
  • No trailing dot
  • When a name is longer than 28 characters, the 28th character in the name cannot be space
  • Cannot include the characters: "\\/:*?\"<>|\t\r\n\x1F"
  • The first 28 characters in the name must be unique

Type: String

source

The user management system the user belongs to.

Valid values:

  • CyberArk
  • LDAP

Type: Boolean expression
changePasswordOnTheNextLogon

Whether or not the user must change their password from the second log on onward.

Type: Boolean

Default value: True
expiryDate

The date when the user expires.

Type: Date-time
userType

The user type that was returned according to the license.

Possible types could be any user types according to the license.

Type: String
unauthorizedInterfaces

The CyberArk interfaces that this user is not authorized to use.

Valid values (depend on the specific user type as defined in the license):

  • PIMSU
  • PSM
  • PSMP
  • PVWA
  • WINCLIENT
  • PTA
  • PACLI
  • HTTPGW
  • EVD
  • PIMSu
  • AIMApp
  • CPM
  • PVWAApp
  • PSMApp
  • AppPrv
  • AIMApp
  • PSMPApp

Type: List of strings

componentUser

Whether the user is a known component or not.

if the user is a component, then the value is true. Otherwise, it is false.

The following user types are considered components:

  • CPM
  • ENE
  • PVWA
  • PSM
  • AppProvider
  • OPMProvider
  • PIMProvider
  • PSMPServer
  • PSMPADBridge
  • PSMHTML5Gateway
  • CIFS
  • FTP
  • SFE
  • DCAInstance
  • FEWA
  • SEG

 
location

The user location.

Type: String
enabled

Whether or not the user is enabled.

Type: Boolean

suspended

Whether or not the user is suspended.

Type: Boolean
authenticationMethod

The authentication method that the user will use to log on.

Type: String

passwordNeverExpires

Whether the user’s password will not expire unless they decide to change it.

Type: Boolean

distinguishedName

The user’s distinguished name.

The usage is for PKI authentication, this will match the certificate Subject Name or domain name.

Type: String

vaultAuthorization

The user permissions.

Valid values:

  • AddSafes
  • AuditUsers
  • AddUpdateUsers
  • ResetUsersPasswords
  • ActivateUsers
  • AddNetworkAreas
  • ManageDirectoryMapping
  • ManageServerFileCategories
  • BackupAllSafes
  • RestoreAllSafes

Type: List of strings

businessAddress

The user’s postal address, including:

  • City, state, zip, and country
  • Street

Type: Object

internet

The user's email addresses, including:

  • Home page
  • Home email
  • Business email
  • Other email

Type: Object

phones

The user's phone numbers, including:

  • Home
  • Business
  • Cellular
  • Fax
  • Pager

Type:Object

description

Notes and comments.

Max 99 characters.

Type: String

personalDetails

The user's personal details, including:

  • firstName, middleName, lastName, address
  • city, state, zip, country
  • title, organization, department, profession

Type: Object

lastSuccessfulLoginDate

The date that the user last logged on to the Vault successfully.

Type: Date time

Return codes

For a complete list of return codes, see Return Codes.