Add CyberArk Cloud Directory Users

This topic describes how to create CyberArk Cloud Directory users.

The account that you typically use to sign in for the first time is the default administrative account for CyberArk Identity. This account has full administrative rights. Using this default administrative account, you can create additional directory service users one at a time, or you can perform a bulk import of up to 10,000 users from an Excel (xls/xlsx) spreadsheet or a comma-separated values (CSV) file.

Create a single CyberArk Cloud Directory user

The following procedure describes how to create CyberArk Cloud Directory users one at a time in the CyberArk Identity Admin Portal. For example, you might want to create a user that you can assign to the System Administrator Role or a different Role with a more limited set of administrative rights.

To create a CyberArk Cloud Directory user

  1. Log in to the CyberArk Identity Admin Portal using your administrator account.

  2. Go to Core Services > Users > Add User.

  3. Enter a login name and select a suffix.

    A user name can be composed of any of the UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period).

    The suffix is the part of your account name that follows “@”. For example, if your account name is bob.smith@acme.com, then the suffix is acme.com. By default, the suffix associated with your default account is populated. See Manage login suffixes for more information on suffixes and for information on creating a default login suffix for CyberArk Cloud Directory users.

    All login suffixes are displayed in the list, including the login suffix for any Active Directory/LDAP domains you are using.

    Important: If you select the login suffix for an Active Directory/LDAP domain, the account is not added to Active Directory/LDAP. The account’s Source column will indicate CyberArk Identity as the source, rather than Active Directory/LDAP.

  4. Enter the email address and display name for the user.

  5. Enter a password.

    This is a one-time password for the user to log in to the CyberArk Identity User Portal when you select “Require password change at next login (recommended)” in the Status settings. This password is replaced with the password created by the user.

    The default minimum password requirements are:

    • 8 characters

    • 1 numeric character

    • 1 upper case letter

    • 1 lower case letter

    See Set password complexity requirements to change the default requirements.

  6. Select the appropriate Status settings.

    You can customize the email message sent when you invite users—see Customize email message contents.

    A CyberArk Identity service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749). The service user's credentials (client credentials) are used to obtain an access token from CyberArk Identity. The access token is used to gain access to CyberArk Identity-protected APIs for tasks such as:

    • enrolling or unenrolling a device

    • uninstalling an agent

    • sending requests to SCIM server APIs

    CyberArk Identity automatically creates service users during device enrollment using the format Machine_Id@TenantAlias. You can also create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources. Service users are not users who sign in to CyberArk Identity User, Admin, or User Behavior Analytics portals.

  7. (Optional) Enter the appropriate information for the Profile fields.

  8. (Optional) Enter a date and time in the Start and End date fields to allow CyberArk Identity Directory users access to the CyberArk Identity resources during a specified time period.

    If “Send email invite for user portal setup” or “Send SMS invite for device enrollment” is selected, an invitation email or text message is automatically sent to the user on the start date. Users configured to have a start and end date are automatically suspended in the directory service and deprovisioned from applications once the specified end date is reached. You cannot modify the Start date field once the user is active; you can modify the End date field at any time.

    When configuring the Start and End date fields, keep in mind that the dates and times are based on your local time zone. If you are creating users in a different time zone, be sure to calculate the proper start and end dates for the user's time zone.

    Users with the System Administrator role or users that are in a role with User Management administrative rights can modify these settings.

  9. (Optional) Enter the appropriate information for the Organization field. For information on adding users to Organizations, see Manage Organizations with Delegated Administrators.

  10. Click Create User.

    A notification will be sent to the newly created user using your selected method.

Create CyberArk Cloud Directory users in bulk

You can use an Excel spreadsheet or CSV file to import users to the CyberArk Cloud Directory in bulk. The user account file can contain up to 10,000 accounts.

Before you begin

You need an Excel or CSV file that meets the following requirements. To create the file, use the CSV file template provided (Option 1 in the import wizard) or create the file from scratch.

  • The required fields must be present.

  • Each field must have a header.

  • Headers must match exactly as shown in the following table, including upper case characters and spaces.

  • Fields/Attributes not listed in the following table must be defined in Settings > Customization > Additional Attributes. If the additional attributes are not defined, they are not uploaded. The attribute names you define on the Additional Attributes page must exactly match the corresponding headers in the CSV file.

The following table describes the required or optional field formats for the Excel spreadsheet or CSV file.

Default Fields Rules

Login Name | Required

  Enter the full user name, including the login suffix in the form <login name>@<loginsuffix>

  The login suffix must exist already.

Email Address | Required

  You can specify one email address only. The email address must be of a valid form. Plain text strings, such as “N/A” or “unavailable”, will be rejected.

Display Name | Optional

  You can enter the display name in Excel using either format:

    • first last
    • last, first

  If you are editing the CSV file, use quotes if you specify the last name first (for example, “last, first”).

Description | Optional

  Do not use punctuation. Limit is 128 characters.

Office Number, Mobile number, Home number | Optional

  You must enter the area code. You can enter domestic US numbers in the following forms:

    • 1234567890
    • 123-456-7890

  Use E.164 number formatting to enter an international number.

  If you are using the phone or text message options for multifactor authentication, the Office and/or Mobile numbers must be accurate or the user will not be able to log in.

Roles | Optional

  All accounts are automatically added to the Everybody role.

  You can specify multiple roles. Use a comma to separate each role. If you are editing the CSV file, surround the roles with quotes—for example: “role1,role2,role3”.

  The role must already exist, and the names are case sensitive.

  Assign web applications to CyberArk Identity Roles before you do a bulk user import. CyberArk Identity sends a login email message to new users immediately after creating the account. If you do not have the applications assigned, the users are presented with an empty Apps screen when they sign in to the CyberArk Identity User Portal.

Expiration Date | Optional

  Enter a date when the account expires. If you do not set a date, the account does not expire.

Password | Optional

  Sets the password for the user. Password requirement is based on the password policy settings in Admin Portal > Policies > User Security Policies > Password Settings.

Require Password Change | Optional

  Specifies if users must change the password upon the first successful login. The supported inputs are:

    • False, f, no, n -- No password change required
    • True, t, yes, y -- Password change required

Reports to | Optional

  Name of the reporting manager.

  This field is not in the CSV template.
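
The following pre-upload check applies the field rules from the table above to a CSV file before it is handed to the import wizard. It is an added example, not CyberArk code: the function name, the regular expressions, and the sample rows are constructed for illustration. It assumes the Require Password Change values are matched exactly as listed, tests passwords against the default minimums rather than your tenant's policy, and flags any row that sets a password without forcing a change at first login. Whether a login suffix or role already exists cannot be checked offline.

```python
import csv, io, re

REQUIRED = ("Login Name", "Email Address")        # headers must match exactly, case included
PHONES = ("Office Number", "Mobile number", "Home number")
MAX_ACCOUNTS = 10_000
LOGIN_RE = re.compile(r"[\w+.-]+@[\w.-]+")        # <login name>@<loginsuffix>
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # shape check only (assumption)
PHONE_RE = re.compile(r"\d{10}|\d{3}-\d{3}-\d{4}|\+[1-9]\d{1,14}")  # US forms or E.164
PW_RE = re.compile(r"(?=.*\d)(?=.*[A-Z])(?=.*[a-z]).{8,}")  # default minimums only
CHANGE_YES = {"True", "t", "yes", "y"}            # spellings as listed in the table
CHANGE_NO = {"False", "f", "no", "n"}

def validate_import(text):
    """Return (line, message) problems found in CSV text; an empty list means none."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    problems = [(1, f"missing required header '{h}'") for h in REQUIRED if h not in headers]
    rows = [] if problems else list(reader)
    if len(rows) > MAX_ACCOUNTS:
        problems.append((1, f"{len(rows)} accounts exceeds the {MAX_ACCOUNTS} limit"))
    for line, row in enumerate(rows, start=2):    # line 1 is the header
        get = lambda k: (row.get(k) or "").strip()
        if not LOGIN_RE.fullmatch(get("Login Name")):
            problems.append((line, "Login Name is not <login name>@<loginsuffix>"))
        if not EMAIL_RE.fullmatch(get("Email Address")):
            problems.append((line, "Email Address is not a valid form"))
        desc = get("Description")
        if len(desc) > 128 or re.search(r"[^\w\s]", desc):
            problems.append((line, "Description has punctuation or exceeds 128 characters"))
        for field in PHONES:
            if get(field) and not PHONE_RE.fullmatch(get(field)):
                problems.append((line, f"{field} is not a US or E.164 number"))
        change = get("Require Password Change")
        if change and change not in CHANGE_YES | CHANGE_NO:
            problems.append((line, "Require Password Change value is not supported"))
        if get("Password"):
            if not PW_RE.fullmatch(get("Password")):
                problems.append((line, "Password is below the default minimum"))
            if change not in CHANGE_YES:          # cleartext password would stay in use
                problems.append((line, "Password set without a forced change at first login"))
    return problems

# Constructed sample: line 2 is clean, lines 3 and 4 each break rules from the table.
SAMPLE = '''Login Name,Email Address,Display Name,Mobile number,Roles,Password,Require Password Change
bob.smith@acme.com,bob.smith@acme.com,"Smith, Bob",123-456-7890,"role1,role2",,
jane doe@acme.com,N/A,Jane Doe,555-1234,,,
sam.lee@acme.com,sam.lee@acme.com,Sam Lee,+442071838750,,winter2024,n
'''
```

Because an import file that uses the Password column holds initial passwords in clear text, treat it like any other credential store: restrict access to it and delete it once the import report confirms the accounts were created.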

Create CyberArk Cloud Directory users from an import file

The following procedure describes how to use the import wizard to create CyberArk Cloud Directory users in bulk by importing user data from an Excel or CSV file.

  1. Go to Core Services > Users > Bulk User Import > Browse.

  2. Navigate to the Excel or CSV file you created.

  3. Click Open > Next.

  4. Review the entries.

    The first 15 records are displayed. Use this display to ensure you have formatted the entries correctly.

  5. Click Next.

    The CyberArk Cloud Directory - Bulk Import Report field is automatically populated with your email address. Change the address if you want the report to go to someone else.

  6. Click Confirm.

    After the wizard completes the import, CyberArk Identity sends two email messages:

    Message | Description

    CyberArk Identity Service - Bulk Import Report | This email message is sent to the email account that you had specified to receive the report. It indicates how many new users were specified in the file and how many were successfully added. An explanation is provided for each failed account.

    CyberArk Identity Service - User Account | This email message is sent to each user account created. The message includes a link to the User Portal and a one-time password. When users open the link, they are prompted to create a new password (unless you have configured otherwise).

    You can customize email messages—see Customize email message contents.