Add Users

This topic describes your options for adding users so you can get started with CyberArk Identity.

There are two user types in CyberArk Identity.

User type Description

User type	Description
Interactive users - for end user access to the User Portal	Any user who signs in to CyberArk Identity to interact with a portal (for example, the User Portal). Refer to Add Users for more information.
Service users, for non-interactive API	A CyberArk Identity service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access CyberArk Identity. The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk Identity. The access token is then employed to authenticate CyberArk Identity-protected APIs for tasks such as: Enrolling or unenrolling a device Uninstalling an agent Sending requests to SCIM server APIs Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities. How to create service users Automatic creation of service users. CyberArk Identity automatically creates service users during device enrollment using the format `Machine_Id@TenantAlias`. Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources. Refer to Add service users for more information.

Interactive users - for end user access to the User Portal

Any user who signs in to CyberArk Identity to interact with a portal (for example, the User Portal).

Refer to Add Users for more information.

Service users, for non-interactive API

A CyberArk Identity service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access CyberArk Identity.

The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk Identity. The access token is then employed to authenticate CyberArk Identity-protected APIs for tasks such as:

Enrolling or unenrolling a device
Uninstalling an agent
Sending requests to SCIM server APIs

Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

How to create service users

Automatic creation of service users. CyberArk Identity automatically creates service users during device enrollment using the format Machine_Id@TenantAlias.

Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources.

Refer to Add service users for more information.

How are users provisioned ?

The following table describes the various methods for provisioning users.

Method	Description
Connect to On-prem authentication: Active Directory RADIUS	You can connect to on-prem authentication solutions by installing the CyberArk Identity Connector. On-prem authentication solutions include Active Directory (AD) , LDAP and RADIUS. Once the CyberArk Identity Connector is installed, users and groups are provisioned in the Identity Security Platform.
Connect to Cloud-based authentication solutions	Continue using your directory source, such as Google Workspace or Azure Active Directory.
Add CyberArk Cloud Directory users	You can add users, individually or in bulk, directly to the Identity Security Platform. These users are managed by CyberArk and are not connected to an external directory. See Add CyberArk Cloud Directory Users.
Set up federation	Set up federation with an external Identity Provider using SAML. See Set up external identity providers

Add service users

Refer to the following topics for more information about adding service users.

Custom OAuth2 Client
Client Credentials flow