Add service users

The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework and is used to obtain an access token from CyberArk. The access token is then used to authenticate to CyberArk-protected APIs for tasks such as:

  • enrolling or unenrolling a device

  • uninstalling an agent

  • sending requests to SCIM server APIs

Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

How to create service users

Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.

Create a service user

  1. In Users, click Add User and enter the user details: login name, display name, and password. You do not need to enter an email address.

  2. In the Status checklist, select the Is OAuth confidential client checkbox. The following checkboxes are selected by default: 

    • Is Service User

    • Password never expires

  3. Click Create User.

  4. Assign the API user(s) you created to the service user roles that are required for the APIs you want to run. In Roles, access the relevant user role, click Members, and add the API user(s) you created.

Service users are not displayed in the list of active users as they do not access the Identity Administration User Portal. To view service users, click All Users or All Service Users.
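
How a client application would use the service user created above in the Client Credentials Flow, shown as an added example that is not CyberArk's own code: it builds the token request per RFC 6749 and validates the token response without sending anything. The token URL is a placeholder, and using the service user's login name and password as the client ID and client secret is an assumption based on the description above.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder (assumption): the page gives no token endpoint; use your tenant's value.
TOKEN_URL = "https://tenant.example.invalid/oauth2/token/PLACEHOLDER_APP_ID"


def build_token_request(token_url, login_name, password, scope=None):
    """Build (not send) an RFC 6749 section 4.4 client-credentials request."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https: the request carries the secret")
    # RFC 6749 section 2.3.1: form-encode the id and secret, then use HTTP Basic.
    pair = "{}:{}".format(urllib.parse.quote_plus(login_name),
                          urllib.parse.quote_plus(password))
    basic = base64.b64encode(pair.encode("utf-8")).decode("ascii")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(body, now=None):
    """Validate a token response (RFC 6749 section 5.1); return (token, expiry epoch)."""
    doc = json.loads(body)
    if "error" in doc:
        raise RuntimeError("token endpoint refused the client: " + str(doc["error"]))
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc.get("expires_in", 0))


if __name__ == "__main__":
    # Constructed values for a dry run; nothing is sent over the network.
    req = build_token_request(TOKEN_URL, "svc-scim@example.invalid", "constructed-secret")
    print(req.get_method(), req.full_url, req.data.decode())
    sample = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'
    print(parse_token_response(sample, now=0))
```

Because the service user's password never expires by default, supply it to the script from a secret store at run time rather than embedding it in source or configuration files.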