Add Identity Administration users

This topic describes how to create CyberArk Cloud Directory users one at a time in Identity Administration. For example, you might want to create a user that you can assign to the System Administrator role, or a different role with a more limited set of administrative rights.

To create a CyberArk Cloud Directory user
  1. Sign in to the Identity Administration using your administrator account.

  2. Go to Core Services > Users > Add User.

  3. Enter a login name and select a suffix.

    For Customer Identity Access Management tenants, select the Primary Identifier from the drop-down list. The attribute you select as the primary identifier is used for user-related events, such as report generation. For example, if the user's mobile number is the primary identifier, then the user is identified based on the mobile number in CyberArk Identity.
    If you select the username as the primary identifier, then login name is a mandatory input.
    Contact your account representative to enable this feature.

    A username can contain of any UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period).

    The suffix is the part of your account name that follows “@”. For example, if your account name is, then the suffix is By default, the suffix associated with your default account is populated.

    All login suffixes are displayed in the list, including the login suffix for any Active Directory/LDAP domains you are using.

    Important: If you select the login suffix for an Active Directory/LDAP domain, the account is not added to Active Directory/LDAP. The account’s Source column will indicate CyberArk Identity as the source, rather than Active Directory/LDAP.

    The login suffix doesn't exist for CyberArk Cloud Directory users in Customer Identity Access Management tenants. In addition, you can request a tenant without the login suffix. For details, see Add Identity Administration users.
  4. Enter the email address and display name for the user.

  5. Enter a password.

    This is a one-time password for the user to sign in to Identity User Portal if you select Require password change at next login (recommended) in the Status settings. This password is replaced with the password created by the user.

    The default minimum password requirements are:

    • 8 characters

    • 1 numeric character

    • 1 upper case letter

    • 1 lower case letter

  6. Select the applicable Status settings.

    A CyberArk Identity Security Platform Shared Services service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access Identity Administration.

    The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework ( and is used to obtain an access token from CyberArk. The access token is then employed to authenticate CyberArk-protected APIs for tasks such as:

    • Enrolling or unenrolling a device

    • Uninstalling an agent

    • Sending requests to SCIM server APIs

      Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

      How to create service users

      Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.

  7. (Optional) Enter the appropriate information for the Profile fields.

  8. (Optional) Enter a date and time in the Start date and End date fields to allow CyberArk Identity Directory users access to CyberArk Identity resources during a specified time period.

    If Send email invite for user portal setup or Send SMS invite for device enrollment is selected, an invitation email or text message is automatically sent to the user on the start date. Users configured to have a start and end date are automatically suspended in the directory service and deprovisioned from applications once the specified end date is reached. You can not modify the Start date field once the user is active; you can modify the End date field at any time.

    When configuring the Start and End date fields, keep in mind that the dates and times are based on your local time zone. If you are creating users in a different time zone, be sure to calculate the proper start and end dates for the users time zone.

    Users with the System Administrator role or users that are in a role with User Management administrative rights can modify these settings.

  9. (Optional) Enter the appropriate information for the Organization field.

  10. Click Create User.

    A notification is sent to the newly created user using your selected method.