Add CyberArk Cloud Directory Users
This topic describes how to create CyberArk Cloud Directory users.
To avoid users logging in with the wrong account and other account-related confusion, CyberArk recommends that you do not create duplicate accounts (same user name/password) in both the CyberArk Cloud Directory and external directory sources.
Create a single CyberArk Cloud Directory user
The following procedure describes how to create CyberArk Cloud Directory users one at a time in Identity Administration. For example, you might want to create a user that you can assign to the System Administrator Role or to a different role with a more limited set of administrative rights.
To create a CyberArk Cloud Directory user:
- Sign in to the Identity Administration using your administrator account.
- Go to Core Services > Users > Add User.
- Enter a login name and select a suffix.
  For Customer Identity Access Management tenants, select the Primary Identifier from the drop-down list. The attribute you select as the primary identifier is used for user-related events, such as report generation. For example, if the user's mobile number is the primary identifier, then the user is identified based on the mobile number in CyberArk Identity.
  If you select the username as the primary identifier, then the login name is a mandatory input.
  Contact your account representative to enable this feature.
  A username can contain any UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period).
  The suffix is the part of your account name that follows "@". For example, if your account name is bob.smith@acme.com, then the suffix is acme.com. By default, the suffix associated with your default account is populated.
  All login suffixes are displayed in the list, including the login suffix for any Active Directory/LDAP domains you are using.
  Important: If you select the login suffix for an Active Directory/LDAP domain, the account is not added to Active Directory/LDAP. The account's Source column will indicate CyberArk Identity as the source, rather than Active Directory/LDAP.
  The login suffix doesn't exist for CyberArk Cloud Directory users in Customer Identity Access Management tenants. In addition, you can request a tenant without the login suffix. For details, see Add CyberArk Cloud Directory Users.
- Enter the email address and display name for the user.
- Enter a password.
  This is a one-time password for the user to sign in to the Identity User Portal if you select Require password change at next login (recommended) in the Status settings. This password is replaced with the password created by the user.
  The default minimum password requirements are:
  - 8 characters
  - 1 numeric character
  - 1 upper case letter
  - 1 lower case letter
- Select the applicable Status settings.
  Service user: A CyberArk Identity Security Platform Shared Services service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access Identity Administration.
  The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749) and is used to obtain an access token from CyberArk. The access token is then employed to authenticate to CyberArk-protected APIs for tasks such as:
  - Enrolling or unenrolling a device
  - Uninstalling an agent
  - Sending requests to SCIM server APIs
  Service users do not access the service portal to perform portal-related tasks; they are used to run automated and API-based activities.
  How to create service users (manual creation): you can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk resources.
- (Optional) Enter the appropriate information for the Profile fields.
- (Optional) Enter a date and time in the Start date and End date fields to allow CyberArk Identity Directory users access to CyberArk Identity resources during a specified time period.
  If Send email invite for user portal setup or Send SMS invite for device enrollment is selected, an invitation email or text message is automatically sent to the user on the start date. Users configured to have a start and end date are automatically suspended in the directory service and deprovisioned from applications once the specified end date is reached. You cannot modify the Start date field once the user is active; you can modify the End date field at any time.
  When configuring the Start and End date fields, keep in mind that the dates and times are based on your local time zone. If you are creating users in a different time zone, be sure to calculate the proper start and end dates for the user's time zone. Users with the System Administrator role, or users in a role with User Management administrative rights, can modify these settings.
- (Optional) Enter the appropriate information for the Organization field.
- Click Create User.
  A notification is sent to the newly created user using your selected method.
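The service user described under the Status settings above is an OAuth 2.0 client in the Client Credentials Flow. The following Python is an added example, not CyberArk code: it builds the RFC 6749 section 4.4.2 token request exactly as it goes on the wire, parses the section 5.1 success and section 5.2 error responses, and tracks expiry so a caller renews before the token lapses. The token endpoint, client id, client secret and the sample response are constructed placeholders; the real endpoint and credentials come from the OAuth 2.0 client application configured in your tenant. Because a service user has no MFA policy, the client secret is the only factor, so it should be read from a secret store rather than embedded as below.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Placeholder endpoint (assumption); the real one comes from the tenant's OAuth2 client app.
TOKEN_ENDPOINT = "https://tenant.example/oauth2/token"


class TokenError(Exception):
    """Raised for an RFC 6749 section 5.2 error response or a malformed success response."""


def build_client_credentials_request(token_endpoint, client_id, client_secret, scope=None):
    """Access token request of RFC 6749 section 4.4.2. The service user authenticates with
    HTTP Basic (section 2.3.1): id and secret are form-urlencoded, joined with ':' and
    base64-encoded. The secret travels only in this header, never in the body or URL."""
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(credentials.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def parse_token_response(status, body, now=None):
    """Turn a section 5.1 success response into a token record with an absolute expiry,
    or raise TokenError for a section 5.2 error response."""
    now = time.time() if now is None else now
    data = json.loads(body)
    if status != 200:
        raise TokenError(f"{data.get('error', 'unknown_error')}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "scope": data.get("scope"),
    }


def token_is_fresh(token, now=None, skew=30):
    """False once the token is within `skew` seconds of expiry, so callers renew early."""
    now = time.time() if now is None else now
    return now < token["expires_at"] - skew


def bearer_header(token):
    """Header for calling a CyberArk-protected API with the obtained access token."""
    return {"Authorization": f"Bearer {token['access_token']}"}


def fetch_token(token_endpoint, client_id, client_secret, scope=None):
    """Send the request over the network (needs a real endpoint; not exercised offline)."""
    req = build_client_credentials_request(token_endpoint, client_id, client_secret, scope)
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read().decode())


# Constructed success response, in the shape an authorization server returns.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.access.token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "scim",
})

if __name__ == "__main__":
    request = build_client_credentials_request(TOKEN_ENDPOINT, "svc-user", "s3cret", scope="scim")
    print(request["method"], request["url"], request["body"])
    token = parse_token_response(200, SAMPLE_RESPONSE)
    print(bearer_header(token), "fresh:", token_is_fresh(token))
```

The request builder and the parser are kept apart from the network call so the exact bytes sent and the handling of an error body can be checked without a live tenant; `fetch_token` is the only function that talks to the endpoint.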
Create CyberArk Cloud Directory users in bulk
You can use an Excel spreadsheet or CSV file to import users to the CyberArk Cloud Directory in bulk. The user account file can contain up to 10,000 accounts.
Before you begin
We recommend creating roles and assigning web applications to those roles before a bulk import of user accounts. If you import user accounts first, then new users will see an empty Apps page when they sign in to the Identity User Portal for the first time.
You need an Excel or CSV file to create users in bulk. To create the file, use the CSV file template provided (Option 1 in the import wizard) or create the file from scratch. The Excel or CSV file must meet the following requirements:
- The required fields must be present.
- Each field must have a header.
- Headers must match exactly as shown in the following table, including upper case characters and spaces.
- Fields/attributes not listed in the following table must be defined in Settings > Customization > Additional Attributes. If the additional attributes are not defined, they are not uploaded. The attribute names you define on the Additional Attributes page must exactly match the corresponding headers in the CSV file.
The following table describes the required or optional field formats for the Excel spreadsheet or CSV file.
Default Fields | Rules
--- | ---
Login Name | Required. Enter the full user name, including the login suffix (the part after "@", for example bob.smith@acme.com). The login suffix must exist already.
Email Address | Required. You can specify one email address only. The email address must be of a valid form. Plain text strings, such as "N/A" or "unavailable", will be rejected.
Display Name | Optional. You can enter the display name in Excel with either the first name or the last name first. If you are editing the CSV file, use quotes if you specify the last name first (for example, "last, first").
Description | Optional. Do not use punctuation. The limit is 128 characters.
Office Number, Mobile Number, Home Number | Optional. Enter the area code. You can enter domestic US numbers in the following forms: Use E.164 number formatting to enter an international number. If you are using the phone or text message options for multi-factor authentication, the Office and/or Mobile numbers must be accurate or the user will not be able to sign in.
Roles | Optional. All accounts are automatically added to the Everybody role. You can specify multiple roles. Use a comma to separate each role. If you are editing the CSV file, surround the roles with quotes, for example: "role1, role2, role3". The role must already exist, and the names are case-sensitive. Assign web applications to CyberArk Identity roles before you do a bulk user import. CyberArk Identity sends a login email message to new users immediately after creating the account. If you do not have the applications assigned, the users are presented with an empty Apps screen when they sign in to the Identity User Portal.
Expiration Date | Optional. Enter a date when the account expires. If you do not set a date, the account does not expire.
Password | Optional. Sets the password for the user. The password requirement is based on the password policy settings in Identity Administration > Policies > User Security Policies > Password Settings.
Require Password Change | Optional. Specifies whether users must change the password upon the first successful login. The supported inputs are:
Password Never Expires | Optional. Specifies whether the password for the user expires. The supported inputs are:
Reports to | Optional. The name of the reporting manager. This field is not in the CSV template.
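The import wizard rejects files whose headers do not match the template exactly and reports each failed account only after the upload, so it pays to check the file first. The following Python is an added example, not CyberArk's own code or template: it writes a bulk-import CSV with the `csv` module (which quotes "last, first" display names and multi-role cells automatically) and then checks each row against the rules stated on this page: the username character set (UTF-8 alphanumerics plus + - _ .), a login suffix that already exists, one email address of valid form, a description without punctuation and at most 128 characters, roles that already exist with case-sensitive names, and the default minimum password requirements (8 characters, 1 numeric, 1 upper case, 1 lower case). The header strings are copied from the table above and are an assumption to verify against the template downloaded from the wizard (Option 1); the suffixes, roles and user rows are constructed sample data.

```python
import csv
import io
import re

# Header strings as written in the page's field table (assumption: verify against the
# template from Bulk User Import, Option 1; case and spaces must match exactly).
HEADERS = ["Login Name", "Email Address", "Display Name", "Description", "Roles", "Password"]
REQUIRED = {"Login Name", "Email Address"}

# Local part of a login name: UTF-8 alphanumerics plus + - _ . (\w already covers _).
LOCAL_PART_RE = re.compile(r"^[\w+.-]+$")
# One address of valid form; plain text such as "N/A" or "unavailable" fails this.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Anything that is neither a word character nor whitespace counts as punctuation.
PUNCTUATION_RE = re.compile(r"[^\w\s]")


def validate_login_name(login, known_suffixes):
    """Return None if login is name@suffix with allowed characters and an existing suffix."""
    local, sep, suffix = login.rpartition("@")
    if not sep or not local or not suffix:
        return "login name must include the login suffix (name@suffix)"
    if not LOCAL_PART_RE.match(local):
        return "login name contains characters other than alphanumerics and + - _ ."
    if suffix not in known_suffixes:
        return f"login suffix {suffix!r} does not exist yet"
    return None


def password_problems(password):
    """Default minimum requirements: 8 characters, 1 digit, 1 upper case, 1 lower case."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    return problems


def row_problems(row, known_suffixes, known_roles):
    """Apply the per-field rules from the table to one CSV row (a dict of strings)."""
    problems = []
    login_error = validate_login_name(row.get("Login Name") or "", known_suffixes)
    if login_error:
        problems.append(login_error)
    if not EMAIL_RE.match(row.get("Email Address") or ""):
        problems.append("email address is not of a valid form (N/A, unavailable are rejected)")
    description = row.get("Description") or ""
    if len(description) > 128:
        problems.append("description longer than 128 characters")
    if PUNCTUATION_RE.search(description):
        problems.append("description contains punctuation")
    # Roles are comma separated, must already exist, and names are case-sensitive.
    for role in [r.strip() for r in (row.get("Roles") or "").split(",") if r.strip()]:
        if role not in known_roles:
            problems.append(f"role {role!r} does not exist (names are case-sensitive)")
    if row.get("Password"):
        problems.extend("password " + p for p in password_problems(row["Password"]))
    return problems


def build_csv(rows):
    """Write rows (Roles given as a list) under the exact headers; csv quotes any cell
    containing a comma, which covers "last, first" display names and multi-role cells."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADERS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        record = dict(row)
        record["Roles"] = ", ".join(row.get("Roles", []))
        writer.writerow(record)
    return out.getvalue()


def check_file(text, known_suffixes, known_roles):
    """Return (line_number, message) findings; line 0 stands for the header line."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    findings = []
    unknown = [h for h in headers if h not in HEADERS]
    if unknown:
        findings.append((0, f"headers not in the template; define them under Additional Attributes or they are not uploaded: {unknown}"))
    missing = sorted(REQUIRED - set(headers))
    if missing:
        findings.append((0, f"required headers missing (case and spaces must match): {missing}"))
        return findings
    for line_number, row in enumerate(reader, start=2):  # line 1 is the header
        findings.extend((line_number, msg) for msg in row_problems(row, known_suffixes, known_roles))
    return findings


# Constructed sample data: one clean account and one that breaks several rules.
KNOWN_SUFFIXES = {"acme.com"}
KNOWN_ROLES = {"Everybody", "Sales"}
SAMPLE_ROWS = [
    {"Login Name": "bob.smith@acme.com", "Email Address": "bob.smith@example.com",
     "Display Name": "Smith, Bob", "Description": "Sales engineer", "Roles": ["Sales"],
     "Password": "Tmp-Passw0rd"},
    {"Login Name": "jane doe@acme.com", "Email Address": "N/A",
     "Display Name": "Jane Doe", "Description": "Contractor!", "Roles": ["sales"],
     "Password": "short"},
]

if __name__ == "__main__":
    text = build_csv(SAMPLE_ROWS)
    print(text)
    for line_number, message in check_file(text, KNOWN_SUFFIXES, KNOWN_ROLES):
        print(f"line {line_number}: {message}")
```

Run it against the file you intend to upload by reading the file into `check_file` with the suffixes and roles that exist in your tenant; the second sample row shows how a single bad record produces seven separate findings, each of which the wizard would otherwise report only as a failed account in the Bulk Import Report.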
Create CyberArk Cloud Directory users from an import file
The following procedure describes how to use the import wizard to create CyberArk Cloud Directory users in bulk by importing user data from an Excel or CSV file.
- Go to Core Services > Users > Bulk User Import > Browse.
- Go to the Excel or CSV file you created.
- Click Open > Next.
- Review the entries.
  The first 15 records are displayed. Use this display to ensure you have formatted the entries correctly.
- Click Next.
  The CyberArk Cloud Directory - Bulk Import Report field is automatically populated with your email address. Change the address if you want the email to go to someone else.
- Click Confirm.
After the wizard completes the import, CyberArk Identity sends two email messages:
Message | Description
--- | ---
CyberArk Identity Service - Bulk Import Report | This email message is sent to the email account that you specified to receive the report. It indicates how many new users were specified in the file and how many were successfully added. An explanation is provided for each failed account.
CyberArk Identity Service - User Account | This email message is sent to each user account created. The message includes a link to the User Portal and a one-time password. When users open the link, they are prompted to create a new password (unless you have configured otherwise).