Add Users

This topic describes your options for adding users so you can get started with CyberArk Identity.

There are two user types in CyberArk Identity.

User type Description

Interactive users - for end user access to the User Portal

Any user who signs in to CyberArk Identity to interact with a portal (for example, the User Portal).

Service users, for non-interactive API

A CyberArk Identity service user is dedicated to API and automation tasks. This user has least privilege access permissions, is not assigned MFA policies, and cannot access CyberArk Identity.

The service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework ( and is used to obtain an access token from CyberArk Identity. The access token is then employed to authenticate CyberArk Identity-protected APIs for tasks such as:

  • Enrolling or unenrolling a device

  • Uninstalling an agent

  • Sending requests to SCIM server APIs

    Service users do not access the service portal to perform portal-related tasks but are used to run automated and API-based activities.

    How to create service users

    Automatic creation of service users. CyberArk Identity automatically creates service users during device enrollment using the format Machine_Id@TenantAlias.

    Manual creation of service users. You can create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources.

How are users provisioned ?

The following table describes the various methods for provisioning users.



Connect to On-prem authentication:

Active Directory


You can connect to on-prem authentication solutions by installing the CyberArk Identity Connector.

On-prem authentication solutions include Active Directory (AD) , LDAP and RADIUS.

Once the CyberArk Identity Connector is installed, users and groups are provisioned in CyberArk Identity Security Platform Shared Services.

Connect to Cloud-based authentication solutions

Continue using your directory source, such as Google Workspace or Azure Active Directory.

Add CyberArk Cloud Directory users

You can add users, individually or in bulk, directly to CyberArk Identity Security Platform Shared Services. These users are managed by CyberArk and are not connected to an external directory.

See Add CyberArk Cloud Directory Users.

Set up federation

Set up federation with an external Identity Provider using SAML.

See Set up federation with external identity providers

Add service users

Refer to the following topics for more information about adding service users.

In this section: