You must be an Identity Administration portal administrator to create service accounts and assign roles. The service account consumes a Privilege Cloud license.

Creating an OAuth Service Account

CyberArk Privilege Cloud authenticates API calls with the OAuth 2.0 client credentials grant. The dedicated service user you create in the CyberArk Identity Administration portal is the OAuth confidential client: its login name is the client ID and its password is the client secret, so treat the account as an API credential rather than a person.

1. Sign in to CyberArk Identity Administration

Sign in to your CyberArk Identity Administration portal.

  • You need administrator privileges in the Identity Administration portal
  • Your Identity portal URL follows the format: https://<tenant-id>.id.cyberark.cloud

2. Navigate to Users

In the Identity Administration portal, go to Core Services > Users.

3. Create a New Service User

Click Add User and fill in the following fields.

  • Login Name: Enter a descriptive name (e.g., stackone-api-service). This will be your Client ID; note it exactly as the portal saves it, including the @suffix shown next to the field, because that full login name is what the token request expects as client_id.
  • Display Name: Enter a display name (e.g., StackOne API Service Account)
  • Password: Set a long, randomly generated password that is used nowhere else. This will be your Client Secret, so anyone who obtains it can call the API as this account.

4. Configure Service Account Settings

In the Status checklist, enable the following checkboxes before saving.

  • Is OAuth confidential client — Required for OAuth 2.0 authentication
  • Is Service User — Marks this as a non-interactive API account
  • Password never expires — Automatically selected for service users

5. Save the Service Account

Click Create User to save.

  • Service users do not appear in the active users list
  • To view service users, click All Users or All Service Users in the filter
  • Store the Login Name (Client ID) and Password (Client Secret) in a secrets manager, not in a ticket, chat or script. Changing the password in the portal changes the Client Secret, so any integration using it must be updated at the same time.

Assigning Privilege Cloud Roles

The service account must be assigned to the correct role to access Privilege Cloud APIs.

1. Navigate to Roles

In the Identity Administration portal, go to Core Services > Roles.

2. Add Service User to Privilege Cloud Role

Find and open the role that matches what the integration will actually do, then add the service user as a member. Prefer the least-privileged role that covers the API calls you need; Privilege Cloud Administrators grants full API access and should be used only when that access is genuinely required.

  • Privilege Cloud Administrators — Full API access (uses Privileged Standard User license)
  • Privilege Cloud Administrators Basic — Limited access (uses Privileged Basic User license)
  • Privilege Cloud Users — Standard user-level access

To add the member, open the role, click the Members tab, then click Add and select your service user.

3. Configure Vault-Level Permissions (Optional)

For actions like managing users, groups, or safes, the service account may need additional Vault-level permissions. Grant only the permissions required by the actions the integration performs; each one below maps to a specific class of API call.

  • Audit Users — Required for listing and viewing users/groups
  • Add/Update Users — Required for creating, updating, and deleting users/groups
  • Reset Users’ Passwords — Required for password reset actions
  • Add Safes — Required for creating new safes
  • Manage Safe Members — Required for adding/updating/removing safe members

Finding Your Tenant ID

The Identity Tenant ID is needed to construct the OAuth token endpoint URL.

1. Locate Your Tenant ID

In the Identity Administration portal, click the user icon in the top-right corner.

  • Click About or Tenant Details to see your Tenant ID
  • Your Identity tenant URL follows the format: https://<tenant-id>.id.cyberark.cloud
  • The Tenant ID is the prefix before .id.cyberark.cloud
  • Important: The Identity Tenant ID is frequently different from your Privilege Cloud subdomain. Do not assume they match; a token request sent to the wrong Identity host will fail even when the Client ID and Client Secret are correct.

Finding Your Privilege Cloud Subdomain

The Privilege Cloud subdomain is needed to construct the API base URL.

1. Locate Your Subdomain

Open your CyberArk Privilege Cloud portal in a browser.

  • Your Privilege Cloud URL follows the format: https://<subdomain>.privilegecloud.cyberark.com
  • The subdomain is the prefix before .privilegecloud.cyberark.com
  • Example: If your URL is https://acme.privilegecloud.cyberark.com, your subdomain is acme
  • Copy the subdomain exactly as it appears in the address bar; newer Shared Services tenants may be served from a .privilegecloud.cyberark.cloud domain instead, so check the full hostname rather than assuming the domain
  • You can also find this in the CyberArk welcome email or by contacting your CyberArk administrator
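With the four values collected, you can check them from a workstation before entering them in the Hub. The Python script below is an added example and is not code from this page, StackOne or CyberArk. It assumes CyberArk's client credentials flow as documented for Privilege Cloud: a POST to /oauth2/platformtoken on the Identity tenant host, and the Privilege Cloud REST API under /PasswordVault/API on the portal host (built here with the .privilegecloud.cyberark.com domain used on this page; substitute your portal's domain if it differs). The environment variable names and the read-only Safes call used as a probe are the example's own choices.

```python
"""Probe a CyberArk Privilege Cloud OAuth service account with the four values from this page."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint layout (CyberArk's client-credentials flow; these paths are not stated on the page above).
TOKEN_PATH = "/oauth2/platformtoken"
API_PATH = "/PasswordVault/API"


def _bare_prefix(value: str, name: str) -> str:
    """Reject a full URL or hostname pasted where only the prefix belongs."""
    if not value or any(ch in value for ch in ".:/@ "):
        raise ValueError(f"{name} must be the bare prefix (e.g. 'acme'), got {value!r}")
    return value


def token_url(identity_tenant_id: str) -> str:
    """OAuth token endpoint on the Identity tenant (prefix before .id.cyberark.cloud)."""
    return f"https://{_bare_prefix(identity_tenant_id, 'Identity Tenant ID')}.id.cyberark.cloud{TOKEN_PATH}"


def api_base_url(subdomain: str) -> str:
    """REST base URL on the Privilege Cloud portal (prefix before .privilegecloud.cyberark.com)."""
    return f"https://{_bare_prefix(subdomain, 'Privilege Cloud subdomain')}.privilegecloud.cyberark.com{API_PATH}"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded client-credentials grant; client_id is the service user's login name."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()


def parse_token_response(raw: bytes) -> str:
    """Return the bearer token, or raise with the server's reply if none was issued."""
    data = json.loads(raw)
    if not isinstance(data, dict) or "access_token" not in data:
        raise RuntimeError(f"no access_token in response: {data}")
    return data["access_token"]


def safe_count(payload: dict) -> int:
    """The Safes API returns {'value': [...], 'count': N}; fall back to len(value) if count is absent."""
    return int(payload.get("count", len(payload.get("value", []))))


def fetch_token(identity_tenant_id: str, client_id: str, client_secret: str) -> str:
    req = urllib.request.Request(
        token_url(identity_tenant_id),
        data=token_request_body(client_id, client_secret),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def count_visible_safes(subdomain: str, token: str) -> int:
    """Read-only probe: succeeds only if the role assignment lets the account list safes."""
    req = urllib.request.Request(
        f"{api_base_url(subdomain)}/Safes",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return safe_count(json.loads(resp.read()))


def main() -> None:
    # Secrets come from the environment (hypothetical variable names), never from a literal in the script.
    names = ("CYBERARK_TENANT_ID", "CYBERARK_SUBDOMAIN", "CYBERARK_CLIENT_ID", "CYBERARK_CLIENT_SECRET")
    missing = [n for n in names if n not in os.environ]
    if missing:
        sys.exit(f"missing environment variables: {', '.join(missing)}")
    tenant, subdomain, client_id, secret = (os.environ[n] for n in names)
    try:
        token = fetch_token(tenant, client_id, secret)
        print(f"token issued; account can list {count_visible_safes(subdomain, token)} safe(s)")
    except urllib.error.HTTPError as err:
        # 401 on the token URL: bad Client ID/Secret. 403 on the Safes URL: token fine, role too weak.
        body = err.read().decode(errors="replace")[:300]
        sys.exit(f"HTTP {err.code} from {err.url}: {body}")


if __name__ == "__main__":
    main()
```

Run it with the four values exported as environment variables so the Client Secret never lands in shell history or source control. A 401 from the token URL typically means the Client ID or Client Secret is wrong (try the full login name with its @suffix as client_id), while a 403 from the Safes URL means the token was issued but the assigned role does not permit the read, which points back at the role membership rather than at the credentials.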

Linking the Account from the Hub

1. Navigate to the Hub

Use one of the three Linking Account Methods to access the Hub.

2. Fill out the fields

Fill out the following fields using the values you collected above:

  • Client ID — the service user's Login Name
  • Client Secret — the service user's Password
  • Identity Tenant ID — the prefix before .id.cyberark.cloud
  • Privilege Cloud Subdomain — the prefix before .privilegecloud.cyberark.com

3. Connect

  • Click Connect
  • If applicable, the provider will redirect you to a sign-in or authorization page. Complete the provider's authorization flow.
  • Once authorization is successful, you will see a confirmation popup

If the account linking is successful, you will see the newly linked account in your Accounts page.