# Connect CyberArk (Privilege Cloud) with OAuth 2.0 (Service Account) – StackOne Hub

> Link a CyberArk (Privilege Cloud) account in the StackOne Hub using OAuth 2.0 (Service Account). End-user guide to authorize the integration and start using CyberArk (Privilege Cloud) actions.

<Warning>You must be an Identity Administration portal administrator to create service accounts and assign roles. The service account consumes a Privilege Cloud license.</Warning>

<section data-guide-section data-guide-scopes="">
  <h2>Creating an OAuth Service Account</h2>

  <p>CyberArk Privilege Cloud uses OAuth 2.0 Client Credentials for API authentication. You need to create a dedicated service user in the CyberArk Identity Administration portal.</p>

  <Steps>
    <Step title="Sign in to CyberArk Identity Administration">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Sign in to your <a href="https://<your-tenant>.id.cyberark.cloud" target="_blank" rel="noopener noreferrer">CyberArk Identity Administration portal</a>.</p>

        <ul>
          <li>You need administrator privileges in the Identity Administration portal</li>
          <li>Your Identity portal URL follows the format: `https://<tenant-id>.id.cyberark.cloud`</li>
        </ul>
      </div>
    </Step>

    <Step title="Navigate to Users">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>In the Identity Administration portal, go to <strong>Core Services</strong> > <strong>Users</strong>.</p>
      </div>
    </Step>

    <Step title="Create a New Service User">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>Add User</strong> and fill in the following fields.</p>

        <ul>
          <li><strong>Login Name</strong>: Enter a descriptive name (e.g., `stackone-api-service`). This will be your <strong>Client ID</strong>.</li>
          <li><strong>Display Name</strong>: Enter a display name (e.g., `StackOne API Service Account`)</li>
          <li><strong>Password</strong>: Set a strong password. This will be your <strong>Client Secret</strong>.</li>
        </ul>
      </div>
    </Step>

    <Step title="Configure Service Account Settings">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>In the <strong>Status</strong> checklist, enable the following checkboxes before saving.</p>

        <ul>
          <li><strong>Is OAuth confidential client</strong> — Required for OAuth 2.0 authentication</li>
          <li><strong>Is Service User</strong> — Marks this as a non-interactive API account</li>
          <li><strong>Password never expires</strong> — Automatically selected for service users</li>
        </ul>
      </div>
    </Step>

    <Step title="Save the Service Account">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Click <strong>Create User</strong> to save.</p>

        <ul>
          <li>Service users do not appear in the active users list</li>
          <li>To view service users, click <strong>All Users</strong> or <strong>All Service Users</strong> in the filter</li>
          <li>Store the Login Name (Client ID) and Password (Client Secret) securely</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Assigning Privilege Cloud Roles</h2>

  <p>The service account must be assigned to the correct role to access Privilege Cloud APIs.</p>

  <Steps>
    <Step title="Navigate to Roles">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>In the Identity Administration portal, go to <strong>Core Services</strong> > <strong>Roles</strong>.</p>
      </div>
    </Step>

    <Step title="Add Service User to Privilege Cloud Role">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Find and open the <strong>Privilege Cloud Administrators</strong> role (or the appropriate role for your use case), then add the service user as a member.</p>

        <ul>
          <li><strong>Privilege Cloud Administrators</strong> — Full API access (uses Privileged Standard User license)</li>
          <li><strong>Privilege Cloud Administrators Basic</strong> — Limited access (uses Privileged Basic User license)</li>
          <li><strong>Privilege Cloud Users</strong> — Standard user-level access</li>
          <li>Click the <strong>Members</strong> tab, then <strong>Add</strong> to add your service user</li>
        </ul>
      </div>
    </Step>

    <Step title="Configure Vault-Level Permissions (Optional)">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>For actions like managing users, groups, or safes, the service account may need additional Vault-level permissions.</p>

        <ul>
          <li><strong>Audit Users</strong> — Required for listing and viewing users/groups</li>
          <li><strong>Add/Update Users</strong> — Required for creating, updating, and deleting users/groups</li>
          <li><strong>Reset Users' Passwords</strong> — Required for password reset actions</li>
          <li><strong>Add Safes</strong> — Required for creating new safes</li>
          <li><strong>Manage Safe Members</strong> — Required for adding/updating/removing safe members</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Finding Your Tenant ID</h2>

  <p>The Identity Tenant ID is needed to construct the OAuth token endpoint URL.</p>

  <Steps>
    <Step title="Locate Your Tenant ID">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>In the Identity Administration portal, click the <strong>user icon</strong> in the top-right corner.</p>

        <ul>
          <li>Click <strong>About</strong> or <strong>Tenant Details</strong> to see your Tenant ID</li>
          <li>Your Identity tenant URL follows the format: `https://<tenant-id>.id.cyberark.cloud`</li>
          <li>The Tenant ID is the prefix before `.id.cyberark.cloud`</li>
          <li><strong>Important</strong>: The Identity Tenant ID may differ from your Privilege Cloud subdomain</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Finding Your Privilege Cloud Subdomain</h2>

  <p>The Privilege Cloud subdomain is needed to construct the API base URL.</p>

  <Steps>
    <Step title="Locate Your Subdomain">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Open your CyberArk Privilege Cloud portal in a browser.</p>

        <ul>
          <li>Your Privilege Cloud URL follows the format: `https://<subdomain>.privilegecloud.cyberark.com`</li>
          <li>The subdomain is the prefix before `.privilegecloud.cyberark.com`</li>
          <li>Example: If your URL is `https://acme.privilegecloud.cyberark.com`, your subdomain is `acme`</li>
          <li>You can also find this in the CyberArk welcome email or by contacting your CyberArk administrator</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>
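
The Identity Tenant ID and the Privilege Cloud subdomain each become part of a hostname, and the Client Secret is posted to the first of them, so it is worth checking both values before using them. The Python below is an added example, not StackOne's or CyberArk's code: it accepts a bare value or a pasted portal URL, rejects anything that is not a single DNS label under the expected suffix, and builds the client-credentials request without sending it. The `/oauth2/platformtoken` path is an assumption taken from CyberArk's API documentation rather than from this guide, and the sample values are constructed.

```python
import re
from urllib.parse import urlencode, urlsplit

IDENTITY_SUFFIX = ".id.cyberark.cloud"          # format given in this guide
PCLOUD_SUFFIX = ".privilegecloud.cyberark.com"  # format given in this guide
# Assumption: token path from CyberArk's API docs, not stated in this guide.
TOKEN_PATH = "/oauth2/platformtoken"
# Exactly one DNS label: no dots, slashes, '@', '#' or whitespace.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def extract_label(value: str, suffix: str) -> str:
    """Return the tenant ID / subdomain from a bare value or a pasted URL."""
    value = value.strip().lower()
    if "://" in value:
        parts = urlsplit(value)
        # Reject http://, userinfo tricks (label.suffix@other-host) and ports.
        if parts.scheme != "https" or parts.username or parts.port:
            raise ValueError("expected a plain https:// portal URL")
        host = parts.hostname or ""
        if not host.endswith(suffix):
            raise ValueError(f"host does not end with {suffix}")
        value = host[: -len(suffix)]
    if not _LABEL.fullmatch(value):
        raise ValueError("not a single DNS label")
    return value


def build_connection(client_id, client_secret, tenant, subdomain):
    """Build the token request and API base URL without sending anything."""
    tenant_id = extract_label(tenant, IDENTITY_SUFFIX)
    sub = extract_label(subdomain, PCLOUD_SUFFIX)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never the URL
    })
    return {
        "token_url": f"https://{tenant_id}{IDENTITY_SUFFIX}{TOKEN_PATH}",
        "token_body": body,
        "api_base": f"https://{sub}{PCLOUD_SUFFIX}",
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials or tenants.
    conn = build_connection("stackone-api-service", "example-secret",
                            "https://abc1234.id.cyberark.cloud", "acme")
    print(conn["token_url"], conn["api_base"])
```

The tenant ID and subdomain are validated separately because, as noted above, they may differ.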

<div data-whitelabel-hide>
  <h2>Linking the Account from the Hub</h2>

  <Steps>
    <Step title="Navigate to the Hub">
      Use one of the three <a href="/guides/accounts-section#linking-accounts">Linking Account Methods</a> to access the Hub.
    </Step>

    <Step title="Fill out the fields">
      Fill out the following fields using details from your provider:

      <ul>
        <li><strong>Client ID</strong></li>
        <li><strong>Client Secret</strong></li>
        <li><strong>Identity Tenant ID</strong></li>
        <li><strong>Privilege Cloud Subdomain</strong></li>
      </ul>
    </Step>

    <Step title="Connect">
      <ul>
        <li>Click <strong>Connect</strong></li>
        <li>If applicable, the provider will redirect you to a sign-in or authorization page. Complete the provider's authorization flow.</li>
        <li>Once authorization is successful, you will see a confirmation popup</li>
      </ul>
    </Step>
  </Steps>

  <p>If the account linking is successful, you will see the newly linked account in your <a href="/guides/accounts-section">Accounts</a> page.</p>
</div>
