This article is intended for HelloTeam users with ADMIN Access Level
Step 1: Log in to your CyberArk Admin Portal
Log in to your CyberArk portal via your organization’s tenant URL.
The portal home page should look something like this:
Switch to the admin portal view by clicking on the grid symbol next to “Identity User Portal” and selecting Admin Portal:
Now your web page’s top left corner should look like this:
Step 2: Create a SCIM Client Role
1. Navigate to Core Services > Roles.
2. Click Add Role in the top left corner.
3. Name your role “SCIM Client” and click Save. You will be automatically redirected to the settings page for the new role.
4. Under Administrative Rights, click Add, search/select the User Management right, and click Save.
5. Click Save.
Step 3: Create a Custom OAuth Client
1. Navigate to Apps & Widgets > Web Apps.
2. Click Add Web Apps in the top right corner.
3. On the Custom tab, next to the OAuth2 Client entry, click Add.
4. In the Add Web App screen, click Yes to add the application.
5. Click the Close button of the Add Web Apps modal. You will be redirected to a screen for configuring your OAuth2 client.
6. On the Settings page, complete the following fields:
   - Application ID: any arbitrary value you choose, e.g. scim_oauth_client. This is a unique key used to build the OAuth2 endpoint URL. This is the Application ID that will need to be entered during the linking flow.
7. On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:
8. On the Tokens page, complete the following fields:
9. On the Scope page, click Add and create a new scope as follows:
10. On the Permissions page, add the SCIM client role that we set up in Section 1 and make sure the Run permission box is checked.
11. Click Save at the bottom of the page.
Step 4: Create a CyberArk Service User
1. Navigate to Core Services > Users.
2. Click Add User in the top right corner.
3. Complete the following fields:
   - Login name: This field combined with the @ symbol and chosen suffix will become your username and Client ID. In the below example that full value is “CLIENT_ID_PREFIX@merge”.
   - Display name (set to whatever you like)
   - Password (This field will become your password and Client Secret.)
4. Check the box under the Status section labeled “Is OAuth confidential client”. Upon clicking this box you should see the email field grayed out and the “is service user” box checked automatically.
5. Navigate back to Core Services > Roles and open the SCIM client role we created in Section 1.
6. Under the Members section, click Add and then add your newly created user.
7. Click Save.
Step 5: Enter information in the Linking Flow
1. Back in the linking flow, enter the URL used to log into the CyberArk portal.
2. Next, enter the Application ID you created from step 3.6 above.
3. On the following page, enter your Client ID and Secret/Password from step 4.3.
4. The linking flow should complete!
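
How the four values collected in Steps 3 and 4 combine into an OAuth2 client-credentials token request, shown as an added example that is not part of the original article and is not HelloTeam or CyberArk code. The `/oauth2/token/<Application ID>` path, the `tenant.example.com` host, the `PLACEHOLDER_SCOPE` scope name and both function names are assumptions; confirm the path and scope against your own tenant.

```python
import base64
import urllib.parse
import urllib.request

# Assumption: token endpoint path keyed by the Application ID from Step 3.
TOKEN_PATH = "/oauth2/token/"


def build_token_request(tenant_url, application_id, client_id, client_secret, scope):
    """Return an unsent client-credentials token request for the service user."""
    parts = urllib.parse.urlsplit(tenant_url.strip())
    # The service user's password travels in the Authorization header, so
    # refuse anything but plain https://host (no embedded credentials).
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("tenant URL must be an https:// URL without credentials")
    # Step 4: the Client ID is "<login name>@<suffix>".
    login, sep, suffix = client_id.partition("@")
    if not (login and sep and suffix) or ":" in client_id:
        raise ValueError("client ID must look like login-name@suffix")
    if not application_id or not client_secret:
        raise ValueError("application ID and client secret are required")

    path = TOKEN_PATH + urllib.parse.quote(application_id, safe="")
    url = urllib.parse.urlunsplit(("https", parts.netloc, path, "", ""))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body.encode(), method="POST", headers=headers)


def redacted(req):
    """Summarise a request for logs without exposing the client secret."""
    return f"{req.get_method()} {req.full_url} Authorization=<redacted>"


if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    req = build_token_request(
        "https://tenant.example.com", "scim_oauth_client",
        "CLIENT_ID_PREFIX@merge", "constructed-password", "PLACEHOLDER_SCOPE",
    )
    print(redacted(req))
    # To try it against your own tenant: urllib.request.urlopen(req, timeout=10)
```

If the request is rejected when sent to your tenant, recheck that the service user is a member of the SCIM Client role and that the role has the Run permission on the OAuth2 client.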