Create Remediation User

Use this API to create a Remediation user. 

POST /adminui/user-management/v1/user

Input Parameters

Parameter  Sub Parameters  Data Type  Mandatory/Optional  Description
userDetails
firstName Alphanumeric string Mandatory Specify the first name of the user. You can enter up to a maximum of 30 characters.
For example: John
lastName Alphanumeric string Mandatory Specify the last name of the user. You can enter up to a maximum of 30 characters.
For example: Doe
 emailID  String Mandatory

Specify the email address of the user.

For example: johndoe@company.com

 contactNumber Number Optional

Specify the contact number of the user.

 title String Mandatory

Specify the title for the user. 

For example: IT User or Sales

language String Mandatory Specify the language as 'English' or 'Japanese'.

Note that the value is case-sensitive.
 
zipCode String Optional Specify the zip code of the user's location.
state String Optional

Specify the state.

For example: Maharashtra

Note: This value must be specified only when the country value is Australia, Canada, India or United States of America.

country String Mandatory

Specify the country.

For example: India

Note: If the values specified are Australia, India, Canada or United States of America, it is mandatory to specify the state value.

For all other countries, the state value must be specified as null.  

city String Optional

Specify the city.

For example: Pune

externalId String Optional

Specify the external ID of the user.
For example: 453

Note:  The externalId field is mandatory when creating a user account with SAML authentication enabled.

  • If the account uses SAML, the samlEnabled flag (under the security section) must be set to true.

  • A valid externalId must also be  provided.

Note: The parameter samlEnabled is part of the security object within the user request payload.

accessToAllAssetGroups  Boolean Optional

Specify the value as true or false. The default value is false.

Note

  • This flag can only be set to true for the following user roles:

    • Reader

    • Scanner

    • Remediation

  • If the flag is set to true, a Business Unit (BU) must be selected; otherwise, the request will be rejected.

  • When enabled, this flag grants the user access to all asset groups under the specified Business Unit defined by the buTag.

Important:  If this flag is true, the user must not provide any specific list of asset groups in the assetGroupTags field.

 accessAll  Boolean  Optional

Specify the value as true or false.

Note: 

  • The value is always true for the following user roles:

    • Manager

    • Super

    • Admin

    • Super-admin

  • For all other user roles (e.g., Reader, Scanner, and so on), the default value is false unless explicitly set.

  • When the value is true, the user will have access to all assets within the subscription.

  • When the value is false, the user will only have access to assets assigned via: 

    • Tag-based scoping

    • Business units

    • Asset groups

address String Mandatory Specify the address of the user. You can enter up to a maximum of 150 characters.
sendEmail Boolean Optional

Specify the input as True or False.

The default value is True if no specific value is provided.

Note: 

  • This field determines whether an email is sent to initiate the password generation via the OTP process.

  • If the flag is set to false, the password is included directly in the API response instead of being sent via email.

apiExternalId String Optional Specify the external ID of the user.
For example, johnd@qualys.com or 34562.

This parameter is used to support the OAUTH/OIDC passwordless authentication phase 1. It serves as the unique key for APIs within a subscription.
locale userDateFormat String Optional

Specify one of the following values:

- dmy

- mdy

- ymd

- dmy_txt

userTimeZone String Optional Specify the timezone. 

For example: "Pacific/Samoa", "Asia/Calcutta" and similar timezones.
language String Optional Specify the language as English or Japanese. 
Note that the value is case-sensitive.
userDownloadFormat String Optional Specify the input as 'Comma-Separated Value (CSV)'.
userType - String Mandatory Specify the input as 'REGULAR' or 'SUPER'. Note that the value is case-sensitive.

Note: If userType is set to SUPER, then the qwebUserRole must be MANAGER.
globalPermission - An array of strings Optional

These are the global permissions. Specify one of the following inputs:

- [API_ACCESS]

- [UI_ACCESS]

- [API_ACCESS, UI_ACCESS]

Note: 

- For the contact user type, API_ACCESS / UI_ACCESS does not need to be added.

- Permissions on the Create User and Edit User page apply only to VM and PC applications. For other applications, role based permissions determine the access.

buTag Optional Note: buTag is mandatory only for UNIT MANAGER and is optional for other types of users.

Refer to the List of Business Units API to know the type of BUs that can be assigned to the user roles.
tagId Number Optional

Specify the tag ID.

For example: 4525678

Note: If the buTag is specified, the tagId field is mandatory.

buSourceId Number Optional

Specify the source ID for the BU.
For example: 478r567.

Note: If buTag needs to be assigned, then you must provide the buSourceId. If you do not want to specify the buTag parameter, then specify '0'.

tagName  String Optional

Specify the name of the tag.

For example: Unit BU

Note: If buTag needs to be assigned, then you must provide tagName.

assetGroupTags     Optional

Asset Group Assignment Rules

  • Asset group assignment is required only for users with the following roles:

    • READER
    • REMEDIATION
    • SCANNER
  • For all other user roles, asset  group assignment is not applicable.

Business Unit Dependency

The list of asset groups that can be assigned to a user is determined by the Business Unit (buTag) selected. 

To retrieve the asset groups available for assignment based on the selected business unit, refer to the List Asset Groups API.

tagId Number Optional

Specify the tag ID.

For example: 325678

Note: If assetGroupTags is provided, the tagNameId field within it is mandatory.

tagSourceId Number Optional

Specify the source ID for the tag.

For example: 177567.

 Note: If assetGroupTags is provided, the tagSourceId field within it is mandatory.

tagName String Optional

Specify the name of the tag.

For example: AG_2

Note: If assetGroupTags is provided, tagName sub-parameter is mandatory.

scopedTags - An array of numbers showing tagIDs Optional

Specify the tag IDs.

For example: [860765, 834567,861234]

Note: If the user’s accessAll flag is set to false, then asset group scope must be defined using the appropriate assigned tags.

additionalRoles - Array of numbers Optional Specify the additional roles. 

For example: [560765, 534567,561234]

Note: 
  • The list additionalRoles must only contain role IDs that are valid for the given customerId.

  • If the user’s primary qwebUserRole is not MANAGER, the following system role IDs are not allowed in additionalRoles:

    • VM_MANAGER

    • PC_SCA_MANAGER

  • These system roles are usually reserved for managers only.

notification
 
     

The set of notifications  that can be assigned to  a user depends on:

  • The subscription-level configurations

  • The user role of the user being created or updated

To retrieve the correct configuration, refer to the Get List of VM/PC Permissions API.
latestControls String Optional

Specify one of the following inputs:

- monthly

- weekly

- none

Note: This sub-parameter is supported only when the PC module access is granted and the role is Manager or Auditor.

latestVulns String Optional

Specify one of the following inputs:

- monthly

- weekly

- none

Note: This sub-parameter is supported only for the VM module.

 exception String Optional

Specify one of the following inputs:

- my_exceptions

- no_notifcation

Note: This sub-parameter is supported only for the PC module for all roles, except the Contact role.

ticketNotification String Optional Specify the input as 'null'.

Note: This sub-parameter is supported only for the VM module.
dailyTicket Boolean Optional Specify the input as True or False.

Note: This sub-parameter is supported only for the VM module.
numberOfDaysBeforeExpiration Number Optional Specify the input in days between 1 and 31. Set it to 'null' if not applicable.

Note: This sub parameter is supported only for the PC module for all roles, except Contact role.
scanSummaryNotification Boolean Optional Specify the input as True or False.

Note: This sub-parameter is supported only for the VM module.
mapNotification Boolean Optional Specify the input as True or False.

Note: This sub-parameter is supported only for the VM module.
report String Optional

Specify one of the following inputs:

- my_reports

- no_notifcation

Note: This sub-parameter is supported for the PC and VM modules when the report permission is enabled.

scanCompleteNotification Boolean Optional Specify the input as True or False.

Note: This sub-parameter is supported only for the VM module for all roles, except the Remediation User role.
heartbeatFailed String  Optional Specify the value as "0" or "1".

Note: This sub-parameter is applicable only when a scanner appliance is added in the user account.
security vipEnabled Boolean  Optional Specify the input as True or False.
samlEnabled Boolean  Optional Specify the input as True or False.
sessionTimeOut Integer Optional Specify a value between 10 and 240.
passwordNeverExpired Boolean  Optional Specify this value as true for users having only API_ACCESS.

Note: This feature is not supported for UI access users.
securityQuestion1 String Optional This field is applicable only when users are editing their own account.
securityQuestion2 String Optional This field is applicable only when users are editing their own account.
securityQuestion3 String Optional This field is applicable only when users are editing their own account.
answer1 String Optional This field is applicable only when users are editing their own account.
answer2 String Optional This field is applicable only when users are editing their own account.
answer3 String Optional This field is applicable only when users are editing their own account.
excludeDefaultRoles  - Boolean Optional Specify the input as True or False. 

Note: The value must be true when the user does not have defaultRoles assigned based on the user role given in the qwebUserRole field.
qwebUserRole  String  Mandatory Specify the value REMEDIATION_USER. 
extendedPermissions      

Regular and Super managers do not have VM/PC permissions. This object should be null for those users.

These fields are available based on the subscription configurations and settings. To fetch the exact available values, refer to the Get List of VM/PC Permissions API. 

Note: We have additional sub-parameters that will be listed soon.

 addAssets String Optional Specify the value as 0 or 1. 

This parameter will be disabled based on the editor and roles permission and if user is editing the parameter. 
createOptionProfiles String Optional Specify the value as 0 or 1. 
 
purgeHostInfo String Optional Specify the value as 0 or 1. 
manageAuthRecords String Optional Specify the value as 0 or 1. 
manageVirtualScanners String Optional  Specify the value as 0 or 1. 
manageOfflineScanners  String  Optional  Specify the value as 0 or 1. 
manageUserAccounts  String  Optional  Specify the value as 0 or 1. 

Note: This parameter is applicable if Tweak:allowUserManagementSubscriptions is enabled for the subscription and the logged-in user is a Super Administrator or Administrator user. They can control Unit Manager, Administrator, and Regular/Super Manager.
manageExternalIds  String  Optional Specify the value as 0 or 1. 

This parameter manages the external IDs for users and is applicable for Manager, Unit Manager and Administrator user if edit external id option is selected in security page.
manageVmModule  String  Optional Specify the value as 0 or 1. 

This parameter manages the VM application.
manageRemediationPolicies  String  Optional Specify the value as 0 or 1. 
manageWebAppPermission  String  Optional

Specify the value as 0 or 1. 

This parameter is available only if WAS is enabled for the Unit Manager, Scanner, and Reader users.

createWebAppsPermission  String  Optional

Specify the value as 0 or 1. 

This parameter is disabled if manageWebAppPermission is not enabled.

manageVirtualHosts  String  Optional Specify the value as 0 or 1. 
manageComplianceModules  String  Optional

Specify the value as 0 or 1. 

This parameter manages the SCA/PC application.

manageCompliancePolicies  String  Optional

Specify the value as 0 or 1. 

This parameter is disabled if manageComplianceModules is not enabled.

approveExceptions  String  Optional

Specify the value as 0 or 1. 

This parameter is disabled if manageComplianceModules is not enabled.

 createUserDefinedControls  String  Optional

Specify the value as 0 or 1. 

This parameter is disabled for SCA only accounts, if not SCA only shown for Unit Manager and manageComplianceModules is enabled.

 modifyUserDefinedControls String  Optional

Specify the value as 0 or 1. 

This parameter is disabled for SCA only accounts, if not SCA only shown for Unit Manager and manageComplianceModules is enabled.

 allowAdminUserDeletion  String  Optional Specify the value as 0 or 1. 

This parameter is used to delete an Administrator user by another Administrator user.
 isAdminUser    Boolean Optional Specify the value as true or false.

Note: The value must be true when SUPER MANAGER user with admin rights is created.
allowDeletionofAdminUser   Boolean Optional Specify the value true or false.

Note: Needs to be true when ADMINISTRATOR user needs to have permission to delete other Administrator users.

The API request and response are in JSON format. Some characters, such as backslash (\) and double quotes ("), in passwords or other fields may appear escaped in raw JSON responses. It is recommended to always parse responses using a standard JSON parser to retrieve the correct values.

Sample - Create Remediation User

API request

curl --location --request POST '<qualys_base_url>/adminui/user-management/v1/user' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <JWT_Token>' \
--data-raw '<request_body>'

Request body

{
    "userDetails": {
        "firstName": "john",
        "lastName": "doe",
        "title": "remediation to super user without admin",
        "emailId": "johnd@qualys.com",
        "contactNumber": null,
        "zipCode": "411038",
        "country": "Andorra",
        "state": null,
        "city": null,
        "externalId": null,
        "address": "Test",
        "language": "English",
        "accessToAllAssetGroups": true,
        "sendEmail": true,
        "apiExternalId": "54321"
    },
    "locale": {
        "userDateFormat": "mdy",
        "language": "English",
        "userDownloadFormat": "Comma-Separated Value (CSV)"
    },
    "userType": "REGULAR",
    "globalPermission": [
        "UI_ACCESS"
    ],
    "buTag": {
        "tagId": 47734065,
        "buSourceId": 1807825,
        "tagName": "Test_UM"
    },
    "assetGroupTags": [
        {
            "tagId": -999,
            "agSourceId": -999,
            "tagName": "All"
        }
    ],
    "scopedTags": [
        36810704
    ],
    "qwebUserRole": "REMEDIATION_USER",
    "additionalRoles": [
        9292525
    ],
    "notification": {
        "latestVulns": "daily",
        "ticketNotification": null,
        "dailyTicket": true
    },
    "security": {
        "vipEnabled": false,
        "samlEnabled": false,
        "passwordNeverExpired": false,
        "sessionTimeOut": null
    },
    "excludeDefaultRoles": true
}

Response

{
    "userId": 1072481696,
    "username": "quaysxtr13",
    "status": "SUCCESS"
}
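
A client-side pre-flight check for the request body, as an added example (not Qualys code): it encodes cross-field rules from the notes in the parameter table and reports whether the API response will contain the new password. The function names and the BAD payload are constructed for illustration.

```python
# Added example: pre-flight check of a Create Remediation User request body.
# Rules are taken from the notes in the parameter table; names are hypothetical.
STATE_COUNTRIES = {"Australia", "Canada", "India", "United States of America"}
MAX_LEN = {"firstName": 30, "lastName": 30, "address": 150}

def validate_payload(payload):
    """Return a list of violations of the documented cross-field rules."""
    errors = []
    details = payload.get("userDetails") or {}
    security = payload.get("security") or {}
    perms = payload.get("globalPermission") or []
    for field, limit in MAX_LEN.items():
        value = details.get(field)
        if not value:
            errors.append(f"{field} is mandatory")
        elif len(value) > limit:
            errors.append(f"{field} exceeds {limit} characters")
    if details.get("language") not in ("English", "Japanese"):
        errors.append("language must be 'English' or 'Japanese' (case-sensitive)")
    country, state = details.get("country"), details.get("state")
    if country in STATE_COUNTRIES and not state:
        errors.append(f"state is mandatory when country is {country}")
    if country not in STATE_COUNTRIES and state is not None:
        errors.append("state must be null for this country")
    if security.get("samlEnabled") and not details.get("externalId"):
        errors.append("externalId is mandatory when samlEnabled is true")
    if details.get("accessToAllAssetGroups") and not payload.get("buTag"):
        errors.append("accessToAllAssetGroups requires a buTag")
    if payload.get("qwebUserRole") != "REMEDIATION_USER":
        errors.append("qwebUserRole must be REMEDIATION_USER")
    if payload.get("userType") == "SUPER" and payload.get("qwebUserRole") != "MANAGER":
        errors.append("userType SUPER requires qwebUserRole MANAGER")
    if security.get("passwordNeverExpired") and "UI_ACCESS" in perms:
        errors.append("passwordNeverExpired is not supported with UI_ACCESS")
    timeout = security.get("sessionTimeOut")
    if timeout is not None and not 10 <= timeout <= 240:
        errors.append("sessionTimeOut must be between 10 and 240")
    return errors

def response_carries_password(payload):
    """sendEmail defaults to True; an explicit false puts the password in the response."""
    return (payload.get("userDetails") or {}).get("sendEmail", True) is False

# Constructed payload that breaks two rules (not from the page).
BAD = {"userDetails": {"firstName": "john", "lastName": "doe", "address": "Test",
                       "language": "English", "country": "India", "state": None},
       "qwebUserRole": "REMEDIATION_USER", "userType": "REGULAR",
       "security": {"samlEnabled": True}}
```

When `response_carries_password` returns True, treat the raw API response as a secret: keep it out of logs and parse the password with a JSON parser rather than string matching.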