> For the complete documentation index, see [llms.txt](https://v2.dataos.info/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://v2.dataos.info/concepts/foundations/access-control-landscape/runasuser-permissions/create-application-user.md).

# Create an application user

## Why use an application user?

When an action in DataOS runs under a personal user's identity, its access is tied to that person. If they leave the organization or change roles, anything running as them loses access.

An application user is a non-personal identity that you can provision with any role or permission — a role in a tenant, access to compute, depots, secrets, or any other use-case. You define what it can do based on what it is meant to represent, not who it is. Once set up, any person who needs to act under that identity simply gets `runAsUser` granted against this application user — they do not need individual access to each resource the application user holds.

This keeps access stable regardless of team changes, and avoids repeated per-person provisioning every time someone new needs to perform the same actions.

## Before you start

{% hint style="info" %}
Only an Operator can create users in DataOS, including application users.
{% endhint %}

Make sure you have:

* **DataOS CLI installed** — follow the [CLI setup](/concepts/interfaces/command-line-interface.md) guide if you have not done this yet.
* **CLI initialized and logged in** — run `dataos-ctl init` and authenticate against your DataOS instance. If you are unsure whether you are logged in, run `dataos-ctl user get` and confirm your own user appears.
* **Operator role** — your account must have the Operator role assigned.

## How to create an application user?

{% stepper %}
{% step %}

### Create the application user

Run the following command in the DataOS CLI:

```bash
dataos-ctl user create -n 'Data Product Developer' -t application -u dpdeveloper -e dpdeveloper@tmdc.io
```

```
INFO[0000] 🤠 user create...
INFO[0006] 🤠 user create...complete

          NAME          │     ID      │    TYPE     │        EMAIL        │         TAGS
────────────────────────┼─────────────┼─────────────┼─────────────────────┼──────────────────────
 Data Product Developer │ dpdeveloper │ application │ dpdeveloper@tmdc.io │ users:id:dpdeveloper
```

{% endstep %}

{% step %}

### Verify the user

Run this command:

```bash
dataos-ctl user get -i dpdeveloper
```

```
INFO[0000] 😃 user get...
INFO[0001] 😃 user get...complete

          NAME          │     ID      │    TYPE     │        EMAIL        │         TAGS
────────────────────────┼─────────────┼─────────────┼─────────────────────┼──────────────────────
 Data Product Developer │ dpdeveloper │ application │ dpdeveloper@tmdc.io │ users:id:dpdeveloper
```

{% endstep %}
{% endstepper %}

The application user now exists in Bifrost under the **Users** tab filtered by type **application**.

<figure><img src="/files/Unwvr2ZBufdUpxSTb05N" alt="Bifrost Users tab filtered by application type, showing Data Product Developer"><figcaption><p>Application users in Bifrost</p></figcaption></figure>

At this point the user has no permissions beyond its own identity tag.

<figure><img src="/files/IWsYn0C9dqU80oqqrRui" alt="Tags tab showing only the users:id:dpdeveloper tag"><figcaption><p>Initial state — only the identity tag is present</p></figcaption></figure>

The application user starts with minimal permissions. See [Grant permissions](/concepts/foundations/access-control-landscape/runasuser-permissions/grant-user-permissions.md) to set up what the user can do and who can act under its identity.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://v2.dataos.info/concepts/foundations/access-control-landscape/runasuser-permissions/create-application-user.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
