diff --git a/config/crd/bases/redhatgov.io_nexususer.yaml b/config/crd/bases/redhatgov.io_nexususer.yaml
new file mode 100644
index 0000000..e92db63
--- /dev/null
+++ b/config/crd/bases/redhatgov.io_nexususer.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: nexususers.redhatgov.io
+spec:
+ group: redhatgov.io
+ names:
+ kind: NexusUser
+ listKind: NexusUserList
+ plural: nexususers
+ singular: nexususer
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ description: NexusUser is the Schema for the nexus_user API
+ properties:
+ apiVersion:
+ description: |
+ APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info:
+ https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |
+ Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info:
+ https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the user information to add to the local Nexus authorization list
+ properties:
+ user:
+ description: Keycloak User REST object.
+ properties:
+ username:
+ description: User Name.
+ type: string
+ password:
+ description: Password.
+ type: string
+ firstName:
+ description: First Name.
+ type: string
+ lastName:
+ description: Last Name.
+ type: string
+ email:
+ description: Email.
+ type: string
+ required:
+ - username
+ - password
+ type: object
+ required:
+ - user
+ type: object
+ type: object
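Review bot: The `spec.user.password` property (required, `type: string`) puts the user's credential in the CR body, so it lives in etcd like any other object field (unencrypted unless encryption at rest is configured) and is readable by anyone with get/list on nexususers; a reference to a Secret (for example a `passwordSecretRef` with `name`/`key`) would keep the credential out of the CR. The description `Keycloak User REST object.` also looks copied from another CRD, since this object describes a Nexus user. Separately, `subresources.status: {}` is declared but the schema has no `status` property; under apiextensions.k8s.io/v1, fields absent from the schema are pruned, so the operator's status writes would likely be dropped unless a `status` object with `x-kubernetes-preserve-unknown-fields: true` is added.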
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 5fed6eb..1b85d2b 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -6,4 +6,5 @@ kind: Kustomization
 # It should be run by config/default
 resources:
 - bases/redhatgov.io_nexus.yaml
+- bases/redhatgov.io_nexususer.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml
index e1a0235..c5ba555 100644
--- a/config/rbac/cluster_role.yaml
+++ b/config/rbac/cluster_role.yaml
@@ -82,6 +82,8 @@ rules:
 resources:
 - nexus
 - nexus/status
+ - nexususers
+ - nexususers/status
 verbs:
 - create
 - update
diff --git a/config/rbac/namespaced/role.yaml b/config/rbac/namespaced/role.yaml
index fe878f4..48c2458 100644
--- a/config/rbac/namespaced/role.yaml
+++ b/config/rbac/namespaced/role.yaml
@@ -82,6 +82,8 @@ rules:
 resources:
 - nexus
 - nexus/status
+ - nexususers
+ - nexususers/status
 verbs:
 - create
 - update
diff --git a/config/rbac/nexus_editor_role.yaml b/config/rbac/nexus_editor_role.yaml
index 22760fe..016ebeb 100644
--- a/config/rbac/nexus_editor_role.yaml
+++ b/config/rbac/nexus_editor_role.yaml
@@ -8,6 +8,7 @@ rules:
 - redhatgov.io
 resources:
 - nexus
+ - nexususers
 verbs:
 - create
 - delete
@@ -20,5 +21,6 @@ rules:
 - redhatgov.io
 resources:
 - nexus/status
+ - nexususers/status
 verbs:
 - get
diff --git a/config/rbac/nexus_viewer_role.yaml b/config/rbac/nexus_viewer_role.yaml
index 01f9ff7..b8408ba 100644
--- a/config/rbac/nexus_viewer_role.yaml
+++ b/config/rbac/nexus_viewer_role.yaml
@@ -8,6 +8,7 @@ rules:
 - redhatgov.io
 resources:
 - nexus
+ - nexususers
 verbs:
 - get
 - list
@@ -16,5 +17,6 @@ rules:
 - redhatgov.io
 resources:
 - nexus/status
+ - nexususers/status
 verbs:
 - get
diff --git a/config/samples/redhatgov_v1alpha1_nexus_user_openshift.yaml b/config/samples/redhatgov_v1alpha1_nexus_user_openshift.yaml
new file mode 100644
index 0000000..904ece4
--- /dev/null
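Review bot: Adding `nexususers` to nexus_viewer_role.yaml (the first hunk, with `get`/`list`) exposes `spec.user.password`, which the new CRD stores as a plain string in the CR body, so a read-only binding now yields user credentials. If the password stays in spec, the viewer role should probably not list `nexususers` at all; if the password is moved to a Secret reference, this grant is harmless. A short comment on the line, e.g. `# NexusUser spec carries credentials — keep this grant in sync with the CRD`, would record the dependency.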
+++ b/config/samples/redhatgov_v1alpha1_nexus_user_openshift.yaml
@@ -0,0 +1,11 @@
+apiVersion: redhatgov.io/v1alpha1
+kind: NexusUser
+metadata:
+ name: nexususer1
+spec:
+ user:
+ username: user1
+ password: user1pwd
+ firstName: Nexus
+ lastName: User
+ email: user1@sample.net
diff --git a/playbooks/nexus-user.yml b/playbooks/nexus-user.yml
new file mode 100644
index 0000000..e9e1ad0
--- /dev/null
+++ b/playbooks/nexus-user.yml
@@ -0,0 +1,15 @@
+---
+# Persistent nexus deployment playbook.
+
+# The following variables come from the ansible-operator
+# - ansible_operator_meta.namespace
+
+- hosts: localhost
+ gather_facts: no
+ tasks:
+ - name: Add Nexus User
+ include_role:
+ name: ./roles/nexus-user
+ vars:
+ _nexus_namespace: "{{ ansible_operator_meta.namespace }}"
+ _nexususer: "{{ user }}"
diff --git a/roles/nexus-user/defaults/main.yml b/roles/nexus-user/defaults/main.yml
new file mode 100644
index 0000000..c40e5d1
--- /dev/null
+++ b/roles/nexus-user/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+_nexus_state: present
+_nexus_namespace: nexus
+_nexus_name: nexus
+
diff --git a/roles/nexus-user/tasks/main.yml b/roles/nexus-user/tasks/main.yml
new file mode 100644
index 0000000..2ee25d6
--- /dev/null
+++ b/roles/nexus-user/tasks/main.yml
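Review bot: The header comment of playbooks/nexus-user.yml, `# Persistent nexus deployment playbook.`, describes the Nexus deployment playbook rather than this one; `# Adds a NexusUser to the Nexus instance in the CR's namespace.` matches what its single task does. `gather_facts: no` is a YAML 1.1 truthy spelling; `gather_facts: false` is the canonical form. The comment listing operator-provided variables names only `ansible_operator_meta.namespace`, while `_nexususer: "{{ user }}"` also depends on `user`, presumably the CR's `spec.user` passed through as an extra var — adding `# - user (the CR's spec.user)` would document that assumption.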
@@ -0,0 +1,34 @@
+---
+# Tasks file for Nexus
+
+- name: Check for Nexus CR object
+ k8s_info:
+ api_version: redhatgov.io/v1alpha1
+ namespace: "{{ _nexus_namespace }}"
+ kind: Nexus
+ register: nexus_cr_object
+
+- set_fact:
+ nexus_name: "{{ nexus_cr_object.resources[0].metadata.name }}"
+ when: nexus_cr_object.resources
+
+- name: Check for admin credential secret
+ k8s_info:
+ namespace: "{{ _nexus_namespace }}"
+ kind: Secret
+ name: "{{ nexus_name }}-admin-credentials"
+ register: nexus_admin_credentials
+ when: nexus_name is defined
+
+- set_fact:
+ nexus_admin_password: "{{ nexus_admin_credentials.resources[0].data.password | b64decode }}"
+ when: nexus_admin_credentials.resources
+
+- name: Add NexusUser
+ shell: >-
+ devsecops-api nexus add-user
+ http://{{ nexus_name }}-bypass.{{ _nexus_namespace }}.svc:8081
+ --login-username admin --login-password {{ nexus_admin_password }}
+ --usernames "{{ _nexususer.username }}"
+ --passwords "{{ _nexususer.password }}"
+ when: nexus_admin_password is defined
diff --git a/watches.yaml b/watches.yaml
index 0ab1e42..2f96961 100644
--- a/watches.yaml
+++ b/watches.yaml
@@ -3,3 +3,9 @@
 group: redhatgov.io
 kind: Nexus
 playbook: playbooks/nexus-operator.yml
+
+- version: v1alpha1
+ group: redhatgov.io
+ kind: NexusUser
+ playbook: playbooks/nexus-user.yml
+ reconcilePeriod: "0"
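Review bot: The `Add NexusUser` task interpolates `nexus_admin_password`, `_nexususer.username` and `_nexususer.password` into a `shell` command line, so a password containing shell metacharacters (`$`, backticks, `"`, whitespace) either breaks the command or is interpreted by the shell, and the admin password is not quoted at all. Using `command` with `argv` passes each value as one argument without a shell; the task also needs `no_log: true` (as does the `set_fact` that sets `nexus_admin_password`), because Ansible otherwise records the full command line and the fact value in the operator log. When the `-admin-credentials` Secret is missing, the `when` guard makes the task silently do nothing; a `fail` or `assert` on `nexus_admin_password is defined` would surface the missing prerequisite in the CR status. The role also has no removal path even though defaults/main.yml declares `_nexus_state: present`, so deleting a NexusUser leaves the account in Nexus.
```yaml
# … unchanged: the Nexus CR and admin-credential lookups above …

- name: Add NexusUser
  command:
    argv:
      - devsecops-api
      - nexus
      - add-user
      - "http://{{ nexus_name }}-bypass.{{ _nexus_namespace }}.svc:8081"
      - "--login-username"
      - admin
      - "--login-password"
      - "{{ nexus_admin_password }}"
      - "--usernames"
      - "{{ _nexususer.username }}"
      - "--passwords"
      - "{{ _nexususer.password }}"
  no_log: true
  when: nexus_admin_password is defined
```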
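Review bot: `reconcilePeriod: "0"` disables periodic reconciliation for NexusUser, so the user is only (re)created when the CR changes; if the account is removed from Nexus out of band it is not restored until the next CR edit. That may be intentional, but it differs from the Nexus entry above and deserves a comment, e.g. `# no periodic reconcile: add-user is re-run only when the CR changes`. Because roles/nexus-user has no deletion handling, deleting the CR also does not remove the Nexus account; a `finalizer` entry on this watch would be the place to hook that up.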