Provisioning users through the API

Automating user provisioning using the API.

Authentication happens through a central or third-party system such as Active Directory. Once a user is authenticated as an external user, Content Manager maps that identity to a Content Manager user profile for authorization and application data. These Content Manager user profiles need to be provisioned. There are two types of user profiles:

Internal users go through business logic that matches the incoming user name to a Content Manager user and validates the password to authenticate the user before authorization happens. Internal users require a password maintained by Content Manager (for storage, complexity rules, expiration, lost passwords,...).
  • The incoming user name and password are passed to, and validated by Application.Login to be matched to a unique Content Manager user profile.
  • User profile creation happens through User.Create where the field FISHUSERTYPE should contain Internal, and you have to specify the PASSWORD field.

External users are authenticated by standardized systems before getting matched to a Content Manager user profile for authorization. There is no password management for these users.
  • The incoming authenticated identity is matched to a unique Content Manager user profile using the field FISHEXTERNALID.
  • User profile creation happens through User.Create where the field FISHUSERTYPE should hold External, and FISHEXTERNALID should contain a match for an incoming IIdentity.Name call (e.g. MYDOMAIN\username). You are not allowed to specify the PASSWORD field.

The API supports create, read, update and delete (CRUD) operations on user profiles, as well as disabling them. The following algorithm can guide you in synchronizing your user systems.
  1. Delete or Disable Content Manager User Profiles that no longer exist in the central system.
    1. List all Content Manager user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
    2. For every user in the Content Manager user list, find the external user profile by FISHEXTERNALID
      • If none exist, delete the Content Manager user profile if it is not referenced; otherwise disable the Content Manager user profile.
      • If one or more exist, check if disabled and possibly disable the Content Manager user profile.
  2. Create or Update Content Manager User Profiles in the Content Manager system.
    1. List all external users required to have a matching profile in Content Manager (e.g. limited by a role,…)
    2. For every user in the external-user-list find the Content Manager User Profile by FISHEXTERNALID
      • If there are multiple hits, throw an exception, because multiple profile hits never grant a login
      • If none exists, create the user profile with the required roles and user groups
      • If one exists, enable, skip or possibly update the user profile
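
The two passes above, written as a planning function that only decides what to do and calls no API. This is an added example, not Content Manager code: the dictionary layout, the `name`, `referenced`, `id`, `disabled` and `required` keys, and the `Yes` value in the sample data are assumptions. It also assumes a profile is disabled only when every matching directory account is disabled.

```python
from collections import defaultdict

class AmbiguousProfileError(Exception):
    """Several profiles share one FISHEXTERNALID, so that user can never log in."""

def index(rows, key):
    out = defaultdict(list)
    for r in rows:
        out[r[key]].append(r)
    return out

def plan_sync(cm_profiles, directory_users):
    """Return (action, target) pairs; Internal profiles are never touched."""
    external = [p for p in cm_profiles if p["FISHUSERTYPE"] == "External"]
    dir_by_id = index(directory_users, "id")
    cm_by_id = index(external, "FISHEXTERNALID")
    actions = []
    # Step 1: enabled External profiles whose directory account is gone or disabled.
    for p in [p for p in external if p["FISHUSERDISABLED"] == "No"]:
        matches = dir_by_id.get(p["FISHEXTERNALID"], [])
        if not matches:  # page rule: delete only when unreferenced, else disable
            actions.append(("disable" if p["referenced"] else "delete", p["name"]))
        elif all(u["disabled"] for u in matches):
            actions.append(("disable", p["name"]))
    # Step 2: active directory users that are required to have a profile.
    for u in [u for u in directory_users if u["required"] and not u["disabled"]]:
        hits = cm_by_id.get(u["id"], [])
        if len(hits) > 1:
            raise AmbiguousProfileError(u["id"])
        if not hits:
            actions.append(("create", u["id"]))
        elif hits[0]["FISHUSERDISABLED"] != "No":
            actions.append(("enable", hits[0]["name"]))
    return actions

def profile(name, user_type, ext_id, disabled, referenced):
    return {"name": name, "FISHUSERTYPE": user_type, "FISHEXTERNALID": ext_id,
            "FISHUSERDISABLED": disabled, "referenced": referenced}

# Constructed sample data, not taken from a real system.
CM = [profile("alice", "External", "MYDOMAIN\\alice", "No", True),
      profile("bob", "External", "MYDOMAIN\\bob", "No", True),
      profile("carol", "External", "MYDOMAIN\\carol", "No", False),
      profile("dave", "External", "MYDOMAIN\\dave", "Yes", True),
      profile("erin", "External", "MYDOMAIN\\erin", "No", True),
      profile("admin", "Internal", "", "No", True)]
DIRECTORY = [{"id": "MYDOMAIN\\" + n, "disabled": d, "required": True}
             for n, d in [("alice", False), ("dave", False), ("erin", True), ("frank", False)]]
```

Reviewing the returned plan before applying it through the API keeps an unexpected batch of deletes or disables from running unattended.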