Provisioning users through the API
You can automate user provisioning using the Content Manager Web Services API.
User authentication happens through Tridion Access Management and an identity provider. Once a user is authenticated as an external identity, Content Manager maps that identity to a Content Manager user profile, which carries the authorization and application data. These Content Manager user profiles need to be provisioned.
There are two types of user profiles:
Internal users are authenticated by the Tridion Docs Identity Provider. Internal users require a password maintained by Content Manager (storage, complexity rules, expiration, lost passwords, and so on).
- The incoming user name and password are passed to, and validated by, Application.Login and matched to a unique Content Manager user profile.
- User profile creation happens through User.Create, where the field FISHUSERTYPE should contain Internal, and you have to specify the PASSWORD field.
External users are authenticated by an external identity provider before being matched to a Content Manager user profile for authorization. There is no password management for these users.
- The incoming authenticated identity is matched to a unique Content Manager user profile using the field FISHEXTERNALID.
- User profile creation happens through User.Create, where the field FISHUSERTYPE should hold External, and FISHEXTERNALID should contain a match for the incoming IIdentity.Name value (e.g. MYDOMAIN\username). You are not allowed to specify the PASSWORD field.
The API allows you to create, read, update, delete and disable user profiles. The following algorithm can guide you in synchronizing your user systems.
- Delete or disable Content Manager user profiles that no longer exist in the central system.
  - List all Content Manager user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No.
  - For every user in that Content Manager user list, find the external user profile by FISHEXTERNALID.
    - If none exists, delete the Content Manager user profile if it is not referenced; otherwise disable the Content Manager user profile.
    - If one or more exist, check whether the external user is disabled and, if so, disable the Content Manager user profile.
- Create or update Content Manager user profiles in the Content Manager system.
  - List all external users required to have a matching profile in Content Manager (e.g. limited by a role, …).
  - For every user in the external user list, find the Content Manager user profile by FISHEXTERNALID.
    - If there are multiple hits, throw an exception, as multiple profile hits never grant a login.
    - If none exists, create the user profile with the required roles and user groups.
    - If one exists, enable, skip or possibly update the user profile.
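The two-step synchronization above, together with the Internal/External rules for User.Create from the earlier section, as an added worked example. This is not Tridion's code and does not call the Content Manager Web Services API: the CmStore class is a constructed in-memory stand-in for User.Create and the update, disable and delete calls, so that the reconciliation logic (delete only when unreferenced, disable otherwise, fail on an ambiguous FISHEXTERNALID match) can be run offline. The field names FISHUSERTYPE, FISHEXTERNALID, FISHUSERDISABLED and PASSWORD are the ones this page names; the `referenced` flag, the case-insensitive comparison of identity names, and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CmUserProfile:
    """Constructed stand-in for a Content Manager user profile."""
    username: str
    fishusertype: str        # FISHUSERTYPE: "Internal" or "External"
    fishexternalid: str      # FISHEXTERNALID: IIdentity.Name match, e.g. MYDOMAIN\username
    fishuserdisabled: str    # FISHUSERDISABLED: "Yes" or "No"
    roles: list = field(default_factory=list)
    referenced: bool = False  # hypothetical flag: other objects still reference the profile

@dataclass
class ExternalUser:  # constructed record from the external identity source
    external_id: str
    disabled: bool
    roles: list = field(default_factory=list)

def _key(external_id):
    # Assumption: identity names such as MYDOMAIN\username compare case-insensitively.
    return external_id.casefold()

class CmStore:
    """In-memory stand-in for User.Create and the update/disable/delete calls, not the real API."""

    def __init__(self, profiles):
        self.profiles = {p.username: p for p in profiles}

    def list_enabled_external(self):
        return [p for p in self.profiles.values()
                if p.fishusertype == "External" and p.fishuserdisabled == "No"]

    def find_by_external_id(self, external_id):
        return [p for p in self.profiles.values()
                if p.fishusertype == "External" and _key(p.fishexternalid) == _key(external_id)]

    def create(self, username, fishusertype, fishexternalid, roles, password=None):
        # Rule from the page: Internal profiles need PASSWORD, External ones must not set it.
        if fishusertype == "External" and password is not None:
            raise ValueError("PASSWORD may not be specified for External users")
        if fishusertype == "Internal" and password is None:
            raise ValueError("Internal users require the PASSWORD field")
        self.profiles[username] = CmUserProfile(username, fishusertype, fishexternalid, "No", list(roles))

    def delete(self, profile):
        del self.profiles[profile.username]

    def set_disabled(self, profile, disabled):
        profile.fishuserdisabled = "Yes" if disabled else "No"

def sync_users(cm, external_users):
    """Run the page's two-step algorithm; returns the (action, username) log."""
    actions = []
    ext_by_id = {_key(u.external_id): u for u in external_users}
    # Step 1: retire enabled External profiles whose identity is gone or disabled upstream.
    for profile in cm.list_enabled_external():
        ext = ext_by_id.get(_key(profile.fishexternalid))
        if ext is None and not profile.referenced:
            cm.delete(profile)
            actions.append(("delete", profile.username))
        elif ext is None or ext.disabled:
            cm.set_disabled(profile, True)
            actions.append(("disable", profile.username))
    # Step 2: every active external user gets exactly one matching profile.
    for ext in external_users:
        if ext.disabled:
            continue  # assumption: disabled upstream users are not "required" profiles
        hits = cm.find_by_external_id(ext.external_id)
        if len(hits) > 1:
            raise ValueError(f"multiple profiles match FISHEXTERNALID {ext.external_id}")
        if not hits:
            cm.create(ext.external_id, "External", ext.external_id, ext.roles)
            actions.append(("create", ext.external_id))
        elif hits[0].fishuserdisabled == "Yes":
            cm.set_disabled(hits[0], False)
            actions.append(("enable", hits[0].username))
        else:
            actions.append(("skip", hits[0].username))
    return actions

def build_sample_store():
    """Constructed sample profiles covering each branch of the algorithm."""
    return CmStore([
        CmUserProfile("alice", "External", "MYDOMAIN\\alice", "No"),                # unchanged
        CmUserProfile("bob", "External", "MYDOMAIN\\bob", "No", referenced=True),   # gone, referenced: disable
        CmUserProfile("carol", "External", "MYDOMAIN\\carol", "No"),                # gone, unreferenced: delete
        CmUserProfile("dave", "External", "MYDOMAIN\\dave", "No"),                  # disabled upstream: disable
        CmUserProfile("erin", "External", "MYDOMAIN\\erin", "Yes"),                 # active upstream again: enable
        CmUserProfile("frank", "Internal", "", "No"),                               # Internal: never touched
    ])

SAMPLE_EXTERNAL_USERS = [  # constructed directory listing
    ExternalUser("MYDOMAIN\\alice", False, ["Author"]),
    ExternalUser("MYDOMAIN\\dave", True),
    ExternalUser("MYDOMAIN\\Erin", False, ["Reviewer"]),   # case differs from the stored id
    ExternalUser("MYDOMAIN\\heidi", False, ["Author"]),    # not yet in Content Manager: create
]
```

Running `sync_users(build_sample_store(), SAMPLE_EXTERNAL_USERS)` yields the log `disable bob`, `delete carol`, `disable dave`, `skip alice`, `enable erin`, `create MYDOMAIN\heidi`; a second run over the same store only produces `skip` entries, which is the property to check before scheduling such a job. The deliberate failure on more than one FISHEXTERNALID hit mirrors the page's rule that multiple profile hits never grant a login: an ambiguous mapping is a provisioning defect to surface, not something to resolve by picking a profile.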